Despite paper ballot, election hacking vulnerabilities exist
News | 09/04/2018 11:55 am EST
To bolster Canada’s democratic defences before the next election, governmental departments, political organizations, research groups and private industry tasked with that goal need to contend with a menagerie of cyber threats, experts from the security field tell The Wire Report.
Fortunately, Canada’s federal electoral undertakings include some immunities — the recording and counting of someone’s vote in a national election is done on paper and by hand, respectively. But the use of technological solutions is proliferating in the political landscape, and that means websites and internal communications are vulnerable to common hacking techniques, experts say.
“There’s a whole world which is going on below the surface, that you cannot see with your eyes, but it’s 100 per cent there and 100 per cent affects the data that you’re keeping,” said Western University software engineering assistant professor Aleksander Essex in a telephone call with The Wire Report. He referred to it as a “wicked landscape.”
“If you don’t know how this technology works, you better find someone you trust,” he said, given it’s “happening whether you’d like to believe that it is, or not.”
Smartphones, computers and electronic communication channels are critical parts of any campaign process, while more and more sensitive information about voters and internal operations is stored online. That means from embarrassing email leaks to compromised voter data, there are many ways our increasingly digital infrastructure is making the democratic process vulnerable to unwanted interference.
Limited technological protections, lack of personnel training or too much carelessness have resulted in security issues for a number of campaign efforts in the past. This means cyberespionage, blackmail, discrediting and stealing voter or party data are major threats, according to a 2017 report by the Communications Security Establishment (CSE).
While Public Safety Canada is in charge of the overall cyber security strategy for the federal government, as it’s currently running the Canadian Cyber Incident Response Centre (CCIRC) and setting up its successor, the Canadian Centre for Cyber Security (CCCS), as part of a cyber security initiative, it has handed off election defence to the CSE and the Minister of Democratic Institutions.
Earlier this year, the ministry tabled Bill C-76, a new elections bill which includes a prohibition of the “unauthorized use of computers” to “obstruct, interrupt, or interfere with the lawful use of computer data during an election period.” Scott Brison, then acting minister of democratic institutions, said at the time Canada will work with other governments on a multilateral, ongoing basis against cyber threats and foreign interference. The CSE was also given new powers to defend democratic institutions in the still-to-be-confirmed national defense bill, C-59.
The CSE produced a summer 2017 report covering the threats to Canada’s democratic process and concluded that “almost certainly, political parties and politicians, and the media are more vulnerable to cyber threats and related influence operations than the election activities themselves.”
The federal political parties have committed to better cyber defences, the Hill Times reported earlier this month, though they’re not saying much. Representatives from each of the parties declined to go into the details of their strategies.
But that position makes sense, said vice-president of government relations and policy at the Information Technology Association of Canada (ITAC), Andre Leduc. “Nobody wants to say ‘hey our platform or our network is potentially insecure.’ So what you do is, internally, you do the due diligence,” he told The Wire Report in a phone interview.
“Whether it’s you or your brand as a party defending yourself from cyber security threats, it needs to be a multipronged and multifaceted approach. It’s not if but when, and how you mitigate and respond is as important as putting up all the defenses,” said Leduc, adding that the major parties all need to understand these threats.
The stakes for political parties have been clear since the 2016 American presidential elections, where the theory that cybercriminal activity could throw the U.S. democratic process out of whack turned into reality. For the last two years, Canada’s national security organizations, electoral officials, the information technology industry and cyber security researchers have had the opportunity to prepare for what many feel is a coming storm.
While the 2016 American election was the most high-profile example, cases of unauthorized access to secret information and even voter hardware systems had occurred before and since the Democratic National Committee (DNC) had its confidential emails leaked to the Democrats’ electoral detriment.
In 2014, according to an article in the Christian Science Monitor, Ukrainian officials beat back a cyber intrusion which occurred on election day, sourced from a suspected foreign nation state. On that occasion the defenders successfully stopped the malicious actors from changing vote totals as well as their earlier attempts to disable the entire digital election system.
This event was characterized by the magazine as the first time someone had attempted to do real damage, after evidence emerged other western European nations merely had their online election infrastructure examined by unknown assailants.
Subsequent to the DNC failing to stop its emails from getting out, the campaign of the now-French president Emmanuel Macron was victim to a similar attack in 2017. Around nine gigabytes of emails associated with his election efforts were released to the public.
The vast majority of these attacks have been pinned on Russian-aligned cyber groups by federal investigators in the U.S. and around the world, according to a July report from the Washington Post. “Russia combines such cyber operations with propaganda to amplify social fault lines, polarize public opinion and undermine the integrity of Western democratic institutions,” it read.
To date though, the Russian government continues to publicly deny all involvement in foreign election meddling.
“This is why cybersecurity for political candidates and the parties is important, because there’s a sphere of influence which may be coming from foreign jurisdictions,” said Leduc.
Because western democracies tend to be very stable, according to Essex, it’s difficult to disrupt their systems through traditional warfare. Essex, who researches ways to protect electronic voting systems, said that information warfare has evolved in its place.
“So if you want, as another enemy state, to get into it with a democratic system you know you’re facing some real challenges. But democracies have a weakness, in a sense, which is that the legitimacy of the decisions that get made, flows from the people,” he told The Wire Report over the phone.
Disrupting the democratic process can paralyse the societal systems without needing to be successful, he added. Essex used the example of the current position of the U.S. political system, which has been grappling with the outcome of the 2016 election since it occurred.
“The waters are muddy and even though the intelligence community is saying ‘this is what has happened’ you have the political leadership saying ‘you know, it’s probably fine,’” Essex said.
Although he admits there have not been any direct threats against Canada, announcing intentions is not the style of the sources of these threats. “We haven’t gone down that road yet, [but] you can see it coming,” he said.
According to University of Ottawa professor Michael Pal, speaking at a summer 2018 Public Policy Forum roundtable on the topic of election cyber security in Ottawa, Canada might be on the target list of enemy nation state actors because it has passed Magnitsky Act-style anti-corruption legislation. That move was opposed by high-level Russian officials, including Russian President Vladimir Putin, according to media reports.
At the same event, assistant deputy minister of IT Security at CSE and incoming head of the CCCS, Scott Jones, said that our status as a middle power and relationship with the U.S. makes us “attractive.” Canada could serve as a way to access infrastructure integrated with the U.S., he said.
These events are what makes the headlines, but they’re fuelled by a list of common hacking methods CSE included in its 2017 report, which it dubbed a “cyber toolbox.”
Among the techniques was the distributed denial of service (DDoS) attack. It occurs when someone launches a barrage of access requests to a specific webpage, overloading it and causing it to stop working. Malicious actors could use that to prevent critical election information, like polling place locations and political messaging, from being shared, said Leduc. Political parties are especially at risk because “you undermine their competency and the ability for them to get their message out,” when a DDoS attack is used, he said.
DDoS attacks aren’t difficult to pull off, Leduc added. “There’s an entire black market for hacks. You can lease a massive botnet for an amount of money at a certain time to attack a specific site,” he said. Botnets are collections of internet-connected devices which can be controlled to overload an internet server’s traffic capacity.
In 2012, the NDP was victim to a DDoS attack during its leadership convention. The attack temporarily disabled the online voting system the party was using to select its next leader. Subsequent investigations could not determine the source of the attack, according to a report from the provider of the voting system, Scytl Secure Electronic Voting S.A.
The CSE also believes that website defacement, when an adversary changes “the content of the website with an image or a message designed to embarrass the political party or election agency, or in an attempt to raise awareness of a particular issue,” is a similar threat, according to its report.
What was suspected to have caused major headaches for the Hillary Clinton campaign in the 2016 presidential election was something called a “spear-phishing” attack, where someone is tricked into entering sensitive credentials into a similar-looking website. Instead of logging the person in, the site could transmit that information to another party. In the 2016 example, investigators suspect the root cause of emails associated with the DNC being leaked to the public was a high-ranking official falling for this kind of attack.
The CSE said ransomware, an extremely common form of malicious software in 2017, could end up locking political or electoral organizations out of important computer files, while demanding that a fee be paid to access them. Essex told The Wire Report that there were cases of nation state actors using the proceeds of ransomware activities to finance their operations.
“It’s like playing a giant game of whack-a-mole. There are constantly changing threat vectors and we constantly need to be updating our cyber security to address those threats,” said Leduc. He explained that sources of these threats have evolved from criminal elements in the 1990s and 2000s, to nation state actors in the late 2010s.
The different types of cyber threats need different solutions, according to cyber security researchers.
Using encrypted communications could spoil certain kinds of attack and avoid embarrassing and unintentional disclosures, but there are challenges found in picking the right software, said Open Privacy security researcher Erinn Atwater.
“Even the major political parties are only just beginning to investigate end-to-end encrypted communications apps,” she said in an email to The Wire Report. Though in recent years “there has been a glut of new (supposedly-)secure messaging apps flooding the market, and it’s almost impossible for even those with good digital literacy to evaluate and compare them.”
To stop network intrusions which can lead to leaked data, Leduc points to proactive efforts like threat monitoring, where incoming connections are scanned to determine whether they are friendly or trying to exploit security vulnerabilities, and penetration testing, where hacking attacks are deployed on your own infrastructure to figure out the ways that malicious actors can access the data.
There’s also an employee behavioural component to protecting sensitive electronic infrastructure, said Leduc, meaning it’s necessary to train employees about these issues. Phishing attacks can be fended off through an alert and educated campaign staff, he said.
One group focusing on training is Elections Canada. According to Elections Canada assistant director Melanie Wise, the independent agency is training employees on cybersecurity and using phishing simulations, which send fake phishing emails to test employees’ security awareness and see who is vulnerable to being tricked. It’s also currently undergoing a cyber security audit.
Outlined on its website, the CSE’s top ten security actions include applying the latest software patches to operating systems, enforcing administrative privileges and isolating applications which connect to the internet. CSE told The Wire Report that it has connected with political parties, parliamentarians and electoral officials to offer advice and guidance.
“In line with our mandate, CSE is tracking foreign cyber threats to Canada’s democratic processes and is taking action to bolster Canada’s cyber defence activities. CSE is also working with our domestic and international security partners to further protect Canada’s democratic institutions and processes from these kinds of threats and interference,” said CSE media relations representative Ryan Foreman in an email.
As the election draws closer, a fuller picture of the kinds of threats Canada’s 43rd federal election might be facing is likely to emerge — that’s when CSE said it plans on publishing an updated report on the threats.