The Legislative Assembly of the Northwest Territories will hold a public briefing on the Chief Electoral Officer’s Report on the Administration of the 2019 Territorial General Election on Tuesday June 30, 2020 at noon Eastern time. This report is significant because this was the first Canadian general election in which online voting was permitted at a provincial or territorial level.
The Standing Committee on Rules and Procedure, …, will hold a public briefing regarding the Chief Electoral Officer’s Report on the Administration of the 2019 Territorial General Election on Tuesday, June 30,  at 10:00 AM MDT [noon Eastern time]. Dr. Aleksander Essex will be in attendance.
To watch the meeting, tune in to the live stream on ntassembly.ca, or on the Legislative Assembly’s Facebook, Youtube, or Twitter accounts.
They identify five election technology systems:
- Elections NWT website hosted by GNWT
- Electorhood website hosted by ColdFront Labs (was electorhood . ca, but website is now gone)
- Elections NWT Learning Management System (LMS) hosted by Kellett Communications
- Elections NWT Elections Management System (EMS) hosted by DataFix
- Online Voting Platform hosted by Simply Voting
In case this terminology isn’t clear, the online voting was procured from the third-party, for-profit company Simply Voting, which ran the entire online voting system. The code is proprietary and has not been made available for independent analysis. This model of handing over the entire operation of online voting to a private for-profit company is the one used in all Canadian online voting to date.
I will quote part of the Security section of the report
To ensure the security and integrity of all Elections NWT online environments, and the election process as a whole, a security assessment was conducted on all five of Elections NWT online Platforms.
An agreement was made with Hitachi Systems Security to perform a Web Application Assessment and Penetration Test of the Elections NWT online systems.
This is a routine measure to secure an ordinary web server used for government services. It treats online voting as if it is any other web-based government service. But online voting has a uniquely higher level of risk and may attract sophisticated attackers, who will do a lot more than a vulnerability scan in order to compromise a system.
The Hitatchi Systems Security report has not been made public, even though there is no security in obscurity.
Overall, the Election Technology section of the report does not propose any threat model. Without a threat model, there is no way to determine what assessments should be used.
The most basic possible online voting model must include:
- the client
- the network
- the online voting server
- the code running on the online voting server
Security – The Client
The client (the voter casting the vote) is a huge security gap that is simply not considered in most online voting security analysis conducted by governments. Votes are cast from personal computers and smartphones. Computers and smartphones that are notoriously insecure. And often not updated with operating system and software application patches for known vulnerabilities. Where is the vulnerability scan and assessment for every single voter?
In the absence of client security, there are a wide variety of possible attacks, including software that watches for voting activity and alters the votes cast. If this sounds theoretical, this is exactly what banking trojan software does. F5 identifies over a dozen different major named banking trojans, it’s not an uncommon type of attack. In another type of attack, realistic-looking false websites are set up to direct voters to fake voting websites or applications for a variety of malicious purposes. If this sounds theoretical, it’s exactly what some ransomware attackers did when a Canadian COVID-19 contact tracing application was announced.
If you want an analogy, considering online voting secure if the server and network were somehow secure, but without client security, is like having thousands of dollars visible in the front window of your unlocked house, but then transporting it by armored car to a bank vault. Where do you think a thief is going to target their attack?
But of course the network and the server aren’t secure.
Security – The Network
From the client’s router through to the core network hardware, there are continuous vulnerabilities in networks. How continuous? Well here are three different network vulnerabilities from just the past week:
- Palo Alto Networks Security Advisories CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication – Severity 10 · CRITICAL (highest level of severity)
- Netgear httpd upgrade_check.cgi stack buffer overflow – Vulnerability Note VU#576779 – “may allow for unauthenticated remote code execution with root privileges” (this is the most severe possible level of system compromise)
- Telnet Vulnerability Affecting Cisco Products – CVE-2020-10188 – “A remote attacker could exploit this vulnerability to take control of an affected system.”
Security – The Server
There are very sophisticated attackers that target specific government activities. You don’t have to believe me. You can read e.g. the Canadian Centre for Cyber Security Cyber threats to Canadian health organizations (AL20-008 – Update 1). The counter-argument to that is usually “why would anyone attack my election?” But that is no counter-argument. To quote the Centre for Cyber Security
Sophisticated threat actors may choose to target Canadian organizations
There’s nothing about elections that would prevent them from being targeted; if anything they are potentially a very attractive target for many reasons.
Patching the kind of routine web vulnerabilities a penetration test is going to find is a necessary measure but almost meaningless against sophisticated attackers who can exploit much more challenging and obscure vulnerabilities using entire teams of people trained in compromising computer systems.
In addition to this, Canada has no mechanism whatsoever for inspecting the actual code that the third-party vendors are running on their servers. Even if somehow the entire chain of client through network to server were secure, the online voting code itself could have bugs.
Look to Switzerland
We need much stronger security assessment of Canadian online voting, including independent security analysis with access to the actual online voting code. Switzerland has been a world leader in putting in place the legislative framework for this kind of inspection, as I outline in my blog post
Swiss voting technology law sets the standard, in theory
and finding even that inadequate, Switzerland has now surveyed international experts for guidance on how to further enhance the legislative framework for examining the security of online voting systems. And notably Switzerland has paused all online voting until they can get a system that passes that assessment.
Security – Summary
It is good that the Northwest Territories conducted penetration testing
All tested applications showed good resilience against known Web attacks and were not vulnerable to any injection flows, privileged escalation, broken access controls or sensitive data exposure.
Many Canadian municipalities procuring online voting don’t conduct even this very most basic security measure.
However, this level of basic web server security is wildly inadequate for online voting. The threat actors are much more sophisticated, the level of risk is much higher, and the integrity of the system requires the entire voting process to be secure, end-to-end. Canada needs to examine online voting security using a threat model that includes every step actually involved, including the client, the network, and the online voting code. Collaboration with Canada’s Centre for Cyber Security and developing much more extensive independent assessment criteria based on the Swiss model would be a starting point.
The Actual Online Voting Numbers and Countries
Online voting was made available for absentee voting only. 489 ballots were cast, making this voting channel 3.7% of all ballots cast.
In the table “Absentee Poll Electronic Ballot Turnout by Country” the report indicates that ballots were cast from Canada (459 ballots), the US, France, Philippines, Denmark, Serbia, Spain, Japan, Norway, New Zealand, Zambia, Switzerland, Italy, Mexico, Morocco, and Germany.
Keep in mind how much additional, uncontrolled, non-Canadian Internet infrastructure some of these online voting interactions had to traverse.
Analysis of Recommendations for Legislative Changes
Many of the recommendations are about clearly separating voting by mail from voting online.
43 Powers of the Chief Electoral Officer – Create – report page 94
The Chief Electoral Officer may establish procedures in respect of voting by online ballot.
This would effectively make online voting a permanent option for Territorial elections, with basically no parameters around what the procedures should be.
If we are to have online voting (and to be clear, I don’t think we should), this lack of requirements and standards is a huge gap that could be addressed with a Swiss model that is much more prescriptive about assessing online voting.
45 Security of the Ballot Box – Section 153 (2) – Create – report page 95
The Chief Electoral Officer shall take precautions to ensure the safekeeping and security of the ballot box and ballots used for voting by online ballot.
S.N.W.T. 2010,c.15,s.17; S.N.W.T. 2014, c.19,s.20, 21.
As above, this is better than nothing, but far from the level of prescriptive requirements that would be needed, starting with an actual threat model including every step and participant in online voting, and advancing with Canadian Centre for Cyber Security guidance to a model much more like Switzerland where there is outside independent assessment by experts.
Just compare the level of requirements actually needed with the current model, which is a routine web server penetration test, with results in a secret report not provided to the public, and no assessment whatsoever of the vendor’s secret computer code that actually runs the online voting.
How can we have trust in an election where the security measures are a secret assessment of only the web servers, an assessment that didn’t even include looking at the actual computer code?
There is more in the recommendations but quite frankly I’m out of time.
The next Territorial General Election is expected on October 2nd, 2023.
SIDEBAR: The Chief Electoral Officer’s Report on the Administration of the 2019 Territorial General Election is also available from the Elections NWT website (PDF). END SIDEBAR
May 21, 2019 Questions about online absentee voting in the NWT