The European Parliament has an election security problem

Published: Tuesday, 12 December 2023 11:18

EU elections are coming but the institution’s cybersecurity isn’t up to scratch to fight off the imminent deluge of attacks, insiders warn.


BRUSSELS — The European Union’s Parliament is gearing up for a major election next June but its cybersecurity "has not yet met industry standards" and is "not fully in-line with the threat level" posed by state-sponsored hackers and other threat groups, an internal review seen by POLITICO warns.

The European Parliament is ramping up its work to protect the integrity of its election against cyberattacks and disinformation campaigns. With upcoming votes in key democratic countries including the United States, United Kingdom, India and across the European Union, officials are on high alert for geopolitical foes like Russia and China to attempt to tip the ballots in their favor through disinformation and cyberattacks.

The European Parliament’s IT department presented a report to a group of key members of the European Parliament (MEPs) earlier this month, warning that state-sponsored attacks on the Parliament have become more numerous and more sophisticated since its last election in 2019.

The number of cyberattacks on EU institutions "is increasing sharply," said the report, dated November 29, and the EU should prepare "to face similar threats" as politicians, parliaments and governments across Europe have faced in recent years.

The institution is also more vulnerable due to its shift to more remote work during the pandemic, it added.

Several officials and elected members involved in Parliament’s preparations against cyberattacks targeting next year’s election warned in separate conversations that the institution’s defenses were weak and could break.

“We’re standing with our bare bottoms out and if anyone wants to hack us, like any Chinese threat actor or any state actor, they can,” said a staff member at the European Parliament administration, granted anonymity due to the sensitivity of the topic.

Russian actors are lurking

A few incidents have already demonstrated that foreign states — most notably Russia — have ramped up their efforts to disrupt European politics.

This month, the United Kingdom, supported by its allies in the Five Eyes intelligence community and by EU countries, called out Russia’s Federal Security Service (FSB) for being behind "sustained, unsuccessful attempts to interfere in UK politics and democratic processes."

Earlier in November, POLITICO reported that the EU’s cyber team CERT-EU had warned that at least seven European governments had been targeted by a campaign to get access to internal systems, conducted by the Russian intelligence services’ hacking group Fancy Bear.

Pro-Russian hacktivist groups like Killnet have also plagued European governments with constant annoyances, mostly through distributed denial-of-service attacks (DDoS) bringing down online services. Last year, the European Parliament website faced a "sophisticated" attack disrupting its services moments after members voted to declare Russia a state sponsor of terrorism. Similar incidents have hit national institutions too.

With six months to go before the European Parliament election, the fear is a repeat of earlier election hacks.

Fancy Bear was behind the 2016 hack of the U.S. Democratic National Committee, which influenced the presidential race that saw Donald Trump elected as president. French President Emmanuel Macron’s campaign infrastructure also faced an incident in 2017 just days before ballots were cast. German politics was rocked by a hack in 2019 which exposed data of more than 1,000 politicians and public figures including then-Chancellor Angela Merkel; the country’s parliament was hacked by Russia’s Fancy Bear in 2015 as well.

Greg Lesnewich, a senior threat researcher at cybersecurity firm Proofpoint, said while China also presented a risk, the threat was not the same as from Russia.

“China’s attempts at influence are much more about how it is perceived, rather than doing typical Russian-style disinformation to sow distrust in whatever target country they’re operating in,” he said.

Uniquely vulnerable

The EU election — in which voters across 27 countries elect new European Parliament members — is uniquely vulnerable to attacks. In effect, the election is 27 parallel voting processes taking place at once, all with different infrastructure and protections. It could take just one successful disruption of a national electoral system to cast doubt on the entire new parliament.

Parliament’s report highlighted a range of risks: influencing public opinion on specific candidates through disinformation; cyberattacks on national voting systems; cyberattacks targeting the major political debates at EU and national level; and attacks targeting the EU Parliament’s own election night process.

At risk are internal accounts, data and correspondence of members of parliament, which can be used to pressure politicians or disrupt election campaigns. Hackers could also seek to compromise the voting, counting and information systems used in the elections to discredit or dupe results.

Compromising accounts could also help gain access to national political systems or to data on other EU institutions. “In the last two years we’ve introduced two-factor authentication between institutions,” a parliamentary assistant said. “Before you were just able to log into one institution and you could enter all others.”

One issue Parliament is grappling with is the institution’s scattered cybersecurity structures. Each political group is a little island that handles its own IT infrastructure and support. During election campaigns, national and pan-European political parties also take a more central role in coordinating the process, further complicating control and administration.

Another stumbling block is hiring cybersecurity staff. “You get roughly one staff [IT] member for every three members of the European Parliament, so smaller groups are less protected,” one Parliament official said.

Ramping up to stop the hacks

Inside Parliament, officials are in a race against time to shore up cyber defenses quickly.

The European Parliament in its report said it will hire 40 new cybersecurity experts and increase the budget of the cybersecurity directorate to €7 million in 2024 from €5 million this year, and up to €8.5 million in 2025. So far, 20 have been either recruited or offered the job.

“These posts and the planned gradual increase of the cybersecurity financial appropriations to 10 percent of the ITEC’s ICT budget by 2026 will bring Parliament’s cybersecurity capacity to the appropriate level,” reads the report.

“Cybersecurity has been one of our top priorities,” said Parliament Vice President Dita Charanzová who’s in charge of cyber and election security. “I think it’s a part of the current reality that we are all living in. We have to find a way to be prepared and to take all the preventive measures.

“I wouldn’t say that the Parliament is not doing enough,” she said.

This year, the consulting firm PricewaterhouseCoopers (PwC) performed at least one external technical penetration test on the Parliament, i.e. a security assessment of the organization’s digital perimeter. The results are strictly protected, even from DG ITEC staff, with only a few officials having access to them.

Bart Groothuis, a Dutch Liberal lawmaker and cybersecurity expert, said he’d asked for a “fully fledged third party assessment” including incident response and incident handling. “Third parties make sure that you do the right things because if you do it yourself, then politics come into play,” said Groothuis. “A third party which has no interest whatsoever has the ability to look really freely and assess what is really necessary.”

Meanwhile, the EU’s Agency for Cybersecurity (ENISA) and the Commission held an electoral training exercise in Parliament’s premises in November. That exercise gathered more than 100 participants largely from national cyber and electoral authorities, with the idea to improve countries’ responses to cyber attacks.

Parliament’s cybersecurity services plan to exercise "their highest vigilance" during the week of the European election, which will run from June 6-9 next year, the report said, and services will remain on high alert until a new EU Commission is installed, it said.

The institution already rolled out a spyware detection tool that allows members to scan their phones for known traces of intrusive software. It made the service available to all MEPs and staff, the report said.

The institution also plans to circulate “election hacking memos,” which will warn about new methods and trends which could threaten election security, and EU politicians can also rely on the CERT-EU unit for a tool that spots and flags disinformation attempts like fake social media accounts and malicious social media activity, the report added.

“People tend to wake up when they read [about hacks] in the press, but I think there is a lot that we as individuals can do on the prevention side,” said Charanzová. “We want people to be aware of the potential risks.”