Democratic institutions can be targeted by cyber threat actors and nation-state actors, especially during an election. Threat actors may take advantage of conditions during the campaign process to launch cyber attacks that exfiltrate data, obtain administrative access to systems and potentially infect democratic institutions with malware. Misinformation and disinformation attacks may also be used to target voters and discredit the outcome of the electoral process. Any of these actions could undermine public confidence in the election results.
Threat actors can:
- Disrupt election infrastructure using distributed denial of service (DDoS) attacks.
- Compromise or mimic user identities to spread false information on social media or perpetuate voter fraud.
- Exploit the current work-from-home environment to compromise systems and gain unauthorized access to election management and/or political party systems.
- Launch online foreign influence campaigns to discredit the democratic process.
- Use ransomware-based attacks to disrupt access to election data and systems leading to interruption of election services.
Protect your systems:
- Patch election and IT systems regularly and avoid the use of obsolete software and hardware systems.
- Enable two-factor authentication on social media and email accounts.
- Use strong passwords and passphrases to secure access to social media and email accounts.
- Avoid sharing passwords and ensure each user has unique credentials associated with their access.
- Train your staff on basic cyber security best practices, including procedures for identifying and handling suspicious emails.
- Implement a high availability and disaster recovery (DR) strategy.
Reports on cyber threats
Guidance for political parties
Cyber actors target political party candidates, political party members, elected representatives and their staff.
- Cyber Security Briefing for Canadian Elections (ITLC 612, Course Training)
- Cyber Security Guide for Campaign Teams
- Cyber Security Advice for Political Candidates
- Five Practical Ways to Protect your Campaign
- Fact Sheet for Canadian Political Campaigns: Protect Yourself Online
- Social Media Account Impersonation
- Securing access controls in a volunteer-based organization (ITSM.30.010)
- Security considerations when using social media in your organization (ITSM.10.066)
Guidance for voters
Voters can be victims of influence peddling, misinformation and disinformation campaigns which could undermine public confidence in the electoral process.
Guidance for election authorities
Election management authorities and their staff interact with a vast array of personally identifiable information, which could be targeted by threat actors using techniques including ransomware, DDoS and spear-phishing attacks.
Guidance for vendors
Private sector organizations involved in delivering election-related services could also be targeted by cybercriminals for financial gain. This may directly or indirectly impact front-line electoral services.
Training
Self-paced 30-60 minute online course offering Canadian democratic institutions the tools and knowledge needed to make educated decisions about securing their IT infrastructure. This course requires a Learning Hub account in order to view it.
Additional resources
Refer to the following list of advice and guidance products to gain insight into common cyber threats and suggested preventative measures to reduce the risks associated with the election process.
Prevent
- Baseline Cyber Security Controls for Small and Medium Organizations
- Top Measures to Enhance Cyber Security for Small and Medium Organizations (ITSAP.10.035)
- Offer Tailored Cyber Security Training to Your Employees (ITSAP.10.093)
- Cyber Security at Home and in The Office: Secure Your Devices, Computers, and Networks (ITSAP.00.007)
- Best Practices for Passphrases and Passwords (ITSAP.30.032)
- Spotting Malicious Email Messages (ITSAP.00.100)
- Mobile Devices and Business Travellers (ITSAP.00.087)
Defend
- How Updates Secure Your Device (ITSAP.10.096)
- Using Your Mobile Device Securely (ITSAP.00.001)
- Protecting Your Organization While Using Wi-Fi (ITSAP.80.009)
- Cyber Security Considerations For Consumers of Managed Services (ITSM.50.030)
- Protecting Your Organization Against Denial of Service Attacks (ITSAP.80.100)
- Ransomware: How to Prevent and Recover (ITSAP.00.099)
- Security considerations when developing and managing your website (ITSAP.60.005)
- Ransomware playbook (ITSM.00.099)
Respond and Recover
Report a cyber incident
Reporting a cyber incident helps the Cyber Centre keep Canada and Canadians safe online. Your information will enable us to provide cyber security advice, guidance and services.
Get Cyber Safe
Get Cyber Safe is a national public awareness campaign created to inform Canadians about cyber security and the simple steps they can take to protect themselves online.
