Election Security Insights: Shamla Naidoo on Safeguarding Democracy in the Digital Age

In a world where the digital landscape intersects with the very fabric of democracy, the integrity of electoral processes has never been more vulnerable to cyber threats. As nations navigate the complexities of modern governance, the specter of data breaches, disinformation campaigns, and AI-generated deepfakes looms large, posing formidable challenges to the sanctity of elections.

Amidst this backdrop of escalating cyber threats, Dataquest brings forth a groundbreaking exposé, featuring exclusive insights on election security from Ms. Shamla Naidoo, a distinguished expert in cloud strategy and innovation. With her extensive experience in navigating the cybersecurity landscape, Ms. Naidoo offers a profound understanding of the critical strategies required to fortify democratic integrity in the digital era.

As electoral processes increasingly migrate to digital platforms, the need for robust security measures has never been more urgent. Against this backdrop, in an interview, Ms. Naidoo's revelations shed light on the multifaceted dangers posed by cyber threats and the imperative of adopting proactive strategies to safeguard electoral processes. Join us as we delve into the depths of election security, exploring the challenges, strategies, and solutions that define democracy's digital frontier.

"Deepfakes are dangerous because they are increasing the credibility and impact of fake news, and may have a greater deception or disinformation power on citizens. Ultimately, this could result in part of the population casting their votes based on incorrect information, and that is precisely where deepfakes can threaten the integrity of the elections." - Shamla Naidoo

Ms. Shamla Naidoo is currently Head of Cloud Strategy & Innovation at Netskope, and serves as a non-executive director for multiple domestic and international companies, and an adjunct professor of law at the University of Illinois, Chicago. She has successfully led digital strategy in technology leadership roles, including as CISO and Head of Information Technology Risk at IBM. Applying her experience in the healthcare, finance, hospitality, energy, and manufacturing sectors, Ms. Shamla Naidoo advises governments and industry on how to embrace innovation while managing risk.

Could you elaborate on why safeguarding user data is so crucial to upholding the integrity and credibility of the democratic process, particularly in the context of upcoming elections?

Protecting citizens’ data is always important for any organisation, but should a citizens’ data leak occur in the middle of the Lok Sabha elections, it is unlikely to compromise the integrity of the democratic process. 

When we consider the cyber risks around elections it is not election fraud that is the biggest concern as there are lots of processes to mitigate those risks. For example, to vote in the Indian elections you need a physical ID documentation, so even if the necessary data was leaked and available to bad actors, any significant attempt at election fraud would require the ability to create fake ID documentation on a large scale and get through the physical checks at the voting places. 

The biggest cyber concern around elections this year is the potential for groups - both national and international - to influence the electorate with disinformation. This doesn’t require any access to personal data and has shown to be highly effective around the world at impacting public opinion.

What are some of the most concerning risks and vulnerabilities associated with collecting, storing, and transmitting voter information in today's digital landscape, and how can election authorities effectively mitigate these risks?

In this digital landscape, an increasing number of organisations are collecting citizens’ data. Whether they are private organisations, or election authorities, we need to see consistent standards for securing both static data, and data in movement, as data leaks could lead to identity theft or scams among the population. 

Identity theft can be a highly disruptive experience for those affected, but the reality is that Electoral bodies the world over have stringent processes in place that protect them from large scale electoral identity fraud so the public should be reassured that the world’s largest democracy is pretty robust in terms of cyber risk.

Can you share some best practices and measures that election authorities and stakeholders can implement to enhance data security throughout the electoral process, especially regarding encryption, access control, network security, and regular audits?

For data protection to be comprehensive, it shouldn’t be an isolated piece in a cybersecurity architecture, but rather embedded in a broader network security approach. In 2019, analyst firm Gartner defined a new model called Secure Access Service Edge (SASE), which is a network security model with multiple cybersecurity components at its core working in unison to protect data, such as Data Loss Prevention or Zero Trust Network Access for access control. The idea is to cover a maximum of security blindspots that the shift to more modern networks may create, such as rapidly growing cloud environments, insider threats, or vulnerable devices and wifi networks, which are becoming massive sources of incidental or intentional data leaks for organisations. 

This same comprehensive approach informs the way election authorities approach security - with identity authentication just one element of the process, but also securing voter registration data appropriately and controlling systems so that an entire national infrastructure cannot be jeopardised from a single point of weakness. 

Given your background in cybersecurity, how do you see the role of technology and cybersecurity experts evolving in mitigating threats and ensuring the confidentiality and integrity of election-related data, particularly in the face of advancing technologies such as AI-powered deepfake tools?

AI-generated deepfakes are AI weapons used for disinformation, or manipulating and deceiving given targets. We do not yet have the technical tools to nip deepfakes in the bud and avoid their spread in real-time, even with the recent progress in AI, but what we - the technology savvy experts - can do is warn and educate the Indian population about their existence, how to identify them, and generally encourage them to be suspicious of online content that doesn’t come from legitimate sources. 

"Protecting citizens’ data is always important for any organization, but should a citizens’ data leak occur in the middle of the Lok Sabha elections, it is unlikely to compromise the integrity of the democratic process." - Shamla Naidoo

Securing election-related data is really going to become a more complex issue in the future if India and other global democracies start to look seriously into online voting. Developing an online voting system isn’t your regular cybersecurity implementation as it requires the highest privacy standards to protect voters’ anonymity, transparency to allow the whole system to be easily audited, foolproof authentication tools, and the broader infrastructure to run this at the scale of a population of 1.5 billion people, while keeping hackers at bay. 

India hasn’t reached a consensus on how online voting would look like, but it is under discussion and will require a high level of local cybersecurity expertise and best-of-breed technologies to ensure this is done safely at such a scale. And even then, with enough time and money, threat actors will access internet connected systems, and all involved stakeholders have to be ready to face all potential scenarios. 

You mentioned the growing threat of misinformation and disinformation surrounding elections. How can education and awareness-raising efforts help mitigate these risks, and what steps can individuals take to become more discerning consumers of information?

Various initiatives and education programmes around the globe have been designed to help people understand and deal with disinformation, in and outside of school. Awareness campaigns from the government, social media and media organisations, which are all heavily concerned by the issue, can also help progress this cause. 

In India we are already seeing best practices from organisations involved in the electoral process proactively flagging fake content on social media. Such ongoing warnings can help citizens gradually understand the threat of disinformation, but it is not enough. A large part of the Indian population has become Internet users only in recent years, and may not be as well equipped to detect and hinder the spread of disinformation. We should be considering broader education programmes to speed up general awareness of the existence and dangers of misinformation and disinformation. 

At an individual level, we must all take responsibility for scrutinising the sources of our news, and determining if they are legitimate and credible. People should be cautious about anything they see on social media because even social media accounts that appear to be legitimate could be fake. They should also learn to exercise caution with hearsay and to question each other. No matter how legitimate, smart or reliable we consider someone in our family or circle of friends, if they say something they can’t back up with reliable sources and factual information, we can’t take what they say for granted. Those are the kind of reflexes that will help develop more critical thinking and media savviness among the population. 

Could you delve deeper into the implications of deepfake AI tools on the electoral process and democracy as a whole? How can societies and policymakers effectively combat the spread of deepfake content?

Deepfakes are dangerous because they are increasing the credibility and impact of fake news, and may have a greater deception or disinformation power on citizens. Ultimately, this could result in part of the population casting their votes based on incorrect information, and that is precisely where deepfakes can threaten the integrity of the elections. The general availability and sophistication of AI technologies that allow the creation of deepfakes is also making this threat more present, with threat actors now able to create deepfakes targeting smaller communities or sections of the population, when in the past most deepfakes were designed for mass targeting and spread. 

Beyond education and awareness initiatives, there needs to be regulations defining accountability and consequences for the people behind this type of AI-generated deepfakes, as current Indian laws do not cover these scenarios clearly and comprehensively. Those regulations should also aim to define accountability for parties that fail to warn about or protect citizens from these campaigns when they have a power and responsibility to do so, which at the very least should include social media platforms and concerned political parties or government agencies. 

As someone who has advised governments and industries on embracing innovation while managing risk, how do you propose striking a balance between leveraging technological advancements in electoral processes and ensuring robust security measures are in place?

One of the main pitfalls with major innovation or transformation projects is the prioritisation of speed of delivery over risk management. Some political leaders may push to accelerate certain innovations because they’re linked to political objectives or electoral promises, which for me is a huge red flag. 

Technology projects should be politically unmotivated, because delivering innovation without security is not an option anymore, and it is essential that we take the time we should to ensure we meet the right standards both in performance and safety. 

If we consider electoral processes, some major innovations may be an online voting platform, or a national digital ID, which are massively complex projects, especially for such a large population. Governments and political leaders have to accept that there will be some red tape along the way, and allow the luxury of time. Existing processes have worked so far, so there is no need for urgency. 

This mindset should be reflected in the selection of technology vendors and consulting services involved in such projects. Some may pitch with an aggressive–but unrealistic– timeline to seal the deal, and cut corners to deliver on time. I urge project leads to prioritise vendors aiming for more reasonable and realistic timelines and objectives.