Amid allegations and fear of cyber-meddling in polls abroad, the Election Commission (EC) has initiated an unprecedented drive to protect its voter registration database and office networks from unauthorised influence and access during the Lok Sabha polls next year.
A chief information security officer in Delhi and a cyber security nodal officer in each state; regulations on cyber security exclusively for the Commission; third-party security audit of all poll-related applications and websites; workshops to train officers in cyber hygiene; and a proposal to recognise elections as ‘critical information’ under the IT Act, 2000.
These are the key steps taken by the EC over the last nine months to secure elections from cyber threats, The Indian Express has learnt.
“Elections across the globe have become a frequent target in the modern digital era,” said an EC official in a thinly veiled reference to allegations by USA and some European countries that Russia interfered in their polls. “A cyber attack, irrespective of the actual damage caused, spreads misinformation and can delegitimise a democratic process. Hence, for the first time, cyber security is part of election planning,” he added.
Although the poll watchdog is confident that the electronic voting machines (EVMs) and voter verifiable paper audit trail machines (VVPATs) are not vulnerable to hacking — since these are stand-alone units not connected to any network — its increasing dependence on digital technology and the internet for voter registration, electoral roll management and result dissemination, among other things, calls for strengthening of safeguards, said sources.
Some of the key measures it has taken:
* Launched in March, the EC’s “Cyber Security Regulations” (CSR) is a guide for its officers’ online behaviour. These regulations are meant to prevent “unauthorised access, disclosure, duplication, modification, diversion, destruction, loss misuse or theft of protection information”.
“EC is probably the first Constitutional authority in the country to have its own cyber security regulations. Its provisions are enforceable under the Information Technology Act, 2000,” said an official.
The new rules, for instance, insist on providing electoral roll information to political parties and public in non-editable (read image) format to reduce scope of manipulation. The regulations also prohibit use of personal devices (smartphones, tablets and computers) and personal email for communication of protected information.
* The EC appointed a chief information security officer (CISO) at its headquarters in December, 2017, and cyber security nodal officer (CSNO) in each state to implement the regulations and to coordinate cyber security between the EC and Chief electoral officers (CEOs) in the state.
* Since June, the EC has organised and conducted three regional workshops (north, south and central India) for poll officers.
Electoral registration officers, district election officers and the chief electoral officers are trained in “cyber hygiene,” — to make sure they clean up after accessing networks and sensitive data.
* Seven workshops are planned until January 2018, including one on secure coding practices for programmers of EC.
*Annual third-party security audit of poll-related websites and applications across all states is now mandatory. EC’s main website and six other poll-related websites are enabled with secured socket layer or SSL, which is a standard security protocol for keeping an internet connection secure by encrypting any sensitive information sent between one’s browser and the website.
Sources said the poll-bound states of Rajasthan, Madhya Pradesh, Mizoram and Chhattisgarh have initiated security audit of their websites, SSL implementation, signed non-disclosure agreements with agencies providing outsourced services and instituted a disaster recovery plan in case their websites and applications crash.
* EC has begun identifying ghost applications and started taking them down — applications that mimic EC’s logo and offer electoral services to voters.
Perhaps the most critical step to EC’s cyber security preparedness is getting its election infrastructure recognised as “critical information infrastructure” (CII). Section 70 of the IT Act 2000 defines CII as “the computer resource, incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.”
Once identified as CII, the EC’s infrastructure would be eligible for additional funding and resources; also, there will be a higher quantum of punishment for an attempt to secure access to it.
In 2017, the US designated the election infrastructure used in federal elections as a component of U.S. critical infrastructure. This was done after a series of cyberattacks on information systems of state and local election jurisdictions before the 2016 federal elections.