The European Union’s Parliament isn’t quite yet ready for the upcoming June election, at least not in terms of cybersecurity.
According to an internal view by the European Parliament’s IT department that was presented to key members, the election’s cybersecurity is falling short of meeting industry standards and is “not fully in-line with the threat level” that it may face from state-sponsored attacks.
The report includes a long list of risks: hackers can steal data from internal accounts and correspondence between members of Parliament to threaten politicians and influence election campaigns, on top of manipulating vote count and information systems used for the election.
Cyberattacks on EU institutions not only have become more sophisticated but have drastically grown in numbers and the EU is expected “to face similar threats,” the report by the IP department explained. The IT department also believes that the institution is more susceptible to security risk due to its transition to remote work.
“We’re standing with our bare bottoms out and if anyone wants to hack us, like any Chinese threat actor or any state actor, they can,” one staff member at the European Parliament administration told POLITICO.
The Parliament has taken measures to enhance its cybersecurity infrastructure, but it seems to be lagging behind the rapidly evolving tactics of hackers.
“In the last two years we’ve introduced two-factor authentication between institutions. Before you were just able to log into one institution and you could enter all others,” said a Parliamentary assistant.
Parliament members say one of the biggest issues the institution is currently facing is its fragmented cybersecurity setup.
The European Parliament’s cybersecurity system doesn’t have a central body overseeing its cybersecurity system and it doesn’t standardize how cybersecurity is managed across these groups. The situation becomes even more complicated during the election as in addition to the political groups with the Parliament, pan-European and national political parties become more actively involved, making it even more complex to manage and control cybersecurity.
This issue may be too complicated to tackle, for now, but the Parliament is working on its other major issue: hiring more cybersecurity experts.
“You get roughly one staff [IT] member for every three members of the European Parliament, so smaller groups are less protected,” one Parliament official said.
The Parliament plans to hire 40 cybersecurity experts. It’ll also add €7 million to its cybersecurity directorate budget in 2024, and will further increase it to €8.5 million 2025.
“Cybersecurity has been one of our top priorities. I think it’s a part of the current reality that we are all living in. We have to find a way to be prepared and to take all the preventive measures,” said Parliament Vice President Dita Charanzová. “I wouldn’t say that the Parliament is not doing enough,” she said.
In addition to performing technical penetration tests on the Parliament, the institution introduced a spyware detection tool that members can use to scan their phones for traces of malicious software. It also plans to distribute “election hacking memos,” detailing emerging techniques that might jeopardize election security.
“People tend to wake up when they read [about hacks] in the press, but I think there is a lot that we as individuals can do on the prevention side,” Charanzová said. “We want people to be aware of the potential risks.”