Communicating and Storing Data Securely

Digital Parliaments (e-Parliament)

As a parliament, it is important to pay particular attention to the communications and operational security policies of your most essential functions, including those that occur online and in the digital space. Whether your parliament is considering a full “e-Parliament” system that can digitize everything from the drafting of bills through debate and electronic voting (such as Nextsense, Propylon, or Granicus to name a few examples), or you are using simpler, less-expensive tools to facilitate your parliamentary operations, it is essential to consider how any tool (or tools) and process (or processes) take into account the security, integrity, and availability of information.

Security and Digital Parliaments

As evidenced by a series of incidents in South Africa, the transition of parliamentary operations to the digital world necessitates attention to cybersecurity to avoid not just the loss or theft of sensitive data, but also potential embarrassment, insult, and harm to members and staff. In May 2020, pornographic images popped up a few minutes before the start of a virtual meeting of the country’s National Assembly. Following the display of the offensive images, the “hacker” or “zoom bomber” then hurled sexist and racial insults at the speaker of the assembly who was hosting the session, forcing the meeting to adjourn. A similar incident occurred a month prior when a meeting chaired by the minister of women, youth and persons with disabilities was disrupted with pornographic images.

Remote Plenary Sessions and Committee Meetings

Chief among those processes are the plenary sessions and committee meetings. These sessions and the conversations, decisions, and votes that occur within them are at the core of much of your parliament’s work and as such can be a particular target for adversaries. In a modern, pandemic-impacted world, such sessions and meetings are taking place in increasingly diverse ways depending upon your country’s context: in person, completely online, or in a “hybrid” fashion.

As outlined in the House Democracy Partnership’s recent Parliaments Responding to a Pandemic guide, the typical parliamentary debate structure is different from a normal conference discussion or standard organizational meeting. Needs for remote voting, the submission of official proposals and amendments, structured debate, and even simultaneous interpretation to ensure inclusion of all constituencies often require additional features not found in most standard technology solutions. As a result, when hosting a virtual or hybrid session, it is likely that your parliament will need to develop (or already has developed) custom software, or purchase expensive enterprise solutions (such as Cisco’s Webex Legislate) designed specifically to manage parliamentary sessions remotely. Whatever option your parliament chooses, it is important to give thought, as outlined in the Parliaments Responding to a Pandemic guide, to how all members and staff will be able to access such a system. It’s also crucial to ensure such a system is properly secured.

When building and implementing technical solutions for parliamentary sessions, it’s important to ensure basic security fundamentals are in place. These include steps to ensure that data is secured “at rest” within the system itself, that it is properly encrypted while in transit, and that only authorized users are able to access the system. There are many approaches that can be taken to ensure such security, including many of the fundamentals outlined throughout the rest of this Handbook. Helpful steps include end-to-end encryption on any data sharing and communications systems used; strong password and two-factor authentication requirements and/or IP address restriction for users to access such systems (unless they are intended to be open to the public); the requirement of virtual private networks (which will be discussed later in the Handbook); and the limitation of access to only trusted, clean devices.

Remote Voting

The need for robust security is perhaps most critical when dealing with remote voting. As the aforementioned Parliaments Responding to a Pandemic guide highlights, MPs are elected to parliament for the specific purpose of voting on behalf of their constituents. The ability to trust and verify these votes is crucial not only to the functioning of your parliament itself but to the democratic system as a whole. Such votes are relatively easily verified when an MP votes in person, but when participating virtually, technical authentication becomes a greater challenge that requires significant care and focus. As outlined in expert testimony given to the Canadian House of Commons’ Standing Committee on Procedure and House Affairs, parliaments typically choose one of four options for remote voting:

  • Email voting: where members receive a ballot form electronically and submit their vote via email. This option is generally considered insecure, in part due to its lack of end-to-end encryption, and should be avoided.
  • Web-based voting: where members access and cast ballots via a website on either a computer or mobile phone. This approach requires investment in secure infrastructure, including secured devices with strong authentication controls as mentioned above.
  • Application-based voting: where members download an application to access and cast ballots. Similar to web-based voting, but uses a specific app, which can be downloaded to a phone or tablet as opposed to being accessed through a browser.
  • Video voting: where members vote on-screen by a show of hands or a voice vote. For non-anonymous voting this can be the least technically complicated and least technically sophisticated option to set up and secure. It does still require robust encryption and authentication systems, however, to avoid impersonation or interruption during voting sessions.

Whatever option your parliament chooses to implement for remote voting - if it uses remote voting at all - it is important to address cybersecurity basics throughout the voting process as well. Such fundamentals include ensuring the devices that MPs use to cast votes are properly secured physically and free from malware, that members’ internet access is properly secured when voting (and when conducting other parliamentary business as well), and that members have stable internet connections and are able to vote when called upon. As outlined in the Parliaments Responding to a Pandemic guide, when adopting remote voting, there is a need for extensive testing of the system before it goes live and a need to provide support and training to MPs to ensure they can use the system effectively. It is important to remember that part of security is availability. There is also a need in particular to ensure that women MPs and staff are able to use online systems safely, including remote voting, and have access to the technology to do so. When women, particularly elected women, go online they face greater levels of intimidation and harassment, and this factor should be considered when developing and using technology like remote voting to ensure that all MPs are able to fulfill their functions effectively. Further, it is critical to ensure adequate remote multi-language access in countries where multiple formal languages are spoken by members and staff.

Remote Voting in the Real World

Various parliaments have implemented remote voting systems and, in doing so, taken considerable steps to ensure the security and integrity of members’ votes. One element in this process, among others mentioned above, is to ensure proper authentication. For example, in the U.K. House of Commons, members use a single sign-on process to log in to their parliamentary accounts before voting, which requires a password to be used on a specific, assigned device. In Spain, MPs are assigned personal codes that must be entered via a smartphone app before a vote can be recorded remotely. In Chile, senators who vote remotely via the chamber’s carefully designed remote voting app must be visible on screen in order to cast a vote.

e-Parliament Vendor and Software Security

Any software that you procure - whether used for remote voting or a broader range of parliamentary needs - should come from a secure and accredited source, be audited for security by independent teams, and receive appropriate certifications. It is important to remember that software developers, those whom you hire to build an application or tool, are not always security experts themselves. Therefore, bringing in security experts to test the application for potential security gaps via an audit is critical to reducing the risk that your platform, tool, or app could be hacked or compromised. Even the best software developers make mistakes without a second (or third) set of expert eyes checking their work!