2024. A year when more than half of the world has voted or is set to vote. According to Time magazine, this year, ‘64 countries (plus the EU) representing a combined population of about 49% of the people in the world are meant to hold national elections.’

Among these, some countries like Pakistan, Bangladesh and Indonesia have already completed the election process, while the world’s biggest democracy, India, is currently going through this once-in-five-year exercise.

While elections across the world are a time of excitement and suspense, this is also the period when threat actors – cybercriminals, hackers, state-sponsored actors, etc. – can have a field day.

This election season, the cybersecurity landscape in India, in particular, has witnessed the misuse of technology with the emergence of deepfakes. This new trend has added another complex dimension to the elections. Even as governments and tech majors were deliberating about mechanisms to combat the menace of fake news, the use of artificial intelligence to spread propaganda poses a new and genuine threat to democratic institutions.

Relying on neural networks, deepfakes marry facial mapping technology and artificial intelligence to create very real video and audio clips, with the aim of misinforming and misleading the public. These technology-led and mostly social-media driven malicious campaigns can have far-reaching ramifications – from influencing one’s choice of candidate to creating serious law and order situations. They can also result in reputation loss and disrupt the electoral process.

While deepfakes have emerged as a new risk during the current election season in India, cyberattacks and threats during elections are not a new phenomenon. Countries across the globe have been exposed to these threats to various degrees over the years. But it’s possibly the cyberattack during the 2016 US Presidential elections that drew public attention like never before. In 2023, Estonia reportedly thwarted cyberattacks in its first-ever elections through electronic voting. Other countries, of varying sizes and with electoral bases having different levels of tech maturity, have also been exposed to these types of cyberthreats. The tactics and tools used may differ, but the intent remains the same – to jeopardise fair elections.Technology as a driver

India first computerised its electoral rolls in 1998, with prevention of fraud being one of the major aims. Since then, technology has played a key role in elections in the country, right from the formation of Electoral Rolls Management Systems (ERMS), Communication Plan for Election Tracking (ComET), SMS-based services to monitor election process milestones and polling progress, webcasting/video streaming of poll proceedings from polling stations to GIS for election management. These are a few of the ICT interventions that demonstrate how well entrenched technology is at every step of the election process in India.

However, ensuring the cyber security of elections entails more than just securing these ICT interventions or technical aspects pertaining to the design and manufacturing of electronic voting machines or EVMs. It would also require a well-rounded understanding of aspects such as distributed denial of service (DDoS), data tampering, data theft and impersonation through deepfakes.

It is important to bear in mind that the targets of cyberattacks could be varied. Threat actors can tamper with or cause harm to anything and anybody in the election ecosystem, be it through the gadgets one uses, connected vehicles or the content one consumes. Beyond gadgets and platforms, they could target people and institutions, as is the case with deepfakes. Similarly, cybersecurity is not just a tech issue or related to data compromise. Cyberthreat actors can cause physical and infrastructural damage too, through unauthorised access, infiltration, physical movement of assets, etc.

Being an alert citizen

Citizens have a vital role to play in ensuring cybersecurity during elections. By acting responsibly, they can ensure that threat actors do not succeed in their malicious intent.

First, in this world of disinformation, we need to exercise a considerable degree of scepticism when consuming content. Fact checking needs to become second nature, ‘news’ has to be questioned, views have to be debated. Secondly, in a world where personal data and log-in credentials of users can be easily compromised and are often leaked for a price, we need to establish tighter security mechanisms for our digital avatars/worlds.

Another important aspect to bear in mind is that any major event is a ripe time for phishing attacks. Given the scale of elections in the country, phishing campaigns are likely to be rampant at this time. One needs to exercise great caution when asked to click on links. Earlier, it was relatively easier to identify phishing emails – spelling and grammatical errors, a sense of extreme urgency – were telltale signs. However, with increased technological sophistication, the methods of attackers today have also evolved. Links sent to us even from seemingly known and credible sources should be double checked. Furthermore, as a voter, one may need to upload documents on government sites. One should refrain from using public Wi-Fi for such purposes and also ensure a two-step authentication process as far as possible when using log-in credentials or uploading/downloading personal information/documents. Finally, it is our responsibility as citizens to stay vigilant and report any suspicious activity to help thwart the malicious actions of threat actors.

Ensuring a well-rounded and stringent cybersecurity framework which is constantly updated is vital for countries to conduct free and fair elections. Cyberthreat actors are often, if not always, ahead of the curve. For us to secure the world’s democracies, the need of the hour is to stay one step ahead of them.

The author is Sundareshwar K, Partner and Leader – Cybersecurity, PwC India.

Disclaimer: The views expressed are solely of the author and ETCISO does not necessarily subscribe to it. ETCISO shall not be responsible for any damage caused to any person/organization directly or indirectly.