Australia's New South Wales Electoral Commission has given its electronic voting system a clean bill of health, dismissing hacking fears as “theoretical,” and accepting a PWC report saying the system to date was protected by “security through obscurity”.
Reviews of election processes are routine, and in 2016, the NSW Joint Standing Committee on Electoral Matters kicked off the Wilkins report. It was completed in May of this year, but was only recently made public (PDF).
Australian online voting system may have FREAK bugREAD MORE
NSW's “iVote” system was used by nearly 300,000 citizens in the 2015 election, a week after Melbourne University crypto-boffins Dr Vanessa Teague and Dr Chris Culnane demonstrated a FREAK-bug-like “theoretical attack”.
While internet voting is not yet widespread in Australian elections, Wilkins noted that “a number of Australia’s Electoral Commissioners have said to me: 'We need to be ready to do this efficiently and securely because it is inevitable.'”
Among the report's 29 recommendations are:
- Rather than the commonwealth and states building their own systems, Internet voting needs a national, standardised platform, jointly owned and maintained, and available to any jurisdiction that wants it.
- Parliament needs to consider the security impacts of changes to electoral legislation.
- The NSW Electoral Commission needs a security strategy covering “people, place, and data and information."
- The commission also needs the in-house ability to properly manage third parties providing hardware, software and services; and a cyber security strategy that covers all of the commission's activities.
- Agencies like CERT Australia, the Australian Cyber Security Centre, the Department of Home Affairs, the Australian Federal Police, and ASIO be called on to provide advice to all electoral commissions.
- Vulnerability testing should go beyond pentests, to include whether the system can be “gamed” or otherwise manipulated.
- The iVote software should be published, or at least made available for expert review.
Wilkins also wrote that systems should be transparent, auditable and verifiable.
All good, right? Not so fast …
The report's author Roger Wilkins dismissed as “theoretical” Teague's and Culnane's (along with Dr Aleksander Essex, and Professors Rajeev Goré J Alex Halderman) concerns that the system isn't well-protected against attack. A hack could alter an election result, but Wilkins wrote that argument “places too much weight on theoretical possibility and not enough on empirical likelihood, or probability of things occurring.”
He did, however, concede that Internet voting security needed improvement, writing that it is not attended to as systematically and comprehensively as it needs to be, given the emerging threat environment and the fact that internet voting was now becoming 'critical infrastructure'”.
Dr Culnane, for one, expressed his displeasure in the Twitter thread starting here.
In particular, he noted that the 282,669 votes cast using iVote could well swing some electorates if there were an attack, and that a separate PWC risk assessment claimed voters are protected by the obscurity of the system (which to El Reg seems at odds with the call to publish the software).
Here's how PWC put it (the risk assessment is an appendix to the report):
To date, there have been limited categories of eligible voters legally allowed to use iVote, allowing the system to benefit from ‘security through obscurity’, and therefore, the level of risk management of iVote at present is appropriate based on current scale and scope of its use.
The PWC assessment continued: “iVote as a voting channel has not yet reached the ‘tipping point’ of visibility that makes it a desirable target for malicious actors”.
The NSW Electoral Commission has accepted (PDF) most of the report's recommendations. ®