June 16, 2017 – cyber threats to Canada’s democratic process – news conference

Media Advisory from the Government of Canada – Democratic Institutions

News Conference by Minister Gould on cyber threat assessment

Jump to additional background information I have provided.

Media representatives are advised that the Minister of Democratic Institutions, the Honourable Karina Gould, and the Chief of the Communications Security Establishment, Ms. Greta Bossenmaier, will be holding a news conference to discuss an assessment of cyber threats to Canada’s democratic process.

Senior officials from the Communications Security Establishment will provide an embargoed technical briefing immediately before the press conference. The technical briefing will not be for attribution.

Technical Briefing
Date: June 16, 2017
Time: 9:30 AM
Location: 
National Press Theatre
150 Wellington Street
Ottawa, Ontario

Journalists who wish to participate via teleconference should contact the Minister of Democratic Institutions’ Press Secretary at the number below.

All information will be embargoed until 10:30 AM on June 16, 2017.The technical briefing will not be for attribution. No cameras will be permitted.

Press Conference
Date: June 16, 2017
Time: 10:30 AM
Location: 
National Press Theatre
150 Wellington Street
Ottawa, Ontario

For more information (media only), please contact:
Byrne Furlong
Press Secretary
Office of the Minister of Democratic Institutions
613-943-1833

END MEDIA ADVISORY

Here is some additional information and context from me.

Election Cybersecurity

USA

In ICA 2017-01D Assessing Russian Activities and Intentions in Recent US Elections (PDF), the US intelligence community describes an influence campaign “strategy that blends covert intelligence operations — such as cyber activity — with overt efforts”.

The description is introduced with the term of art “We assess”, indicating an analytical assessment.  The US intelligence community asserts “high confidence” in the judgments related to the influence campaign.  High confidence is a term of art about confidence in sources that is defined in Annex B on Estimative Language: “High confidence generally indicates that judgments are based on high-quality information from multiple sources.”

For the technical background on the assessment, see Joint Analysis Report (JAR) JAR-16-20296A GRIZZLY STEPPE – Russian Malicious Cyber Activity (PDF)

The Netherlands, France, Germany, the UK and Australia

• The Netherlands eliminated all electronic processes from its 2017 election (based on an assessment of a particular system vulnerability) – if you read Dutch, the announcement is Uitslag verkiezingen moet boven alle twijfel verheven zijn – widely reported e.g. Politico Europe “Dutch go old school against Russian hacking” and The Guardian “Dutch will count all election ballots by hand to thwart hacking“
• France cancelled online voting for overseas voters for the 2017 Legislative Elections due to cybersecurity concerns (it was never available for the Presidential Election).  Widely reported e.g. Reuters “France drops electronic voting for citizens abroad over cybersecurity fears“
• Germany has no electronic or online voting following finding such methods unconstitutional.  However there is more to democracy than elections.  The German Bundestag was hacked, and Bloomberg reports that Germany is concerned enough about foreign interference to be devoting efforts to what it calls an “election firewall”.
• The UK also has no national electronic or online voting, but also had “cyber security chiefs” protect the election from disruption.  e.g. Evening Standard “Improved cyber security for General Election after Russian hacking scandal“
• Australia announced “unprecedented intelligence briefings” for politicians about cybersecurity.  e.g. InnovationAus – “Pollies sent to ASD hack school” (ASD, the Australian Signals Directorate, is a rough equivalent of the Canadian CSE)

I am not an expert in nation-state cyber threats, so I cannot independently assess this material.

Hacking of Canadian Government is Real

Hacking of governments is a real threat.  The Canadian federal government has been successfully hacked multiple times.

• CBC – Foreign hackers attack Canadian government – Finance, Treasury Board Secretariat and Defence Research and Development Canada – Feb 16, 2011
• Reuters – Canada says cyber-attack serious, won’t harm budget – Finance Department and Treasury Board [Secretariat] attacked – Feb 17, 2011
• Wikipedia – 2011 Canadian government hackings
• CBC – Chinese cyberattack hits Canada’s National Research Council –  Jul 29, 2014
• Government of Canada – Statement by the Chief Information Officer for the Government of Canada – Jul 29, 2014
• Globe and Mail – Extensive fallout from Chinese hack of National Research Council – Sep 2, 2016

above links from my blog post Canadian government departments have been hacked before

Online Voting

Canada has no online voting at the federal or provincial level, and in fact online voting has been rejected by multiple Canadian studies.

There is however online voting at the municipal level in Nova Scotia and Ontario.  With 97 municipalities using online voting in the 2014 election and potentially over 200 municipalities using online voting in the 2018 election, this is one of the largest uses of online voting in the world.  This includes some municipalities where online voting is the only option (all paper ballots have been eliminated).  There are no (none, zero) standards for provincial online voting security.  There is no guidance for decisionmaking and risk-assessment related to online voting.  Without exception, the online voting is contracted out to third-party, for-profit vendors.  The computer code and systems designs used by the vendors is confidential, and there have been no public security tests and no public examinations of the computer code used.

Online voting provably does not substantially increase turnout.  The most comprehensive study, conducted on the Ontario use of online voting, shows a maximum effect of 3% increase.

For more information see Wikipedia – Electronic Voting in Canada.  (Disclaimer: I am a substantial contributor to that Wikipedia page.)

Estonia

If you want to cite the example of Estonia (the only country in the world with national online voting), you might want to mention:

• An independent assessment of Estonian online voting found multiple security issues: https://estoniaevoting.org/
• The entire number of voters in Estonia’s 2015 parliamentary election was 577,910 of which only 30.5% (176,491) voted online – from Statistics about Internet Voting in Estonia
• Despite offering online voting since 2007, Estonia’s turnout has not increased substantially (from 61.9% to 64.2%) and in fact Canada’s turnout in 2015  (68.3%) was higher than Estonia’s in 2015

Computer Security Experts

If you want to interview computer security experts about online voting, here is a list of over a dozen with contact information, including Canadians.

Twitter

• I tweet regularly about election security and online voting: @papervote

Detailed briefing

If you have made it all the way down here, you may also be interested in my 16-page briefing about online voting, written for the New Brunswick consultation on the topic.