Today the European Parliament, the EU Member States, the European Commission and the EU Agency for cybersecurity (ENISA) organised an exercise to test the EU’s response to and crisis plans for potential cybersecurity incidents affecting the EU elections.
The objective of the exercise, which took place today in the European Parliament, was to test how effective EU Member States and the EU’s response practices and crisis plans are and to identify ways to prevent, detect and mitigate cybersecurity incidents that may affect the upcoming EU elections. This exercise is part of the measures being implemented by the European Union to ensure free and fair elections in May 2019.
“We must protect our free and fair elections. This is the cornerstone of our democracy. To secure our democratic processes from manipulation or malicious cyber activities by private interests or third countries, the European Commission proposed in September 2018 a set of actions. Together with the EU Member States, and other EU Institutions we are implementing these actions. We also decided to test our cybersecurity vigilance and readiness towards secure, fair and free EU elections 2019 by organising the first in its kind EU exercise on elections. I believe that this is an important step forward for more resilient EU elections in a connected society,” said Vice-President of the European Commission, for the Digital Single Market, Andrus Ansip.
More than 80 representatives from EU Member States, together with observers from the European Parliament, the European Commission and the EU Agency for cybersecurity, participated in this first EU table-top exercise (with the code name EU ELEx19) on the resilience of the upcoming European Parliament elections. The main responsibility for protecting the integrity of the elections lies with the Member States, and the overall objective of the exercise was to test and further strengthen their preparedness – especially their election and cybersecurity authorities – in the face of hybrid cyber-enabled threats, and to assess their ability to swiftly develop and maintain situational awareness at national and EU level if a serious cybersecurity incident which could impact on the integrity of the 2019 EU elections were to occur.
“Cyber-attacks are a recent but very real threat to the stability of the European Union and its Member States. A cyber-attack on elections could dramatically undermine the legitimacy of our institutions. The legitimacy of elections is based on the understanding that we can trust in their results. This very trust has come under pressure from cyber-attacks and other new types of election fraud in the Digital Age, and we must respond! With the upcoming European elections in 2019, we have to take responsibility and build up the necessary means to strengthen our electoral cyber security. This responsibility is a common one, shared by European and Member State institutions. Together we need to safeguard the integrity of the elections,” said Vice-President of the European Parliament, Rainer Wieland.
Based on various scenarios featuring cyber-enabled threats and incidents, the exercise allowed participants to:
Acquire an overview of the level of resilience (in terms of policies adopted, available capabilities and skills) of election systems across the EU, including an assessment of the level of awareness among other stakeholders (e.g. political parties, electoral campaign organisations and suppliers of relevant IT equipment);
Enhance cooperation between relevant authorities at national level (including elections authorities and other relevant bodies and agencies, such as cybersecurity authorities, Computer Security Incident Response Teams (CSIRTs), the Data protections Authority (DPA), authorities dealing with disinformation issues, cybercrime units, etc.);
Verify EU Member States’ capacity to adequately assess the risks related to the cybersecurity of European elections, promptly develop situational awareness and co-ordinate communication to the public;
Test existing crisis management plans as well as relevant procedures to prevent, detect, manage and respond to cybersecurity attacks and hybrid threats, including disinformation campaigns;
Improve cross-border cooperation and strengthen the link with relevant cooperation groups at EU level (e.g. Election Cooperation Network, NIS Cooperation Group, CSIRTs Network) in order to improve the capacity to respond in a coordinated manner in the event of cross-border cybersecurity incidents;
Identify all other potential gaps as well as adequate risk mitigation measures which should be implemented ahead of the European Parliament elections.
Concrete measures to address potential threats
On 12 September 2018 the European Commission announced a set of concrete measures to address potential threats to elections, including a recommendation of the European Commission on election cooperation networks, online transparency, fighting disinformation campaigns and protection against cybersecurity incidents.
In line with this European Commission recommendation, a European Cooperation Network on elections has been established. This network has already met three times in Brussels to discuss necessary actions to address potential threats to the elections and thereby strengthen the resilience of the European Union’s democratic systems. One of the actions that this network decided to pursue was the organisation of a table-top exercise to test EU’s cybersecurity preparedness to ensure secure, free and fair EU elections 2019.
Today’s cybersecurity test also goes hand-in-hand with the Action Plan against disinformation that the European Union adopted last December to build up capabilities and strengthen cooperation between Member States and EU institutions to proactively address the threats posed by disinformation.