In the wake of the French and U.S. elections, each having had their fair share of confirmed and suspected hacks and data leaks, it is only natural to wonder whether the fate of democracy is today more in the hands of the hackers than the people. How can we ensure that future elections remain immune to cyber attacks? Which measures are secure and what kind of protection is required?
During his investigations of the thirty-seven websites relating to the eleven candidates running in the 2017 French presidential election, Damien Bancal, expert in cyber crime, found more than two hundred security flaws. SQL injections and cross-site scripting breaches aside, many of these concerned basic vulnerabilities such as exceedingly simple passwords (for instance, he reported that the Republicans’ website, created using WordPress, was protected only by an ‘admin’ username, with the password, you’ve guessed it... ‘admin’). Just a few straightforward updates and the implementation of good housekeeping practices would, with minimal effort, strengthen these critical weaknesses. But France is not the only country affected by these problems; the Twitter account of the official news agency of Qatar was hacked and began sharing fake statements from the Emir, which were quickly picked up by the media. More recently, this toxic trend also hit the Tunisian elections and the Mexican campaign.
Before we can start to improve the security of polling stations, we must first come up with ways to guard against destabilisation attempts and ‘fake news’, both of which are now widespread and persistent. In order to prevent slanderous information spreading like wildfire in the run-up to elections, certain filters could be introduced for websites and their content, warning users that they are visiting a website that contains or has a reputation for sharing false information.
Such systems, however, are not perfect insofar as it is only possible to effectively block what has been confirmed as illegitimate. To hand over the filtering of ‘fake news’ to algorithms would require the use of syntactic analysis systems capable of detecting variants of such news, based on samples that are sometimes legitimate and sometimes not. As such, in the same way as it is already possible to detect spam campaigns, this approach could be used to curb the increasing numbers of trolls.
“In 2017, we witnessed the discovery of a new cyber attack victim: democracy!”
Guillaume Poupard, Director General of ANSSI [in French]
The most contentious moment: voter registration
The campaign is far from the most vulnerable time of an election. Voter registration, voting itself, and the counting of the votes in electronic elections present even more complex challenges. The NSA’s ongoing investigations into the possible Russian interference in the 2016 U.S. presidential election have shown that voter registration, carried out online and without any real protection, is highly vulnerable to attacks.
A number of different fraud scenarios need to be considered: firstly, a poorly-secured system could allow one individual to register as several voters, and therefore to vote a number of times. Secondly, there is the potential theft of registered voters’ login details, which can then be used by others to vote in their place. A final, even more radical, scenario suggests that individuals who have registered properly and legally could very simply be removed from voter lists. Such situations would, in extremis, compel a return to more traditional voting using ballot boxes, which in turn would discourage voters who are put off by long queues.
Traditional antivirus software, based on ‘pattern matching’, has become antiquated due to focusing only on signature-based methods to search files for specific pieces of code used for cyber attacks. Other solutions do exist today to protect the integrity of registration systems, as well as the security of servers used, the workstations of system operators and the data they process and store. Safeguarding measures such as incorporating security into the design of electoral management applications, regular audits of the code and its vulnerabilities, application firewalls to separate the environments and the use of certificates and biometrics in identity management must absolutely be implemented. New-generation technologies that apply a behavioural approach to detecting unknown threats would further complement this arsenal. These entail the real-time analysis of the behaviour of the applications that run on a particular system. If the behaviour deviates from what is considered normal activity, a warning is triggered and the suspicious activity is blocked.
Polling stations, whether digital or not, could also be potential targets for more sophisticated attacks. So how can we ensure that voters’ choices are not manipulated?
Online voting systems could become vulnerable to attacks such as denial of service. Following new setbacks experienced during the U.S. elections in 2016, the government of the State of New York announced that it was launching a series of measures to protect against hacking and other cyber threats, as part of the preparations for the elections for the U.S. House of Representatives and the U.S. Senate in mid-June 2018. However, offline voting systems do not necessarily offer greater reliability; the source code of the Diebold machines used during the presidential elections in the USA in 2004 was leaked online, making it possible for an individual to vote more than once.
Above all, e-voting systems must guarantee that all legitimate votes are accurately counted, that there are no duplicates, no modifications or deletions, and that no fake votes have been cast by malicious parties. Such evidence must be provided in the form of cryptographic proof, held exclusively by the trusted authorities. It goes without saying that before we can fully rely on electronic encryption systems, we need to be able to rely on those in charge of them; and this is where the problem becomes the same as for traditional voting systems.
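One way to check the four properties listed above (no duplicates, no modifications, no deletions, no fake votes) is a keyed hash chain over the ballot log, audited by the authority that holds the key. The Python below is an added example, not part of the original article or of any real e-voting product; the record layout, the one-time voter tokens and the function names are assumptions, and ballot secrecy is out of scope.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # tag that precedes the first ballot

def seal(key, prev_tag, token, ballot):
    """Tag binding this ballot to everything recorded before it."""
    msg = prev_tag + len(token).to_bytes(2, "big") + token + ballot
    return hmac.new(key, msg, hashlib.sha256).digest()

def append(key, log, token, ballot):
    """Record one (token, opaque encrypted ballot) pair at the end of the log."""
    prev = log[-1][2] if log else GENESIS
    log.append((token, ballot, seal(key, prev, token, ballot)))

def audit(key, log, issued_tokens, published_head):
    """Return [(index, finding)]; an empty list means the log is consistent."""
    findings, seen, prev = [], set(), GENESIS
    for i, (token, ballot, tag) in enumerate(log):
        # Modified entry, or an entry whose predecessor was removed or swapped
        if not hmac.compare_digest(tag, seal(key, prev, token, ballot)):
            findings.append((i, "CHAIN"))
        if token not in issued_tokens:
            findings.append((i, "FAKE"))        # token was never issued
        elif token in seen:
            findings.append((i, "DUPLICATE"))   # token already voted
        seen.add(token)
        prev = tag  # continue from the stored tag so one fault is reported once
    head = log[-1][2] if log else GENESIS
    # The head is published at close of poll; a shorter or longer log changes it
    if not hmac.compare_digest(head, published_head):
        findings.append((len(log), "HEAD"))
    return findings

if __name__ == "__main__":
    key, log = b"constructed-authority-key", []   # constructed sample data
    for tok, blob in [(b"t1", b"enc-A"), (b"t2", b"enc-B"), (b"t3", b"enc-C")]:
        append(key, log, tok, blob)
    head = log[-1][2]
    print(audit(key, [log[0], log[2]], {b"t1", b"t2", b"t3"}, head))
```

Because the key is symmetric, only its holder can run this audit, which is the trust dependency the paragraph above points out.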
In Switzerland, the cantons of Fribourg and Neuchâtel are already offering citizens the option to vote via their smartphones, in conjunction with La Poste. Each voter will receive a ballot paper through the post with four different verification codes: the start voting key, the choice codes (to ensure their choices have been correctly transmitted), the ballot casting key (corresponding to the moment the paper is placed in the ballot box) and the vote cast code which ends the process. Other cantons are also due to introduce this option in the near future.
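The exchange of codes described above can be modelled in a few lines to show why a voter who compares the returned choice code with the printed sheet notices a ballot altered on the device. This is an added, simplified example, not La Poste's actual protocol or code: the HMAC derivation of the codes, their lengths and all names are assumptions.

```python
import hashlib
import hmac

OPTIONS = ("YES", "NO")  # constructed ballot question

def code(secret, label, digits=6):
    """Short numeric code derived from a per-voter secret (assumed derivation)."""
    mac = hmac.new(secret, label.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)

def print_sheet(secret):
    """What the voter receives by post: the four kinds of code."""
    return {
        "start": code(secret, "start"),
        "choice": {o: code(secret, "choice:" + o) for o in OPTIONS},
        "cast_key": code(secret, "cast-key"),
        "vote_cast": code(secret, "vote-cast"),
    }

class Server:
    """Voting server for one voter; it knows the same codes as the sheet."""
    def __init__(self, secret):
        self.sheet = print_sheet(secret)
        self.pending = self.ballot_box = None

    def submit(self, start_key, option):
        if not hmac.compare_digest(start_key, self.sheet["start"]):
            raise PermissionError("unknown start voting key")
        self.pending = option
        return self.sheet["choice"][option]  # code for what the server received

    def confirm(self, cast_key):
        ok = hmac.compare_digest(cast_key, self.sheet["cast_key"])
        if self.pending is None or not ok:
            raise PermissionError("ballot casting key rejected")
        self.ballot_box, self.pending = self.pending, None
        return self.sheet["vote_cast"]

def vote(sheet, server, intended, client=lambda option: option):
    """Voter-side procedure; `client` models the device, which may be tampered."""
    returned = server.submit(sheet["start"], client(intended))
    if returned != sheet["choice"][intended]:
        return "ABORT: choice code mismatch"  # casting key is never typed
    if server.confirm(sheet["cast_key"]) != sheet["vote_cast"]:
        return "ABORT: vote cast code mismatch"
    return "CAST"

if __name__ == "__main__":
    s = b"constructed-voter-secret"
    print(vote(print_sheet(s), Server(s), "YES", client=lambda o: "NO"))
```

The check only works because the sheet travels by post, outside the device that might be compromised, and because the voter withholds the ballot casting key until the choice code matches.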
However, it remains difficult today to guarantee all the security features of an e-voting system. And yet democracy is never as solid as the confidence placed by the people in its representatives: must we therefore leave it up to fate and resolve to postpone this future digital version, or should we finally be taking the bull by the horns? For a true digital democracy, integrated security must begin during the very first design phase of these voting systems if it is to have a genuine impact on democratic processes. What if blockchain already has some of the answers?
Thanks to the Stormshield Security Intelligence team for their precious help in writing this article, in collaboration with Usbek & Rica.