This is how insecure cantons’ computer systems are when it comes to elections and voting
In an extensive investigation, the magazine “Republik” reveals serious weaknesses in the IT systems of the cantons. The federal government also faces a challenge.
What happened?
Many cantons use outdated or vulnerable software to determine election and voting results: this was made public by “Republik” magazine on Friday, based on its own research in collaboration with computer security experts.
Watson summarizes the most important findings.
What kind of software is it?
In Switzerland, votes are counted in near real time on Sundays after voting and elections. This requires considerable automation: “Computer programs must calculate the number of seats won and lost and represent electoral changes graphically.”
According to the report, results analysis software is used in elections almost throughout Switzerland. “In some cantons even for votes.”
How bad is it?
According to “Republik”, there is “a flagrant legal vacuum”: the digital determination of results is not regulated at all.
According to the investigation, at least 14 cantons are using “vulnerable and outdated software.” There are no indications of successful hacker attacks (see point 5).
According to research by IT security experts, the most serious vulnerabilities and threat scenarios include:
- weak standard passwords;
- possible internal attacks by attackers accessing the network of an electoral authority;
- man-in-the-middle attacks, in which hackers secretly insert themselves between a polling station and headquarters, where the results are automatically evaluated.
Isn’t such a report just before the voting dangerous?
In order to minimize the risk, “Republik” informed the manufacturers, the Federal Chancellery and the cantonal state chancelleries before publishing the results of the investigation.
Above all, there is the possibility of attacks in national and cantonal elections. “However, the identified weaknesses could hardly be exploited in such a short period of time (that is, until the Sunday of the vote on September 27), according to several experts.”
Which cantons are affected?
Computer security experts found critical weaknesses in the “SESAM Wahlen” software, which, according to the “Republik” report, is used in the following cantons:
- Baselland,
- Basel city,
- Glarus,
- Grisons,
- Lucerne,
- Nidwalden and Obwalden,
- Schaffhausen,
- Hate.
Another serious weakness was found in the systems of the cantons of Wallis and Bern.
According to the report, the canton of Tessin uses completely outdated encryption protocols with its “Votel” software.
The two IT security researchers also found “some missing security precautions” in Sitrox’s “VeWork” software. Sitrox’s clients are the cantons of Aargau, Solothurn and Zug. However, the head of the company described the findings of the security researchers as irrelevant: the corresponding attack scenarios are compensated for by other security mechanisms, such as blocking access to external IPs.
A detailed list of all affected cantons, ordered by software products, can be found in the technical investigation report (see sources).
Have IT vulnerabilities already been exploited?
According to the report, there is no evidence of this. It is said that “no evidence was received or found.”
What is the federal government doing?
The investigation shows a clear regulatory gap, emphasizes journalist Adrienne Fichter in her article. Although this is so-called “critical infrastructure”, there are still no federal security requirements for the purchase and operation of such systems. Therefore, there is no transparency about the functionality of the software.
“The Federal Chancellery is not held responsible because the safe implementation of voting and elections is a matter for the cantons. It requires the cantons to verify the results of Republik’s investigation and correct any weaknesses. But no one at the federal level controls the security of the software used. And the general public is not even aware of such systems.”
Source: republik.ch
Tighter security controls are urgently needed, “Republik” quotes the constitutional lawyer and director of the Aarau Center for Democracy, Andreas Glaser, as saying. Otherwise the door is wide open to future manipulation.
sources
(dsc)