Taaha Rauf has completed his A levels from Roots International School. During his gap year, he decided to write his research paper on the possible use of EVMs (electronic voting machines) in the 2023 general elections of Pakistan and the cyber threats posed by them.
In the 21st century, technology has influenced every individual’s life. As of January 2021, there are 61.34 million internet users in Pakistan, out of which a whopping 43.00 million people are present on some form of social media platform (Kemp, 2021). With the voter turnout being only 53.12 million in the 2018 general elections of Pakistan, It would be naive to turn a blind eye to the influence of technology and cyber attacks on democratic systems and voters’ attitudes in elections.
Cyber attacks on Pakistan in the form of fake news and propaganda, by both internal and external forces, may drastically change the election results by shaping narratives that are favorable for them. As Pakistan progresses towards becoming an increasingly democratic state, lawmakers and stakeholders look for solutions that would make the democratic process fairer and efficient. This paper discusses the possible use of EVMs (electronic voting machines) in the upcoming general elections of 2023 and the cyber threats it poses.
Furthermore, it looks at the potential ways democracy in Pakistan can be challenged by cyber warfare from enemy states by looking at similar cyber attacks from the past. By using different countries as case studies, this document dives deep into what has worked and discusses recommendations based on these case studies for Pakistan’s upcoming elections.
By definition, propaganda means, “information, especially of a biased or misleading nature, used to promote a political cause or point of view.” Propaganda via fake news and misinformation is a weapon long known to mankind. From Nazi Germany’s use of newspapers to Britain’s use of airborne pamphlets, the means of spreading propaganda has evolved drastically. With the dawn of social media platforms such as Facebook, Instagram, and Twitter, spreading false information is now just a few clicks away.
In a physical world, we are often told to always carry our IDs on ourselves to prove our identity when required, however, this is not the case online. Creating an account on online platforms, such as those mentioned before, is just as easy as thinking of a fake name. A single person can have multiple identities over the internet, all of them with different names, addresses, and, most importantly, ideologies.
This can be exploited by anyone, be it an individual working only to convince his office colleagues or a government-backed organization to compromise an election campaign with malicious intent. The use of social media to sway opinions is now an old marketing tactic, but the use of false information to change political stances and radicalize the masses is unethical and should be illegal by Pakistan’s Penal Code.
Cyber Threats In The Past
Cambridge Analytica (2016)
Perhaps the most important example of how social media can be used to swing opinions in an election is the Cambridge Analytica scandal. In the 2016 US presidential elections, Cambridge Analytica—a data intelligence and analytics company—used Facebook to influence voters’ opinions. Initially, Cambridge Analytica paid approximately 32,000 US voters to take a survey that was based on the OCEAN model (openness to experience, conscientiousness, extraversion, agreeableness, and neuroticism) to trace out their personality traits and political opinions.
More importantly, Cambridge Analytica required them to log in to their Facebook accounts before paying them. What this essentially did was create specific profiles for every user that took the survey and linked it with their personality traits or political opinions. Another catch to this was that it also collected information of the users’ friends and their activities on Facebook, such as likes, comments, etc. They then linked this data with the psychology quiz to see if there were patterns.
With this large set of information about individual users and their psychological preferences, Cambridge Analytica was able to target about 2 million people in 11 states with highly personalized advertisements (Hern, 2018). This meant that people could be individually targeted with specific ads, gaming their psychology and hence, convincing them for or against a certain opinion.
This proves that social media, without appropriate checks and balances, can be used as a powerful weapon to sway the opinion of the masses. With ever-increasing access to the internet and social media platforms, such a weapon can be used against the state of Pakistan and also harm any upcoming elections.
In 2020, a group of 17 media outlets, including The Guardian and The Washington Post, in a collaboration with Amnesty International and Forbidden Stories began investigating an Israeli company, NSO Group. The findings exposed that the NSO Group sold a software called Pegasus, to its clients which could be used to attack mobile phones and extract sensitive data, such as emails, messages, or photos, from it.
Pegasus spyware could easily be infected into any user’s phone by exploiting “zero-day vulnerabilities”, which means exploiting vulnerabilities that are unknown to system software developers as of yet. Furthermore, phones could be infected without having the victim take an action such as clicking a link or entering a password (Tanvir, 2021).
According to Amnesty International’s CyberSecurity Labs, forensic evidence showed that some of the iPhones were hacked as recently as July of 2021. Surprisingly enough, the findings reported that NSO’s clients were government agencies and a leaked list of 50,000 phone numbers of potentially hacked mobile phones contained numbers of important personalities, including prime ministers, human rights activists, and journalists, etc. (Pegg & Cutler, 2021).
The list contained names of relatives of important journalists such as Jammal Khashoggi, who was murdered in Turkey. More importantly for Pakistan, one of the NSO’s clients was India and according to The Washington Post, the list contained a phone number previously used by Prime Minister Imran Khan (Tanvir, 2021).
There may be several cyberintelligence companies out there, making cyber technology exploit important members in democratic systems i.e politicians, journalists, or heads of states. This technology, if used with a malicious intention, can severely harm any democratic process and raise lots of questions about its integrity and authenticity.
Federal Board of Revenue Hack
Very recently, Pakistan’s Federal Board of Revenue (FBR), overlooking tax and revenue collection, was hacked, taking down all of its websites for 72 hours (Zainab, 2021). Hackers were able to hack Pakistan’s largest data center, taking down 360 virtual machines used by FBR, which is almost half the amount the board uses.
Multiple reports surfaced regarding the details of the hack. FBR’s technical wing said that hackers used a vulnerable link of Hyper V link software to get into the system, another source says that the login IDs and passwords of data administrators were stolen. The chairman of FBR, Shaukat Tarin, later confirmed that Indian hackers had access to taxpayer data for up to 7 days.
Months have gone by and the FBR has still not been able to release information regarding what data was hacked and if changes were made to the records in the taxpayers’ database (Rana, 2021). This hack is a very important example of how vulnerable the government institutions in Pakistan are right now. The institutions are rapidly digitalizing—the cabinet is going paperless and using digital tablets for its meetings instead—but are very slow in securing their digital developments (“PM Khan Holds Paperless Cabinet Meeting,” 2021).
In fact, according to a 2019 World Bank report, the “ICT hardware used by the FBR has already reached its end-of-life, resulting in risks of critical system failure and disruption of operations,” and later in 2021, Pakistan saw these cyber attacks. These vulnerabilities pose a major risk to the very institutions that are the pillars of the political system in Pakistan.
Case Studies Of Countries with Existing EVM Structure
United States Of America
The USA has a diverse electoral structure, there are several thousand independent organizations that work on both the local and state level to make sure that elections are transparent and more accessible to local communities. These organizations work in accordance with local jurisdictions. At the federal level, the EAC (Elections Assistance Commission) exists to build voter confidence and oversee elections in states as a part of the Council Of State Governments.
The EAC also manages the national voter registration form. In 2002, investments for the use of technology in elections increased because of the Help America Vote Act. Almost two decades later, the technology that was deployed is now getting older and hence, prone to hackers. There is a dire need to update the technologies because of the increasing amounts of exploits being discovered by hackers around the world every minute.
The main concern of the US is not the hacking of the EVMs but it is the hacking or manipulation of databases that store voter registration IDs and other similar important data, as this data is always online. According to the US constitution, the guarantee of freedom of speech means that the government cannot control social media platforms, however, the government is in close partnership with major social media platforms, such as Facebook and Google, so they can self-regulate and block disinformation campaigns pre and post-elections.
Furthermore, the government uses EAC to make sure that there is an intense level of interagency collaboration. The EAC makes sure that all relevant and important government departments are in collaboration with local and state-level organizations. When institutions such as the Department of Homeland Security and National Institute of Standards and Technology partner with local bodies they exchange resources—such as training for staff to protect the polling areas from cyber attacks, information regarding possible threats, and training staff for different scenarios.
This helps all election bodies to protect themselves from threats that could otherwise invalidate the election results. Moreover, the government also seeks help from the private sector and legitimized companies, to develop and test new technology that can be deployed during elections. This type of coordination occurs at two mayoral forums – the Elections Government Sector Coordination Council and the Sector Coordinating Council – both of which are set up by the EAC and meet on a regular basis.
Australia’s election process contains several uses of technology, including data transmission and tabulation, ballot scanners, and a voter registration system. This means that the system is vulnerable to malicious attacks or sometimes errors that may potentially cause damage to the electoral results.
However, the Australian Government gives very high priority to its cybersecurity policies and has set strict standards and policies for protecting its IT systems. These policies apply to other government entities as well, ensuring that the democratic system of Australia is not harmed. Australia set up an Electoral Integrity Task Force in 2018 to conduct risk assessments, ensure information collaboration, and advise the government to make necessary changes to protect its electoral process.
Calls for regular cyber-related health checks of all electoral commissions have been voiced in the Council of Australian Governments. The Australian Electoral Commission (AEC) is in regular communication with social media platforms to spread information about election policies and measures to the Australian public. The AEC uses these platforms to counter disinformation campaigns as well.
Perhaps the most similar electoral structure to Pakistan’s election system is that of the United Kingdom. Most of the UK elections are run locally by independent returning officers, and hence, completely manual. The manual nature of the election makes it secure from most major cyber threats. However, this does not protect it from digital disinformation campaigns that can target individual politicians, political parties, or even the election itself.
There is evidence of widespread unlawful marketing campaigns over social media before the European Union (EU) referendum of 2016. The UK fined Facebook for not protecting its citizens’ data from being harvested for political gains. Two significantly large parties, Leave.EU and Vote Leave, were also fined for unlawful marketing tactics.
However, whether or not these tactics are the major reason why the referendum results favored Brexit varies on who you ask, but they certainly did have an effect. The UK Electoral Commission and National Cyber Security Centre collaborate frequently to educate political parties, stakeholders, and other important individuals against possible cyber threats such as phishing and inform them about the best practices to follow.
Canada’s election system is also largely paper-based and is mostly a manual process. However, it does use technology for several different election-related purposes such as voter registrations and online real-time result reporting. Even though these applications can pose major cyber threats as well, the most significant attack on Canada’s electoral process was the 2011 Robocall incident in which thousands of voters were falsely told via automated phone messages that their voting stations had been changed before the elections.
Canada’s government has taken significant measures ever since to combat such cyber attacks, these include the creation of Canada’s Centre for CyberSecurity. Canada uses inter-agency collaborations to brief political parties, individuals, and stakeholders about the possible threats to elections. It also works to establish relationships with social media companies to tackle disinformation campaigns and false propaganda.
Furthermore, it passed the Critical Election Incident Protocol according to which five senior public servants would make decisions, after assessing events going on during the campaigning period with the help of national security agencies, to launch an information campaign to inform the public.
Pakistan’s Present Infrastructure
Even though the current government of Pakistan is aiming to deploy EVMs at the upcoming general elections of 2023, present elections in Pakistan are a manual process. Ballot papers are used to cast votes which are manually counted under the supervision of independent officers. However, the use of technology is abundant even in the present electoral structure due to the use of the Results Transmission System (RTS) and electronic voter registration.
Along with the unreliability of RTS, such as in the general elections of 2018, when the RTS system simply just collapsed, Pakistan faces several other cybersecurity threats as explained before in this paper. To address these cyber security concerns, several acts have been passed such as the Prevention of Electronic Crime Act (PECA) 2016, and the only selective response team – the Cyber Security Incident Response Teams (CSIRTs) – has been established.
Pakistan is looking forward to passing the National Cyber Security Policy (Ali, 2021). Due to lack of development in the ICT (information and communications technology) industry, Pakistan relies heavily on imported hardware, software, and services which makes essential sectors in Pakistan vulnerable to foreign cyber attacks and data breaches.
How Can Pakistan Counter the Cyber Threats to EVMs
Policy and implementation are the two factors that must be considered in order to amend the cyber landscape of Pakistan and prevent cyber attacks against it, making it up to internationally accepted standards. Making the right policies and implementing them with brute force is essential to maintain the integrity of democratic institutions in Pakistan.
Very recently, Pakistan Tehreek-e-Insaf’s (PTI) government approved the National Cyber Security Policy which can be considered as one of the largest leaps towards a secure digital Pakistan. According to the policy, cyber attacks on the cyberspace of Pakistan would be considered an attack on national sovereignty, and the government of Pakistan would retaliate on a state level.
The policy also emphasizes public-private partnerships for development in the IT sector along with an increase in research and development. The policy calls for information campaigns regarding online security and developing trust amongst citizens for the use of online technologies. However, this policy needs further additions to bolster Pakistan’s growth as a cyber-secure nation.
1. Social Media
Pakistan needs to create concrete legislation regarding disinformation campaigns and propaganda using social media platforms. There is an essential need to partner with major social media platforms, such as Facebook and Twitter, to thwart any campaign that promotes false narratives and anti-state agendas based on false information.
Social media platforms should be pushed to extensively fact-check content on their platforms and penalized if found guilty or otherwise. These platforms have a large user-base from Pakistan making it absolutely necessary to curb fake news, especially during election periods. The use of machine learning and natural language processing can help recognize the sources of fake news and can, hence, be used to effectively counter such propaganda (Boudourides, 2018).
2. Inter-agency Collaboration
One of the most important practices that need to be adopted is inter-agency collaboration. As the National Cyber Security Policy now recognizes cyber attacks as threats to the sovereignty of Pakistan, it needs to be treated as such. Collaboration between important ministries and organizations, such as the Ministry of Defence and the Election Commission of Pakistan, on a regular basis, is important to make sure any possible threat is circulated on time to prevent cyber attacks.
Other government institutions and banks should collaborate and share information, training sessions, and seminars to stay up to date on modern security standards. There should be regular joint risk assessment exercises along with expert opinions to counter those risks (Baloch, 2021). Effective communication channels, roles, and leadership must be established to ensure such inter-agency collaboration.
3. Public Information Campaigns
To maintain public trust and to make sure false information narratives are effectively countered, Pakistan’s government should use all media channels (social, electronic, and print media) to spread accurate information regarding important events in the country. Proper channeling of important information, such as election results or election updates, would ensure that people are aware of their democratic rights and undo uncertainty during election periods.
This will result in a decrease in public distrust and an increase in voter turnout. The government of Pakistan should also use social network analysis to identify sources of false propaganda that could be damaging during the election periods.
4. Electronic Voting Machines (EVMs)
As Pakistan advances towards the general elections and PTI’s government pushes towards the use of EVMs, effective testing of these machines needs to be carried out. Election officers need to be extensively trained. Exercises, where cyber attacks are simulated on the EVMs, should be held to test the readiness of the election officers in constituencies all across Pakistan.
As a backup of electronic data, a paper trail of votes should exist so that in case of a severe cyberattack, votes can be recounted using the physical ballot papers. Extensive testing of the machines which includes testing with extreme data sets should be regularly held to make sure that the EVMs do not crash on election day. Furthermore, such EVMs should be, by law, regularly updated to fill in any loopholes left behind by out-of-date software or hardware.
- Ali, K. (2021). Cabinet gives the green light to cyber security policy. Dawn. https://www.dawn.com/news/1637334.
- Boudourides, M. (2018). The Twitter network of the february-march 2018 UCU mobilization. Medium, https://medium.com/@mosabou/the-twitter-network-of-the-february-march-2018-ucu-mobilization-7c81e57a2874.
- Baloch, R. (2021). Cyber warfare trends, tactics and strategies: Lessons for Pakistan. Journal of Development, Policy, Research and Study, 3 & 4. https://sdpi.org/journal/controlpanel/assets/lib/uploads/1608131701490723.pdf?fbclid=IwAR22HK5_y-bsPiyfpIu-VE4ClGGPqNbA9zcjeJYviivQOa-oWACRR8xoEnA.
- Hern, A. (2018). Cambridge Analytica: How did it turn clicks into votes?. The Guardian. https://www.theguardian.com/news/2018/may/06/cambridge-analytica-how-turn-clicks-into-votes-christopher-wylie.
- In a first PM Khan holds paperless cabinet meeting. (2021). Global Village Space. https://www.globalvillagespace.com/pakistans-government-takes-first-step-to-going-paperless/.
- Kemp, S. (2021). Digital in Pakistan: All the statistics you need in 2021. DataReportal. https://datareportal.com/reports/digital-2021-pakistan.
- Pegg, D., & Sam C. (2021). What is Pegasus spyware and how does it hack phones?. The Guardian. July 18, 2021. https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones.
- Rana, S. (2021). Neglect caused FBR cyber-attack. Tribune. https://tribune.com.pk/story/2316604/neglect-caused-fbr-cyber-attack.
- Tanvir, M.H. (2021). What is pegasus spyware and how will it change cyberwarfare? Paradigm Shift. https://www.paradigmshift.com.pk/what-is-pegasus-spyware/.
- Zainab, F. (2021). Pakistan’s Federal Board of Revenue (FBR) under cyber attack. Global Village Space. https://www.globalvillagespace.com/pakistans-federal-board-of-revenue-fbr-under-cyber-attack/.
If you want to submit your articles and/or research papers, please check the Submissions page.
The views and opinions expressed in this article/paper are the author’s own and do not necessarily reflect the editorial position of Paradigm Shift.