Introduction: (00:09)

Welcome back to another episode of ADR Speaks! My name is Divya Arora and I work as a Sr. Software Analyst at ADR. Today’s segment, is on “Growing need of robust cyber security during elections”. After listening our Prime Minister's speech on India’s Independence Day, where he made a crucial announcement that India will soon introduce a new cyber security policy, We thought why not share with you all What is cyber security, how relevant it is? Is our cyber security law adequate to deal with electoral malpractices?

Overview: (00:46)

The growing use of technology in the election process has made cyber security a crucial issue.

You must be thinking What is Cybersecurity?

Cyber Security is “Protection of information systems against unauthorized access to or modification of information while the goal is to protect our information and information systems from cyber threats.

Now question arises, what do we mean by term Cyber threats or what are Cybercrimes?

The term "cyber-crimes" is not defined in any statute or rulebook. The word "cyber" is slang for anything relating to computers, information technology, internet and virtual reality. Therefore, it stands to reason that "cyber-crimes" are offences relating to computers, information technology, internet and virtual reality.

One finds laws that penalise cyber-crimes in a number of statutes and even in regulations framed by various regulators. The Information Technology Act, 2000 ("IT Act") and the Indian Penal Code, 1860 ("IPC") penalise a number of cyber-crimes and unsurprisingly, there are many provisions in the IPC and the IT Act that overlap with each other.

Nowadays, Instances of the spread of fake news, manipulation of voter behaviour and hacking shows how digital technology can be mis-used. Digital technologies and the internet have affected how elections are conducted, including online voter registration. At the same time issues concerning cyber security have also emerged. Allegations of, and fears about, cyber meddling in election systems undermine confidence in the democratic process and threaten citizens' trust in voting. Protection and deterrence are necessary and reassuring voters of the importance and effectiveness of election cyber security policies is also critical. Achieving these objectives requires local, national, and international actions to strengthen cyber security in election systems and to elevate election integrity in cyber security policies and monitoring.

Relevance of the topic: (03:27)

 Electoral integrity is not only imperative for countries that are ruled by democracy, but it is also influential in enhancing public voters’ confidence and accountability.

The process of electing a new government is always fraught with impediment. Violence, booth capturing and identity erasure have been par for the course in elections past in India. This LokSabha time around though – the month-long process began on April 11, 2019– the threat inheres in digital technology.                                                                

With political parties using social media to drive communication strategies and data analytics for targeted political campaigns, the possibility of rogue actors and adversarial states exploiting digital technology to harm the integrity of the election process, cannot be ruled out.

A related problem has been the spread of ‘fake news’, particularly through the WhatsApp messaging platform. In the run-up to the elections, social media platforms have been full of false news posts, targeting Prime Minister Narendra Modi and other major political leaders. Tackling this issue has been challenging for India.

Some countries such as Estonia, Georgia or the Ukraine have already been exposed to cybersecurity threats to their electoral process for 10 years and more. However, it was only the widely debated cyber-related incidents that are thought to have influenced the 2016 US presidential elections that created broader awareness and attention of this topic. Within several months, this led to worldwide discussions on how to counter increasingly prominent risks of cyberattacks on elections and democracy in both young and established democracies.

Elections rely on varying combinations of manual and technology-based procedures. As neither truly non-hackable technology nor entirely tamper-proof manual processes exist, an essential task in election administration involves the management and mitigation of manipulation risks through a range of integrity, audit and control measures. While countries around the world have long-standing best practices for integrity measures for paper-based and manual processes, recent events have highlighted the need to address the risks that emerge from the ever-increasing use of technology in elections.

 A common misperception is that only countries with electronic voting or other high-profile election technologies are at risk of a cyberattack. However, all elections depend on information and communication technology (ICT) tools, from voter registration to an electoral management body’s (EMB’s) website. Therefore, while the type of cyber-risks, adversaries and attack vectors vary between countries, EMBs—as well as high-level office holders, security agencies and democracy assistance providers—now agree on the need to invest more in understanding, preventing and mitigating the risks that new technologies bring to democratic processes and elections.

A second misperception is that an EMB is the main (or even sole) agency responsible for cybersecurity in elections. However, cyberthreats against elections and democracy arise in a variety of forms that fall under the jurisdiction of many different actors:

• cyberattacks against election-related infrastructure aimed at breaching the confidentiality, integrity and availability of election technology and data;
• disinformation campaigns that attempt to undermine the credibility of the electoral administration and democratic institutions;
• cyberattacks against electoral stakeholders, parties, candidates, media and campaigns;

and • disinformation campaigns designed to shape the political debate.

Addressing these cyberthreats often requires more than the implementation of technical mitigation measures by the EMB or any other single entity.

 EMBs are commonly responsible for protecting the integrity of their own systems and for upholding the trust and credibility of their institution. Hacking attacks against electoral stakeholders, such as political parties and candidates, and undue influence over the political debate are more commonly a grey area over which other state agencies have jurisdiction; alternatively, there may be no regulation and/or clear mandate for countermeasures.

Election managers and stakeholders often have neither the resources nor the expertise to defend themselves from sophisticated cyberthreats. Cybersecurity expert bodies generally have limited electoral expertise, and may not always give high priority to defending against election-related threats. They may instead focus on protecting critical infrastructure such as the military, public utilities or highlevel economic targets from cyberattacks.

Therefore, more interagency collaboration is needed to pool the required resources and expertise; for developing a better mutual understanding of areas of responsibility, overlaps, gaps and points of contact; and for building holistic defences against both domestic and international cyberattacks on elections and democracy.

Twitter, Facebook and WhatsApp, where such malicious content is typically posted, have taken several deterrent measures. They introduced transparency standards for political advertising and clearly labelled content as ‘sponsored’ to distinguish it from that posted by regular users. They partnered with fact-checking websites, deploying Artificial Intelligence (AI), and appointed a grievance officer. A campaign they launched helps internet users verify content on social media platforms. They also work with the EC to implement a ‘Voluntary Code of Ethics’ to report details of political advertisements and prohibit any political canvassing-related content 48 hours before voting.

These are important steps, but still small compared to the scale at which malicious content is spreading through social media. Ten days before the elections on 1st April,2019, Facebook removed 687 pages from its platform for spreading misinformation – Facebook terms it ‘coordinated inauthentic behaviour’ – including some linked to the Indian National Congress (INC). Yet, such pages continue to proliferate in ever new avatars.

The spread of misinformation has been a perennial problem even before preparations for the upcoming elections. It surfaced in 2018, with incidents of violence associated with rumours about child lifting in which 29 people across 12 states lost their lives.

Way Forward: (11:57)

The government therefore needs to initiate additional measures for the long term. They can:

• convene an all-party initiative to design a code of conduct for using social media platforms, including for political campaigns and advertising. Animosity between political parties and lack of trust in the government may impede this;
• design a content code, specifically to tackle fake news, on the lines of India’s Programme and Advertising Codes for television, and provide an ombudsman for internet users to report objectionable content, like the Broadcasting Content Complaints Council, which examines content-related complaints against cable television. This will also avoid the bias which has crept into many social media companies’ content code.

While political parties have enthusiastically used social media to reach out to voters, some leaders are well-versed with the nuances of cyber security used in their political campaigns and the basics of cyber hygiene. In fact, cyber security figures as an issue in the election manifestos of only three parties – the BJP, INC and the Communist Party of India (Marxist). Of these, only the INC and CPI (M)have promised to take steps to counter the spread of fake news and punish those who misuse digital and social media.

Many of these issues will continue to matter well beyond the current elections.

During each phase of elections, the direct and indirect use of computers and other technology introduces a range of risks to electoral integrity. These pose threats to confidentiality, integrity, and availability of information and infrastructures concerning votes and voters, candidates and parties, and broader election processes.

If democracy must stay alive and well, the sanctity of the election process must be preserved.  And for this, electoral authorities should continue to give careful consideration to use of technology in the elections process if and where it demonstrably addresses a clear need, while carefully managing the resulting cybersecurity risks, with measures that are proportionate to the risk.

Ever newer threats will emerge as technology acquires newer sophistications – and the environment will need constant vigilance. For now, the noise and dust generated ought not to go in vain for technical reasons.

Closing Remarks: (15:03)

Well, that’s all for today’s episode. I hope you all found this useful and interesting. If you like our work, make sure you subscribe to the podcast on our website: adrindia.org and don’t forget to write to us at [email protected] with your feedback. We will be back in two weeks with another amazing episode. Please stay tuned and thank you for listening.

*****************