Canada’s electronic spy agency has warned the country’s political parties, candidates and news media that it is “highly probable” the increasing cyber threat activity against democratic processes around the world will be seen here.
In a report issued Friday the Communications Security Establishment (CSE), which looks after protecting federal networks, said specifically it expects “that multiple hacktivist groups” will very likely deploy cyber capabilities in an attempt to influence the democratic process — including disrupting political parties, candidates and the media — during the 2019 Canadian federal election. “We anticipate that much of this activity will be low-sophistication, though we expect that some influence activities will be well-planned and target more than one aspect of the democratic process.”
For example, it notes that in 2015 the hactivist group Anonymous leaked reports about the redevelopment of Canada’s key diplomatic centres in Britain.
The warning applies not just to federal political parties and candidates, but to local candidates as well.
Because federal elections are still largely paper-based and Elections Canada has a number of legal, procedural, and information technology measures in place which mitigate cyber threats, CSE doesn’t think it likely a federal vote will be tampered with. Instead it says the greater risk is to political parties — by DDoS attacks, defacing a Website, blackmail, tampering with a party voter database or releasing embarrassing material — and the media — by trying to inject false news.
The agency hasn’t yet seen nation-states using cyber capabilities to influence the democratic process in Canada during an election. Whether that remains the case for the next federal election depends on how other countries perceive our foreign and domestic policies, and on the policies of federal candidates, the report says.
“While there is a risk that cyber capabilities could be used to covertly change the vote count and lead to a different election winner,” says the report, “we assess that this would be very challenging for an adversary to accomplish if elections were conducted in a manner that includes cybersecurity best practices and paper processes that occur in parallel. In general, it is likelier that adversaries would use cyber capabilities to disrupt the voting process in order to sow doubt among voters about the fairness of the election.”
Daniel Tobok, CEO of Cytelligence, a Toronto-based cyber breach investigation firm, said “it’s refreshing to see them ringing the alarm and waking up people … People should not have a false sense of security.”
Satyamoorthy Kabilan, director of national security and strategic foresight at the Conference Board of Canada, called the report “astute,” noting “overt” cyber incidents during the recent U.S., French and German elections. Part of that is “fake news” spread through social media and regular news outlets to influence political discussions.
The challenge for reporters, he added, is verify where information is coming from.
The threat to provincial, territorial and municipal elections is “low,” says the report, although some local parties and the media “are likely to come under increasing threat from nation-states and hacktivists.”
Although a number of fingers have pointed at Russia for being behind the hacks at the Democratic Party in last year’s U.S. federal election — and the American intelligence agencies are unanimous that it did — and for alleged hacks and leaks before this year’s elections in France, the CSE makes no specific comment on Russia.
Tobok is among the experts who maintains attribution is difficult and there is no concrete evidence so far of any country being behind specific incidents. Kabilan said there’s no proof an election result has changed from political-related cyber incidents, there’s ample evidence public debate in some countries has been shaped by incidents like the Democratic Party breach.
The CSE report does note that so far this year 13 per cent of countries holding federal elections “have had their democratic process targeted.”
And Foreign Affairs Minister Christa Freeland told reporters on a conference call that cyber election interference is “an issue which has been discussed quite energetically at the NATO table and also at the G7 table.”
As a result of the report CSE this week will brief all federal parties on its findings as well as provincial and territorial chief electoral officers to share best practices and explain the report.
The report comes just before Public Safety Minister Ralph Goodale next week releases the results of a federal review of the government’s critical infrastructure protection strategy.
There are a number of ways threat actors can disrupt what the report calls democratic processes (including elections, political parties and politicians, and traditional and social media):
• Against elections, adversaries use cyber capabilities to suppress voter turnout, tamper with election results, and steal voter information.;
• Against political parties and politicians, adversaries use cyber capabilities to conduct cyberespionage for the purposes of coercion and manipulation, and to publicly discredit individuals;
• Against both traditional and social media, adversaries use cyber capabilities to spread disinformation and propaganda, and to shape the opinions of voters.
The report points out what any infosec pro knows: Attack tools are cheap and easily available. And it points out what any chief marketing officer knows: The rapid growth of social media makes it easier for adversaries to use cyber capabilities and other methods to inject disinformation and propaganda into the media and influence voters.
“Deterring cyber threat activity is challenging because it is often difficult to detect, attribute, and respond to in a timely manner. As a result, the cost/benefit equation tends to favour those who use cyber capabilities rather than those who defend against their use,” says the report. And, it adds, the obvious public successes cyber attacks have achieved so far only emboldens attackers and copycats.
The report casts a shadow over hopes that Internet voting and online voter registration could increase citizen participation in elections, unless government systems are attack-proof. In June 2016, the report notes, Arizona shut down its voter registration system for nearly a week after someone attempted to gain access to the system. The next month the Illinois state election agency took down its website for two weeks after discovering tens of thousands of voter records (including names, addresses, and driver’s licence numbers) were suspected to have been viewed by the someone outside the government.
But secure online democratic processes are being sought. At the recent Identity North conference a British Columbia deputy minister suggested anonymous online discussion forums might be welcome in his province because activists there have disrupted many public meetings.
Among the problems with online voting is verifying the identity of participants. It’s an issue that a number of countries are wrestling with, including the Digital ID and Authentication Council of Canada (DIACC). The council is building a Canadian digital identification and authentication framework to enable citizens to safely do a number of things online — including renewing passports — without having to produce paper documents.
Although its final work is still a year away, DIACC has created a proof of concept framework for proving residency, which could be used to verify an online participant’s right to be part of a forum needing proof of location (for example, an online meeting to discuss an issue in a municipal ward, or a province) without identifying the person by name.
Vancouver startup PlaceSpeak Inc. has leveraged some of this work to create what it calls a “location-based civic engagement platform” that a number of Canadian jurisdictions are already using.
Still, until DIACC’s framework is finalized and tested for elections Ottawa is unlikely to hold an online federal vote.