By Merle Malgre, for CEPA
Ukrainian President Volodymyr Zelenskyy is in a hurry to reform the country. Cybersecurity seem to be high on the agenda. And rightly so, as Ukraine is known to be a test-bed for the Kremlin’s cyber offense. As Politico wrote, “open warfare with Russia, a highly-skilled, computer-literate pool of talent and a uniquely vulnerable political, economic and IT environment have made the country the perfect sandbox for those looking to test new cyberweapons, tactics, and tools.” All this activity spiked ahead of presidential elections in March earlier this year. So what can the rest of the world learn from Ukraine?
Why care about elections in Ukraine?
Cybersecurity has a significant influence on the stability of Ukraine, particularly during elections. Election interference has become a new domain for those who wish to suppress or interfere with the key democratic process in Ukraine. Five years ago, Ukrainian electoral IT systems were the target of numerous attacks. During the 2014 presidential election, hackers infiltrated workstations of the Central Election Committee (CEC) and destroyed various files, including those necessary for vote tabulation.
On 21 May 2014, pro-Russian hacktivist group CyberBerkut disabled the core CEC network elements and numerous components of the election system. For nearly 20 hours, the Vybory system, which is one of the two central IT systems for elections in Ukraine and which displays real-time updates in the vote count, did not function properly. If the CEC’s network had not been restored by the election day of 25 May, the country would have been unable to follow the vote count in real-time.
On 25 May 2014, twelve minutes before polling closed, attackers posted a picture of Dmitry Yarosh, the former leader of the Right Sector, a nationalist, far-right political party, on the CEC website, incorrectly claiming that he had won the election. Beyond disabling the site and successfully displaying incorrect election results, the Ukrainian Government Response Team for Computer Emergencies (CERT-UA) discovered advanced cyber-espionage malware in the CEC network. While this attack did not impact the outcome of the election as all votes are manually verified; nevertheless, the attack was well planned, highly targeted, and had some (albeit limited) real-world impact.
The 2014 presidential election of Ukraine sent an obvious alarm that there is a need for broad-ranging improvements to the organizational and technical sides of cybersecurity. Following 2014, the Central Election Committee of Ukraine worked to improve its cybersecurity principles on several occasions. It segmented the office network and critical networks; installed a comprehensive network monitoring system with a modern firewall, proxy, as well as security information and event management (SIEM); replaced outdated critical network equipment; and upgraded the system’s major hardware and software components. Also, after the 2014 incidents, the Ukrainian government and parliament, along with various agencies, initiated substantial action plans to tackle the weaknesses of election cybersecurity. They adopted the first cybersecurity strategy and passed the first comprehensive cybersecurity law. For several international friends of Ukraine, it has been imperative ever since to improve the resilience of Ukrainian elections to cyber threats.
Attempts to compromise the 2019 election
Among those who support Ukraine’s cyber capacity’s includes the European Commission. Within the framework of the European Union project Countering Elections-related Cyber Threats and Disinformation Campaigns in Ukraine, the Delegation of the European Commission contracted a consortium of the Estonian Center of Eastern Partnership and CybExer Technologies to improve Ukraine’s resilience.
As part of this project, CybExer has recently concluded a report evaluating the cybersecurity procedures and practical cooperation between Ukrainian agencies during the 2019 presidential elections. Titled Post-Election Assessment of Cybersecurity Infrastructure and Interagency Cooperation in Ukraine, it assessed the management of electoral IT systems and incident response during elections. It also examined how various agencies work together to solve problems. Findings from the study were presented on October 31 in Kyiv.
So what did we find out about the 2019 presidential elections in Ukraine? While voting occurred securely and the proccess was not derailed, there were nevertheless several serious attempts to compromise the election, including from the cyber espionage group APT Dragonfly, long associated with Russian actors. Shortly before the first round of the presidential elections on 31 March, authorities discovered an attack against the Vybory system consisting of almost 100 phishing emails containing previously-unknown, unique malware.
In addition, on 14 and 23 February 2019, attacks against Ukrainian servers maintaining the official website of the CEC were conducted with the aim to block preparatory information about the upcoming election. Also, a few months before the presidential elections, false media reports alleged that the State Voter Register (SVR) database had not been updated since 2015. The aim of this was to erode the trust in the security of the SVR system and thereby in the integrity of the voter lists. As a result, a large number of Ukrainian voters checked their status in the online registry, throttling the the SVR system and causing it to become unresponsive and reject connections.
Ukrainian election cybersecurity – gaps and mitigation
Besides analyzing the events of the 2019 election, the report identified several gaps in Ukraine’s cybersecurity defenses. Perhaps the key weakness identified was the lack of technical personnel within the CEC, where only a few technicians are responsible for the entirety of election-related systems across the country. This was compounded by the issue that temporary election commissions and supporting volunteers usually lack basic cyber hygiene training and are easy targets for malicious actors.
Second, as cyber threats evolve on a daily basis, defense systems must be regularly reviewed and updated. The existing norms and procedures of election cybersecurity in Ukraine do not yet specifically address this issue. For example, the ad hoc measures used by the CEC in its cooperation with other key Ukrainian state agencies during the 2019 presidential elections should be formalized, fixing the responsibilities of various stakeholders tasked with protecting and monitoring electoral IT systems to avoid starting from a scratch before each new election.
Third, the Ukrainian legal framework does not fully support the security of IT infrastructure for elections. Notably, the IT systems of the Central Election Committee are not listed as critical infrastructure and, therefore, do not receive the necessary political attention and financial resources. This should be addressed.
The report also recommends that risk analysis and vulnerability assessments should be regularly conducted and updated for electoral IT systems, as the cyber threat landscape is rapidly changing and new vulnerabilities are constantly discovered.
Finally, the Post-Election Assessment of Cybersecurity Infrastructure and Interagency Cooperation in Ukraine underlines that cybersecurity of elections concerns much more than online voting. Today, almost all electoral processes make some use of technology – from voter registration, to tabulation, and publication of results. Digital solutions, or election technology in itself, are no more or less secure than paper-based voting solutions, but rather need to be introduced prudently while making sure that the digital solutions meet the same legal requirements for elections as traditional solutions. Even electoral systems that exclusively rely on pen and paper in voting take advantage of digital tools and services in compiling voter rolls, candidate registration, or result tabulation and communication.
Building resilience against cyber threats is a constant battle. The Ukrainian electoral organizations have shown the required determination–so far. However, it is of the utmost importance that the relative success of the 2019 presidential elections not create complacency but rather serve as a motivation to carry out further improvements to the cybersecurity of the electoral system.
By Merle Malgre, for CEPA
Europe’s Edge is an online journal covering crucial topics in the transatlantic policy debate. All opinions are those of the author and do not necessarily represent the position or views of the institutions they represent or the Center for European Policy Analysis.
Merle Maigre is the Executive Vice President for Government Relations of CybExer Technologies and a former James S. Denton Transatlantic Fellow at CEPA. In 2005-2007 Maigre served as the Deputy Head of the NATO Liaison Office in Kyiv.