Technology as Risk or Ally in Democratic Systems
Technology in an electoral democracy can be approached in two ways: we can either see it as a risk or threat to democratic systems, or we can see it as an ally against authoritarian and dictatorial systems.
Of course, nowadays, technology is mostly perceived as a threat or risk factor to democratic systems because it is related to techniques such as deepfake videos (the well-known AI impersonation of Barack Obama in 2017), voice cloning (the faked recordings of the Slovak presidential candidate Michal Šimečka in 2023, or those of the former US President Joe Biden in 2024), and spear phishing (personalized phishing attacks targeted against a person, such as the hacking of the X account of the Dominican presidential candidate Abinader in 2024, or the hacking of the account of Emmanuel Macron in 2017). These attacks could be directed against electoral candidates, against magistrates of Electoral Courts or Commissions, and even against staff members with access to relevant (critical) systems or sources of information. Both electoral institutions (such as the court) and political parties could be affected by these attackers. For example, let us bring our attention to denial-of-service (DoS) attacks on the websites of institutions that retransmit or communicate election results. To put it simply, DoS is an attack that emulates a large number of “users” accessing the same site in such a way that access is blocked to any real user, generating an error instead. In other words, an overload of access requests occurs that ends up exhausting the resources (for example, the website of the Spanish Ministry of the Interior in the 2023 general elections; for an attack on the voting system itself, see the example of the attack on overseas voting systems in the 2023 Ecuador elections). Also linked to this is the more adversarial use of technology with the creation (generative AI), acceleration, and dissemination (bots) of disinformation. To make matters worse, there is sometimes a combined use of disinformation with the aforementioned attacks on websites, institutional systems, or voting machines, and these precarious situations are commonly dubbed hybrid threats.
Despite all of this, there is a more gentle approach to technology that sees it as a useful tool in the defense of the democratic system. For example, these technologies can be of use to us in verifying users, creating incident summaries, monitoring anomalies in data access, creating alerts for those accesses or patterns that do not correspond to the usual, and monitoring disinformation. Likewise, it can be of help to confront censorship (cf. Arab Spring in 2011), prevent information manipulation and information blockages (cf. internet shutdown in Ukraine during the Russian invasion), or fight against totalitarian, authoritarian, or illiberal regimes (content verification, implementation of alternative communication channels, etc.).
Case Study: The 2024 Venezuelan Elections
Let’s take the 2024 Venezuelan elections as a case study to better understand this issue. During this period, Nicolás Maduro’s government claimed that there were attempts to hack the Venezuelan National Electoral Council’s systems, which consisted of a denial-of-service (DDoS) attack targeting the data transmission system. I would like to point out here that the transmission of electoral data is a process that is not vulnerable in terms of integrity, especially when a DDoS attack focuses on disrupting communication/service, not modifying what has been communicated.
Responding to the Maduro regime’s claims, the cybersecurity community and election observers were quick to refute these baseless accusations by pointing to a lack of scientific evidence for said attack and affirming that there was no evidence of anomalous traffic from third countries to Venezuela; in fact, there are no audit reports on the matter either.
In the event of a potential denial-of-service attack or even hacking of the Venezuelan voting system itself, which would surely have been either isolated from the larger internet or connected to an insulated network specifically dedicated to the elections, a response could be based on scientific evidence through independent and transparent audits in information security and cybersecurity. These types of measures, it should be noted, must be provided for in the various cybersecurity and information security plans and incident recovery plans, which must be implemented following the National Security Strategies or National Security Plans, based upon internationally recognized guidelines in this area. I would like to emphasize here the importance of the communication process in an electoral cybersecurity event.
Continuing with the Venezuelan example, and now from a more nuanced perspective on the technology implemented in the electoral process, we can point to the creation of a system for receiving and transmitting data collected and curated by the Venezuelan opposition to prevent electoral manipulation and to demonstrate, through the publication of the records, the total number of actual votes obtained.
The Double-Edged Role of Communication Channels
If we focus on the role of communication channels, which are predominantly social media in the Venezuelan electoral context, we can once again see these two facets: from the negative perspective, we have their use to spread disinformation. It’s worth noting that artificial intelligence and analytical technologies can help collect and analyze narratives and other disinformation in the electoral context. However, we must not overlook the fact that generative AI can and indeed does contribute to the creation of information manipulation techniques such as deepfake video and audio.
However, on the positive side, it should be noted that cybersecurity helps bring to light situations of information manipulation, electoral fraud, and authoritarian abuse by helping mobilize the population when an attack on democracy is taking place. This situation is evident in Nicolás Maduro’s confrontation with the social network X in Venezuela, and also in his call to not use WhatsApp. The Venezuelan case helps us understand the importance of cybersecurity in electoral processes. Cybersecurity must be studied from different perspectives (technical, legal, regulatory, etc.) given its interdisciplinary nature.
Multidimensional Approaches to Electoral Cybersecurity
Cybersecurity in the electoral process can be considered from a multitude of perspectives. This can be an infrastructure-centered approach, whether a more physical one (such as network cables, the supply chain, or the hardware underlying the system) or a logical one, focusing on the software that is implemented both in the development of the electoral process (voting machines, results transmission systems, etc.) and in the state institutions (in the tools implemented by the CERT/CSIRT – Computer Emergency Response Team, a team that is ideally specialized in managing and responding to cybersecurity incidents by providing analysis, mitigation, and prevention of threats, and the SOC – Security Operations Center, an apparatus that monitors, detects, and responds to threats in real time, protecting an organization’s infrastructure and data). Finally, cybersecurity can also be approached from a more human perspective (education/culture and awareness in cybersecurity), which would aim at preventing failures at the weakest link in the information security chain, such as falling for phishing (in its different forms) or providing passwords or other sensitive data to cybercriminals.
Moreover, cybersecurity can and should be studied at different levels: at a more institutionalized level, in which the States themselves will include electoral cybersecurity within their national security strategies and develop it at the level of planning (state and institutional) and policies, and will set up a Higher Electoral Coordination Committee (an ad hoc committee during election day). At this level, it must also permeate the electoral regulatory framework itself, for instance, with the classification of special electoral crimes, providing legal protection against them. At other specific levels, more dedicated and expert bodies can be constructed, such as the Electoral Tribunals or the CERT/CSIRT, which will participate in ensuring the integrity of the electoral process. Here, we would suggest creating an interdepartmental working group within the Electoral Courts or Boards of various sovereign states. This group should meet periodically and build experience and trust, which are necessary for the review and implementation of the various transferable plans and protocols and would help respond effectively and efficiently to any incident. Key concepts at this point are: the Information Security Management System (ISMS), which will represent the referential framework for implementing information security policies; the Cybersecurity Plan, which will focus specifically on measures and strategies to protect computer systems and networks against threats; and the Incident Response Plan, which will focus on responding to and recovering from a cybersecurity event. In this context, ISO certifications related to information security, such as ISO 27000 or ISO 27001-ISMS, are highly recommended. These standards focus on information security management, helping to protect confidential data and guarantee secure processes against cyber threats. ISO/TS 54001:2019, based on ISO 9001:2015, is also recommended. This standard ensures quality management in electoral processes, promoting transparency, trust, and efficiency in the organization of elections. Having both certifications will help bolster citizen confidence in the systems, processes, and technologies used.
Final Reflections: A Democratic Conception of Cybersecurity
While cybersecurity often goes unnoticed in electoral procedures, its role is fundamental to ensuring the integrity and trust that citizens place in the democratic system. Without an adequate focus on cybersecurity, electoral processes would be vulnerable to risks and threats that could compromise not only the validity of the results but also the very legitimacy of democratic institutions. This is why we must make an effort and contribute, to the maximum possible extent, to creating a democratic conception of cybersecurity.
Dr. Tamara Alvarez Robles is an assistant professor at Universidad de León in Spain with specialization in constitutional law and digital rights.
This article was previously published on Ibericonnect in original Spanish. It was translated for the EMILDAI Blog by our editors, Nauani S. Benevides and Meem A. Manab.