Swiss Post made its future e-voting system available for a public intrusion test from 25 February to 24 March 2019. The e-voting system is the first Swiss system with complete verifiability. The complete verifiability makes e-voting available to a broader public, and ensures that systematic malfunction resulting from software errors, human errors or attempted manipulations is detected.
In accordance with the requirements of federal law, the system must be certified before first use and the source code must be disclosed. In addition, the Confederation and the cantons have decided that completely verifiable e-voting systems must undergo an intrusion test before they are used for the first time. Intrusion tests stage attacks to verify a system’s security. An intrusion test is already being carried out by an accredited body as part of the certification process. The public intrusion test has the added benefit of including a large number of people to test the security of a system.
Those interested were able to register at https://onlinevote-pit.ch and access further information on the test modalities.
Media release of the Federal Chancellery of 7 February 2019
Q&A regarding the public intrusion test
Is the federal government allowed to pay for hacker attacks?
Does a public intrusion test aim to prove that E-Voting cannot be hacked?
Swiss Post was responsible for paying people who reported security breaches. Swiss Post decided how much was paid. The federal government and the cantons contributed CHF 250,000 towards the public intrusion test via eGovernment Switzerland’s priority plan.
Is it the responsibility of independent experts to make sure that all weaknesses are revealed?
No. The aim of an intrusion test is to reveal weaknesses and eliminate them if necessary. Furthermore, it is in the interest of transparency that as many independent experts as possible are familiar with e-voting security issues. The public intrusion test could provide them with the opportunity to find out more about e-voting.
Computers are necessary for full verifiability. Are these computers free of vulnerabilities?
No. The public intrusion test is one security measure among many. Every IT system has weaknesses, and this will remain the case with e-voting even after the public intrusion test. The decisive factor is that no weakness gives rise to a serious risk. Weaknesses must be countered by security measures that are sufficiently effective. With full verifiability, e-voting has a comprehensive and particularly effective security measure that is not available for other services. In addition, the systems are regularly audited and certified by an accredited body.
How serious did the weakness need to be before people were paid for reporting it?
Full verifiability essentially means that manipulating a single component is not enough to falsify votes unnoticed. If a single component is manipulated, other components are available that can be used to uncover the attempted voting fraud.
What attacks were excluded?
The seriousness of the weakness was not decisive. Rather, what was important was that participants played by the rules when testing the system. Participants were encouraged to make attacks that would provide new findings to help increase security against voter fraud. No payment was made for attacks that simply highlight known weaknesses. Some attacks were even forbidden, even though they are linked to a relevant risk. To keep these risks under control, however, more effective means are available than the public Intrusion test.
Won’t a public intrusion test also help malicious hackers understand how to hack the e-voting system?
A payment was made for any successful attack on Swiss Post’s e-voting infrastructure, provided the attack was permitted for the purposes of the test. Other organisations (cantons, printing companies and other Swiss Post services) were not taking part in the intrusion test, and therefore were not to be attacked. In addition, distributed denial-of-service attacks were prohibited as they do not provide new findings in a public intrusion test, can be tested elsewhere and would have also disrupted the testing process. No payment was made for attacks on voters' platforms, or for any attacks using fake messages to persuade the actors to deviate from the planned processes (social engineering). Successful attacks take advantage of errors by the actors which cannot be realistically simulated in a public intrusion test. Nevertheless, a payment was foreseen for breaking individual verifiability (a ‘yes’ is cast and a ‘no’ is displayed), where voters are completely unaware that their vote has been manipulated.
Why is e-voting already being used if the system has not yet been subjected to an intrusion test?
A weakness could be reported to a potential attacker instead of to the organisers. This is not a problem as long as the organisers are also informed about the weakness and fix it if necessary. The payments offered by Swiss Post provided an incentive to report weaknesses to the organisers. Illegal attempts to find weaknesses could be made at any time, not just during the public intrusion test. On the other hand, the public intrusion test provided well-meaning participants with the opportunity to examine the system thoroughly for weak points.
The system that was available for public intrusion testing is the first system to be fully verifiable. The systems in use today offer individual verifiability, but not yet full verifiability. Given that full verifiability allows the wider use of e-voting, such a system must meet even higher security requirements, including certification and source code disclosures. In addition, the federal government and the cantons have decided that fully verifiable systems must undergo a public intrusion test before they can be used for the first time.
Federal and cantonal requirements
As a measure to promote security and verifiability, the Confederation and the cantons agreed in 2017 to carry out a public intrusion test as a pilot project. To this end, they have issued the following requirements for the system operators:
Based on a mandate from the Steering Committee Vote électronique, the public intrusion test was accompanied and monitored by a management committee composed of members of the Confederation and the Cantons. The management committee prepared a final report to the attention of the Steering Committee Vote électronique.