When Chancellor Angela Merkel’s Christian Democratic Union (CDU) meets online to elect a new party leadership in January, the hackers carried out a series of massive attacks aimed at turning the summit into chaos. The attacks accelerate each time the delegate will vote.
According to a CDU spokesman, the attackers, mostly operating from abroad, bombarded the party’s website with internet traffic to flood its servers. At some point, they were successful. The site collapsed and the live stream of the event was stopped.
In the end, the CDU managed to push the intruders out: Party technical staff regained the website by blocking access from outside Germany and certain locations inside the country. Meanwhile, unfazed by the attack, the delegation elects a new party leader via a voting system hosted on a separate server – protection in place to fend off cyber intruders.
But the failed attack illustrates the threat of online interference looming over Germany’s upcoming election campaign.
As Europe’s largest economy heads into a series of regional votes that will culminate in federal elections in September, security experts and lawmakers have warned in interviews that digital risks are on the rise.
“The threat level remains high,” said a spokesman for the Federal Office for Information Security (BSI), Germany’s cybersecurity authority.
BSI has observed a consistent increase in hacking attacks and online data breaches, he said. Both measures “could be used by potential attackers to influence elections coming up this year.”
US tech giant Microsoft, which advises German political parties on how to protect their election campaigns from cyberattacks, warns that malicious actors are diversifying their strategy: They are increasingly using more than one cyber weapon in their attacks, making it increasingly difficult to fight them.
“It is such a hybrid attack that is of particular concern to us and others in the technology industry,” said Jan Neutze, who heads the company’s Democracy Defense Program.
Threats are threefold
To better understand the cyber threat that depends on German elections, it is worth breaking them down into three categories.
First, there is hacking: gaining unauthorized access to data in systems or computers. Since coronavirus restrictions are likely to move campaigns from the streets onto the internet, hackers can infiltrate party networks and disrupt campaign events with tactics similar to those used during CDU summits.
Infiltrators might even try to sabotage the actual voting on election night, September 26, by hacking into software used to count votes or into programs used by officials to report preliminary results.
Germany’s BSI said it was working with authorities and candidates to help them protect themselves from such attacks.
But such security measures will not help counter what is seen as the second major cyber threat: misleading or misinformation disseminated to manipulate voters’ thinking or behavior.
Threat of disinformation
Tankred Schipanski, lawmaker and digital policy spokesman for Merkel’s conservative bloc, described the disinformation campaign as “our biggest challenge.” The representative added that such campaigns “are often organized and financed abroad but are spread with the help of domestic actors such as Alternative for Germany,” Germany’s right-wing party known by its acronym, AfD.
Social scientists discovered that false information criminalizing refugees spread before the last federal election in 2017 pushed voters to the AfD.
This year, AfD officials have tried to cast doubt on the impending vote by spreading unlawful accusations that incoming ballots could be easily manipulated – a move that takes inspiration from Donald Trump’s campaign to discredit postal voting.
Germany’s right-wing party, whose voters have traditionally preferred to vote in person, has criticized efforts to facilitate postal voting during the coronavirus pandemic. Such amendments, they argued, would be introduced specifically to the detriment of AfD.
Similar disinformation campaigns have sprung up around the world. They are so numerous and sophisticated that experts coined the term “infodemic”.
In December, US tech giant Facebook closed 17 large-scale coordinated efforts on its platform, a record. One user targeted in Germany, although not related to the election.
In late February, a Facebook spokesperson said the company, which has more than 43 million users in Germany, “has not seen any evidence of … operations targeting German elections” but added that the company was “remaining vigilant” – at least because of that.revival of new deepfake technology which allows users to create realistic fake videos that feature people doing or saying things they never did.
Then there’s a third type of cyber threat looming over elections: complex operations known as “hybrid attacks.” These combine hacking with distorted information placement, and they often start with intruders breaking into the accounts of political decision makers or their confidants posing as trusted contacts.
Such phishing attempts are becoming more frequent and professional. The majority of what Microsoft detects can be traced back to Russia and China, but also North Korea and Iran. “It is legitimate to say that actors from these countries have the capability and, at least in part, the geopolitical interest to be active around the German federal elections as well,” Neutze said.
After the hack, the obtained destructive material was stored online, where it took his own life.
Users who do not know the origin of the material share it on social media or messenger services. Once it reaches a number of people, it tends to be picked up by political players with a larger following. They were, in turn, quoted by professional journalists, who brought the issue to public debate.
What makes fighting such a hybrid campaign so difficult is that leaking material is often innocent, but distorted or deliberately taken out of context to cause harm.
Therefore, experts talk about “misinformation” rather than “disinformation”. They say increasing digital media literacy among social media users is key to helping them recognize information designed to be deceptive.
Germany, however, has missed several opportunities to build such resilience among a population of 83 million over the past ten years, said Manuel Höferlin, lawmaker for the opposition Free Democrats and spokesman for the party’s digital policy.
“It was a big failure,” he added.
There are no rules for online campaigns
Complicating the situation even more is that even though social media companies have rules for their platforms, political online advertising remains unregulated in Germany.
In the offline world, the country has strict rules and restrictions for election campaigns, such as limiting the time a campaign billboard can remain active or limiting the time slots for campaign ads on TV – but no such restrictions apply to online campaigns.
The European Union has drawn up proposals to organize a digital campaign, but it will take years to implement, and Berlin is running out of time to create its own national rulebook.
Behind closed doors, talks are being held over whether the state party can agree to a voluntary code of conduct for an upcoming online campaign. This could include deals that would require them to tag online campaign ads, or prohibit buying followers or likes.
Decisions could be made in the coming weeks, according to an official involved in the negotiations who spoke on condition of anonymity.
“And if some parties refuse to participate, that in itself will tell,” the official said.