France takes steps to prevent an election hack attack

Electronic Voting

Electronic Voting

Alarmed by allegations of Russian meddling in the 2016 US presidential race, French authorities have warned political parties against the threat of cyber attacks as the country prepares to elect a new president in May.

A US president-elect who may be compromised by a foreign power. A presidential election marred by cyber attacks, leaks and interference. An incoming head of state in open disagreement with his intelligence agencies.

Donald Trump’s tumultuous transition to power in the United States is everything French authorities hope to avoid ahead of the country’s own presidential elections in May. With five months to go, the National Agency for the Security of Information Systems (L’Agence nationale de la sécurité des systèmes d’information or ANSSI) has been forced to learn some valuable lessons from the United States.

“We’re clearly not up against people who are throwing punches just to see what happens. There’s a real strategy that includes cyber [attacks], interference and leaked information… These are people whom we’re obviously following closely. Even if we can’t be sure that they’re the same, they’re attackers who regularly come knocking on our ministers’ doors,” ANSSI Director Guillaume Poupard told FRANCE 24.

Political parties in the crosshairs

In France as in the United States, political parties, communication teams and campaign staff are particularly vulnerable to hackers.

“We help [identify] attack methods that are already being used in industrial espionage. It’s even easier to obtain organisational charts or the identities of officials and their underlings from political parties – there’s much more of a pronounced human-communication component. Political parties also organise more public events, where they might fall victim to mobile phone or computer theft,” said Cyrille Barthélémy, CEO of the French cyber security company Intrinsec.

The devastating attack on the Democratic National Committee (DNC) in the United States began with a massive phishing campaign – a technique that allows hackers to steal personal data by sending fraudulent emails purporting to be from trustworthy sources. After opening the email, victims are often directed to a fake log-in page, where they are asked to enter their usernames and passwords.

This information can then be used to identify people close to the victim, steal his or her identity, or access the holy grail of hacking: an official’s personal email account. The goal is to reach as far as possible into the victim’s life in order to find information that can be used to compromise him or her. The email accounts of campaign staff might also be targeted for website log-in information, or username and passwords to accounts on social media such as Twitter and Facebook.

Mounting threat of cyber attacks

While tactics used by hackers haven’t changed much over time, the threat of cyber attacks has increased tenfold. Instead of a lonely, acne-ridden teenager holed up in his parent’s garage – the stereotype of a hacker – there are now legions of programmers. According to US intelligence chiefs, the attack on the DNC was carried out by individuals trained, financed and supervised by Russia’s foreign intelligence service, the GRU.

“It’s pretty serious, because on one side there are strong attackers, while on the other, there are political parties. Fundamentally, political parties, like small and medium-size businesses … are not equipped to deal with the situation alone,” Poupard said.

For the moment, all ANSSI can do is teach political parties how to protect themselves and advise them to seek outside expertise from a list of pre-approved companies. The agency also organised a symposium in October 2016 for French and European parliamentary political parties on the importance of strengthening cyber security.

The opaque world of cyber security

Because of the opaque nature of cyber security, there is very little information available about past or ongoing attacks. ANSSI refuses to divulge any information about breaches. But political parties have made no secret that it is an issue of deep concern.

“We’ve haven’t changed anything in our approach, because we’ve always been very vigilant of the potential risks, and have taken steps to guard against threats,” Gaëtan Bertrand, head of far-right presidential candidate Marine Le Pen’s digital team, told FRANCE 24 in an email.

In a recent interview with French weekly Le Journal du Dimanche, the conservative Les Républicains party (formerly the UMP) said that the cyber attack in the US presidential race “didn’t really come as a surprise”. The party added that it had reinforced security at its offices to protect against hacking.

Although many parties say they’ve been targeted by attempted attacks, only independent candidate and former economy minister Emmanuel Macron’s political movement, En Marche, has admitted to having been successfully hacked in recent weeks.

“We experienced a digital attack on our website during the month of October. It took us at least one full night of work to repair the damage. We won’t go into detail, but we take digital security very seriously,” an En Marche spokeswoman said.

Crisis communication

From the first revelations of hacking at the DNC in September to this month’s US intelligence report blaming Russia, the cyber attack has acted as a slow, corrosive poison that has undermined the foundations of American democracy.

It’s a nightmare scenario that French authorities are determined to avoid.

“If it happened in France and stolen information was revealed, I think we would intervene very quickly to explain what could have happened and to warn that the divulged information may not necessarily be accurate, so as to avoid the situation getting out of hand,” Poupard said.

“It wasn’t very natural for American intelligence agencies to communicate to the broader public. It’s not easy for them, they can’t say much without running the risk of revealing how they obtained their information … In France, ANSSI can speak pretty freely and there’s no conflict of interest because we’re not an intelligence service,” he added.

But ANSSI’s greater ability to communicate in a crisis doesn’t mean they’ll be able to determine who’s behind an attack on their own. According to cyber security experts, it’s almost impossible to pin down a suspect without the help of governmental intelligence agencies and police investigators.

And that means that assigning blame for an attack is, ultimately, a political decision.