For some years now, the threat of foreign state actors and their role in global elections has been in the headlines, with the threats ranging from exploiting digital vulnerabilities that manipulate electronic voting systems or influence public discourse, steal sensitive data, and undermine democratic institutions.
Australia is at the cusp of another federal election and the threat of cyber interference from state actors has not waned, but the issue does not seem to be getting the level of media attention it deserves. One of the key and worrying trends within this context is that the external actors are no longer purely targeting large governmental organisations, but smaller agencies and businesses within the government services ecosystem are also dealing with much more frequent and sophisticated cyber threats.
The Evolving Cyber Threat Landscape
State-sponsored cyber threats are not a new phenomenon, but the trend is more and more towards increased sophistication, moving beyond hacking attempts to steal data to now aiming to compromise integrity of public messaging channels and to orchestrating disinformation campaigns. These attacks are no longer just about espionage or disruption; they’ve grown into complex strategic operations that can work to shift public opinion and destabilise trust in democratic processes.
Ultimately, the objective is to sow enough doubt about the integrity of the process which then feeds itself in increasingly polarised and ‘echo-chambered’ communities.
Such campaigns dominated headlines during and after the 2016 U.S. elections, where credible reports exist of foreign actors conducting coordinated misinformation campaigns, leveraging social media platforms to spread false narratives. Similarly, in recent European elections, cyberattacks targeted political parties, government agencies, and electoral commissions. Australia, is a strategic middle power in the Asia-Pacific region, and with some contentious interactions with key players over the past decade, is already a target for such cyber operations.
Vulnerabilities in Government and Corporate Cybersecurity
Australia’s cybersecurity ecosystem, thanks to a number of active government and industry initiatives, has certainly strengthened in recent years. These initiatives include significant investments made by the Australian government through the Australian Cyber Security Centre such as the Critical Infrastructure Uplift Program, Department of Home Affairs’ Hosting Certifications Framework and Security of Critical Infrastructure Regime and Telstra’s Cleaner Pipes program. However, significant vulnerabilities still remain and are regularly exploited by adversaries. These chinks in the armour, when exposed in the government agencies have a particular effect on erosion of public’s trust.
Australia’s electoral cybersecurity risks are unique. Australian Electoral Commission (AEC) has stood up the Electoral Integrity Assurance Taskforce, which brings together various agencies in the Commonwealth to support AEC to counter disinformation campaigns, foreign interference and cyber intrusions.
One of the areas which provides a somewhat ‘natural barrier’ to cyber threats to our electoral process is that AEC maintains a manual process of voting. Ballot papers are counted manually by AEC representatives and overseen by scrutineers representing each party. This makes a cyber attack against the process of voting with a view to tampering with the results difficult as there are paper based records which can be fallen back on. However, there are still a lot of avenues during pre-election (voter enrolment), vote counting and tallying and election results release process where technology based risks exist.
Some of the key risks emanate from electoral support systems still relying on legacy IT systems, which are more susceptible to cyberattacks. Voter databases, and government ICT which supports electoral processes must be secured against potential breaches. Government agencies and electoral bodies must invest in modern, secure IT infrastructure with regular penetration testing, multi-factor authentication, and zero-trust security models to reduce vulnerabilities.
Businesses and organisations must also prioritise cybersecurity awareness by training employees on phishing scams, enforcing strong password policies, and implementing end-to-end encryption. Meanwhile, media organisations, social platforms, and regulators must work together to combat disinformation through fact-checking, transparency in political advertising, and content moderation. The international trend is interesting to say the least – we’ve seen global leaders such as Meta drop fact checking from their platforms, only to bring it back in the form of crowd sourced ‘community notes’. This is a complex area – how do you balance the valid need for ‘free speech’ whilst enabling a level of validating accuracy of information?
A Call for Vigilance and Cooperation
Australia’s democratic integrity relies on a secure and resilient digital ecosystem. As we move closer to election day, governments, businesses, and individuals must recognise the stakes involved and take preemptive action to guard against state-sponsored cyber threats. Professionals in the field also need to recognise and study the evolving nature of these threats, to assist their organisations (industry) or clients (consultants) adequately.
Proactivity truly is the key here, with the ‘genie’ incredibly difficult to put back in the bottle. Strengthening defences through a collaborative effort will go a long way to safeguard Australia’s democratic institutions and business security, ensuring that public confidence in the electoral process remains high. As Edmund Burke, an 18th Century statesmen and philosopher said, “Nobody made a greater mistake than he who did nothing because he could do only a little”, the small matter of maintaining integrity in our democratic processes is not just something for those in Canberra’s bureaucracy or security community to sweat, this is a cause the whole nation must get behind.
Harry Cheema is a Partner and Chief Operating Officer at Anchoram Consulting, a partnership of trusted experts with strong capabilities across Security, Technology, Risk Assurance, Data Management, Financial Management, Strategy & Governance, Training, and Project Management.
Got something on your mind? Go on then, engage. Submit your opinion piece, letter to the editor, or Quick Word now.