The upcoming May 2019 European Parliament elections could be the next epicenter for malign election interference. While Europe has confronted the specter of foreign meddling before, these are the first European Parliament elections to be held since it became clear how disruptive Russian interference can be. Moreover, the stakes are now arguably even higher, as these elections will be crucially important to the future of the European Union (EU) over the next several years, and the contests will take place even as political fragmentation across Europe continues to grow.

In light of Russia’s track record of disruptive election interference—especially since 2016—many European countries have sought to shore up election security and counter disinformation. The EU, too, has taken preparatory steps to help defend the European Parliament elections. As Europeans assemble to cast their ballots, the outcome will be an important benchmark for how effectively governments and the private sector are working together to thwart the challenge of election interference.

How Big of a Target Are the European Parliament Elections?

The European Parliament elections occur once every five years. The next contest will be held on May 23 through May 26, 2019. In total, 751 seats are in play (a number that will shrink to 705 after Brexit). Although parties generally compete at the national level, most of them are affiliated with a pan-European party group in the European Parliament. This deliberative assembly is the EU’s only directly elected body, and the Lisbon Treaty, which entered into force in late 2009, conferred on it greater legislative responsibilities, including over budgetary matters and the appointment of the European Commission president.

Erik Brattberg
Erik Brattberg is director of the Europe Program and a fellow at the Carnegie Endowment for International Peace in Washington. He is an expert on European politics and security and transatlantic relations.
More >

Unsurprisingly, given Moscow’s track record of high-profile election interference in the past few years, prominent EU leaders have voiced concerns that Russia, and potentially other actors, will seek to meddle in the European Parliament elections. For example, as European Council President Donald Tusk observed, “there are external anti-European forces which are seeking—openly or secretly—to influence the democratic choices of the Europeans.” Likewise, former NATO secretary general Anders Fogh Rasmussen has warned that Moscow might launch a “major” effort to disrupt the coming European vote. The national intelligence agency of Estonia has echoed such remarks, and private sector cybersecurity experts have issued similar warnings. According to the cybersecurity firm FireEye, two Russian hacker groups, APT28 (also known as Fancy Bear) and Sandstorm, have in concert targeted European government systems ahead of the May 2019 elections. Likewise, Microsoft has reported that hackers linked to the Russian intelligence services have taken aim at European think tanks and other nonprofit organizations.

The pressing question is whether Moscow will go all in on the European Parliament elections. In the past, after all, the degree of Russian interference has varied. The more modest scope of Russian meddling in the September 2017 German federal elections, for instance, suggests that Russian political subterfuge is not always a given even when Moscow has the motives and the capabilities to act. Russia may sometimes hold back for fear of triggering too strong a reaction from a target country either because the costs of interference have risen or because the Kremlin is waiting for a better opportunity to strike. Moreover, each EU member will hold its own contest in the May 2019 elections, and developing the deep expertise necessary to be able to operate effectively in such a diverse set of countries would be a tall order even for Russia. On top of that, Russia’s interference in Europe goes well beyond elections per se, as Moscow continues seeking to stoke divisions and promote anti-European narratives in other ways as well.

That all being said, there are several reasons why Russian interference in the European Parliament elections must be considered a serious risk. First, the elections coincide with growing political fragmentation in Europe. Several anti-EU parties are expected to perform well. Although these groups are unlikely to form a majority, they could derail legislation and disrupt EU decisionmaking or the appointment of a new European Commission. Given the Kremlin’s desire to weaken the EU, lending a helping hand to euroskeptical (and often pro-Russian) parties in the European Parliament would be quite tempting. Besides seeking to impact voting behavior, Russian operatives can be expected to amplify anti-European narratives to undermine trust in the elections and the democratic system more generally. While Russian cyber attacks and disinformation tactics are naturally major concerns, other activities such as instigating violent protests or providing dark money to European political groups should not be underestimated either.

Second, the European Parliament elections are more vulnerable to misinformation in part because they generally attract less voter interest than national elections. In particular, voters’ unfamiliarity with EU politics could make them more susceptible to false or misleading information. In addition, low turnout could provide an outsized boost for far-right parties, making it more likely that even small efforts to interfere could pay significant dividends. In the 2014 European Parliament elections, average turnout was 42.6 percent, and the rate of participation was as low as 13 percent in the case of Slovakia. While European citizens appear to be aware of the threat of election interference (two-thirds of them say they are concerned that elections can be manipulated through cyber attacks), this awareness could paradoxically cast doubt on the election results afterward.

Third, safeguarding the European Parliament elections is challenging because of the sheer number of contests in individual countries, which are governed by different sets of rules in each member state. As European Commission official Julian King observed, “the dispersed nature and comparatively long duration of the European Parliament elections . . . present a tempting target for malicious actors.” For example, while many EU member states still have paper ballots and count votes manually, some countries employ electronic voting or electronic ballot counting machines, which can be susceptible to cyber incursions. Others still have online voter registration rolls or disseminate election results online. While this lack of a singular harmonized European electoral system may create a degree of resilience, it also allows adversaries to take advantage of soft targets—that is to say, EU members that are less well prepared. The risk is that even just one successful campaign in one member state could sow doubts about the elections writ large. Further afield, U.S. officials have expressed concern that Russia may use the European Parliament elections to test new tactics that it could deploy against the United States in 2020.

How Is Europe Preparing to Protect the Elections?

Protecting the coming European Parliament elections from interference is a daunting task, partly because the contests are more multifaceted and complex than the average national election. The elections are the world’s second-largest democratic exercise, involving twenty-eight countries each conducting their own elections subject to different rules and voting methods.1 Since the responsibility for organizing and ensuring the integrity of elections in Europe rests ultimately on EU member states, EU institutions are careful about not interfering with member states’ sovereignty. As a result, ensuring sufficient coherence and coordination between all the member states remains tricky.

National Efforts to Improve Election Security

As the profound implications of Russian election interference became evident in 2016, several European countries quickly sought to upgrade their election security and combat disinformation. This was particularly true of countries that went on to hold major elections in 2017 and 2018. For example, the Netherlands banned the electronic counting of votes ahead of its March 2017 parliamentary elections after reports of software-related vulnerabilities. In the United Kingdom (UK), a new National Security Communications Team was set up after the June 2017 snap elections to combat disinformation by states and other actors. Meanwhile, Germany carried out cybersecurity stress tests against its electoral system prior to the September 2017 elections to ensure the integrity and authenticity of election data. And Sweden, which held general elections a year later in September 2018, quickly prioritized election security and created an agenda for coordinating national efforts to counter disinformation and influence operations, foster dialogue between the government and media organizations, and provide training to raise awareness of these issues among politicians and government officials. Although some EU member states have accordingly devoted considerable resources and thought to suitable countermeasures, others have taken a more laissez-faire approach, and some even reportedly view the problem as overhyped.

EU Efforts to Protect the European Parliament Elections

Given the stakes, Brussels has taken several steps to address cybersecurity and disinformation despite the limitations of its electoral purview. Over the past year, the EU also has strived to help better protect the upcoming contests. Some relevant actions predate the widespread concerns about election interference that surfaced in 2016. The EU’s External Action Service, for instance, established the East StratCom Task Force in March 2015 “to challenge Russia’s ongoing disinformation campaigns.” With limited funding and a small staff, it has mainly focused on discrediting false Russian claims. Thanks to a proposed funding boost (from 1.9 million euros in 2018 to 5 million euros this year), the task force has expanded its team of analysts, which consists mainly of personnel on loan from EU member states. The task force is now comprehensively monitoring Russian media outlets such as RT and Sputnik and is analyzing the impact of disinformation. For the European Parliament elections specifically, the task force has launched a dedicated website with resources about Russian interference tactics and narratives. Yet the task force is unlikely to have a major impact on the European Parliament elections, as its budget is still quite modest, and the unit remains dependent on the willingness of member states to designate staff. Another major limitation is that disinformation stemming from within European member states is outside the scope of StratCom’s mandate.

After the scope of Russian interference became more widely known, the EU’s early efforts to enhance its preparedness for the forthcoming European Parliament elections included assembling a high-level group of experts in January 2018 from academia, social media companies, news organizations, and civil society. This group was tasked with formulating policy recommendations to counter fake news and disinformation in a March 2018 final report, although some experts criticized it for not singling out Russia for its actions. The following month, the European Commission released a document on tackling online disinformation containing several recommendations the group of experts had developed.

As the salience of election security grew, European Commission President Jean-Claude Juncker remarked in a September 2018 speech that “[w]e must protect our free and fair elections”; the European Commission released a document that same day on securing free and fair European elections. In December 2018, the commission and the EU high representative for foreign affairs and security policy adopted a new EU joint action plan against disinformation, building on the commission’s September 2018 document. These documents focused on building up European capabilities and strengthening cooperation between the EU and individual member states on countering disinformation. A key element of the action plan is active engagement with the private sector; among other things, it called for the establishment of a European rapid alert system to better coordinate actions and share information. The plan also proposed offering financial support for independent media and fact-checkers through various EU mechanisms. While the action plan is a welcome signal that the EU is taking the issue more seriously, it is still relatively modest in scope and likely came too late to be fully implemented and fine-tuned before the May 2019 elections take place. Implementation of the action plan also depends on member states’ willingness to support independent media and investigative journalism—an issue with which certain member states already struggle. These shortcomings reflect the limited time left in the current European Commission’s mandate and the lack of complete agreement among member states on the seriousness of the issue at hand.

In February 2019, the European Council adopted its conclusions on securing free and fair European elections, drawing on the commission’s previous proposal and the joint action plan. The following month, an inaugural meeting was convened in Brussels and the aforementioned European rapid alert system was launched. Each member state designated a liaison to coordinate the exchange of information via a dedicated digital platform. The hope is that this platform will encourage member states to share information more readily, although some countries may be more willing to do so than others, especially in the case of sensitive information. There is potential for the rapid alert system to be linked to NATO (via its counter hybrid support teams) as well as the G7 (via its Rapid Response Mechanism). The operators of the rapid alert system are supposed to share their findings with the European election cooperation network (a pan-European forum for exchanging information and best practices that will meet four times during the first half of 2019) while seeking not to reduplicate existing intelligence cooperation efforts. Although the creation of the alert system was a major breakthrough, its late rollout (only three months before the election) will likely hamper its effectiveness.

Finally, to test European cybersecurity preparedness ahead of the elections, EU member states, the European Commission, the European Parliament, and the EU’s cybersecurity agency, the European Union Agency for Network and Information Security, jointly conducted a cybersecurity tabletop exercise in early April 2019. Given the significant cybersecurity vulnerabilities facing election integrity in Europe, the exercise is welcome, although holding it less than two months before the elections left little time to address any potential shortcomings.

These efforts notwithstanding, European leaders recently demanded “further enhanced coordinated efforts to address the internal and external aspects of disinformation and protect the European and national elections across the EU.” There are also ongoing discussions about the possibility of imposing sanctions on would-be election attackers, whether that be individual hackers or hacker groups connected to governments. Another proposed measure would be to impose fines on political parties or other groups found to be violating data protection rules to influence voting.

The Crucial Role of the Private Sector

A core feature of Brussels’s engagement on election security with the private sector (especially social media platforms) is the voluntary EU-wide Code of Practice on Disinformation that was rolled out in September 2018. It contains specific language on ad transparency as well as identifying and closing fake user accounts. Major social media platforms like Facebook and Twitter as well as other technology companies (like Google and Mozilla) have signed up. Several social media companies have sought to enhance preparedness ahead of the European elections, recognizing that the potential business and reputational losses of a repeat of the 2016 U.S. elections would be detrimental to their own interests.

After the elections, the European Commission plans to conduct a review and, if the results are deemed unsatisfactory, EU officials have not ruled out future regulatory action. While the voluntary pledge is intended to deliver quick results, the lack of legally binding commitments on private sector actors means that the actions they take voluntarily may not be sufficient. It is possible that more transparency requirements for companies will be necessary and that some companies might even be supportive of such efforts since it would create a standard against which compliance measures can be taken. Another major limiting factor is that not all relevant companies have signed on.

According to the first implementation reports published in January 2019, the four aforementioned companies have all taken some steps to enhance preparedness, but the report also concluded that more needs be done. The European Commission has encouraged major social media platforms to provide monthly updates on progress ahead of the EU elections. In March 2019, the commission welcomed “meaningful progress” that companies have made, particularly on ad transparency, but it noted that companies’ progress has been uneven in some cases. A month earlier, the European Commission expressed frustration that efforts “have fallen further behind,” complaining that companies had “failed to identify specific benchmarks that would enable the tracking and measurement of progress in the EU.” King, the European commissioner for security, noted in March 2019 that all major companies had made more progress on ad transparency, but he also urged further action.

One notable effort to date is a new tool Facebook has rolled out to enhance ad transparency. A new initiative was launched in March 2019 requiring advertisers to be authorized before buying political ads during the European Parliament elections and increasing the amount of information available to users about who is responsible for political ads. However, Facebook’s decision to impose national registration restrictions have also attracted criticism from EU institutions and European Parliament political parties who believe they could limit pan-European campaigning efforts.

Facebook is taking other steps as well. The company has expanded its fact-checking program to cover sixteen languages. It is also conducting red team exercises on the European Parliament elections, having established an elections operations center in Dublin, Ireland to coordinate with the company’s global election monitoring office in California. Beyond that, Facebook offers outreach and training to those who administer EU political pages, has set up a dedicated website with resources for political groups in seven EU languages, and has established a dedicated channel of communication for questions about the European Parliament elections. In Germany, Facebook has also partnered with a news agency to improve fact-checking. Still, the commission has urged Facebook to increase its data sharing for the monthly impact assessments and step up cooperation with fact-checkers and researchers in Europe.

Facebook is not the only company seeking to manage the risk of disinformation during the elections. In addition to national-level efforts, Twitter has established a high-level internal elections group devoted specifically to the European Parliament elections, and the company is offering outreach and training for EU political parties. The company has also sought to verify political ads ahead of the European Parliament elections, limit the ability of non-EU entities to advertise on the platform, and store financed political ads in a publicly available database called the Ads Transparency Center. The European Commission has acknowledged that Twitter has made progress in terms of deleting fake accounts but still has concerns about the level of data the company is willing to share. The commission has also criticized Twitter for failing to provide benchmarks to measure progress on ad monitoring.

Meanwhile, Google is striving to ensure that the information found on its platform ahead of the EU elections is credible, while the company also seeks to enhance political ad transparency (including an EU-specific ad transparency report with publicly available information), offer security training to the most vulnerable political campaigns facing phishing attacks, and collaborate with fact-checkers. Despite these efforts, a letter from the commission to Google mentions that “there is an urgent need for further action.” Microsoft, meanwhile, under its Defending Democracy Program, is tracking Russian hacking efforts and alerted a group of European think tanks to an attack in February 2019. Microsoft is also offering its AccountGuard threat detection solution free of charge to political campaigns and nongovernmental organizations that are using its software in twelve additional European countries (the UK and Ireland already enjoy free access). Both Facebook and Microsoft are also sponsors of the Transatlantic Commission on Election Integrity led by Anders Fogh Rasmussen and former U.S. secretary of homeland security Michael Chertoff.

One persistent sticking point is that many private sector firms remain reluctant to share a great deal of proprietary data with the commission. While this is important for protecting their business models to some degree, such reluctance may ultimately prove shortsighted as it risks increasing their reputational costs and subjecting the industry to further legislation down the road. Social media companies have demonstrated that they are taking the issue of election interference more seriously than before and have voluntarily taken some significant steps to address misuse of their platforms. The European Parliament elections and other forthcoming national elections will test whether these measures are sufficient or whether further regulation is required.

Too Little Too Late?

As grave as concerns about Russian cyber attacks and other forms of interference are, the greatest danger to European democracy might come from persistent efforts within and without Europe to bolster anti-European narratives and delegitimize electoral democracy. EU leaders have already made notable headway in beefing up security before ballots are cast. Yet the effectiveness of these efforts to secure the European Parliament elections remains hindered by the EU’s limited oversight of election procedures, the delayed rollout of key countermeasures, buy-in from only some technology companies, and a lack of preparation by EU members that remain skeptical of claims of election interference or that are otherwise reticent about confronting Russia too directly.

With so little time left until the May 2019 elections, now is the time to focus on the implementation of existing measures. All member states must be fully committed to the EU’s action plan and the rapid alert system. Given Russia’s tendency to opportunistically exploit weaknesses, a single soft spot in one European country could cast doubt on the legitimacy of the EU elections more broadly. Attempts to increase awareness about election interference among more skeptical European governments—by providing more documentary evidence of foreign influence activities, for instance—should be highly prioritized. That said, the fact that some governments and political parties in the EU are themselves spreading disinformation means that the boundary between internal and external interference is sometimes blurry. Additionally, when it comes to collaboration with the private sector, it will be important to widen the number of signatories to the code of practice. While the EU should scrutinize social media companies’ algorithmic practices and certain forms of voter microtargeting, it is equally important that European officials do not let fear of digital tools unduly drive their policy responses. Rather, the EU should remain open when possible to digital solutions that can help improve European democracy in the future.

Of course, it is not just governments and the private sector that need to act. European political parties and campaigns must also step up their game. Parties often lack basic cyber hygiene—as illustrated by prominent hacks against the U.S. Democratic Party in 2016 and German politicians in January 2019. Troublingly, some European parties—by accepting foreign donations, spreading fake news, and using social media bots—have even been part of the problem. All European parties and politicians should commit to upholding certain standards, such as the pledge for election integrity developed by the Transatlantic Commission on Election Integrity.

This important work will not end when the European Parliament ballots are cast. After the results are tallied, the commission should carry out a thorough and comprehensive review of how well the preparations went and propose additional measures to address any observed shortcomings. Following the European Parliament elections, there will be several more national and local elections across Europe and the United States over the coming year. And, given that the outcome of the May 2019 elections will gauge the efficacy of government and private sector responses, this review will also be of importance for U.S. officials, as they plan for the country’s 2020 election.

In the months and years ahead, EU leaders must continue to recalibrate their diplomatic response, including by considering the potential use of sanctions against potential attackers. Other proposals—like French President Emmanuel Macron’s idea of establishing some sort of European agency for protecting democracy with a pool of European experts tasked with warding off cyber attacks and other forms of manipulation—may also warrant further exploration (though it is not entirely clear what precise role such an agency would play in practice).

Ultimately, however, simply focusing on outside interference obfuscates the fact that the greatest threat to European democracy is likely internal. The rise of nationalism and euroskepticism across the continent gives malign actors ample opportunities to exploit and amplify existing discord. The most important response to election interference in Europe is, therefore, not a technical one but efforts to oppose anti-European narratives by offering alternative, positive narratives about the EU and why it remains integral for peace and prosperity in Europe. This work also entails doing more to push back against the unfortunate backsliding of democracy, the rule of law, and freedom of the press in certain EU member states. Brussels and other European capitals would do well to apply this lesson both in the lead-up to the elections and in the months and years that follow.

Notes

1 Given the extension of Article 50 that EU leaders granted to the UK on April 10, 2019, the UK will participate in this year’s European Parliament elections.

Correction: This article originally misstated the years that some events occurred. These dates have been corrected accordingly.