French presidential elections 2022: What are the cyber risks?

The presidential elections in France are approaching, and with them the cyber risk.

Tomorrow’s targets will be public-sector bodies such as town halls and prefectures, but also political parties and service providers.

We can expect direct attacks on infrastructure, denial-of-service attempts, and data theft from the sites of political parties, polling institutes…

Finally, we must not forget a new and increasingly frequent threat: disinformation, which affects the credibility of candidates and can influence votes.

In a context where attacks will continue to increase, it is strategic to measure the risks and to opt for a preventive approach.

Cyber risks will play an increasingly important role in upcoming elections

What are the risks?

Technical attacks

Examples from around the world

  1. This type of attack is not new: Estonia already suffered from one in 2007. It was the first cyber attack (DDoS) targeting a state structure related to a diplomatic dispute. The main websites were blocked.
  2. Georgia followed with another series of attacks, first in 2008 and then in 2019, targeting 2,000 websites belonging to the presidency, courts, and some media.
  3. Unfortunately, cybercriminals have a lot of resources, as most of the violations are financed by states. Tomorrow, France could thus suffer the same types of attacks as Ukraine does today. These attacks are not part of an electoral campaign, but they could be perfectly adapted to this context.
  4. The United States has also been confronted with these problems, particularly during the presidential campaign of 2016. Indeed, on July 22, WikiLeaks revealed that nearly 20,000 email accounts of seven officials of Hillary Clinton’s Democratic Party had been hacked.
  5. Emennet Pasargad, a cyber security and intelligence firm based in Iran, conducted a campaign to interfere in the 2020 U.S. presidential election. They reportedly sent intimidating emails, disinformation videos, and hacked into media company websites.

Examples in France

  1. In France in 2017, we can cite the MacronLeaks, where tens of thousands of documents (internal discussions of the movement, photos, invoices, and a total of 70,663 emails attributed to the campaign team of Emmanuel Macron) were leaked on the American forum 4chan.
  2. Another example: during the municipal elections in 2020, the city of Marseille and Aix-Marseille-Provence were paralyzed by a virus, blocking the electoral lists.
  3. A few weeks before the presidential elections, infiltration attempts were spotted in town halls in France. The attacker posed as a user requesting documents such as death certificates, birth certificates, etc. by e-mail, and attached a malicious file to the message.

The ANSSI had anticipated this scheme and prevented the attack from becoming more widespread. Nevertheless, this destabilization attempt did take place, and we can obviously expect it to happen again in the weeks or months to come.

Voting in France is still mostly on paper, not digitalized. The digital part comes into play in the collection of results, the dissemination of polls, and so on. An attack would therefore be more easily “controllable” and visible. The risk lies more in destabilization during campaigns.

Risk of disinformation

In addition to these purely technical attacks, one should also expect disinformation campaigns or deepfakes (sophisticated and misleading videos).

  1. In India, in February 2020, a candidate in a local election used this new technique to promote his candidacy and influence his future voters.
  2. The troll factory in Russia called the Internet Research Agency was created for one purpose only: to destabilize by spreading false information, rumors, etc.

The impact of deepfakes should not be ignored. Until now, deepfakes have not really touched politics, except in a satirical way, and have not yet been perfect, but they are gaining greatly in realism. This new source of threat should not be neglected.

Indeed, this new technology can be used to create false information, change public opinion, spread rumors, and thus change the decisions of future voters.

  1. In 2017, we remember this video showing Emmanuel Macron washing his hands, supposedly after greeting workers at the Whirlpool factory, when it was a video following his meeting with eel fishermen in the Hérault part of France. This may seem trivial, but the impact of such a video can be significant in the context of elections and compromise the image of a candidate.

What are the solutions?

At the international level

Governments have understood the stakes of the new cyberwarfare, especially during election campaigns since the incidents in the United States. It is understood that rival countries will use their intelligence services to obtain information on candidates.

Platforms such as Facebook and Twitter are stepping up their efforts to prevent these manipulation campaigns.

A growing number of organizations conduct fact-checking. We see more and more of them in newspapers, on social networks, etc.

But this fight must consider questions of legislation: the right to image, censorship…

At the national level

Here are 4 national initiatives:

  • Viginum, the vigilance and protection service against foreign digital interference, was created in 2021 for this purpose.
  • The “anti-fake news law”, which makes it possible to react to disinformation during election campaigns.
  • “The Lights in the Digital Age”, a commission created by E. Macron that aims to fight against the disseminators of hate and disinformation.
  • The establishment of the CNCCEP in order to reinforce the legal security of the presidential election. Thus, in case of a major attack, the ANSSI will second staff to investigate and watch over the country’s security on a daily basis.

So, solutions do exist at the state level, but what about the political party level? This is where the question remains. It is difficult for some parties to protect themselves from all these threats, which requires a budget and a structure that not all of them have. It is worth noting that a budget of 1 billion euros has been released to strengthen cyber security in France. Most political parties have understood the stakes and the cyber risk and are limiting the attack surface as much as possible. Activists are more and more aware of the cyber risk: they favor multi-factor authentication, are alert to phishing, prefer secure communications such as Signal, etc.

Action is also being taken for security at the European level. The “Network and information security” (NIS) directive has been put in place for this purpose. It concerns, among other things, the computer security of “essential service operators” (OSE) and the cooperation between member states in case of cyber attacks (NIS has created the CSIRTs Network).

Security basics should be applied such as:

  1. Securing accounts.
  2. Making sure you have reliable technologies protecting party sites, communications, and data exchange. Tools like TEHTRIS’ EDR technology or MTD are specifically designed for endpoint security. EDR detects and neutralizes threats in real time and without human action, while MTD technology protects the mobile fleet and scans applications. These types of tools are an essential part of an overall zero-trust strategy.
  3. Strengthening partnerships with fact-checking media.
  4. Remaining constantly on the lookout for any inconsistent publications, videos, etc.
  5. Finally, the CNIL proposes 6 reflexes to adopt during election campaigns:

[1] National Commission for the Control of the Electoral Campaign for the Election of the President of the Republic

[2] The National Agency for Security and Information Systems

[3] National Commission for Information Technology and Civil Liberties