Estonia is the only country in the world that relies on Internet voting in a significant way for legally-binding national elections — up to 30% of all voters cast their ballots online. This makes the security of Estonia's Internet voting system of interest to technologists and citizens the world over. Over the past year, I helped lead the first rigorous, independent security evaluation of the system, based on election observation, code review, and laboratory testing. The findings are alarming: there are staggering gaps in Estonia's procedural and operational security, and the architecture of the system leaves it open to cyberattacks from foreign powers. Our investigation confirmed the viability of these attacks in the lab, but the Estonian government has chosen to downplay them. We urgently recommend that Estonia discontinue use of the system before the country suffers a major attack.
When Estonia introduced its online voting system in 2005, it became the first country to offer Internet voting nationally. Today, people around the world look to Estonia's example, and some wonder why they can't vote online too. Nevertheless, the system remains controversial. While many Estonians view Internet voting as a source of national pride, one major political party has repeatedly called for it to be abandoned. Over the past year, I took part in the first rigorous and fully independent security analysis of the Estonian Internet voting system. My team observed operations during the October 2013 and May 2014 elections, conducted interviews with the system developers and election officials, assessed the software through source code review and reverse engineering, and performed tests on a reproduction of the complete system in our lab. The threats facing national elections have shifted significantly since the Estonian system was designed more than a decade ago. State-level cyberattacks, once a largely hypothetical threat, has become a well documented reality, and attacks by foreign states are now a credible threat to a national online voting system. To test the feasibility of such attacks, we reproduced the I-voting system and played the role of a sophisticated attacker during a mock election. We developed client-side attacks that silently steal votes on voters' own computers We also demonstrated server-side attacks that target introduce malware into the vote counting server, allowing a foreign power or dishonest insider to shifting results in favor of their preferred candidate. These risks are even more serious because of deviations from procedure and serious lapses in operational security that we observed during real elections. Election workers downloaded security-critical software over unsecured Internet connections, typed server root passwords in full view of observers and public video cameras, and prepared election software for distribution to the public on insecure personal computers, among other examples. These actions indicate a dangerously inadequate level of professionalism in security administration that leaves the whole system open to attack and manipulation. When we made our study public in Estonia, government responses ranged from dismissive to absurd. Officials discounted them, and the President and Prime Minister insinuated that we had been bought off by a rival political party. We hope that the country can separate technical reality from politics in time to avert a major attack. For other countries that are considering adopting Internet voting, we hope that the weaknesses of the Estonian system can be an important cautionary lesson.
Speakers: J. Alex Halderman