This year is experiencing a phenomenon on a scale never seen before, with more significant elections taking place around the world in 2024 than has ever been documented. But with an abnormally large number of elections comes a greater risk of attempted manipulation and disinformation, as ISC2 Associate Justine Guyau explains.

This year is set to be a record year for elections. Depending on your definition of a major leadership election, by the end of 2024 more than two billion people will have voted in between 50 and 73 different countries. This unprecedented alignment of voting events has raised many questions around safety and transparency, often in terms of cybersecurity.

By virtue of the sheer numbers of voters involved, the challenge is perhaps most acute for the world's most populated country, India, which is going to choose simultaneously its House of People representatives and its Prime Minister. We are looking at India purely as a timely example of a democratic election process and of the cybersecurity challenges that exist around a large and distributed election. How does one ensure that almost a billion people can cast their vote in a democratic way, without any threat or actual interference? Can we apply those experiences and observations to any other electoral process? For the most part, we can.

The Logistical Challenge

Elections in India are, of necessity, conducted slightly differently from the ones we may be used to. Indeed, if all 960 million eligible voters were to go to the polls on the same day, it would overwhelm polling places and make the supervision of the process extremely tedious, and any crisis could paralyze the whole country. Therefore, Indian citizens aged 18+ and registered on the electoral roll were called to vote during one of seven different phases according to the province they live in. For instance, if you live in New Delhi, your voting day was May 25th, whereas Gujarat residents did so on May 7th. The whole process lasted 44 days, from April 19 to June 1, to elect 543 members of the Lok Sabha, the lower house of India’s parliament, who once in place are tasked with appointing the Prime Minister of the country. All votes from the seven phases were totaled and results were made public on June 4, 2024.

To make counting easier, India used Electronic Voting Machines (EVMs). These have now totally replaced the traditional paper ballots, which were considered costly, time-consuming and unreliable. Indeed, the manual, paper ballot system left room both for counting errors and for fraud including the use of pre-filled ballots.

The advent of EVMs has significantly accelerated the counting process, allowing quicker result announcements. It has also eradicated fraudulent activities, thanks to the safety features of the machines. Such features include security locks, thumb impression verification, and Write Once Read Many (WORM) memory, which prevents tampering with the votes once they are cast. EVMs are also self-contained, battery-operated devices that require no form of network or internet connectivity, making them very hard to take down.

Although EVMs provide an extremely secure and accurate voting medium, parties often challenge the veracity of results. To demonstrate the resilience of the system, the Election Commission of India implements a paper audit trail, a sample of which is checked to ensure that it matches the electronic results. A trial run is also conducted before election day, to verify that the device works and that no vote has been pre-recorded.

A Tense Geopolitical Situation

In common with many other countries, electoral campaigns in India experience heavy disinformation on social media. According to the Davos Forum’s 2024 Global Risk Report, India was ranked highest for the risk of misinformation and fake news. Indeed, the 22 main languages and hundreds of regional dialects spoken in the country make it especially hard for content platforms to review or moderate every single post that is shared online.

The latest developments in terms of text-to-speech artificial intelligence (AI) technologies allow for very realistic deepfakes, and consequently, a wave of fake videos featuring party leaders, congressmen and even Bollywood stars spread across the internet. Just prior to the election, the incumbent Indian Prime Minister Narendra Modi raised concerns about AI after a senior member of his party became the target of a deepfake video purporting to show the politician saying Prime Minister Modi wanted to dismantle the reservation system (an affirmative action program for disadvantaged communities). The information was false and members of an opposition party were convicted of fabricating the video on this occasion.

Candidates are also frequently targeted by disinformation campaigns run by foreign actors. Low-level conflicts between India and neighboring countries have rumbled on for many years, with cyberspace becoming an extension of the physical conflicts. The wave of fake news and cyberattacks has become even more intense in relation to India’s official pro-Israel stance after the October 7 incident, with pro-Palestine threat actors forming a unified front and leading DDoS attacks against critical websites. Last November, the official website of the Indian government was down for several hours.

India’s political climate is especially tense, with multiple strong religious and cultural identities that frequently clash with each other. Wherever it originates from, the spread of disinformation can sometimes lead to dramatic events and even human casualties. In 2018, rumors of child abductions all over the country sparked mob actions which resulted in an estimated 20 deaths. While it’s hard to quantify the total number of victims who lost their lives as a consequence of disinformation, such events show that it’s a problem that all governments have to tackle effectively.

The Integration of Cybersecurity Strategies

The starting point – before formulating strategies to counter cybercrime and its impact – is the creation of a national center for cybersecurity. Or, even better: a ministry, as some countries like Australia have already done.

Currently, no single entity co-ordinates India’s cyber defense efforts; instead, every ministry does its best to integrate a little bit of cyber into its duties. Cybersecurity needs to remain a top priority, even when other urgent security issues arise. Having a dedicated body or minister ensures policymakers stay focused on cybersecurity tasks and needs. In case of a cyberattack, this would also provide a clear point of contact and point of instruction to follow. This is especially important in a country the size of India as large parts of the country’s critical infrastructure – healthcare and energy being examples – belong to the private sector, like they do in the US and other major economies.

In respect of the elections, the rampant spread of hyper-realistic fake news is the main problem the government has to troubleshoot.

A good first point would be the development of a code of conduct for the creation of social media content that every candidate should respect. India currently has few regulations or guidelines for electoral campaigns or advertising, unlike some countries that set very clear and rigid rules for what can and can’t be said, broadcast or published. Getting every party to adhere to this code could be a challenge. However, a selling point is that this measure would avoid conflict between candidates, who often accuse social media platforms of bias if their posts are taken down and not their opponents’. If everyone followed the code of conduct, there would be no risk of bias; content would only be taken down if it did not respect the rules.

Another important measure, helping to fight against foreign threat actors’ disinformation campaigns and cyberattacks, requires a country to rely on international cooperation. Given its geopolitical stances, India has fallen prey to a large number of advanced persistent threats (APTs) that can be hard to identify and track down. Since India is not a signatory to the Budapest Convention (which aims to make exchange of information easier between countries), it has to foster good diplomatic relationships with other states so that trans-border investigations can be led effectively, with or without the help of Interpol.

Justine Guyau, ISC2 Associate, is an entry-level cybersecurity practitioner who passed the CISSP exam in February 2024. Her cybersecurity work spans risk management, compliance, cyber resilience and crisis training for SMEs.