Europa Calling: 2019 European Elections, a New Era for the EU…and its Cyber Protection

By Alejandro Fernández-Cernuda Díaz

Most of us lovers of EU politics will have to concede that the only cross-continental voting that stirs passion among Europeans is that of Eurovision. For those who do not know what Eurovision is and have the time for some catchy songs, click here. Otherwise, I guess it can be said that Eurovision is, since its creation in 1956, perhaps the most bizarre music contest in the world, a crazy competition where several truly European countries such as Australia, Israel, and even the UK fight for reaching one year of continental fame in a combined display of questionable musical skills and regional geopolitics.

However, even if Europa Calling is a blog on cyber European issues and even if one of the semi-finals of this year’s Eurovision contest got hacked indeed, I am not here to speak about it, at least not this time. Its protection may be important for the pure cause of entertainment and sheer fun but not for the future of democracy.

As you can imagine, and now I’m getting serious, this post is about the 2019 European Elections; the ninth in the history of the Union and the first when this unique political experiment of continental cooperation has taken a clear stance to protect its democratic model. This electoral process, which has started today and will run until next Sunday, is one of the largest and most complex in the world, with more than 400 million people eligible to vote, 28 countries involved, and an intricate combination of voting systems and rules.

The 2019 elections have been widely considered as a plebiscite on the future of the European project, with a clear block of political parties pushing hard to boycott any plan for further integration (and even for dismantling the Union as a whole) and a more diffuse but larger one that either do not oppose the current model or pursues deeper integration (in the direction of the so-called United States of Europe).

But, apart from the political debates on the future of the Union, these elections are crucial because, for the first time, the EU institutions have adopted a firm position to protect the entire electoral process and the cleanliness of the democratic game. This strategy of active defence is based on a commonly accepted perception of threat against the EU model, from both external and internal actors.

The battle, as it is very much the case of most of the modern-world conflicts, is essentially played in cyberspace, and it ranges from disinformation and purely political attacks (the contents side) to the possibility of disruption and interference in the vote-counting and public reporting mechanism (the systems side). This dossier published this week by the prestigious Italian Institute for International Political Studies (ISPI) and this report from Microsoft’s EU Policy Blog offer a wide vision of the dimensions and implications of the threat.

Apparently, the contents side has been the one that has attracted more media attention in this electoral process. The background of the controversial 2016 US presidential election and the relevance of social media in the life of modern Europeans have surely helped there, but also the priority given by the EU authorities, more particularly, the EU External Action Service (EEAS), which has created – and budgeted for – specific action groups to face the challenge.

This media vigilance, together with the double ascertainment that disinformation campaigns rarely serve to change votes and that the European elections lack general interest (the average turnout has been below 50 percent since 1994), have probably led to a significant decrease in the volume of junk news in this voting process, as shown by this report from the Oxford Internet Institute (University of Oxford).

The systems side of the threat, however, is still there. And, in spite of the overall efforts taken by the member states to protect their voting infrastructure and communication networks (the approach here has been mostly national, due to the disparity of the electoral systems in place), we should not rule out a mutation of the attackers’ focus and even actual incidents and events of disruption.

The only possible strategy against this is a coordinated move towards measures for active defence, just as it has happened on the contents side. And this move has to be at the EU level.

The whole electoral system of the EU needs to be protected, from e-voting machines or postal voting mechanisms, to the online presence of political parties and candidates.

There, the multiplicity of electoral systems (closed vs open lists) and constituencies (local, regional-federal, national, EU Parliament, international, etc.) opens up a vast array of vulnerabilities and areas of exposure. In this sense, it is (sadly) very significant that none of the incumbent political groups at the EU Parliament has the basic protection of the DMARC standard implemented to protect their domains and. In fact, the two largest groups have not even implemented the minimum SPF protection level.

The current work of the Global Cyber Alliance to adapt its current cybersecurity toolkit for the protection of election offices, even if focused on US elections, is a good model for working on the systemic risks of the EU electoral system as a whole.

Only awareness, media attention and, especially, support from EU institutions will make a real difference, however. Let’s just hope that the activation of that side of the active defence of our democratic model does not start as a consequence of a major incident.

I wish all our EU friends a good voting second half of the week!

The author, Alejandro Fernández-Cernuda Díaz, is the Director of Communications and Marketing at the Global Cyber Alliance. You can follow Alejandro on Twitter @CyberDiplo or connect with him on LinkedIn