Turbulent times ahead? The Cyber dimensions of Colombia’s upcoming elections: Sofia Liemann Escobar

It is no surprise that in 2022 fears around cyber incidents potentially impacting elections run high. Since the 2016 interference reports against the US presidential election, concerns over cyber threats to the electoral system have been on the rise around the world. And Colombia is no different. With the legislative elections having passed in March, and the first round of the presidential elections due in May, Colombians have been seeing a stream of warnings from media outlets of possible cyber incidents.

In February, during a speech given at a Plenary Session of the European Parliament, Colombian President Iván Duque discussed the need for Colombia to “be able to protect its democracy against external influence or interference, [and] of those who intend to manipulate algorithms or those who intend to generate hatred and division”[1]. By early March the National Registrar, Alexander Vega, revealed that the National Civil Registry website had seen 400,000 cyber-attack attempts in just one week. News outlets were soon reporting that according to information provided by Colombian intelligence, the attacks were originating from countries such as Venezuela, Nicaragua, Russia and China. The first two countries have had strained relations with Colombia in recent years, whilst the latter two are geopolitical rivals of one of Colombia’s closest allies: the US.

To counter the potential threats arising for the legislative elections of the 13th of March, a unified command post was set up that would monitor electoral crimes as well as cyber incidents. 160 experts from the Police Cyber Centre were tasked to protect the National Civil Registry website as well as any other entity linked with the elections. Furthermore, a simulation was carried out a few days before the election with the aim of preparing all relevant entities to counter any cyber incident emerging on election day. The Minister of Defence, Diego Molano, explained that through this process they were able to find points of improvement and develop contingency protocols for all relevant entities if a cyber incident were to arise.

Despite such preparations, issues did emerge. Most notably, the “Infovotante” app where voters could consult the location of their voting table was not accessible for three hours on election day and the website continued to falter for the rest of the day. The National Registrar alerted the country to “growing and unusual activity” on the platform and media outlets began reporting that a cyber-attack had taken place. This was disproven by the Attorney General who stated later that their investigations suggested that the incident was not due to a criminal action but simply due to the portal’s inability to deal with a surge of demand from voters wanting to consult the location of their voting stations.

Colombian media coverage will often suggest that the main cyber threat is that of foreign actors potentially interfering and affecting the elections. However, many cyber security issues might actually be rooted in digitalising and implementing new technologies.

The other ‘side’ of cyber security

As was seen with the recent unintentional denial of service incident, sometimes cyber security is not just about deterring a malicious enemy. There are many steps that a national entity can take to ensure that its systems do not falter when they are most needed. Digitalising and embracing technology per se does not immediately translate into greater resilience and security.

Voters had already started experiencing technical issues when interacting with the National Civil Registry website. As the civil society group Fundación Karisma reported, multiple citizens in Colombia and abroad had issues registering to vote online and on the app “InfoVotantes Congreso”. This was the first time an online option to registration had been introduced in the country and was intended to facilitate the process. It was not clear to many using the online options that a biometric verification process was required once the initial registration had taken place. As a result, many people had not completed the process by the time election day came round. For others, uncertainty emerged on how the biometric verification would take place and what entity would confirm it. This meant that when individuals received a link via email or SMS, many ignored them with the suspicion that the links could be bogus. Finally, not all devices appeared to be compatible with the web page or the app, meaning that the online registration was only possible for a few. What these incidents show is that unintentionally, the voting rights of citizens were being undermined by technological and communication barriers.

A lack of integrity guarantees around the vote counting software being utilised is a lingering issue. Although national and international observers were invited to oversee some of the preparations leading up the election, greater efforts could have been made to increase transparency as well as making it easier for relevant organisations to either audit the software or have access to the final reports of the audit that the government had commissioned. Fundación Karisma presented a report following a last-minute invitation to oversee the final preparations of the counting software before the elections, where they highlighted various points that could be improved on to ensure greater trust in the electoral system. Amongst the many points of concern highlighted was that the software version that had been observed and was used for simulations was not the same as the final version that would be used on election day. Any modification made between the different versions is therefore unknown. In their electoral oversight report, the OAS makes note that on election day, the software and the user training process had not been completed. They conclude that though a formal acceptance procedure for the final software is not a legal requisite, it should nonetheless be good practice to follow.

Ultimately the real danger is that it can exacerbate societal mistrust that is already ever-present in these elections; around one million votes that had not been counted in the pre-count appeared in the official election scrutiny altering the initial results of the composition of congress. Though small differences between the pre-count and the official scrutiny are to be expected, this was the first time the difference had been as pronounced. This has set an atmosphere of conspiracy, doubt, and mistrust around the legislative and presidential elections. If further incidents in the cyber realm persist for the presidential elections in May, even if caused unintentionally, it will undermine trust in the political system of a country that has already been experiencing a growing social unrest over the past few years.

If Colombia is serious about building trust in the digital realm as was laid out in the 2020 National Cyber Security Strategy, it must be careful to not only focus on alerting its citizens of foreign threats, but to also continuously evaluate how its own digitalisation and deployment of technology can create unforeseen circumstances. Transparency surrounding the deliberations and plans of implementation of new technologies become of the utmost importance in the context of national elections. In this regard, the calls from the National Electoral Council to conduct an international audit on the counting software is a welcome development. The government should address any point or issue that can cause ambiguity and distrust through greater transparency and close collaboration with civil society and international organisations, to ensure that no actor can take advantage of an already tense and volatile situation.

[1] Own translation.