Cyberwarfare / Nation-State Attacks , Endpoint Security , Fraud Management & Cybercrime
Election Security: Is Government Doing Enough?
Critics Allege a Lack of Focus on Cybersecurity IssuesSome security experts say India's government isn't doing enough to ensure the security of the Lok Sabha elections being held through May 23. They express worries that a nation-state, such as China or Pakistan, could attempt to tamper with the results.
See Also: How Active Directory Security Drives Operational Resilience
With the elections spread over seven phases across all states, the infrastructure appears to be vulnerable to cyberattacks.
Critics argue that the Indian government is not paying adequate attention to security, offering only what they portray as "superficial gestures," such as recalibrating the electronic voting machines, conducting voter verifiable paper audit trails and organizing cybersecurity workshops for poll officers.
Because hacking groups have threatened to interfere with the elections, India should have done far more to enhance election security, argues Pavan Duggal, advocate, Supreme Court of India.
The Election Commission has taken a few steps in recent months, including having a cybersecurity nodal officer in each state, conducting a third-party security audit of all poll-related applications and websites and holding workshops to train officers in cyber hygiene. Plus, it has proposed to recognize elections as "critical infrastructure" under the IT Act, 2000. As a result, any attempt to steal information would be a crime.
Some security experts argue, however, that India needs a new cybersecurity law to deal with today's cyberthreat environment.
Meanwhile, it's not yet clear whether all states, in fact, have nodal officers. And the commission lacks a clear policy for enhancing security of EVMs.
Another important step, some experts say, is for the government to use machine learning or artificial intelligence to track patterns that might indicate election interference.
S.N. Pradhan, director general of the National Disaster Response Force in the Ministry of Home Affairs says this approach could, indeed, help police investigate potential election interference.
Rakesh Goyal, a CERT-In empanelled auditor, says the government also needs to ramp up its efforts to continuously patch EVM software and improve its efforts to detect vulnerabilities in EVM operating systems.
Lack of Coordinated Efforts
Another important issue is the apparent lack of coordination on security issues among government leaders, the Election Commission and key security auditors and practitioners.
The Election Commission should seek help from the public and private sector in building a cybersecurity ecosystem.
For now, the ruling party and ECI have asked all government officials to be tight-lipped about the security measures taken in protecting election machinery. When I asked Dr. Kushal Pathak, the CISO of Election Commission of India, to discuss security details, he said he had been asked not speak to the media on any security-related issue.
The ECI should be more transparent about its security efforts to help reassure citizens that it's taking the necessary steps to ensure the integrity of the election and show its preparedness in tackling digital threats.