Defending a democracy is tough work, and there are a multitude of threats that one needs to consider and somehow try to mitigate, all while maintaining the democratic process itself. Recently the CSE published the 2023 update to it’s cyber threats to the democratic process and I had the opportunity to have a quick read. It is mostly designed to be public facing and doesn’t really go into a ton of detail. I had wished it would have been more specific with some of the cyber attacks it (or it’s partners) have observed.
The scope is to understand and report on cyber threat activities that affects the democratic process, which it defines as the compromise of CIA of systems or information related to elections
It has identified 4 targeted actors: voters, politicians, political parties, and election infrastructure itself
It mentioned an interesting example from Feb 2023 of an Israeli “influence for hire firm”.
It talked about the “voter lifecycle” in a typical process, and discussed attacks against that lifecycle (voters registering, voters casting, ballots being counted, etc)
It talked a lot of about disinformation, and how it expects that with the increased use of generative AI that this disinformation will become harder to spot and harder to take down. Special mention to the concequences of the Online News Act as Canadian news has the potential to be dropped from major social networks
I think this is a good overview of the main topics to think about when considering the security of election systems and processes from an “end voter” perspective. The lack of discussion about actual attacks that have occured make this paper seem a bit fluffy if I am being honest.
The CSE makes several references to the fact that federal elections are still paper and hand counted, but does open up some discussion for the municipal/provincial elects to consider when considering electronic ballots. Of interesting note was the fact that they mentioned in 2023, 11 countries have abandoned e-voting due to security concerns.
Ultimately, I think there is a lot more to look in to then what is discussed in this paper. In the conclusion the CSE considers Canada a relatively low priority target (compared to the US and the UK), but that doesn’t mean we shouldn’t remain vigilent.