The weak link in election security: Europe’s political parties

Sam van der Staak is the head of International IDEA’s Europe programme and coauthor of ‘Cybersecurity in Elections’. 

Political parties don’t like to announce it when someone steals their playbook. So it’s not known how many times hackers have broken into computer systems at any of Europe’s hundreds of political parties. But we do know it’s happening. Parties — the keystones of our democracies — aren’t ready to defend themselves from ever-more sophisticated digital attacks, some backed by foreign governments.  

It’s time for the EU to help defend its elections by defending its political parties from cyberattack. We should provide expertise and funding to maintain firewalls that don’t break. 

The threat to our democracy is real — and growing. A 2015 hack targeted party factions in the German Bundestag. In the U.S., a Russian operative accessed then-Democratic party chair John Podesta’s computer in 2016. During the next year’s French Presidential election, Emmanuel Macron’s campaign was attacked. In 2019, a hacker penetrated the firewall at Austria’s ruling ÖVP, downloaded a terabyte of data, and then disappeared into the ether.  

The string of attacks prompted the creation of an EU-led security network for electoral commissions in 2019. But that effort focused on governments’ election systems. Political parties themselves have remained largely outside that discussion.  

As a result, political parties now represent the weak link in electoral cybersecurity — and a choice target for hackers. A candidates’ party getting hacked raises doubts about the candidate and even the integrity of an election. Discord, more than the information that’s stolen, is often the point of a hack.  

Even better for hackers, political parties sensitive to their public image can be hesitant to go public with hacks, particularly in election season. Particularly in post-communist countries like Romania, parties can be reluctant to hand over the keys to their firewalls to government specialists, who carry a legacy of snooping into party business. For their part, cybersecurity agencies aren’t volunteering either, already busy maintaining firewalls around state institutions like electoral commissions, parliaments and ministries.  

That’s the dilemma: Governments won’t provide the requisite expertise, and European political parties won’t buy it themselves — or can’t. Investing in cyber defense means spending money most parties would rather spend on campaigns. Digital security’s high price tag also means it’s out of reach for all but the wealthiest, largest parties.  

Even so, the considerable costs of cyber protection often outweigh the risk of being hacked. The solution to the dilemma is for Europe to step in. European Commissioner Věra Jourová can break this deadlock by proposing EU funding for the cyber protection of European political parties.  

Funds would be earmarked for cybersecurity audits, extra digital protection, and cybersecurity training. Expertise would only be purchased from an approved roster of vetted cybersecurity companies, with disbursement of funds tied to a demonstrated clean “bill of cyber health.”  

To be sure, any proposal from the European Commission would have to overcome skepticism over spending more public money on political parties, traditionally the least trusted institutions in any democracy. The Commission would also face practical questions: over the amount of funding necessary to ensure cybersecurity, and about whether support should go just to parties scoring above a certain electoral threshold or to smaller parties with fewer resources.  

The ongoing consultation by the Commission on the funding of European political parties provides an opportunity to reach consensus on each of these dilemmas. The incidents of recent years have demonstrated that foreign hacking is not only a threat to European political parties but by extension to European democracy. Commissioner Jourová would do well to counter that threat via cyberfunding for European political parties.  

In most European countries, parties must already demonstrate solvency and democratic practices to qualify for public funds. Digital security should become a similar quid-pro-quo, and Europe should help ensure it, for the good of its democracies.