With cyber interference in elections going beyond hijacking the ballot box, the Election Commission must prepare to address all potential threats – both domestic and international.
On the morning of May 16, 2014, India woke up to a new government, a new prime minister and a historic mandate. The Bombay Stock Exchange’s Sensex closed on a record high. More than 200 million Indians had come online the same year. To many, this was our first social media and technology savvy election, but those in the thick of the game would know we had only seen the tip of the iceberg in leveraging technology and data to win political battles.
If the 2014 Indian general elections saw a tectonic shift in campaign strategy, 2019 and beyond will see only greater usage of sophisticated technologies and reliance on digital systems to fight and win the mandate of the people.
How will things change? It’s almost certain that big data will enable micro-targeting of the Indian voter, although some of this has been tempered by the Election Commission’s (EC) wise decision to refuse linkage of Aadhaar with voter IDs. Your Facebook likes will lead campaigns to push contextual ads and become sharply accurate markers for your voting preference. We are also almost certain to be hit by virtual avatars of candidates, interacting with us at the mall, in the cinema or at the train station.
On the other hand, our political discourse and elections will become more susceptible to outside influence, propaganda and leaks. While this new arena creates significant opportunities, it also leaves us open to being vulnerable in newer and more sinister ways. ‘Election hacking’ will likely become common parlance, whether a particular incident deserves it or not, and our democratic system will be tested like never before.
While there has been a good amount of debate around the safety of electronic voting machines and the privacy of Aadhaar data, there is not enough concern around protecting the sanctity of our political process. The global cyber epidemic, WannaCry, was a grim reminder of how easy it is for our infrastructure to become compromised.
Hacking and modern elections
Modern elections are ‘hacked’ in two broad ways. The first is through general interference in political affairs, where third-parties or foreign governments work to influence domestic narratives and discourse.
The second is through the use of leaks and espionage, where third-parties or foreign governments break into systems to interfere with the electoral system’s apparatus or to leak data.
A few weeks ago, national security focused news website Intercept released a classified NSA document outlining the depth of Russian state-sanctioned digital interference in foreign elections. There is worrying evidence that hacking moved beyond mere disinformation and political leaks to attacking the core American election infrastructure.
The 2016 American election is only the most recent example. There have been reports of massive online hacking of Latin American elections. Andrés Sepúlveda, the chief protagonist in a decade long story of Latin American election rigging, is currently serving a prison term in Colombia.
One can spy, one can steal and one can smear. Attacks can target confidentiality, integrity or availability of certain systems or data in the following ways:
- Stealing information – Campaign strategies, voter data, donor lists and general eavesdropping on competitors.
- Manipulating social media – Building false narratives and spreading propaganda (‘fake news’), sending misleading emails and texts.
- Malware/virus attacks – Installing and injecting hostile software in the digital infrastructure of opposing candidates.
- DDOS attacks – Defacing campaign websites or knocking them off the internet.
- Spoofed results – Hijacking the EC’s website and publishing wrong/misleading results.
- Leaks – Wikileaks-type disclosures (Russian hackers released Democratic National Committee documents which were unflattering to the party).
- Attack electoral infrastructure – Attack the systems of election officers and third party companies dealing with certain aspects of the election.
India in numbers
If the strongest nation in the world has shown to be vulnerable to such attacks, India needs to take notice. India is fast becoming a mobile and internet obsessed nation, with Indians spending 45% of their time on mobile phones. In India, the number of internet users in 2019 is projected to be over 520 million, over 50% of whom will be on Facebook. The penetration of smartphones is also projected to increase to 48% by 2019. In 2014, elections witnessed 540 million Indians exercise their right to franchise.
The first and biggest fear will be the spread of misinformation and fake news to manipulate the voter. This is a real concern when estimates already suggesting that social media could ‘swing’ 3%-4% of the vote in 24 ‘internet-active’ states.
But that is not all. As more of our political systems and processes come online, more kinds of threats will unravel. Several vulnerabilities and loopholes exist, including the databases of India’s political parties, the back-end operations of individual candidates, election war rooms and critical EC infrastructure.
It is likely India will witness the dark side of politics, delivered digitally. Imagine a malware attack that lets an Indian politician receive a copy of his opponent’s speech as it is being typed or the leaking of a political opponent’s campaign strategy, meeting and rally schedule.
Will future culprits be brought to book? Is the EC and the Indian state up to the task?
From cash for votes to digital hijacking
In the summer of 1984, in a county of Oregon, alleged followers of Indian guru Shree Rajneesh were arrested in an attempt to manipulate local elections. They brought in thousands of non-locals to register them as voters and they also tried to poison a portion of the voter base by spreading salmonella to lower the turnout come election day. The history of interfering in elections is long and littered with various lessons for future governments.
The 2016 election was the third alleged Russian interference in US elections starting with its efforts against former US president Harry Truman. From orchestrating an ousting of the Iranian PM in 1953 to supporting a violent military coup in Chile, researchers have found that foreign meddling can influence up to 3% of the vote with the major superpowers allegedly intervening in one out of every nine competitive elections between 1946-2000.
The playbook to help or hinder candidates has been in place for years. The earlier methods involved providing substantial funding, kidnappings, assassinations, offline propaganda and leaks.
While sabotaging or influencing elections is not new, the modern tools have changed. With the internet it has become cheaper, easier and faster to impact outcomes. As India gains greater influence in the global order and as more of India comes online, these threats will become real and palpable.
What can we do?
India was ahead of the curve when it came to adopting offline EVMs. The voter-verified paper audit trail will add a welcome layer of security and assurance. However, cyber threats go beyond hijacking the ballot box. Nothing prevents a country like China from building sophisticated offshore war rooms to influence and hack the Indian election process.
The EC is India’s pride. It is now time for it to face this new challenge. In conjunction with other authorities, it needs to take a series of steps.
Firstly, a digital code of conduct must be drafted. An election cybersecurity unit must be established, which can identify different types of threats (from fake news to malware) and mount an appropriate defence. Ideally, this unit will also review the security of all equipment purchased – from PCs and laptops to even USB drives.
Secondly, the EC must recognise that political cyber security is an integral part of national security. Election officers and political staffers must be trained in basic cyber hygiene and should create a clear protocol to report suspicious behaviour or breakdowns.
Thirdly, greater international cooperation with global tech giants and governments is a must. Precautionary steps are being taken by institutions and governments across the world and India must take note.
Lastly, India should fix the loopholes in its domestic legal framework. Domestic law should recognise and punish cyber interference in political and electoral outcomes. Reforms in IPC and IT Act 2000 are needed to better define ‘cyber-crime’ and formally recognise (but not punish) new menaces such as the generation and dissemination of politically-motivated fake news.
India must clearly articulate, domestically and more importantly internationally, that cyber interference in our elections is a violation of international principles of sovereignty. If we haven’t already, national security agencies should work with the EC to identify potential state-supported actors.
The intention of this piece is not to be alarmist or to state that the 2019 Indian elections will be manipulated by foreign entities. It is to explain that we are in a different place than 2008, when the world’s first digital politician (Obama) harnessed the power of the internet to galvanise a movement and create history.
Which is why, while the risk of fraud is worrisome, the perception of it is equally dangerous. Perceived illegitimacy about the process can undermine democracy in immeasurable ways. As the Indian political landscape gets ready for this new battleground, it is important to pay heed to the statutory warnings that always come with new toys. Elections in the 21st century are as much about software engineering as it is about geopolitics.
Vinayak Dalmia is an entrepreneur and social worker. He regularly writes on issues of politics, technology and law. He tweets @vinayakdalmia.