Category: Canada

CSE releases report Cyber Threats to Canada’s Democratic Process

On June 16, 2017 at 10:30am, the Canadian Communications Security Establishment (CSE) released its report

Cyber Threats to Canada’s Democratic Process

Analysis to follow.

Previously:
June 15, 2017  cyber threats to Canada’s democratic process – news conference
February 1, 2017  defend Canadian electoral process from cyber threats – Minister of Democratic Institutions Mandate

June 16, 2017 – cyber threats to Canada’s democratic process – news conference

Media Advisory from the Government of Canada – Democratic Institutions

News Conference by Minister Gould on cyber threat assessment

Jump to additional background information I have provided.

Media representatives are advised that the Minister of Democratic Institutions, the Honourable Karina Gould, and the Chief of the Communications Security Establishment, Ms. Greta Bossenmaier, will be holding a news conference to discuss an assessment of cyber threats to Canada’s democratic process.

Senior officials from the Communications Security Establishment will provide an embargoed technical briefing immediately before the press conference. The technical briefing will not be for attribution.

Technical Briefing
Date: 
June 16, 2017
Time: 9:30 AM
Location: 
National Press Theatre
150 Wellington Street
Ottawa, Ontario

Journalists who wish to participate via teleconference should contact the Minister of Democratic Institutions’ Press Secretary at the number below.

All information will be embargoed until 10:30 AM on June 16, 2017.The technical briefing will not be for attribution. No cameras will be permitted.

Press Conference
Date: 
June 16, 2017
Time: 10:30 AM
Location: 
National Press Theatre
150 Wellington Street
Ottawa, Ontario

For more information (media only), please contact:
Byrne Furlong
Press Secretary
Office of the Minister of Democratic Institutions
613-943-1833

END MEDIA ADVISORY

Here is some additional information and context from me.

Election Cybersecurity

USA

In ICA 2017-01D Assessing Russian Activities and Intentions in Recent US Elections (PDF), the US intelligence community describes an influence campaign “strategy that blends covert intelligence operations — such as cyber activity — with overt efforts”.

The description is introduced with the term of art “We assess”, indicating an analytical assessment.  The US intelligence community asserts “high confidence” in the judgments related to the influence campaign.  High confidence is a term of art about confidence in sources that is defined in Annex B on Estimative Language: “High confidence generally indicates that judgments are based on high-quality information from multiple sources.”

For the technical background on the assessment, see Joint Analysis Report (JAR) JAR-16-20296A GRIZZLY STEPPE – Russian Malicious Cyber Activity (PDF)

The Netherlands, France, Germany, the UK and Australia

I am not an expert in nation-state cyber threats, so I cannot independently assess this material.

Hacking of Canadian Government is Real

Hacking of governments is a real threat.  The Canadian federal government has been successfully hacked multiple times.

above links from my blog post Canadian government departments have been hacked before

Online Voting

Canada has no online voting at the federal or provincial level, and in fact online voting has been rejected by multiple Canadian studies.

There is however online voting at the municipal level in Nova Scotia and Ontario.  With 97 municipalities using online voting in the 2014 election and potentially over 200 municipalities using online voting in the 2018 election, this is one of the largest uses of online voting in the world.  This includes some municipalities where online voting is the only option (all paper ballots have been eliminated).  There are no (none, zero) standards for provincial online voting security.  There is no guidance for decisionmaking and risk-assessment related to online voting.  Without exception, the online voting is contracted out to third-party, for-profit vendors.  The computer code and systems designs used by the vendors is confidential, and there have been no public security tests and no public examinations of the computer code used.

Online voting provably does not substantially increase turnout.  The most comprehensive study, conducted on the Ontario use of online voting, shows a maximum effect of 3% increase.

For more information see Wikipedia – Electronic Voting in Canada.  (Disclaimer: I am a substantial contributor to that Wikipedia page.)

Estonia

If you want to cite the example of Estonia (the only country in the world with national online voting), you might want to mention:

Computer Security Experts

If you want to interview computer security experts about online voting, here is a list of over a dozen with contact information, including Canadians.

Twitter

  • I tweet regularly about election security and online voting: @papervote

Detailed briefing

If you have made it all the way down here, you may also be interested in my 16-page briefing about online voting, written for the New Brunswick consultation on the topic.

Government of Canada statement on online voting and cybersecurity

May 30, 2017

Electoral Reform
Committees of the House
Routine Proceedings

Discussion introduced by Nathan Cullen (Skeena—Bulkley Valley, BC).

Madam Speaker, I move that the third report of the Special Committee on Electoral Reform presented on Thursday, December 1, 2016, be concurred in.

Above from Open Parliament https://openparliament.ca/debates/2017/5/30/nathan-cullen-1/

Later in the discussion, response (excerpt) by Andy Fillmore, Parliamentary Secretary to the Minister of Democratic Institutions

Another committee recommendation, number 4, advises against allowing online voting at this time. Again, we agree, and while Canadians who participated in mydemocracy.ca agreed that online voting would improve voter turnout, their support was contingent on the need for solid assurance that such a system would not be vulnerable to manipulation by hackers. Similar concerns were heard from the experts before the special committee.

I want to touch briefly on the Minister of Democratic Institutions‘ mandate to protect our electoral system from cyber-attacks. Working with her colleagues, the Minister of Public Safety and Emergency Preparedness and the Minister of National Defence, the minister has asked the Communications Security Establishment to analyze proactively the risks to our electoral system and to release a public report. Further, we will ask the CSE officer for advice for political parties on cybersecurity best practices.

Above from Open Parliament https://openparliament.ca/debates/2017/5/30/andy-fillmore-2/

I do need to mention that, despite the survey-question-driven assertion that “online voting would improve voter turnout”, the evidence is that online voting does not increase turnout.

Previously:
December 1, 2016  ERRE Electoral Reform Committee Recommends Against Online Voting
October 2, 2016  ERRE Presentation – Internet Voting: Making Elections Hackable – Dr. Barbara Simons

comment on The Agenda – Is Online Voting the Future?

TVO – The Agenda – Is Online Voting the Future? – May 17, 2017

COMMENT

In future I hope that TVO will invite computer scientists who specialise in elections security when the topic is online voting.

There were a number of things we didn’t hear in the segment, such as the fact that Toronto, Kitchener and Waterloo have always rejected Internet voting, and that Guelph and Orillia just rejected online voting for the 2018 elections.

We also didn’t hear about the many Canadian expert consultations and reports about online voting, consultations where unlike municipal online voting decisions, there was more time to draw on a variety of election expertise.

In every such case, without exception, the recommendation is against online voting. This includes Nova Scotia, New Brunswick, Ontario, and British Columbia, as well as the federal government.

END COMMENT

Also see my longer email with links – email to TVO about online voting.

email to TVO about online voting

Here is an edited version of an email sent to TVO about their May 17, 2017 The Agenda segment on online voting.

EMAIL

I was pleased to see Steve Paikin ask a variety of questions about online voting, Internet security and electoral fraud in the May 17, 2017 The Agenda segment on the topic.

http://tvo.org/video/programs/the-agenda-with-steve-paikin/is-online-voting-the-future

There were many things we didn’t hear in the segment, such as the fact that Toronto, Kitchener and Waterloo have always rejected Internet voting, or that municipalities have to make the decision about online voting without any comprehensive background briefing about the computer security risks, or that Guelph and Orillia just rejected online voting for the 2018 elections.

We also didn’t hear about the many Canadian expert consultations and reports about online voting, consultations where unlike municipal online voting decisions, there was more time to draw on a variety of election expertise.  In every such case, without exception, the recommendation is against online voting.

This includes Nova Scotia, New Brunswick, Ontario, and British Columbia, as well as the federal government.
[added for the web: recommendations on Internet voting from government consultations]

In addition, Quebec has a total moratorium on all forms of electronic voting, including online voting.

As well there is the recent expert study of the PEI referendum, which also recommended against online voting.

Just to give you a flavour of these kinds of expert assessments, here’s what Toronto had to say in its analysis http://www.toronto.ca/legdocs/mmis/2016/ex/bgrd/backgroundfile-98545.pdf

The overwhelming consensus among computer security experts is that Internet voting is fundamentally insecure and cannot be safely implemented because of security vulnerabilities inherent in the architecture and organization of both the Internet and commonly used software/hardware:

  • Internet voting is extremely vulnerable to a wide range of cyber-attacks, and many of these are impossible to detect.
  • Internet voting poses extraordinary and unnecessary risks to election integrity, and even a small issue—were it even detectable—could completely undermine public trust.
  • Every jurisdiction whose Internet voting system has been thoroughly examined by security experts—including the long-running system in Estonia—has revealed major vulnerabilities that could allow the system to be hacked, to reverse election outcomes, or to selectively disenfranchise voters, all while going completely undetected.
  • Many jurisdictions that ran Internet voting pilots—including Washington, DC, France, and Norway—cancelled the projects due to security issues.

Should you have a future segment about online voting, I urge you to include computer science expertise.  Here is a list of contact information for experts specifically in the risks of online voting, including Canadian experts such as Dr. Simons and Dr. Essex:

[embedded list replaced with web link: Internet voting and computer security expertise]

END EMAIL

comment on News 1130 Online voting the future for smoother BC elections?

I don’t have the exact comment, but it was something like

COMMENT

BC already extensively studied and comprehensively rejected online voting.  You can see the results in the February 2014 Recommendations Report to the Legislative Assembly of British Columbia from the Independent Panel on Internet Voting.

http://www.internetvotingpanel.ca/

And Internet security has only gotten worse since 2014.

ENDCOMMENT

You can also listen to my interview about online voting with Ottawa’s 1310 News Radio.