E-Voting and Cybersecurity challenges

  • February 24, 2022
  • By Cyberarch Admin

In a democratic country, ultimate power should essentially reside in the hands of the citizens. Elections are held in different countries worldwide where individuals exercise this power by voting. With the rapid advancement in digital technology, electoral processes are modernized, making them more accessible and realizable. However, it also poses major cybersecurity threats and challenges that can undermine the democratic process and negatively impact election-related goals. In this case study, you will find in detail, comprehensive information about the integration of technology in elections, e-voting types, major cybersecurity challenges and possible solutions.

  • Technology and Election

Technology use in elections across the world is not a new phenomenon. Since the advent of radio, television and computer, these devices have been used for election campaigning. Gradually, the growth in technology paved the way for its integration and implementation into election procedures. By the 1990s, mobile phones, smart devices and the network of computers became quite popular in various countries and became part and parcel of daily lives. Thus, it began to be used in election activities as well. Consequently, electronic voting or E-voting today has become the latest technology adoption that has transformed elections. Technology is now used for a wide range of electoral processes such as database generation of voter registrations, organization of polling stations, allocation of polling staff, identification of voters, electronic voting machines, vote counting and results.

Cyber threats, in recent times, have increased exponentially and have become more sophisticated as well. They threaten to compromise traditional election processes and the public confidence in election results. On the broader note, cybersecurity issues have an underlying impact on other election-related activities such as online campaigns, social media, fake news and divisive information.

  • Voting System Types

Voting systems integrated with technology enable individuals or citizens of a country to cast their vote in an election using computer systems. There are mainly three types of voting systems that have been used by different countries since the 1960s.

Paper-based is the simple system where electors cast their votes by hand using paper ballots. However, with the emergence of electronic tabulation and punch cards with perforated holes, the votes are counted electronically. The second type is the Direct-recording Electronic Voting System – DRE, where an optical scanner scans a circle coloured and counts the vote. Optical scan systems are also used to count ballot papers. This includes a mark sense system, electronic ballot markers and digital pen. In general terms, optical scanning blends paper with electronic devices.

Electronic Voting is the latest innovation that allows people to vote from the comfort of their homes, workplace or public place or elsewhere using the internet or web. Although it offers the most convenience to voters, it raises security concerns as well. Election officials also do not have under its control the voter’s computer system. Some countries have implemented kiosk voting or internet voting polling sites where voters can cast their vote through machines which are under the control of election officials.

  • Security Threats to E-Voting

With the growing use of the internet and the ease of access, it is difficult to avoid e-voting as a better means for election purposes. There are many benefits of e-voting, which includes flexibility, convenience and cost reduction. However, both human-related and technology-related security threats are evolving with time and they continue to affect e-voting in different ways. Some of them are discussed.

1)Denial of Service Attacks

Denial of Service Attacks, commonly referred to as DoS, is a sophisticated method by which the cybercriminals or threat actors attack the server either temporarily or permanently used by the elector for voting purposes. Consequently, such attacks prevent genuine voters from exercising their voting power through the web. There are many ways in which DoS attacks are carried out. The web server is filled with messages, which prevent voters from reaching the election web. Secondly, the attackers cut the connection between two computers. Thirdly, the election web is made unreachable, specifically preventing a computer system and finally preventing an individual voter from accessing the election web.

2)Malicious Software

Malicious software is one of the potent methods through which cyberattacks are carried out throughout the world. It is in the form of software codes that infect computers and it can be viruses, worms and Trojan horses. In e-voting systems, malicious software is used by threat actors to eliminate voting-related data. Else, it is used to prevent an elector from voting by affecting the computer system used to access the election web. Most often, these computers do not have the security capabilities to withstand or protect against malicious software. Additionally, the elector may not be aware of the malicious software and its intent, compromising the integrity of the election.

3)Spoofing

Spoofing attacks are another security challenge that affects e-voting. In this type of attack, the cybercriminal communicates with the elector or voter trying to reach the election web. Disguised as the original web, they deceive the voter. In other words, when a voter tries to reach an election web, they are misled into reaching a fake election web. Furthermore, voters’ personal data and voting are exploited and abused. This alters voting results and leads to privacy issues as well. Pharming Attack is also similar to spoofing where traffic from one website is redirected to another website by exploiting Domain Name Server – DNS. Also, user errors, server-side mis-configuration, and cryptographic attacks are often used to access and alter voter preferences. This is also known as man-in-the-middle attacks.

4)Internal Vulnerabilities

There are several cybersecurity issues that spring up while using the e-voting option in the election, and most of them are caused due to internal vulnerabilities. Experts often find current or ex authorized users of the system who act as an internal threat. They can be divided into three categories. First, the users who utilize the e-voting system exploit the non-technical vulnerabilities of the system to make financial gains. They do not essentially damage the organization. Secondly, the administrators or management bodies can cause severe damage as they have exclusive privileges and rights to access the system. In this type, financial gain is not the motive but revenge. Thus, special care must be taken so that electronic votes remain a secret, and no single individual must be given rights to decrypt the data collected. 

5)External Vulnerabilities

One of the major highlights of e-voting is that it can be exercised from any part of the world. However, the same factor can act as a disadvantage as it makes e-voting more vulnerable to cyber threats from any part of the globe. Different types of criminals attack the election web. This includes terrorist groups, hackers, criminals and others. They can be financially or politically motivated. 

Hackers are a group of computer fanatics who have extensive knowledge about computer systems, applications and the internet. They generally spend quality time in understanding the weakness of different network systems and winning challenges. Disrupting an electoral process is mainly governed by their interest in showcasing their abilities or just for fun. Cybercriminals, on the other hand, attack election systems to make financial gains by extracting private voter data and selling them to those buying votes. 

In recent times, foreign intelligence services are playing the role of cyber attackers. The main aim is to cause public chaos and disorder, influence people, change the election outcome, topple governments and much more. 

 

  • Countries and E-voting

Experts, from across the world, have argued repeatedly that e-voting can become the best method for a credible election. This is because it minimizes the possible risk of double voting and spoilt ballot papers. However, the risk of hacking and manipulation remains, which needs to be overcome using better solutions. So, which countries have e-voting? Find out in this section. 

The United States of America was the first country in the world to try electronic or e-voting in the 1960s. Since then, the majority of states have used DRE and optical scanner voting systems. In addition, 90% of votes today are counted via electronic means, which is an incredibly strong number. Namibia is the first African country to utilize voting machines in the year 2014. Island nation of the Philippines started using voting machines in 2010. The world’s largest democracy India used voting machines way back in the late 1990s and early 2000s, and it has been in use since then. Other countries like Kyrgyzstan and Mongolia use electronics to count votes. One of the most popular nations to implement e-voting and internet voting has been Estonia, who has used e-voting since 2005 and continues to use it even today. 

There are some other countries in the world that use e-voting systems partially in their elections. For example, Canada uses voting machines in local elections. In Belgium, few districts have opted for voting machines. France allowed its foreign citizens to exercise their voting power using internet voting. However, hacking news in the US elections of 2016 had a ripple effect on France, which decided to do away with internet voting in 2017. Russia, Iran and Argentina also employ e-voting in one way or another. 

According to the latest reports, many countries are in the process of implementing e-voting. Many countries are testing the effectiveness and other positives of e-voting. This includes Bangladesh, Bulgaria and Norway. At the same time, it is interesting to note that there are many countries that are not satisfied with e-voting and are no longer using the option. Ireland is one such country that dropped its plan to use e-voting due to cybersecurity challenges and concerns. Paraguay, the Netherlands, Germany are other countries that have experimented with e-voting and lack of transparency and public support made them revert back to paper ballots. 

Find out in-depth about the e-voting history or present scenario in different countries across the world. 

1)Brazil

Brazil’s tryst with e-voting started way back in 1985 when a computerized election database was implemented by the Superior Electoral Court. The main aim was to achieve economic feasibility and prevent fraudulent activities. In 1996, e-voting was first used in a municipal election. An interesting thing about their e-voting system, developed in the 1990s is that different software players developed different generations of voting machines. Also, the source code of the software used for e-voting is proprietary. It mainly deals with identification, vesting of votes and tallying process. 

2)USA

The 2016 US election was a watershed moment for all the democratic countries in the world. It showed the cybersecurity challenges of democratic elections conducted through e-voting. The world came to know that key electoral processes such as voter registration, voting machines, storage and transmission can be manipulated to influence the final outcome. Foreign interference in a nation’s election was unfathomable before. The incident proved that it is indeed high time to fight against both real and perceived cybersecurity challenges and vulnerabilities. 

3)India

The voting machines in India consist of a Control Unit which is operated by the polling official and a Balloting Unit. When the officer presses the ballot button, the voter can cast his vote by pressing the button on the balloting unit. For a considerable amount of time, a paper trail was not available for voting in India. But today, a voter-verified paper audit trail VVPAT has been enabled since the 2014 elections. As for remote internet voting, it was implemented as an experiment in Gujarat in 2011. 

4)European Union

 Internet voting in the European Union is a breath of fresh air to reinvigorate citizen participation in the democratic election and to facilitate young people to engage in the electoral process. For the past several years, many European countries are assessing the advantages of e-voting and the adoption of internet voting has increased as well. According to many surveys, general trust towards e-voting is high and others have expressed concerns about privacy and security issues. However, it is important to note that cybersecurity challenges around the world have forced many countries like Germany to stop using E-voting and return to paper ballots. 

5)Canada

In Canada, electronic voting is partially used at the municipal and provincial levels due to federalism. At the same time, some provinces have banned the use of e-voting in Canada. At places where e-voting is an option, the technical features vary a lot. It is important to note that e-voting is not available for the national election. Ontario and Nova Scotia are the only provinces with internet voting. 

6)Switzerland

In Switzerland, the remote internet voting project began in 2000, both at the cantonal and international levels. After hundreds of trials were conducted at the federal, cantonal and community level, e-voting was made available to its citizens worldwide. 

7)Latin America

There has been a massive increase in the adoption of digital solutions in the democratic process in Latin America. Correspondingly, cybersecurity threats have substantially increased as well. According to the latest surveys, 50% of member states in Latin America have implemented digital identification but 70% of respondents anticipated cyberattacks on elections. Another concerning report is that 50% did not know or are unaware of the possibility of cybersecurity incidents that can affect them in electoral processes. 

8)Estonia

Estonia, as discussed before, is one of the few countries that have successfully implemented and utilized e-voting in elections. In 2001, discussions began on e-voting. By 2002, legal provisions were developed and by 2003 e-voting projects started. The rapid pace with which e-voting started is an achievement in itself. Finally, in 2005, internet voting was officially used in municipal elections. Voter identification in Estonia is carried out in multiple ways such as ID cards with PIN codes, Digital ID and Mobile-ID.

In the parliamentary elections held in 2015, approximately 30% of voters exercised their voting power via e-voting rather than the traditional option. It is in high contrast to 5% in the 2007 elections. It shows the confidence and popularity of e-voting among the Estonian population. Moreover, the Estonia e-voting model shows that once people start internet voting, they will continue to use the same method in the future too. It reduces the election cost and is hassle-free for people living far away from polling stations. 

  • Post-COVID Realities and E-voting

The unprecedented COVID pandemic has changed the way the world functions. Democratic counties worldwide have scrambled to provide safe means to vote in an election and prevent infection. Electronic voting is one of the best methods to keep citizens safe. A simple, transparent system with a strong identification process is enough to make e-voting a success. 

  •  Possible E-voting Security Solutions

There are security solutions that can be used to negate the impact of cyberattacks. Some of them are discussed.

1)Open-Source Software

Generally, closed source software is used in electronic voting systems, which opens up questions regarding its security as well as reliability. Instead, open-source software codes are open for public as well as expert scrutiny. This also enables the discovery of errors and potential options for manipulation. However, it is important, at this point, to note that accepting open-source software as the best solution for the electoral process is also open for further debate and scrutiny.

2)SSL Protocol

Spoofing attacks, as mentioned before, can be prevented or mitigated by a possible solution known as SSL protocol. The Secure Socket Layer protocol works by protecting the sensitive information exchanged between a user (in this case a voter) and server (election web server) through the encryption process. This will prevent cyber attackers from attaining personal data exchanged. However, cyber-attacks have so advanced that they can penetrate and decrypt the data. Increased awareness among users about SSL and identification of harmful web addresses can be a possible solution.

3)Secure System Architecture

Special care should be taken to develop and design secure system architecture for e-voting systems. Specialized programs, developed by different parties at every level of the electoral process like casting votes can possibly improve security and reliability.\

4)Private Wireless Networks

If the election processes are conducted in public networks, it opens up opportunities for the threat actors to disrupt the process by reaching the election web and related equipment. Therefore, it is high time that election processes are shifted to private wireless networks or private Internet Addresses – IPs. This makes it difficult for cybercriminals to find such networks and attack them. 

5)Connectivity

4G/5G can play an instrumental role in boosting security and providing end-to-end encryption. In addition, the connectivity at specific locations can be upgraded with advanced routers with in-built security features such as web content filtering, IDS and unified threat management. 

6)Other Technical Measures

Other technical measures that are used to fight against cybersecurity issues include network access control by verifying user identities. This is carried out as per 802.1x standard, which can give access controls and check user profiles. Demilitarized Zone or DMZ is an access control tool that makes sure that the public servers are secure. Another possible measure is Public Key Infrastructure or PKI, which is a set of procedures related to hardware and software procedures, and it is used to store, manage, update and remove certificates using public-key cryptography. This can fasten the exchange of information. Experts also suggest technical tools like Intrusion Detection System – IDS, Web Application Firewall – WAF and TLS protocol. 

  • Cybersecurity in Elections

Cybersecurity in elections has a broader scope than what people generally imagine. It covers a wide spectrum of processes such as technical, governance, organizational activities related to the election. Also, it goes beyond the use of anti-virus software, security tools and firewalls. According to the International Telecommunication Union, cybersecurity is defined as “The collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user’s assets against relevant security risks in the cyber environment.” It is precisely the requirement when it comes to e-voting and election challenges worldwide.

International standards for cybersecurity in elections provide a clear definition of the role of technology in it. For instance, it strongly advocates the use of technology by keeping its basic principles intact such as transparency, accountability, integrity and verifiability. 

International organizations such as the United Nations have established standards for all elections globally where data is stored in digital form. According to the General Assembly of the UN, the responsibility of the data is on those who collect it. Accuracy, transparency, lawful collection, discrimination prevention and secure storage of data should be ensured. 

The Council of Europe in 2017 have set additional standards in relation to voting and vote-counting mechanisms. It puts the onus of Election Management Bodies to ensure availability, reliability, usability and security of the e-voting system. The U.S. Electoral Assistance Commission – EAC has voluntary guidelines to assist election authorities to ascertain the functionality, accessibility and security standards of their election systems. One of the ways election management bodies can upgrade and boost the election security is by building partnerships with cybersecurity experts. The professionals and the whole team of skilled engineers can lead the way in equipping each electoral process with best security measures and prevent cyber attacks. 

 

Recent Articles

Got hacked? Speak to our security consultant.

Get in Touch
Scroll Top

Contact Us

Follow Us