Cyber Threats To Canada's Democratic Process

How The Democratic Process Is Targeted

This section details three key aspects of Canada’s democratic process and how each is vulnerable to cyber threats.

Target: Elections

  • Key threat: Prevent citizens from registering
  • Key threat: Prevent voters from voting
  • Key threat: Tamper with the election results
  • Key threat: Steal voter database

Federal, provincial/territorial, and municipal election agencies carry out elections across Canada. While the activities of these agencies will vary, every election involves these essential phases:

  1. Registering voters: Determining who is eligible to vote;
  2. Voting: Receiving, counting, and recording the votes; and
  3. Disseminating results: Informing the public of the election results.

Decades ago, elections were entirely paper-based. Today, as Figure 4 shows, there is a variety of both paper-based and electronic systems used to carry out elections in Canada. While we cannot consider the specifics of every electoral jurisdiction in Canada, what follows below is a general description of the three election phases and the ways in which they may be vulnerable to cyber threats.

 

Figure 4: Target: Elections

Government Level Voter Registry Vote Vote Count Dissemination
ResultsFootnote 6
Federal Digital Paper Paper Internet
Provincial/Territorial DigitalFootnote 1 Paper PaperFootnote 2 Internet
Municipal DigitalFootnote 3 PaperFootnote 4 PaperFootnote 5 Paper
Legend
Paper
Paper

Process is conducted using paper

Digital
Digital

Process uses electronic devices that are not regularly connected to the Internet (e.g. to scan paper ballots or to store information digitally)

Internet
Internet

Process is conducted on the Internet (e.g. online voting)

 
1:

Online voter registration is available for Alberta, British Columbia, Northwest Territories, Prince Edward Island, and Saskatchewan.

Return to footnote 1 referrer

2:

New Brunswick only.

Return to footnote 2 referrer

3:

Some municipalities across Canada offer online voter registration.

Return to footnote 3 referrer

4:

Some municipalities in Nova Scotia (36%) and Ontario (22%) use Internet voting.

Return to footnote 4 referrer

5:

Some municipalities use machines to count paper ballots; for those that use Internet voting, the count is also online.

Return to footnote 5 referrer

6:

Unofficial results are provided on election night. In most cases, election results are certified (i.e. offical results) days or weeks following election night.

Return to footnote 6 referrer

 

Registering Voters

For every election, there is a process that determines the eligibility of voters. Only those voters meeting particular criteria (e.g. minimum age and/or residency requirements) are allowed to vote. In Canada, all levels of government maintain and update voter registration lists.Endnote 6

If voter registration occurs online, adversaries could use cyber capabilities to pollute the database with fake voter records. They could also render the website inaccessible or have it display misleading information. Moreover, they could attempt to erase or encrypt the data and thereby make it unavailable.

All of this activity has the potential to embarrass the electoral agency and sow doubt in the minds of voters. It could also slow down voting, leading to voter frustration and/or suppression, which could impact election results. It is also possible that the voter database – potentially containing millions of personal identity records – could be stolen, resulting in a massive breach of privacy.

 

Voting

Voting is the process by which an eligible voter casts a ballot for a candidate. Most voting occurs on Election Day but also on advance poll dates and via absentee ballots. In Canada, voters cast their votes via three main methods: paper ballot, electronic voting machine, or the Internet.Endnote 7 After the polls close, the votes are counted and the results are tabulated. Paper ballots can be counted by hand or by using a digital vote tabulation machine. Internet votes are also tabulated digitally.

Neither digital vote tabulation nor electronic voting machines are typically connected to the Internet, but sophisticated adversaries could tamper with these machines prior to their use. For example, an adversary could cause them to improperly count ballots, or wipe all data at the end of the night. Internet voting presents many more opportunities to adversaries, who can use cyber capabilities, for example, to “stuff the ballot box” or to render the voting website inaccessible.

 

Disseminating Results

In most elections, there is more than one polling place. After the polls close, and counting at the polling stations is finished, the count totals from each polling station must be transmitted to a centralized location. In many elections, the election authority provides frequent updates of the tallies to the public via a website. The same results may be sent directly to the media. Transmitting this vote count can be done by hand, by phone, and/or by Internet. If done using the Internet, adversaries could use cyber capabilities to disrupt or change the vote results while they are in transmission.

If this tampering were discovered, and if there were robust safeguards in place (e.g. paper ballots that can be recounted), the correct results could eventually emerge. However, the delay and confusion would likely reduce the public’s trust in the process and perhaps impact the winner’s ability to govern. In the worst case, it could even lead to challenging the results of the election, sparking a democratic challenge.

 

If this tampering were not discovered, then the vote count would be covertly changed to select one candidate (or party) over another. Covertly changing election results using cyber capabilities is difficult, but not impossible, for an elite handful of adversaries. An adversary’s decision to try – as well as the odds of success – would depend on the safeguards and risk mitigation activities incorporated into the election system.