ELD releases updated advisory on mitigating cyber-security risks in elections
ELD noted that there have been reports of cyber attacks in several countries, where a variety of techniques were used to target political parties and figures.
SINGAPORE - With election campaign activities increasingly being conducted online, the Elections Department (ELD) has issued an advisory to candidates and political parties on potential cyberthreats, and the preventive measures they can take.
This is to mitigate the risk of cyber incidents disrupting their activities, said ELD in an advisory posted on its website on Monday.
“While the transition online has made it more convenient for candidates and political parties to increase their reach to the voters, the information technology systems underpinning such activities are susceptible to cyber attacks,” it added.
Examples of online campaign activities range from holding online rallies on social media platforms like Facebook, to organising question-and-answer sessions on videoconference platforms like Zoom.
This is not the first time the ELD has published an advisory relating to cyber-security issues and elections. It also did so in 2020.
The latest advisory includes more details on potential cyberthreats, and puts forth more suggestions of the precautionary measures to take.
ELD said in the advisory that to ensure all online campaign activities are protected from cyberthreats, candidates and political parties should take appropriate precautionary measures to protect their digital assets.
It noted that there have been reports of cyber attacks in several countries, where a variety of techniques were used to target political parties, elected parliamentarians and election candidates.
These attacks may be part of a wider intent to influence voters, undermine public confidence in the election process or disrupt campaign efforts, it said.
Potential cyberthreats include data theft or breaches, website defacement, distributed denial of service, ransomware, exploitation of vulnerabilities in IT systems, compromised or fake social media accounts, insider threats and social engineering attacks like phishing, vishing (voice phishing) or baiting.
If candidates, political parties or campaign staff suspect that a cyber-security incident may have occurred, a police report should be lodged immediately, said ELD.
They should also keep the department informed.
Precautionary measures
ELD said candidates and political parties should appoint a responsible person to take charge of their campaign’s cyber-security matters. They should also consider engaging a cyber-security vendor to review and manage the cyber-security posture of the election campaign systems, and respond to any related incident.
There should be strict access control established, such as who has administrator and remote access privileges to digital assets.
There should also be a whitelist of applications allowed to run on devices used for campaign purposes, especially those containing or processing sensitive data.
Accounts related to the campaign should have minimum password length and complexity requirements instituted, and have multi-factor authentication implemented.
Other measures proposed include regular software updates, regular backups of important data, and raising cyber-security awareness among campaign staff.
Candidates and political parties should also develop cyber-security monitoring capabilities to detect breaches or attempts to breach, as well as develop a plan for what happens when a cyber security-related incident occurs.
Personal data protection
Separately, ELD also revised its advisory guidelines on the application of the Personal Data Protection Act (PDPA) to election activities, and put them up on its website last Friday.
The guidelines were first issued in August 2017. The Act, which was implemented in 2012, governs the collection, use and disclosure of individuals’ personal data by organisations.
Changes to the guidelines include more details of the obligations under the PDPA’s Data Protection Provisions that parties and candidates are required to comply with.
For example, under the transfer limitation obligation, political parties and candidates must not transfer personal data to a country or territory outside Singapore, unless they have ensured that there are legally enforceable obligations that the data will be accorded a standard of protection comparable to the PDPA, among other conditions.
Under the data breach notification obligation, political parties and candidates must also assess whether a data breach could cause significant harm to those affected, and notify them as well as the Personal Data Protection Commission where needed.
This could be cases where personal data such as full names or NRIC numbers, together with information such as passwords or credit card details, is breached.
The commission must also be notified if the breach is of a significant scale, with more than 500 individuals’ data involved.
For example, a political party may discover unauthorised access to its volunteer database, with the full names and personal contact details of 500 volunteers stolen.
As the data breach involves only the volunteers’ full names and contact details, it is not deemed to have resulted in significant harm to the individuals. The party is not required to notify the affected volunteers of the breach.
However, it must still notify the commission as it affected at least 500 individuals.

