Defending Democratic Institutions and Processes: A Call for a Multi-Stakeholder Response
Nemanja Malisevic
Microsoft
Nemanja Malisevic joined Microsoft in 2014. Until recently he led the work of the Digital Diplomacy Team in Germany. Since the launch of Microsoft’s Defending Democracy Program (DDP), he has shifted his focus to leading the international DDP engagements. He is also very actively involved in Microsoft efforts related to cybersecurity norms.
Prior to joining Microsoft, Mr. Malisevic worked more than 10 years for the Organization for Security and Co-operation in Europe (OSCE), where he was the Organization’s first Cyber Security Officer. In this capacity he was deeply involved in the negotiation of the first set of OSCE cyber/ICT security related confidence building measures (CBMs), adopted in December 2013. Before that, he led the Organization’s efforts dealing with combating terrorist use of the Internet.
Mr. Malisevic holds a bachelor’s degree (BA) from the University of Wales (Cardiff, UK) and a master’s degree (M.Litt.) from the University of St. Andrews (St. Andrews, UK).
Running a political campaign was never an easy endeavor. That is not necessarily negative. Few worthwhile endeavors can ever be considered “easy” and it is arguably the struggle against meaningful competition and challenges that, at least to a certain extent, make most endeavors worthwhile.
Looking at the big picture, however, running a political campaign today means preparing for challenges that did not exist before—certainly not on this scale—and much of this is because of developments in cyberspace.
The Growing Impact of Nation-State Cyberattacks
Specifically, nation-state actors continue to be increasingly active in cyberspace. This includes offensive cyber-operations against democratic institutions and processes.
As a result, even though the increased digitalization of democracy has brought numerous benefits, there is another side to this story as well. Cyber threats to democratic institutions and processes have increased and they keep increasing.
Clearly, there is increased state-against-state activity in this realm, with nation-states working to influence various components relevant to the democratic processes and institutions of other states. Similarly, we have seen increased manipulation of social media aimed at spreading disinformation.
A recent report by the Berlin-based think-tank Stiftung Neue Verantwortung, provides a wealth of examples in this regard; a selection is included below.[1]
Democratic Institutions and Processes Under Attack
In the run-up to the 2017 French presidential election, malicious actors leaked information, some of which they apparently manipulated, gained from compromising the IT systems of Emmanuel Macron’s party. There are many other tactics, of course.
A hacking operation targeting the German parliament back in 2015 showed that it does not necessarily have to be followed by a leak. Sometimes causing uncertainty is enough—a notion this article will revisit in a subsequent section. There have also been blackmail fears after alleged hacking operations against U.S. targets and the UK parliament.
Other types of attacks we have seen included operations that were intended to interrupt or alter the information flow to a certain set or subset of voters. This became apparent, for example, in the run-up to the Dutch national election in 2017, when suspected hacktivists conducted a distributed denial-of-service attack against two key publicly-funded websites that were set up to help voters decide who to vote for.
Data manipulation, which focuses on altering the integrity of the data itself, is another attack vector to keep in mind. This tactic was employed, for example, against elections in Ukraine in 2014. Many additional examples exist and, to be clear, even a much longer list would only scratch the surface of a growing threat.
An Old Tactic at An Unprecedented Scale
Looking at the big picture, one of the crucial considerations to keep in mind is this: The threat of an attack or the perception of a compromised electoral system can cause damage by diminishing voter trust and sowing the seeds of doubt in voters’ minds about the integrity of the process.
The threat of an attack or the perception of a compromised electoral system can cause damage by diminishing voter trust and sowing the seeds of doubt in voters’ minds about the integrity of the process.
Such doubt can result in real-world consequences. For example, Germany in 2009 as well as the Netherlands and Norway in 2017 chose to do without electronic vote counting machines and instead hand count ballots. They did this largely to mitigate against this type of threat to the public’s trust in the respective electoral processes.
Admittedly, one could argue that none of this is really all that new. After all, states likely have always been engaged in such activities—leveraging the technologies of the time—and they will likely remain engaged in them in the future.
While this argument is not necessarily wrong, it is important to understand that the scale of potential influence, manipulation, distortion—or, to put it differently, the potential attacks on a nation-state’s democratic institutions and processes, such as voting hardware and software or election campaigns—is significantly different from before.
The Importance of a Multi-Stakeholder Response
With the above in mind, clearly the only effective and sustainable way to tackle the pertinent threats is through a true multi-stakeholder response, i.e., a response that includes the public sector, industry, and civil society.
Nation-state cyberattacks on democratic institutions and processes harm and diminish trust in the entire cyber ecosystem. This is not in the interest of individual citizens, not in the interest of civil society, not in the interest of industry, and not in the interest of the international community of states.
Speaking from the perspective of industry, Microsoft introduced the Defending Democracy Program in 2018 and has been actively leveraging company expertise in this space globally and in a non-partisan manner. This has, inter alia, included the organization of training and awareness-raising workshops, entering into partnerships with entities such as NewsGuard aimed at enhancing media literacy as a means to counter the spread of disinformation. It has also led to the introduction of dedicated and free-of-charge products designed to protect organizations that, frankly, underpin democratic processes—for example, political campaigns are increasingly being targeted but do not necessarily have the resources to afford more expensive security solutions.
For the sake of completeness, it should be noted that a number of other industry entities are also working diligently to take similar steps, and Microsoft is enthusiastic about their work. As we expand services, Microsoft will look for opportunities to work together and coordinate with their efforts.[2]
Working Together for the Common Good
In closing, it is worth reiterating that, as previously mentioned, nation-state cyberattacks harm and diminish trust in the entire cyber ecosystem and are, therefore, a critical challenge that requires a collective response at the policy, technical, and operational level.
As political campaigns face challenges on levels of scale that are unprecedented, there needs to be a corresponding multi-stakeholder response on a similarly unprecedented level of scale—a response that leverages the expertise, resources, and strengths of all stakeholders so that citizens of free and democratic societies can continue to enjoy the opportunities, freedom, and benefits democracy bestows, and counter those who seek to undermine it.
[1] For the sake of transparency, it should be noted that the author was part of a working group that contributed to the analysis contained in the SNV report. However, the views and opinions expressed in the report are those of the authors—i.e., Dr. Sven Herpig and Julia Schuetze, supported by Jonathan Jones—and do not necessarily reflect the official policy or position of the working group members or that of their respective employer/s.
[2] Microsoft’s Account Guard is one example.
