Cyberrisks to the German federal election
Myra Experts Insights
SECURITY INSIGHTS | December 04, 2024
In the context of the 2025 federal election, political parties, election authorities and other stakeholders are at risk of targeted attacks. Christof Klaus, Director of Global Network Defense at Myra Security, explains the potential cyberthreats and best practices for effective threat prevention.
German Chancellor Olaf Scholz is expected to put the vote of confidence to the German Bundestag on December 16, 2024. The parliamentary leaders of the SPD and the CDU have already agreed on February 23, 2025 as a possible election date for the 21st legislative period, provided, of course, that Federal President Frank-Walter Steinmeier dissolves the German parliament after the incumbent chancellor's lack of a majority. All parties have already launched their election campaigns. The leading candidates of the individual democratic parties have delivered their first campaign speeches, and preparations in the 299 constituencies are well underway. In this context, the German Federal Office for Information Security (BSI) points out the short preparation time for securing critical (election) systems.
In this interview, Christof Klaus, Director of Global Network Defense at Myra Security, explains the cyberthreats associated with the German federal election. How should those responsible prepare for the new elections and what should individual voters bear in mind?
Christof Klaus: Firstly, there is significant time pressure due to the early election. If something has to happen quickly, this is a circumstance that can potentially lead to mistakes. Secondly, both the geopolitical and domestic political situations continue to be turbulent. These two factors are reflected in the cyberthreat situation. Politically motivated and sometimes state-sponsored cyber actors are trying to exploit this situation to advance their own goals – for example, by causing damage through attacks or creating uncertainty through disinformation. The latter is technically very easy to produce and disseminate on a large scale these days. A healthy dose of skepticism and a conscious approach to dealing with information from the internet are becoming all the more important for voters in the run-up to the election. In this overall context, early federal elections can provide a greater target.
From a technical point of view, there is generally a potential attack surface where systems relevant for the election can be accessed via the network layers (layers 3/4 and 7) over the internet. According to my information, the voting process itself in Germany is primarily an analog process, especially with regard to the first votes. The recent attacks on Austrian municipalities, authorities and infrastructure in the context of the national council election in September have clearly shown that all digital processes of authorities and parties – before and during the election – are potential targets.
The attackers' goal here was to systematically disrupt government and institutional websites in order to unsettle the population. Similar attack patterns were observed during the elections in Belgium in October. Therefore, comparable cyberattacks can be expected in Germany as well.
Politically motivated cyber actors often resort to DDoS attacks to disrupt websites and online portals. Due to the ongoing trend of cybercrime-as-a-service, such attacks are associated with little effort and low costs for the attackers. This circumstance enables both a high frequency and an increased scope of attacks. On the victim side, however, defense is almost impossible without professional help. In the event of a large-scale DDoS campaign, we will therefore see a similar picture to that seen in the past: protected environments will withstand the attacks, while unprotected ones will collapse – with all the consequences that this entails. These include financial and reputational damage, additional operational costs and, of course, a loss of trust in the state and government – and thus also in our democracy.
From a cyber resilience perspective, the same thing needs to be done constantly: objectively question whether the protection of your systems and processes is appropriate for the threat situation. Even an attack on a single system that is part of a larger infrastructure can often overload the infrastructure as a whole. If the website of a public authority or municipality is attacked, other services that have nothing to do with the election could also be affected. Such chain reactions and cross-effects must be considered holistically when planning cybersecurity measures.
The attackers are constantly arming themselves. In our Security Operations Center (SOC), we see an increasing volume of attacks and numbers of packets year-on-year. Accordingly, the defenders must also follow suit to ensure the protection of their systems. Preventive protection is always preferable. Although protective measures can still be implemented during an attack, especially in the area of web applications, damage has already been done by then.