Tag: cybersecurity

Estonian ID card vulnerability and upcoming election

On September 5, 2017 the Estonian Information Systems Authority – Riigi Infosüsteemi Ametit (RIA) reported that researchers have found a vulnerability in the Estonian digital ID card:

Possible Security Vulnerability Detected in the Estonian ID-card Chip

This is a serious issue in general, as the card is at the heart of citizen digital interactions with the government, but has particular implications for Internet voting, as the ID card is key to the functioning of the voting system, enabling amongst other features the unique Estonian ability to vote multiple times with only the last vote counting (including choosing to vote in person on election day, cancelling all previous Internet votes).

There are local government council elections coming up soon, with online voting starting in a month, running from 5 October 2017 to 11 October 2017 (online voting is only available for advance polls, not on election day).

Estonia Local Gov Council Elections 2017

above from Municipal council election 2017

According to the Is the ID-card safe? FAQ, the National Electoral Committee (Vabariigi Valimiskomisjon) will decide whether to proceed with online voting.

UPDATE 2017-09-06: In its September 6, 2017 meeting, the National Electoral Committee decided to proceed with online voting in the October elections.  Reported by err.ee – Electoral committee: Online voting in October elections still on / Valimiskomisjon: e-hääletamine toimub.  ENDUPDATE

The analysis of the ID-card vulnerability, by “[a]n international group of cryptography scientists from recognized universities” will be “published in the coming autumn at an international scientific conference” according to the ID-card safety FAQ.

UPDATE 2017-09-06: There’s more detail about the specific vulnerability, which appears to be a computationally intensive, technically challenging way to determine the private key from the security chip, in the Postimees article Hackers could have made digital clones / Häkkerid võinuks luua eestlastest digikloonid.  ENDUPDATE

Links in English

Links in Estonian

Additional Context

Original story via Bruce Schneier – Security Flaw in Estonian National ID Card

As Estonia is the only country in the world with national Internet voting, I have written about it many times:

June 16, 2017  evaluation of Predicting the Future – online voting – Estonia
July 8, 2016 Estonian Internet voting and turnout myths
March 8, 2011 Estonian vote-counting system fails
November 11, 2004 e-voting in Estonia

For a perspective on security concerns with the Estonian system that predate the ID card issue, it is also important to read the materials on the website Independent Report on E-voting in Estonia as well as

CSE releases report Cyber Threats to Canada’s Democratic Process

On June 16, 2017 at 10:30am, the Canadian Communications Security Establishment (CSE) released its report

Cyber Threats to Canada’s Democratic Process

Analysis to follow.

Previously:
June 15, 2017  cyber threats to Canada’s democratic process – news conference
February 1, 2017  defend Canadian electoral process from cyber threats – Minister of Democratic Institutions Mandate

June 16, 2017 – cyber threats to Canada’s democratic process – news conference

Media Advisory from the Government of Canada – Democratic Institutions

News Conference by Minister Gould on cyber threat assessment

Media representatives are advised that the Minister of Democratic Institutions, the Honourable Karina Gould, and the Chief of the Communications Security Establishment, Ms. Greta Bossenmaier, will be holding a news conference to discuss an assessment of cyber threats to Canada’s democratic process.

Senior officials from the Communications Security Establishment will provide an embargoed technical briefing immediately before the press conference. The technical briefing will not be for attribution.

Technical Briefing
Date: June 16, 2017
Time: 9:30 AM
Location: National Press Theatre
150 Wellington Street
Ottawa, Ontario

Journalists who wish to participate via teleconference should contact the Minister of Democratic Institutions’ Press Secretary at the number below.

All information will be embargoed until 10:30 AM on June 16, 2017. The technical briefing will not be for attribution. No cameras will be permitted.

Press Conference
Date: June 16, 2017
Time: 10:30 AM
Location: National Press Theatre
150 Wellington Street
Ottawa, Ontario

For more information (media only), please contact:
Byrne Furlong
Press Secretary
Office of the Minister of Democratic Institutions
613-943-1833

END MEDIA ADVISORY

Here is some additional information and context from me.

Election Cybersecurity

USA

In ICA 2017-01D Assessing Russian Activities and Intentions in Recent US Elections (PDF), the US intelligence community describes an influence campaign “strategy that blends covert intelligence operations — such as cyber activity — with overt efforts”.

The description is introduced with the term of art “We assess”, indicating an analytical assessment.  The US intelligence community asserts “high confidence” in the judgments related to the influence campaign.  High confidence is a term of art about confidence in sources that is defined in Annex B on Estimative Language: “High confidence generally indicates that judgments are based on high-quality information from multiple sources.”

For the technical background on the assessment, see Joint Analysis Report (JAR) JAR-16-20296A GRIZZLY STEPPE – Russian Malicious Cyber Activity (PDF)

The Netherlands, France, Germany, the UK and Australia

I am not an expert in nation-state cyber threats, so I cannot independently assess this material.

Hacking of Canadian Government is Real

Hacking of governments is a real threat.  The Canadian federal government has been successfully hacked multiple times.

above links from my blog post Canadian government departments have been hacked before

Online Voting

Canada has no online voting at the federal or provincial level, and in fact online voting has been rejected by multiple Canadian studies.

There is, however, online voting at the municipal level in Nova Scotia and Ontario.  With 97 municipalities using online voting in the 2014 election and potentially over 200 municipalities using online voting in the 2018 election, this is one of the largest uses of online voting in the world.  This includes some municipalities where online voting is the only option (all paper ballots have been eliminated).  There are no (none, zero) standards for provincial online voting security.  There is no guidance for decision-making and risk assessment related to online voting.  Without exception, the online voting is contracted out to third-party, for-profit vendors.  The computer code and system designs used by the vendors are confidential, and there have been no public security tests and no public examinations of the computer code used.

Online voting provably does not substantially increase turnout.  The most comprehensive study, conducted on the Ontario use of online voting, shows a maximum effect of 3% increase.

For more information see Wikipedia – Electronic Voting in Canada.  (Disclaimer: I am a substantial contributor to that Wikipedia page.)

Estonia

If you want to cite the example of Estonia (the only country in the world with national online voting), you might want to mention:

Computer Security Experts

If you want to interview computer security experts about online voting, here is a list of over a dozen with contact information, including Canadians.

Twitter

  • I tweet regularly about election security and online voting: @papervote

Detailed briefing

If you have made it all the way down here, you may also be interested in my 16-page briefing about online voting, written for the New Brunswick consultation on the topic.

Government of Canada statement on online voting and cybersecurity

May 30, 2017

Electoral Reform
Committees of the House
Routine Proceedings

Discussion introduced by Nathan Cullen (Skeena—Bulkley Valley, BC).

Madam Speaker, I move that the third report of the Special Committee on Electoral Reform presented on Thursday, December 1, 2016, be concurred in.

Above from Open Parliament https://openparliament.ca/debates/2017/5/30/nathan-cullen-1/

Later in the discussion, response (excerpt) by Andy Fillmore, Parliamentary Secretary to the Minister of Democratic Institutions

Another committee recommendation, number 4, advises against allowing online voting at this time. Again, we agree, and while Canadians who participated in mydemocracy.ca agreed that online voting would improve voter turnout, their support was contingent on the need for solid assurance that such a system would not be vulnerable to manipulation by hackers. Similar concerns were heard from the experts before the special committee.

I want to touch briefly on the Minister of Democratic Institutions’ mandate to protect our electoral system from cyber-attacks. Working with her colleagues, the Minister of Public Safety and Emergency Preparedness and the Minister of National Defence, the minister has asked the Communications Security Establishment to analyze proactively the risks to our electoral system and to release a public report. Further, we will ask the CSE officer for advice for political parties on cybersecurity best practices.

Above from Open Parliament https://openparliament.ca/debates/2017/5/30/andy-fillmore-2/

I do need to mention that, despite the survey-question-driven assertion that “online voting would improve voter turnout”, the evidence is that online voting does not increase turnout.

Previously:
December 1, 2016  ERRE Electoral Reform Committee Recommends Against Online Voting
October 2, 2016  ERRE Presentation – Internet Voting: Making Elections Hackable – Dr. Barbara Simons

Updates on Internet voting worldwide

Many things are happening.  Too many things for me to write separate blog posts.  Here’s the situation as of March 8, 2017:

Canada

  • Canadian Parliamentary Special Committee on Electoral Reform recommended against national Internet voting – see December 1, 2016 blog post ERRE Electoral Reform Committee Recommends Against Online Voting
  • Canada’s Minister of Democratic Institutions was directed in her Mandate Letter to defend the Canadian electoral process against cyberthreats – see January 23, 2017 blog post defend Canadian electoral process from cyber threats
  • New Brunswick legislature Commission on Electoral Reform recommended against Internet voting – see March 23, 2017 blog post New Brunswick Internet voting and page 21 of Commission report A pathway to an inclusive democracy
  • Vancouver Independent Election Task Force recommended to city council that Vancouver conduct an online voting pilot, including asking the province to establish an independent technical committee – see slide 17 “Conduct an online voting pilot” of the Task Force presentation to council and pages 27-28 of the Task Force final report
  • Many Ontario municipalities have approved Internet voting for the 2018 municipal elections (far more than this blog can track; it will probably end up being about 200 municipalities)

Everywhere Else

defend Canadian electoral process from cyber threats – Minister of Democratic Institutions Mandate

In the mandate letter for Minister of Democratic Institutions Karina Gould, she receives direction to discontinue electoral reform activities:

Changing the electoral system will not be in your mandate.

She is also directed to defend the current electoral system from cyber threats, by working with National Defence, Public Safety, and the Communications Security Establishment (CSE).

UPDATE 2017-06-19: The CSE has released its report on Cyber Threats to the electoral process.  ENDUPDATE

In addition, through her, CSE is directed to analyze security risks to Canadian political and electoral activities, and to offer advice to Canadian political parties and Elections Canada on cybersecurity.

In collaboration with the Minister of National Defence and the Minister of Public Safety and Emergency Preparedness, lead the Government of Canada’s efforts to defend the Canadian electoral process from cyber threats.  This should include asking the Communications Security Establishment (CSE) to analyze risks to Canada’s political and electoral activities from hackers, and to release this assessment publicly.  As well, ask CSE to offer advice to Canada’s political parties and Elections Canada on best practices when it comes to cyber security.

(a copy of the mandate letter is also available in Archive.org)

Given the current cyber threat environment, with documented compromises of political party systems and elections-related systems, I consider this new emphasis on electoral process cyber security to be excellent.  Having CSE release its security assessment publicly is also a very important step.

Note that in addition to Canada and the US, the Australian Prime Minister also expressed his concern about foreign actors attacking political parties.

The [Australian] Federal Government is urging Australia’s political parties to steel themselves against potential foreign cyber attacks, as Prime Minister Malcolm Turnbull prepares to announce an unprecedented cyber security briefing for political parties to be held in Canberra early next month.

from ABC News – Government urges political parties to ‘keep themselves secure’ ahead of cyber security briefing – January 23, 2017

video – An Uninvited Security Audit of the U.S. Presidential Election

Computer security researchers J. Alex Halderman and Matt Bernhard report on US voting computer security and the attempts to conduct comprehensive audits of the 2016 election results (recounts) in Wisconsin, Michigan and Pennsylvania.

Video also available (including for download) at https://media.ccc.de/v/33c3-8074-recount_2016_an_uninvited_security_audit_of_the_u_s_presidential_election#video

Halderman and Bernhard were presenting at the hacker conference Chaos Communication Conference (CCC) on December 28, 2016.

The slides may become available on the presentation page https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/8074.html

Matt Bernhard tweets @umbernhard

You can find more about J. Alex Halderman in my list of computer security experts https://papervotecanada2.wordpress.com/2016/11/19/internet-voting-and-computer-security-expertise/#JAlexHalderman