Category: Security

CSE releases report Cyber Threats to Canada’s Democratic Process

On June 16, 2017 at 10:30am, the Canadian Communications Security Establishment (CSE) released its report

Cyber Threats to Canada’s Democratic Process

Analysis to follow.

Previously:
June 15, 2017  cyber threats to Canada’s democratic process – news conference
February 1, 2017  defend Canadian electoral process from cyber threats – Minister of Democratic Institutions Mandate

June 16, 2017 – cyber threats to Canada’s democratic process – news conference

Media Advisory from the Government of Canada – Democratic Institutions

News Conference by Minister Gould on cyber threat assessment

Jump to additional background information I have provided.

Media representatives are advised that the Minister of Democratic Institutions, the Honourable Karina Gould, and the Chief of the Communications Security Establishment, Ms. Greta Bossenmaier, will be holding a news conference to discuss an assessment of cyber threats to Canada’s democratic process.

Senior officials from the Communications Security Establishment will provide an embargoed technical briefing immediately before the press conference. The technical briefing will not be for attribution.

Technical Briefing
Date: 
June 16, 2017
Time: 9:30 AM
Location: 
National Press Theatre
150 Wellington Street
Ottawa, Ontario

Journalists who wish to participate via teleconference should contact the Minister of Democratic Institutions’ Press Secretary at the number below.

All information will be embargoed until 10:30 AM on June 16, 2017.The technical briefing will not be for attribution. No cameras will be permitted.

Press Conference
Date: 
June 16, 2017
Time: 10:30 AM
Location: 
National Press Theatre
150 Wellington Street
Ottawa, Ontario

For more information (media only), please contact:
Byrne Furlong
Press Secretary
Office of the Minister of Democratic Institutions
613-943-1833

END MEDIA ADVISORY

Here is some additional information and context from me.

Election Cybersecurity

USA

In ICA 2017-01D Assessing Russian Activities and Intentions in Recent US Elections (PDF), the US intelligence community describes an influence campaign “strategy that blends covert intelligence operations — such as cyber activity — with overt efforts”.

The description is introduced with the term of art “We assess”, indicating an analytical assessment.  The US intelligence community asserts “high confidence” in the judgments related to the influence campaign.  High confidence is a term of art about confidence in sources that is defined in Annex B on Estimative Language: “High confidence generally indicates that judgments are based on high-quality information from multiple sources.”

For the technical background on the assessment, see Joint Analysis Report (JAR) JAR-16-20296A GRIZZLY STEPPE – Russian Malicious Cyber Activity (PDF)

The Netherlands, France, Germany, the UK and Australia

I am not an expert in nation-state cyber threats, so I cannot independently assess this material.

Hacking of Canadian Government is Real

Hacking of governments is a real threat.  The Canadian federal government has been successfully hacked multiple times.

above links from my blog post Canadian government departments have been hacked before

Online Voting

Canada has no online voting at the federal or provincial level, and in fact online voting has been rejected by multiple Canadian studies.

There is however online voting at the municipal level in Nova Scotia and Ontario.  With 97 municipalities using online voting in the 2014 election and potentially over 200 municipalities using online voting in the 2018 election, this is one of the largest uses of online voting in the world.  This includes some municipalities where online voting is the only option (all paper ballots have been eliminated).  There are no (none, zero) standards for provincial online voting security.  There is no guidance for decisionmaking and risk-assessment related to online voting.  Without exception, the online voting is contracted out to third-party, for-profit vendors.  The computer code and systems designs used by the vendors is confidential, and there have been no public security tests and no public examinations of the computer code used.

Online voting provably does not substantially increase turnout.  The most comprehensive study, conducted on the Ontario use of online voting, shows a maximum effect of 3% increase.

For more information see Wikipedia – Electronic Voting in Canada.  (Disclaimer: I am a substantial contributor to that Wikipedia page.)

Estonia

If you want to cite the example of Estonia (the only country in the world with national online voting), you might want to mention:

Computer Security Experts

If you want to interview computer security experts about online voting, here is a list of over a dozen with contact information, including Canadians.

Twitter

  • I tweet regularly about election security and online voting: @papervote

Detailed briefing

If you have made it all the way down here, you may also be interested in my 16-page briefing about online voting, written for the New Brunswick consultation on the topic.

Government of Canada statement on online voting and cybersecurity

May 30, 2017

Electoral Reform
Committees of the House
Routine Proceedings

Discussion introduced by Nathan Cullen (Skeena—Bulkley Valley, BC).

Madam Speaker, I move that the third report of the Special Committee on Electoral Reform presented on Thursday, December 1, 2016, be concurred in.

Above from Open Parliament https://openparliament.ca/debates/2017/5/30/nathan-cullen-1/

Later in the discussion, response (excerpt) by Andy Fillmore, Parliamentary Secretary to the Minister of Democratic Institutions

Another committee recommendation, number 4, advises against allowing online voting at this time. Again, we agree, and while Canadians who participated in mydemocracy.ca agreed that online voting would improve voter turnout, their support was contingent on the need for solid assurance that such a system would not be vulnerable to manipulation by hackers. Similar concerns were heard from the experts before the special committee.

I want to touch briefly on the Minister of Democratic Institutions‘ mandate to protect our electoral system from cyber-attacks. Working with her colleagues, the Minister of Public Safety and Emergency Preparedness and the Minister of National Defence, the minister has asked the Communications Security Establishment to analyze proactively the risks to our electoral system and to release a public report. Further, we will ask the CSE officer for advice for political parties on cybersecurity best practices.

Above from Open Parliament https://openparliament.ca/debates/2017/5/30/andy-fillmore-2/

I do need to mention that, despite the survey-question-driven assertion that “online voting would improve voter turnout”, the evidence is that online voting does not increase turnout.

Previously:
December 1, 2016  ERRE Electoral Reform Committee Recommends Against Online Voting
October 2, 2016  ERRE Presentation – Internet Voting: Making Elections Hackable – Dr. Barbara Simons

Comments about Guelph Internet voting

A letter submitted for the April 24, 2017 Guelph Council meeting, agenda item COW – CS – 2017.04 2018 Municipal Election: Methods of Voting.

COMMENT

Dear Mayor and Councillors:

The Internet threat environment has changed since 2013 when Guelph did its initial analysis of online voting.  Since then, Ontario, British Columbia, New Brunswick and the federal government have all released reports on online voting, and all have recommended against it at the provincial or national level.  Threats have gotten worse while security technology has not advanced at the same pace, to the extent that the Economist magazine just did a cover story proclaiming “Why computers will never be safe”.

http://www.economist.com/news/leaders/21720279-incentives-software-firms-take-security-seriously-are-too-weak-how-manage

http://www.economist.com/news/science-and-technology/21720268-consequences-pile-up-things-are-starting-improve-computer-security

Of course, decisionmaking is always about balancing risks versus benefits.  I can tell you that when computer security experts examine online voting, they basically universally find that the risks are too high.  See for example Scientific American from February 2016

https://www.scientificamerican.com/article/pogue-the-challenges-of-digital-voting/

If you do choose to continue with online voting, I urge you in the spirit of open government to conduct an open, public test of the full online voting system well in advance of the election, with permission for anyone around the world to remotely examine the system in detail for security vulnerabilities and to publicly report their findings.  There is no security in obscurity.

In staff report CHR – 2013 – 30 “2014 Municipal Election:  Methods of Voting”, principles for a municipal election are outlined.  Here is my evaluation of online voting against three of those principles:

  • the secrecy and confidentiality of the voting process is paramount;

Use of a third-party vendor for online voting compromises voting secrecy and confidentiality.  Even if the voting systems were developed and hosted in-house, the information necessary to cast a vote (the voter identification) is extremely difficult to completely separate inside the computer from the vote cast.  Additionally, unsupervised remote voting opens the potential for anyone to view a vote that is being cast (and indeed to coerce the vote, or to pay someone for their voting credentials).

  • the integrity of the process shall be maintained throughout the election;
  • there is to be certainty that the results of the election reflect the votes cast;

The chain-of-custody for an Internet ballot extends from the personal computing device, across the Internet, and through to the voting servers.  There are potential threats to the integrity of the process at every stage, from compromised (“hacked”) home computers, through to denial-of-service attacks and potential vote alteration or addition of votes (“ballot stuffing”) at the server end.  Or the computer code could simply have errors in it (all computer programs have errors).  There is no way to observe the entire process; it is a black box.  Therefore there can be no real certainty that the results of the election reflect the votes cast.

Additional information supporting the above statements is available in an appendix to this email.

Thank you,

Richard Akerman

Appendix

Changes since 2013 report

The primary report is the July 16, 2013 “An Analysis of Alternative Voting Methods“.  http://guelph.ca/wp-content/uploads/AnalysisOfAlternativeVotingMethods.pdf

Both Elections Canada and Elections Ontario have been actively exploring the prospect of implementing an online voting channel for a number of years and have since allocated resources to undertake a detailed investigation and feasibility review of doing so.

As of 2017, neither Elections Canada nor Elections Ontario has implemented online voting, nor are they actively exploring the possibility.

A consultation by the Canadian Parliamentary Special Committee on Electoral Reform recommended against online voting[1], and the Canadian government accepted the recommendation.[2]  On March 2, 2017 Elections Canada released an RFP which included the statement “Elections Canada has no plans to introduce electronic casting or counting of votes. Polling places will continue using paper ballots, marked and counted by hand.”[3]

Ontario’s Alternative Voting Technologies Report, released June 2013, recommends against online voting and there is no online voting in provincial elections in Ontario.[4]

[1] December 2016 – Strengthening Democracy in Canada : Principles, Process and Public Engagement for Electoral Reform – http://www.parl.gc.ca/HousePublications/Publication.aspx?Language=e&Mode=1&Parl=42&Ses=1&DocId=8655791&File=291#87 – “Recommendation 4: The Committee recommends that online voting not be implemented at this time.”

[2] April 2017 – Government Response to Report Strengthening Democracy in Canada : Principles, Process and Public Engagement for Electoral Reform – http://www.parl.gc.ca/HousePublications/Publication.aspx?Language=e&Mode=1&Parl=42&Ses=1&DocId=8853290 – “The Government accepts this recommendation.  We will not implement online voting at this time.”

[3] March 2017 – Elections Canada RFP – https://buyandsell.gc.ca/cds/public/2017/03/02/967d72343b6234a0571287c709b7ae1f/ecrs-rfp-16-0167_-_anpp_-_ec-vsm-pppe_-_bilingual.pdf – “Elections Canada has no plans to introduce electronic casting or counting of votes. Polling places will continue using paper ballots, marked and counted by hand.”

[4] June 2013 – Alternative Voting Technologies Report – Ontario Chief Electoral Officer’s Submission to the Legislative Assembly (PDF) – http://www.elections.on.ca/content/dam/NGW/sitecontent/2014/reports/Alternative%20Voting%20Technologies%20Report%20%282012%29.pdf – “At this point, we do not have a viable method of network voting that meets our criteria and protects the integrity of the electoral process.”

Additional Context

In fact, there is no provincial online voting anywhere in Canada, and there is only municipal online voting in Nova Scotia and Ontario.  Reports from Nova Scotia [5], New Brunswick [6] and British Columbia [7] have all recommended against provincial online voting.  Quebec has had a moratorium on provincial online voting since investigating problems with its electronic voting machines in 2005.[8]

[5] Elections Nova Scotia: Annual Report of the Chief Electoral Officer April 1, 2012 – March 31, 2013 (PDF) – https://electionsnovascotia.ca/sites/default/files/ENS%20AR%20Web%202012_13.pdf – specifically pp. 14-16 Appendix I: Internet and Telephone Voting in Nova Scotia.

[6] March 2017 – A pathway to an inclusive democracy (PDF) – http://www2.gnb.ca/content/dam/gnb/Departments/eco-bce/Consultations/PDF/PathwayToAnInclusiveDemocracy.pdf – specifically pp. 20-21 E-voting

[7] February 2014 – Independent Panel on Internet Voting: Recommendations Report to the Legislative Assembly of British Columbia (PDF) – http://www.internetvotingpanel.ca/docs/recommendations-report.pdf

[8] October 2006 – Electronic voting – Le Directeur général des élections du Québec (DGEQ)http://www.electionsquebec.qc.ca/english/municipal/media/electronic-voting.php

There is a consensus statement from US computer scientists advising against Internet voting.[9]

[9] http://usacm.acm.org/evoting/category.cfm?cat=30&E-Voting – “At the present, paper-based systems provide the best available technology….”

END COMMENT

Here are additional documents I tracked down as part of writing the above comment:

2014 Election Cycle

July 16, 2013 — An Analysis of Alternative Voting Methods (PDF) — by Blair Labelle, City Clerk

July 16, 2013 — Staff Report CHR – 2013 – 30 — 2014 Municipal Election:  Methods of Voting (PDF) — Prepared and Recommended by Blair Labelle, City Clerk

June 2, 2014 (Amended September 15, 2014) — Procedures for Voting and Vote  Counting Equipment for the 2014  Municipal Election (PDF)

2018 Election Cycle

September 6, 2016 — Staff Report CS-2016-73 –Municipal  Election  Modernization,  Service  Expansion  and  Ranked  Ballot  Election (PDF; pp. 255-289) – Prepared by Jennifer Slater, Approved by Stephen O’Brien, City Clerk

April 3, 2017 — 2018 Municipal Election Voting Methods  (PDF; pp. 99-109) – by Stephen O’Brien, City Clerk and Returning Officer

April 3, 2017 — Staff Report CS  -2017.51 — 2018  Municipal Election: Methods of Voting (PDF, pp. 110-115) — Prepared by Tina Agnello, Deputy City Clerk; Approved by Stephen O’Brien, City Clerk

Other Reports Cited by Guelph

June 23, 2005 — Risk Analysis of Traditional, Internet, and other Types of Voting  Alternatives for Town of Markham — by Harry M. Kim

Internet voting filter bubbles

From a Canadian perspective, there are basically three groups that examine Internet voting:

  • social scientists that examine people’s attitudes, feelings and behaviours associated with Internet voting
  • staff at municipalities that have chosen Internet voting and see it as just another digital service to offer, and the vendors they procure Internet voting from
  • computer scientists that examine Internet voting from the perspective of requirements and threat risk assessment

These three communities basically don’t interact.  The social scientists cite one another.  The municipal staff and vendors reference other municipalities and vendor analysis.  The computer scientists cite one another.  This gives three basically different filtered world views.

  • The social science perspective indicates some level of popularity of Internet voting either conceptually or in practice, and associated levels of satisfaction.  It also documents the expectations of turnout (high) and the reality of turnout (no change).  Additionally and unfortunately it sometimes reports on perceptions of security, which are meaningless.  It doesn’t matter how safe you feel jumping off a cliff, the same thing will still happen at the bottom when you encounter reality.
  • At best, municipalities approach Internet voting from a digital services perspective, and do the standard things one does for a transactional service, including security buzzwords like firewalls and encryption, obtaining vendor assurances, and contracting confidential security assessments.  One of their primary sources of technical information is the vendors themselves.  Two issues are that Internet voting is not a standard transactional service, and that vendors have literally millions of dollars in sales at stake.
  • Computer scientists look at the requirements for voting systems, e.g. the Computer Technologists’ Statement on Internet Voting.  When they evaluate real Internet voting systems against those requirements, they always find that current systems cannot meet the requirements.  In order to provide the best security assessment of the real systems, they seek the ability to conduct truly independent and public security assessments of the technology being used (this is almost always denied).  They also assess the full spectrum of potential risks against a system.  That includes technical risks and non-technical risks.  An often overlooked risk is the risk of coercion when voting no longer takes place in private in a supervised location (the polling place).  They also examine techniques used by very sophisticated attackers, as well as very basic but successful techniques (e.g. phishing) and the risk of insider attacks.  For a service where there is no way for the end user to verify their intended result (due to the combination of secret ballot and coercion avoidance), the inevitable conclusion is that there are no adequate risk mitigation measures.

So the answer you get about Internet voting depends on which community you ask.  If you ask social scientists, it’s popular.  If you ask municipalities that have implemented it, they assure you that everything is going fine.  If you ask computer scientists, they will tell you that it is not a regular transactional digital service, and that using Internet voting introduces catastrophic risk.

You can get a pretty easy indication of which community is talking by looking for language clues.  If the discussion is around popularity, it’s probably a social science analysis.  If the discussion is around firewalls and encryption and security assurances, it’s probably municipalities.  If the discussion is around risks, it’s probably computer scientists.

It may seem odd that computer scientists would speak in less technical language, but that’s because specific technical measures are much less important than a system-wide requirements and threat analysis, particularly in an environment including home computing devices and non-technical online service users.

The result of having these different communities means that basically only consultations that include the computer science community recommend against voting using computers, which may be an unexpected outcome.  But it is the outcome of any serious consultation, including e.g. New Brunswick, Nova Scotia, Quebec, Ontario, British Columbia, the Government of Canada, and the Government of Australia.

The Ontario municipal association AMCTO is holding a 2017 event for municipal clerks, featuring a session about the security of Internet voting.  The presenters will be

  • a clerk from a municipality that has approved Internet voting
  • an Internet voting vendor representative
  • a second Internet voting vendor representative

I leave it to you to conclude which filter bubble will be in operation.

 

ISSA Ottawa Presentation – Internet voting: What could go wrong? – Marcel Gingras

I was pleased to have the opportunity to see the presentation Internet voting: What could go wrong? at the Information Systems Security Association (ISSA) Ottawa Chapter January 26, 2017 meeting.

Marcel Gingras has a keen grasp of the requirements for a high-integrity voting system, and provided a good history of how we ended up with the highly-ranked Canadian federal paper-based system, followed by a discussion of the risks that an Internet voting system would introduce.

The presentation is available below

Provided by permission of Mr. Gingras.

defend Canadian electoral process from cyber threats – Minister of Democratic Institutions Mandate

In the mandate letter for Minister of Democratic Institutions Karina Gould, she receives direction to discontinue electoral reform activities

Changing the electoral system will not be in your mandate.

She is also directed to defend the current electoral system from cyber threats, by working with National Defence, Public Safety, and the Communications Security Establishment (CSE).

UPDATE 2017-06-19: The CSE has released its report on Cyber Threats to the electoral process.  ENDUPDATE

In addition through her, CSE is directed to analyze security risks to Canadian political and electoral activities, and to offer advice to Canadian political parties and Elections Canada on cybersecurity.

In collaboration with the Minister of National Defence and the Minister of Public Safety and Emergency Preparedness, lead the Government of Canada’s efforts to defend the Canadian electoral process from cyber threats.  This should include asking the Communications Security Establishment (CSE) to analyze risks to Canada’s political and electoral activities from hackers, and to release this assessment publicly.  As well, ask CSE to offer advice to Canada’s political parties and Elections Canada on best practices when it comes to cyber security.

(a copy of the mandate letter is also available in Archive.org)

Given the current cyber threat environment, with documented compromises of political party systems and elections-related systems, I consider this new emphasis on electoral process cyber security to be excellent.  Having CSE release its security assessment publicly is also a very important step.

Note that in addition to Canada and the US, the Australian Prime Minister also expressed his concern about foreign actors attacking political parties.

The [Australian] Federal Government is urging Australia’s political parties to steel themselves against potential foreign cyber attacks, as Prime Minister Malcolm Turnbull prepares to announce an unprecedented cyber security briefing for political parties to be held in Canberra early next month.

from ABC News – Government urges political parties to ‘keep themselves secure’ ahead of cyber security briefing – January 23, 2017