Public intrusion test Swiss Post system 2019

Swiss Post was responsible for paying people who reported security breaches. Swiss Post decided how much was paid. The federal government and the cantons contributed CHF 250,000 towards the public intrusion test via eGovernment Switzerland’s priority plan.

No. The aim of an intrusion test is to reveal weaknesses and eliminate them if necessary. Furthermore, it is in the interest of transparency that as many independent experts as possible are familiar with e-voting security issues. The public intrusion test could provide them with the opportunity to find out more about e-voting.

No. The public intrusion test is one security measure among many. Every IT system has weaknesses, and this will remain the case with e-voting even after the public intrusion test. The decisive factor is that no weakness gives rise to a serious risk. Weaknesses must be countered by security measures that are sufficiently effective. With full verifiability, e-voting has a comprehensive and particularly effective security measure that is not available for other services. In addition, the systems are regularly audited and certified by an accredited body.

Full verifiability essentially means that manipulating a single component is not enough to falsify votes unnoticed. If a single component is manipulated, other components are available that can be used to uncover the attempted voting fraud.

The seriousness of the weakness was not decisive. Rather, what was important was that participants played by the rules when testing the system. Participants were encouraged to make attacks that would provide new findings to help increase security against voter fraud. No payment was made for attacks that simply highlight known weaknesses. Some attacks were even forbidden, even though they are linked to a relevant risk. To keep these risks under control, however, more effective means are available than the public Intrusion test.

A payment was made for any successful attack on Swiss Post’s e-voting infrastructure, provided the attack was permitted for the purposes of the test. Other organisations (cantons, printing companies and other Swiss Post services) were not taking part in the intrusion test, and therefore were not to be attacked. In addition, distributed denial-of-service attacks were prohibited as they do not provide new findings in a public intrusion test, can be tested elsewhere and would have also disrupted the testing process. No payment was made for attacks on voters' platforms, or for any attacks using fake messages to persuade the actors to deviate from the planned processes (social engineering). Successful attacks take advantage of errors by the actors which cannot be realistically simulated in a public intrusion test. Nevertheless, a payment was foreseen for breaking individual verifiability (a ‘yes’ is cast and a ‘no’ is displayed), where voters are completely unaware that their vote has been manipulated. 

A weakness could be reported to a potential attacker instead of to the organisers. This is not a problem as long as the organisers are also informed about the weakness and fix it if necessary. The payments offered by Swiss Post provided an incentive to report weaknesses to the organisers. Illegal attempts to find weaknesses could be made at any time, not just during the public intrusion test. On the other hand, the public intrusion test provided well-meaning participants with the opportunity to examine the system thoroughly for weak points. 

The system that was available for public intrusion testing is the first system to be fully verifiable. The systems in use today offer individual verifiability, but not yet full verifiability. Given that full verifiability allows the wider use of e-voting, such a system must meet even higher security requirements, including certification and source code disclosures. In addition, the federal government and the cantons have decided that fully verifiable systems must undergo a public intrusion test before they can be used for the first time.