Getty Images

IT sector advises Swedish government on elections and voting system

Swedish IT secure is helping the government make election systems more secure and reduce external influence

This article can also be found in the Premium Editorial Download: CW Nordics: CW Nordics: Swedish IT sector advises on election security

The security measures assembled and implemented around the 2018 election in Sweden were devised in consultation with leading actors within Sweden’s private IT sector.

The primary role of the IT suppliers was to advise government panels, which included the national security service (Säpo), the National Police Board (Rikspolisstyrelsen), the National Civil Contingencies Agency and the National Election Authority.

Säpo was at the head of a government-commissioned election taskforce that organised an IT-based protective shield around the voting process and implemented measures to minimise hostile external inference.

The main threats come by way of malicious attacks against IT-voting infrastructure from cyber space, or the potential risk of foreign-based entities launching propaganda and misinformation wars against political parties or individual politicians.  

The level of security expertise mobilised to protect the trustworthiness of the election result in Sweden ranged from a direct collaborative input from the Swedish Defence Force’s Cyber Defence Centre to creating consulting roles for leading companies operating within Sweden’s cyber security domain.

The higher level of security in the 2018 election reflected deep and genuine concerns within government quarters regarding the potential for serious external interference to distort the nature of political information and policy messages circulated by campaigning parties.

Moreover, the election task force feared active manipulation of the election result through electronic interference with the national voting system. Such concerns were deemed to be more than justified given the well-documented efforts by external forces to disrupt parliamentary votes and elections both in Europe and the United States since 2014.

Read more about e-voting

Despite the added layers of new security measures built into the 2018 election system, Säpo continued to observe events and combat attempts to damage confidence in the national voting process as Swedes headed to polling stations on 9 September.

“The activities we saw are within the range of what we expected,” said Linda Escar, the deputy chief of Säpo’s Protective Security Unit. “The important thing is that the election and result were well protected.”

The malicious activities identified by Säpo included the use of hijacked and fake social media accounts; disinformation spread over social media to polarise the political loyalties of voters; and DDoS attacks and hacking attempts that targeted both political parties and key election services.

There were some notable pre-election strikes by malicious entities from cyber space. A series of DDoS attacks were launched against the website of the ruling centre-left Social Democratic Party in August. The attacks were tracked to IP addresses which both Säpo and the SDP’s IT security team believe were located in Russia and North Korea.

“The attacks were serious, but because we were well prepared, it [only] forced the website offline for short periods,” said Helena Salomonson, the SDP’s director of communications. “We can only suspect the hackers were trying to access and disrupt information about our campaign strategies and policies.”

The election taskforce’s consultations with the private ICT-sector covered all core security enhancement areas, with a special focus on how best to enable government agencies and political parties to protect their critical functions from IT attacks.

“What we can now see is that the preventive efforts we have engaged in since early 2017 have paid off,” said Säpo’s Escar. “The public is more aware and alert than before, and this has increased national resilience. We have an election system that is difficult to influence, and this will continue to ensure a legitimate election result.”

Electoral integrity

The integrity of Sweden’s 2018 parliamentary election was also strengthened, especially in regards to malevolent activities within the social media sphere, by an initiative to build a united collaborative front between state broadcaster SVT and Sweden’s largest media companies.

SVT joined forces with media groups Bonnier, Schibsted and Norrköpings Tidningars Media (NTM) to develop a digital platform to counteract the dissemination of so-called “fake news” in Sweden.

Sweden’s proportional representation electoral system uses paper and electronic vote counting. The security needs within this system are elevated because citizens can participate in advance voting, or cast their votes if living abroad or holidaying. In this instance, Swedes voting abroad can do so either by postal ballot or at special polling stations at Swedish embassies, consulates and state-run missions.

The Ministry of Justice (MoJ) is examining a proposal that could lead to a system – potentially modelled on Estonia’s digitised election voting platform – where Swedes would be able to cast their ballots online. The proposal is linked to an all-party election committee in 2013, which wanted to pilot online voting in a number of counties during municipal elections sometime in the future.

The advancement of the online voting proposal has stalled a number of times due to security concerns and the commissioning of studies to examine different electronic voting machine types that are currently in use in western democracies.

The Stockholm-based KTH Royal Institute of Technology (KTH-RIT), Sweden’s leading engineering and technology institute, has taken a lead role in studying possible remote electronic voting system (Revs) options.

Vote registration

The KTH-RIT, which set out to model a reliable and trustworthy Revs solution for Sweden, identified its preferred system as being able to safeguard the manner in which votes were cast and registered, while maintaining confidentiality and verifiability through the entire chain.

The MoJ appears to be in no rush to introduce online voting to Sweden. The selection and approval process for a new Revs would entail developing, or finding in the open marketplace, a user e-authentication-based solution that only accepted votes from eligible voters; that prevented voters from casting multiple votes.

As part of its exploration of possible Revs solutions, Sweden is expected to scrutinise Estonia’s electronic voting system more closely. Estonia pioneered e-voting when it launched the I-Vote system in 2005 to coincide with general elections held that year.

The I-Vote system, which is now a mainstay of Estonia’s election process, uses a digital envelope system that mimics the physical dual envelope system. The system encrypts the actual vote in the same way as sealing an inner envelope in traditional paper-based voting.

In the Estonian system, the vote is then digitally signed and placed in an outer e-envelope containing the voter’s personal information. When the vote is counted, the outer e-envelope is discarded, leaving only the voter’s information remaining. All information about the voter is expunged in this process.

Read more on Identity and access management products