IV. Lessons from Other Democracies
Aside from the United States, other advanced and emerging democracies around the world are working to manage threats to their own election security, as well as creating strategies to manage digital repression and disinformation. These efforts form only one component of a larger debate happening around enhancing cybersecurity, which in turn suffers from a lack of clear definition. According to former General Michael Hayden, for example, “rarely has something been so important and so talked about with less clarity and less apparent understanding [than cybersecurity].”182 This Part surveys some of these efforts to help provide a framework for discussion in Part V, which in turn considers a range of potential reforms to help make democracy harder to hack.
A. European Union
This section begins by discussing EU protections for voting infrastructure. We next move on to analyze companion efforts from civil society, and the private sector.
182. Michael V. Hayden, The Future of Things Cyber, 5 STRATEGIC STUD. Q. 3, 3 (2011); see Karen O’Donoghue, Some Perspectives on Cybersecurity, INTERNET SOC’Y (Nov. 12, 2012), https://perma.cc/49V2-L5SW (noting that the Internet Society maintains that “as a catchword, cybersecurity is frighteningly inexact and can stand for an almost endless list of different security concerns, technical challenges, and ‘solutions’ ranging from the technical to the legislative”).
1. EU Efforts to Safeguard its Election Infrastructure
Europeans went to the polls in 2019 for the first time in five years for widely anticipated elections.183 Cybersecurity was a key concern going into the summer after a series of high-profile breaches and disinformation campaigns.184 For example, electoral websites in the Netherlands were targeted by denial-of-service (DoS) attacks in 2017,185 as was the elections oversight body in Bulgaria and the Czech Republic.186 Evidence is mounting as well of manipulation of the 2016 Brexit debate through the use of Facebook data.187 As revealed by whistleblower Christopher Wylie at a hearing in the European Parliament, it is “almost certain that systematic fraud and voter deception took place . . . [and that] Facebook’s system allowed it to happen.”188 Other recent examples include the release of thousands of internal documents of then French presidential candidate Emmanuel Macron prior to his 2017 election victory.189 However, unlike the DNC hack of 2016, this breach did not have a major impact on the French elections given that: (1) French media were prohibited from reporting on the breach within forty-four hours of the election; (2) the lack of a “thriving tabloid culture” in France as in the UK, or the equivalent of a Fox News Network; and (3) the actions of the Macron campaign in releasing faked documents to mislead the attackers.190 There have also been spear phishing campaigns aimed at “German Chancellor Angela Merkel’s Christian Democratic Union” party,191 along with successful cyber-attacks on the German parliament (Bundestag),192 and its federal data network.193 In those attacks, the hackers had worked their way so deep into the system that the entire Bundestag IT architecture had to be rebuilt.194 The breadth of these attacks remind us that a multifaceted approach is essential to the issues associated with influence, repression, and manipulation.
183. See John Borland, As Europe Went to the Polls, Cyber Election Efforts Paid Off, SYMANTEC (June 5, 2019), https://perma.cc/96WB-8NME (stating that the election hacks of 2016 contributed to the anticipation of the election cycle).
184 See id. (noting that Europe had a prodigious focus on cybersecurity during the election cycle).
185. See id.
186. See id.
187. See, e.g., Jane Mayer, New Evidence Emerges of Steve Bannon and Cambridge Analytica’s Role in Brexit, NEW YORKER (Nov. 17, 2018), https://perma.cc/NM8N-Y6RA (citing evidence of Facebook data being used to interfere with Brexit debate).
188. Freund, supra note 149.
189. See Andy Greenberg, Hackers Hit Macron with Huge Email Leak Ahead of French Election, WIRED (May 5, 2017), https://perma.cc/9UGY-97K7 (describing the “data dump” that occurred less than forty hours before France’s election).
190. See Rachel Donadio, Why the Macron Hacking Attack Landed with a Thud in France, N.Y. TIMES (May 8, 2017), https://perma.cc/425H-VQXE (explaining the “bereft coverage” of the hack).
191. Borland, supra note 183.
192. See Hack on German Government Network ‘Ongoing,’ DEUTSCHE WELLE (Jan. 3, 2018), https://perma.cc/AD9S-PNPK (discussing the hack on the German Parliament and the controversy surrounding the German government’s response).
193. See id. (reporting the cyber-attack on Germany’s main network).
194. See id. (“[S]ecurity officials were taken aback by the sophistication of the attack, which had exceeded levels of complexity previously seen.”).
To its credit, the European Union has taken a more proactive approach to managing the full range of cyber-enabled threats facing the integrity of its democratic systems including both election security and disinformation than the United States has managed to date. First, most EU nations have minimized the use of technology in elections, with the Netherlands rejecting the use of electronic voting machines (EVMs) entirely,195 France backing away from the use of online voting after 2016,196 and Germany stopping the use of EVMs due to a court order in 2005,197 just to name a few national actions. Among the more important of these is the Network Information Security (NIS) Directive, which was adopted by the European Parliament in 2016 and was the first comprehensive piece of EU wide cybersecurity legislation.198
195. See Borland, supra note 183 (“The Netherlands rejected the use of electronic voting machines in the 2000s, after studies showed they were susceptible to fraud.”).
196. See id.
197. See The Constitutionality of Electronic Voting in Germany, NDI, https://perma.cc/X5W3-7CG2 (“The German Constitutional Court upheld the first argument . . . that the use of [electronic] voting machines was unconstitutional.”).
198. See Council Directive 2016/1148, 2016 O.J. (L 194) 1.
The NIS Directive requires that EU Member States work in cooperation199 to improve cybersecurity risk management.200 Unlike other attempts to combat cyber related issues, the NIS Directive expects nations to exchange information through Cooperation Groups, which may be considered a form of international ISAC.201 Of particular note to the readers, the 2018 Compendium on Cyber Security of Election Technology summarized a wide array of election security best practices, including: “[A]nti-DoS protections, access control and authentication procedures for election IT systems, digital signatures and duplicate data-entry practices to ensure data integrity, network flow analysis and logging procedures, and network segmentation.”202
Despite the progress, it is important to note the Compendium takes a balanced, realistic approach to embracing cybersecurity. As pointed out by the report, despite the widespread use of analogue practices and paper ballots, cyber threats are not eliminated given that these same jurisdictions may still “rely on electronic solutions for voter and candidate registration, vote counting or the communication of the results” that could be susceptible to cyber-attacks, along with the myriad other risks shown in Table 1.203 As such, the EU also embraces the use of risk-limiting audits that both monitor and ensure robust election security; however, these remain to be widely implemented across the EU.204
199. See id. at 1–2 (“A Cooperation Group, composed of representatives of Member States, the Commission, and the European Union Agency for Network and Information Security (‘ENISA’), should be established to support and facilitate strategic cooperation between the Member States regarding the security of network and information systems.”).
200. See A Cyber Security Framework for Europe, CORDIS, https://perma.cc/3UZY-WNJ5 (last updated Aug. 5, 2014) (discussing the EU’s plan to enhance cybersecurity).
201. See Council Directive 2016/1148, supra note 198, at 11 (creating Cooperation Groups to facilitate cooperation and the exchange of information).
202. Borland, supra note 183. The EU’s groundbreaking General Data Protection Regulation (GDPR) is also a relevant and useful regime to better protect personal data, including with regards to political preferences. This is an expansive regulatory regime with a wide array of requirements on covered firms ranging from ensuring data portability and consent to mandating that firms disclose a data breach within seventy-two hours of becoming aware of the incident and then conducting a postmortem to ensure that a similar scenario will not recur. See Top 10 Operational Responses to the GDPR, INT’L ASS’N PRIV. PRO., https://perma.cc/Y3MM-LMH7 (providing access to different commentary related to the GDPR). However, some nations have been criticized by the likes of Privacy International for creating exceptions to GDPR safeguards for political parties. See Ailidh Callander, GDPR Loopholes Facilitate Data Exploitation by Political Parties, GDPR TODAY (Mar. 25, 2019), https://perma.cc/ECG4-SAMV.
203. COMPENDIUM, supra note 33, at 9.
204. See id. at 25 (“Testing and auditing are the cornerstones of network and information system security, as they are the only methods of gaining a practical assurance of functionality and security. Therefore, testing and auditing need to take a comprehensive and multifaceted approach.”).
2. EU Efforts to Combat Digital Repression
As highlighted in Part II, faith in the democratic process also demands a firm commitment to combatting digital repression, including the need to manage disinformation. For example, in 2018, then President of the European Commission Jean-Claude Juncker said: “We must protect our free and fair elections.”205 As such, the EU Commission proposed new rules building from the work of the Compendium to “better protect our democratic processes from manipulation by third countries or private interests.”206 In particular, in 2018 the European Commission pushed Facebook, Google, and Twitter to sign the“Code of Practice on Disinformation,”207 committing them to boost “transparency around political and issue-based advertising.”208
This initiative was groundbreaking since the technology industry agreed “to self-regulatory standards to fight disinformation.”209 Among other provisions, the Code requires signatories to cull fake accounts, create safeguards against misrepresentation, and the misuse of automated bots, along with empowering consumers and the broader research community.210 In response, these firms have set up “searchable political-ad databases” and have begun to take down “disruptive, misleading or false” information from their platforms, and to reject ads that are inconsistent with election integrity policies.211 In 2019, Twitter rolled out a reporting feature in which individuals can report a tweet with misleading information by clicking on a drop down menu, select “It’s misleading about voting,” choose an option that explains how the tweet is misleading, and submit the report to Twitter.212 Unfortunately, this did not seem to have the impact desired, as several organizations reported EU election hashtags, such as EUElections2019, still “received a high level of suspiciously inorganic engagement.”213 Similarly, an activist group called Avaaz found that, despite these efforts, that there were more than “500 far-right and anti-EU Facebook pages and groups” being followed by some thirty-two million people.214
205. European Commission Press Release IP/18/5681, State of the Union 2018: European Commission Proposes Measures for Securing Free and Fair European Elections (Sept. 12, 2018), https://perma.cc/4RF2-7P7P.
206. Id.
207. European Union, Code of Practice on Disinformation (2018) https://perma.cc/9C26-HL67 (PDF) [hereinafter Code on Disinformation].
208. Id.; see Borland, supra note 183 (noting that Microsoft has also expressed its desire to join the Code).
209. Code on Disinformation, supra note 207.
210. See id. (listing requirements to protect against disinformation).
211. Id.
212. See Foo Yun Chee, Twitter Unveils New Tool Against EU Elections Meddlers, REUTERS (Apr. 24, 2019), https://perma.cc/L3WS-4MJX (explaining the new reporting feature).
213. Kevin Townsend, Research Shows Twitter Manipulation in Weeks Before EU Elections, SEC. WEEK (May 28, 2019), https://perma.cc/Q37M-CR8B.
214. Borland, supra note 183.
In a similar regulatory vein, the Commission underscored the need for greater transparency in online political advertisements and targeting.215 It also sought further regulation of online advertising campaigns such as by “disclosing which party or political support group is behind online political advertisements as well as by publishing information on targeting criteria used to disseminate information to citizens,”216 and even called for national sanctions for the failure to comply with the new disclosure requirements.217 And, to address potential difficulties arising from cyberinfrastructure issues in elections, the Commissions called for the creation of a Network of Cybersecurity Competence Centers, in cooperation amongst the EU Member States, to better target and coordinate available funding for cybersecurity cooperation, research and innovation.218
215. See Townsend, supra note 213 (discussing the “large scale political social engineering through social media”).
216. European Commission Press Release IP/18/5681, supra note 205.
217. See id. (noting that the sanctions would be imposed for the illegal use of personal data to influence the outcome of European elections).
218. See Commission Proposal for a European Cybersecurity Competence Network and Centre, COM (2018) 630 final (Sept. 19, 2018), https://perma.cc/T2YS-CYKR (PDF) (“[T]he initiative will help to create an inter-connected, Europe-wide cybersecurity industrial and research ecosystem.”).
In a more widespread regulatory initiative, in June of 2019, the European Commission produced a report on the implementation of the Action Plan Against Disinformation (“Report”).219 The Action Plan proposes a set of actions that should further enable a joint and coordinated EU approach to addressing disinformation. The Action Plan focuses on four pillars:
- (1) Improving the capabilities of the Union’s institutions to detect, analyze, and expose disinformation;
- (2) Strengthening coordinated and joint responses by EU institutions and Member States to disinformation;
- (3) Mobilizing the private sector to tackle disinformation; and
- (4) Raising awareness about disinformation and improving societal resilience.220
Within these pillars are previously unexplored areas of enhancements, which are not often considered within the context of cybersecurity. For example, in the area of communications, the European Commission declared the importance of supporting quality journalism as an essential element of a democratic society and “[c]ountering internal and external disinformation threats through strategic communication” while safeguarding the diversity and sustainability of the European news media ecosystem.221
219. See generally Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions Concerning the Tackling of Online Disinformation, COM (2018) 236 final (Apr. 26, 2018), https://perma.cc/C847- EPFX (PDF) [hereinafter Tackling Disinformation].
220. See Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions Action Plan against Disinformation, at 5, COM (2018) 36 final (May 12, 2018), https://perma.cc/R8TE-L5CP (PDF) (stating the four pillars).
221. See Tackling Disinformation, supra note 219, at 15. Building a more knowledgeable, media-savvy user, though, is no simple matter. Trust in media outlets takes time to build. We attach a given level of trust to an outlet based on our view of the institution, the organization, and our prior experience with the individual reporter. Yet, in the digital world, journalists proliferate, and no system of verifiable trustworthiness yet exists.
The Action Plan encourages a “more transparent, trustworthy and accountable online ecosystem” while “fostering education and media literacy” to secure resilient election processes.222 Key to this plan is the improvement of societal resilience in Europe and beyond to foster critical thinking and media-literate citizens.223 This requires focus to be placed on improving the detection, analysis, and exposure of disinformation by investing in digital tools, data analysis skills, and specialized staff as well as strengthening efforts to assess the reach and impact of disinformation.224 To accomplish such a lofty goal across the European Union, the Members will necessarily need to strengthen their cooperation and joint responses to disinformation as described above.225
One such attempt at coordination exists in the EU’s Rapid Alert System.226 The system is designed to provide warnings on disinformation campaigns in real-time and national contact points for disinformation in the Member States.227 It is designed to share real-time warnings, react and ensure coordination between EU capitals and Brussels, and has been active since March 2019.228 A joint EU sanctions regime goes along with the early-warning system to better deter adversarial nations such as Russia from interfering with European Parliament elections,229 though the effectiveness of this approach has been called into question.230 In short, criticism has arisen that “[i]t’s not rapid. There are no alerts. And there’s no system.”231 Core issues—such as the level at which an alarm should be sounded and how to incentivize robust, real-time information sharing—remain to be resolved.232
222. Id. at 12.
223. See id. (“The life-long development of critical and digital competences, in particular for young people, is crucial to reinforce the resilience of our societies to disinformation.”).
224. See id. at 9 (noting that “[a]n effective response [to disinformation] requires a solid body of facts and evidence on the spread of disinformation and its impact” and advocating for “[a]dditional data gathering and analysis by fact-checkers and academic researchers”).
225. See supra notes 183–204 and accompanying text.
226. See European Commission Memo/18/6648, Questions and Answers—The EU Steps Up Action Against Disinformation (Dec. 5, 2018), https://perma.cc/596S-YW36 (PDF) (rationalizing the planned system by noting that “[a] strong European response requires Member States and EU institutions to work together much more closely, and to help each other understand and confront the threat”).
227. See id. (outlining the system’s goals and defining disinformation as “verifiably false or misleading information that is created, presented and disseminated for economic gain or to intentionally deceive the public—distorts public debate, undermines citizens’ trust in institutions and media, and even destabilises democratic processes such as elections”).
228. See Report on the Implementation of the Action Plan Against Disinformation, at 2–3, JOIN (2019) 12 final (June 14, 2019), https://perma.cc/7UYU-PRS8 (PDF).
229. See id. at 8 (describing the recent adoption of legal measures providing for sanctions to deter and respond to cyber-attacks).
230. See Matt Apuzzo,* Europe Built a System to Fight Russian Meddling. It’s Struggling*., N.Y. TIMES (July 6, 2019), https://perma.cc/G5UR-TDVA (highlighting disagreement over the success of the Rapid Alert System and noting critiques that the system is hampered by internal politics and incomplete, disorganized data collection).
231. Id.
232. See id. (noting that disagreement over when to sound an alarm has led to no alerts being issued and that only one-third of European nations contributed information to the system before the 2019 European Parliament elections). Further, and ahead of the European Parliament elections, in April 2019 ENISA hosted a “war game” that was focused on identifying governance gaps and deepening ties to aid in regional election security efforts. Such efforts can help train election officials across the EU, though much more remains to be done help get local staffers up to speed, which is a similar issue facing many campaigns and election boards in the United States. That is why the Harvard Kennedy School’s Belfer Center on Science and International Affairs, for example, has focused on training these officials on the basics of cyber hygiene and election security best practices. For further discussion of the Belfer Center’s work in this area, see BELFER CTR. FOR SCI. & INT’L AFFS., HARVARD KENNEDY SCH., THE STATE AND LOCAL ELECTION CYBERSECURITY PLAYBOOK (2018), https://perma.cc/7SK2-SYLP (PDF).
At its most basic, the Report fails to “cover the issue of domestic or non-state actors in any substantive way or provide any real solutions.”233 Yet it is overly simplistic to believe all misinformation is produced from foreign actors, as was discussed in Part II. The Report’s failure to appreciate the nature and varied sources of potential actors is a significant limitation.234 Moreover, there has been little to suggest that the reporting to date has been as robust or useful as originally hoped.235 Nonetheless, the report and various initiatives are noteworthy first steps to improve the EU’s election cybersecurity, steps that other nations are watching closely.
B. Illustrative Examples: Australia, Oceania, and Asia
This section builds from the comparative transatlantic case study outlined above with illustrative examples from how other advanced and emerging democracies are both protecting their election infrastructure and working to fend off digital repression. We begin by examining Australia, before moving on to several examples from Oceania and Asia before summarizing our key findings and moving on to policy implications.
233. Jakub Kalenský,* Evaluation of the EU Elections: Many Gaps Still Remain,* DISINFO PORTAL (June 24, 2019), https://perma.cc/3TGJ-2LFC (last updated Sept. 3, 2019).
234. See id. (“If we do not know how many channels hostile actors control, how many messages they spread, and how many people they manage to persuade, how can we talk about proportional defense?”).
235. See id. (stating that in private conversations EU Member State representatives report that “many countries apparently still lack their own monitoring systems for the disinformation ecosystem, and . . . the RAS is barely used”); James Pamment, The EU’s Role in Fighting Disinformation: Taking Back the Initiative, CARNEGIE ENDOWMENT FOR INT’L PEACE (July 15, 2020), https://perma.cc/EFF6-UXM8 (arguing that the EU’s current disinformation policy is “characterized by . . . a weak evidence base” and that “a lack of trust between member states has led to low levels of information sharing and engagement”).
1. Australia
Australia, like EU Member States, the U.S., and other democracies throughout Oceania, is no stranger to disinformation campaigns and other attempts to subvert its democratic institutions.236 The threats to Australian democracy do differ in several notable ways, though, from the nation’s other Western peers.237 For example, voting is mandatory in Australia,238 and the major parties in Australia must agree on boundary lines.239 This thereby reduces some of the common issues that can arise in the context of broader U.S. democracy preservation conversations.240 The process of voting is also distinct from its American and even some European counterparts.241 For example, all Australians vote on paper, their votes are tallied by hand, and a robust Electoral Commission oversees the process to check for irregularities.242 Australia has also taken the affirmative step of designating its political parties as critical infrastructure, similar to the U.K.’s approach,243 along with investing in efforts to guard Australians against information warfare using micro-targeting.244 The U.S., on the other hand, continues to rely on outdated technologies and systems despite years of warnings, as was discussed in Part III. Yet even these safeguards cannot inoculate Australia, the U.S., or any nation against the full range of attacks designed to influence public opinion, interfere with politicians, and the media.245 For example, in February 2019, despite these efforts, the Australian Parliament was breached by a state-sponsored cyber-attack allegedly from China.246
236. See Stephanie Borys, China’s ‘Brazen’ and ‘Aggressive’ Political Interference Outlined in Top-Secret Report, ABC NEWS (May 29, 2018), https://perma.cc/7URJ-E6MU (last updated May 29, 2018) (describing the release of an intelligence report from the Australian government concluding that the Chinese government had attempted to infiltrate all levels of the Australian government for years).
237. See Scott J. Shackelford & Matthew Sussex, How Australia Can Help the US Make Democracy Harder to Hack, CONVERSATION (Sept. 27, 2018, 6:35 AM), https://perma.cc/E289-3B5X (observing that threats to Australia’s voting system may largely relate to the government’s centralization of the system, while threats to voting in the U.S. are tied to the privatization and decentralization of voting).
238. See id. (discussing Australia’s voting system).
239. See id. (stating that the major parties agree on electoral boundaries to prevent gerrymandering); Rodney Smith, Chapter 8: Drawing Electoral Boundaries, ST. LIBR. N.S.W., https://perma.cc/S65W-WLCR (last updated Apr. 2019) (explaining how Australia draws its electoral boundaries).
240. See Shackelford & Sussex, supra note 237 (arguing that Australia’s mandatory voting law means that “there aren’t thorny political battles over who is allowed to vote,” and that party agreement on electoral boundaries prevents gerrymandering); Smith, supra note 239 (observing that the involvement of state legislatures in drawing electoral boundaries in the U.S.“means that American redistribution processes are much more involved with party politics than they are in Australia”).
241.* See* Shackelford & Sussex, supra note 237.
242. See id.; Counting the Votes, AUSTRALIAN ELECTORAL COMM’N, https://perma.cc/8HBG-AMNB (last updated Dec. 3, 2019) (outlining the Australian ballot tabulation process).
243. See Press Release, Scott Morrison, Prime Minister of Austl., Statement to the House of Representatives on Cyber Security (Feb. 18, 2019), https://perma.cc/5LE8-CPAB (declaring that “Australia’s democratic process is . . . our most critical piece of national infrastructure” and announcing that the Australian Cyber Security Centre was ready to provide immediate support to any political party).
244. See Shackelford & Sussex, supra note 237 (“Australia has decided to invest early to guard against future information warfare, such as micro-targeting audiences with tailor-made messaging and machine learning-enhanced deepfake videos.”).
245. See, e.g., Aaron Patrick, Sam Dastyari is a Chinese ‘Agent of Influence’: Ex-Intelligence Chief, FIN. REV. (Dec. 3, 2017, 11:00 PM), https://perma.cc/ETE6-5WCV (last updated Dec. 4, 2017) (“A top former intelligence official believes there is evidence that Labor senator Sam Dastyari was deliberately targeted by the China government to advance its interests in Australia.”).
246. See China Rejects Australian Parliament Cyber Attack Claims as ‘Baseless’ and ‘Irresponsible,’ ASSOCIATED PRESS (Feb. 18, 2019, 3:39 PM), https://perma.cc/ML5T-PC95 (reporting that Australian cyber experts were investigating a sophisticated cyber-attack on the “Liberal, Labor and National party platforms . . . [that occurred] during a breach of the Australian Parliament House network”).
Australia has no rapid-alert system or code of conduct of the kind being tried in the EU to better manage the spread of disinformation.247 It did, however, sign both the Paris and Christchurch Calls, which are discussed further below, further isolating the United States as the only member of the Five Eyes intelligence sharing partners to stay out of these agreements.248
247. See Daniel Funke & Daniela Flamini, A Guide to Anti-Misinformation Actions Around the World, POYNTER INST., https://perma.cc/2MPG-DWP9 (last updated Aug. 13, 2020) (describing the Australian government’s work to stop misinformation, including the establishment of a government task force and implementation of a media literacy campaign).
248. See World Leaders and Tech Giants Sign Ardern’s ‘Christchurch Call’to Curb Online Extremism, SBS NEWS (May 16, 2019), https://perma.cc/G433-QEUS (describing the Christchurch Call’s goal of engaging major techcompanies in the effort to “stamp[] out violent extremist content on the internet” and highlighting that the U.S. was not among the eighteen government signatories); The Supporters, PARIS CALL, https://perma.cc/R6NJHYCU (listing signatories to the Paris Call for Trust and Security in Cyberspace); Our Values: Collaboration, OFF. OF THE DIR. OF NAT’L INTEL., https://perma.cc/JF8T-ET53 (explaining that the “Five Eyes” group is a“long-lasting intelligence collaboration” between the U.S., United Kingdom, Canada, Australia, and New Zealand that developed after World War II).
2. Oceania
Examining the regional context surrounding Australia is a useful exercise to better understand the unique approaches being taken by developing nations in response to the cyber threats they face.249 Given the lack of attention in the area relative to other more often studied cyber powers, such a study is vital to help build resilience, and trust, in democratic systems of strategic significance in the South Pacific.250
As for election infrastructure, Pacific island nations’ election infrastructure and security efforts across Oceania range from quite sophisticated to relatively immature. New Zealand, for example, has a fairly robust, formal election infrastructure,251 while in others—such as the Federated State of Micronesia, Kiribati, Tuvalu, and Vanuatu—there is little election infrastructure to monitor.252 Yet many of the nations comprising Oceania do rely on paper ballot voting systems similar to the EU, are geographically isolated, and with the exception of New Zealand, have relatively small populations with historical connections to well-established democracies—namely the British Commonwealth, and the United States.253
249. See, e.g., David Shullman, Protect the Party: China’s Growing Influence in the Developing World, BROOKINGS INST. (Jan. 22, 2019), https://perma.cc/W7KN-QDYU (noting that China continues to grow its influence among Indo-Pacific countries, partly by manipulating the information space in the region).
250. This case study stems from the work of talented graduate students who worked together under the supervision of Professor Shackelford on a capstone team investigating election security in Spring 2019. These students include: Coryn Blacketer, Will Bobe, Bill Boger, Colin Darnell, Caellaigh Klemz, Janaki Reddy Gaddam, Kayla Hill, Tony Kelly, Jonathan Schubauer, and Aaron West. Jonathan Schubauer took the lead in summarizing their work for this Article.
251. See ONLINE VOTING WORKING PARTY, ONLINE VOTING IN NEW ZEALAND: FEASIBILITY AND OPTIONS FOR LOCAL ELECTIONS 12–16 (2014), https://perma.cc/925F-Z5F7 (PDF) (providing an overview of New Zealand’svoting systems and infrastructure); see also Dylan Matthews, 3 Reasons Why New Zealand Has the Best-Designed Government in the World, VOX, https://perma.cc/6J5W-GC5E (last updated Jan. 16, 2015) (explaining New Zealand’s mixed-member proportional representation electoral system and unicameral legislative structure).
252. See IND. UNIV. & AUSTL. NAT’L UNIV., MAKING DEMOCRACY HARDER TO HACK 76 (2019), https://perma.cc/E3WH-MMYM (PDF) (summarizing findings from case studies of election security efforts and election infrastructure in Pacific Island nations).
253. See Stewart Firth, Instability in the Pacific: A Status Report, LOWY INST. (June 4, 2018), https://perma.cc/E2TH-MH5S (outlining trends in demographics, urbanization, and democracy in the Pacific Islands).
The Russian hacking efforts during the 2016 U.S. presidential campaign were direct and intensive.254 In contrast, Chinese efforts in Australia and throughout Oceania have been more indirect. 255 Although China denies this, it is asserting itself militarily and economically throughout Oceania in an attempt to challenge the global reach and power of the United States, particularly in the Pacific.256 In fact, there is little evidence of extensive hacking, instead China has sought to influence policy through economic assistance and political contributions to candidates and parties,257 a strategy which these nations have yet to effectively defend against in an integrated manner similar to the EU Code for Disinformation discussed above.258
254. See supra notes 107–108 and accompanying text.
255. See, e.g., Shullman, supra note 249 (discussing China’s efforts to increase its global influence by funding infrastructure projects and “manipulating the information space to [its] advantage” in low-income countries).
256. See NADÈGE ROLLAND, CHINA’S EURASIAN CENTURY? 93–120 (2017) (theorizing that China is using its Belt and Road Initiative to “increase its own regional influence” and thereby prevent the United States from increasing American influence in the region).
257. See Shullman, supra note 249 (arguing that China’s approach to developing nations is largely driven by a need to protect the integrity and reputation of the Chinese Communist Party).
Despite the lack of a regional strategy, there are already several efforts underway in the South Pacific to buttress cyber-threat information sharing. For example, as part of Australia’s “International Cyber Engagement Strategy,” the Pacific Cyber Security Operational Network (PaCSON) was established in April 2018.259 PaCSON is intended to foster cooperation among South Pacific island nations by providing a mechanism to share cybersecurity threat information and defensive tools, techniques and ideas.260 At its core, PaCSON consists of a network of government-appointed cybersecurity incident response experts from Australia, the Cook Islands, Fiji, Kiribati, the Marshall Islands, New Zealand, Niue, Palau, Papua New Guinea, Samoa, the Solomon Islands, Tokelau, Tonga, Tuvalu, and Vanuatu.261 However, there is no existing or planned formal or informal regional structure in the South Pacific dealing with the security of election infrastructure.262
3. Asia As with Oceania, democracies across Asia are also dealing with election insecurity and disinformation.263 While this Article does not seek to fully address the myriad of threats to election infrastructure across Asia, it is worth briefly noting three trends in managing the twin threats of election integrity and disinformation. First, unlike efforts in the U.S., EU, or Australia, Asian democracies have been willing to criminalize the spreading of misinformation. Malaysia, for example, has criminalized the sharing of misinformation.264 Myanmar and Thailand have leaned on law enforcement actions to reign in misinformation, which have been abused in some cases to silence critics of public corruption.265
258. See supra notes 207–208 and accompanying text.
259. Pacific Cyber Security Operational Network (PaCSON), AUSTL. GOV’T DEP’T OF FOREIGN AFFS. & TRADE, https://perma.cc/RNC2-PNDS.
260. See id. (“PaCSON enables cooperation and collaboration by empowering members to share cyber security threat information, tools, techniques and ideas between nations.”).
261. See id. (listing its members).
262. See IND. UNIV. & AUSTL. NAT’L UNIV., supra note 252, at 101 (explaining existing regional efforts dealing with cyber security and recommending the adoption of a “cohesive Pacific regional cybersecurity group”).
263. See, e.g., Allie Funk, Asia’s Elections Are Plagued by Online Disinformation, FREEDOM HOUSE (May 2, 2019), https://perma.cc/GYD3-GHGZ (“Parties and candidates across the region have turned to content manipulation as a preferred campaign tactic.”).
264. See *Funke & Flamini, *supra note 28 (“The law makes publishing or sharing fake news punishable by up to six years in jail and a fine of 500,000 ringgit ($128,000). It also makes online service providers more responsible for third-party content [and] affects foreign news outlets reporting on Malaysia . . . .”).
265. See id. (reporting that in 2018 Myanmar authorities jailed three journalists for publishing a story about the regional government and that since 2018 Thai officials have increasingly targeted people who allegedly spread false information on social media); Tactics to Fight Disinformation in Thailand, Indonesia, Japan, the Philippines and India, GLOB. GROUND MEDIA (Apr. 23, 2019), https://perma.cc/BG89-JPZ8 (noting fears that Thailand’s military junta would use combating misinformation on social media as a screen for increased censorship of political dissent).
Second, there has been focused attention on this issue from the highest levels of national leadership. In Indonesia, for example, President Joko Widodo spearheaded the creation of the new National Cyber and Encryption Agency to combat disinformation in their elections.266 One example was in June 2019, when a member of the Muslim Cyber Army was arrested in Java for posting misinformation to the effect that the Indonesian government was being controlled by China.267
Third, it is apparent that more nations are using increasingly heavy-handed tactics to clamp down on internet freedoms in the name of fighting disinformation. The problem of disinformation in India, for example, is so severe that it has been likened to a public health crisis.268 One Microsoft study, for example, found that 64 percent of Indians encountered disinformation online in 2019, which was the highest proportion among twenty-two surveyed countries.269 Not only have these incidents affected elections such as by spreading false information about candidates on WhatsApp,270 but they have led to real-world harms including at least thirty-three deaths and sixty-nine instances of mob violence.271 In response, the Indian government has shut down the internet more than one hundred times over the past year,272 and has proposed laws that would give it largely unchecked surveillance powers, mirroring Chinese-style internet censorship.273
266. See Funke & Flamini, supra note 28 (reporting that “the agency was hiring hundreds of people to ‘provide protection’ to institutions online,” although the specific parameters of its authority were “still unclear”).
267. See id. (noting that man was “charged with spreading fake news and hate speech”).
268. See Samir Patil, India Has a Public Health Crisis. It’s Called Fake News., N.Y. TIMES (Apr. 29, 2019), https://perma.cc/CV4B-64FZ (arguing that India should implement citizen education campaigns modeled on successful public health campaigns in order to combat widespread disinformation).
269. Microsoft Releases Digital Civility Index on Safer Internet Day, MICROSOFT (Feb. 5, 2019), https://perma.cc/QRD8-UJTS.
270. See Patil, supra note 268 (reporting that police linked a fake video that was shared on WhatsApp to the deaths of 62 people in sectarian violence and the displacement of 50,000 more six months before India’s general elections in 2014).
271. See Child-Lifting Rumours Caused 69 Mob Attacks, 33 Deaths in Last 18 Months, BUS. STANDARD, https://perma.cc/89LK-TZ7P (last updated July 9, 2018) (reporting that between January 2017 and July 2018 rumors of “child-lifting” spread on Indian social media led to dozens of mob attacks on suspected abductors and thirty-three deaths).
272. See Funke & Flamini, supra note 28.
273. See Vindu Goel, India Proposes Chinese-Style Internet Censorship, N.Y. TIMES (Feb. 14, 2019), https://perma.cc/L48R-MPA8 (explaining that the proposed rules would allow officials to demand that social media sites remove particular categories of content, build automated screening tools to block “unlawful information,” and provide authorities with greater access to individual user accounts on messaging platforms).
C. Summary
As is apparent from these case studies and illustrative examples, there is divergent state practice with regards to both the protection of election infrastructure and the use of digital repression. The area of greatest convergence seems to be the recognition that paper ballots, or at the least EVMs using paper trails, are vital to building confidence in the outcome of an election.274 Fewer jurisdictions that we could identify have taken the next step of requiring risk-limiting audits or have reclassified their election infrastructure or political parties as “critical.”275 These findings are summarized in Table 2 and are unpacked further in Part V.
274. See, e.g., Schwartz, supra note 150 (“The key insight behind auditing as a cyber defense is that if you have a paper record that the voter got to inspect, then that can’t later be changed by a cyber-attack.”).
275. See infra Table 2.
Table 2: Summary of Surveyed Nation-State Efforts to Protect Election Integrity
| | United States | European Union | Australia | Asian Democracies | Oceania |
Paper Ballots | Fourteen U.S. states use voting machines without a paper trail as of 2019 | Major EU Member States including Germany and the Netherlands use paper ballots | Paper ballots in national elections | India (EVMs with paper trail), Japan | New Zealand, Micronesia, Fiji, Kiribati, Palau, Marshall Islands, Papa New Guinea, Samoa, Solomon Islands, Tonga, Tuvalu |
RiskLimiting Audits | Four U.S. states (Colorado, Rhode Island, Nevada, and Virginia) 276 | Suggested, but not required under 2018 EU Compendium | No | Unclear | No |
International Cooperation | Intelligence sharing through Five Eyes | Required under NIS Directive for EU Member States | Intelligence sharing through Five Eyes | ASEAN | PaCSON |
Digital Repression | No integrated strategy | EU Code of Practice on Disinformation; EU Rapid Alert System | Electoral Integrity Assurance Task Force | Thailand and Myanmar criminalize the sharing of misinformation | No integrated strategy |
Election Infrastructure Classified as “Critical” | Yes | Estonia | No | Unclear | No |
Political Parties Classified as “Critical” | No | United Kingdom | Yes | Unclear | No |
Table of Contents
- I. Introduction
- II. Unpacking the Cyber Threat to Democracies
- III. U.S. Efforts to Protect Democratic Institutions
- IV. Lessons from Other Democracies
- V. Implications for Policymakers
- VI. Conclusion