Are bad passwords keeping our elections paper-based? asks Tom Armstrong, UK Country Manager, Dashlane.
The May 2015 UK General Election saw turnout hitting only 66pc, less than a 1pc increase on 2005’s turnout; and there is growing debate as to what can be done to bring more people to the polls.
Setting aside apathy towards politics, accessibility has to be a key contributor to why people don’t vote – whether it’s missing the registration to vote by post, not making it to the polling office on the day, or forgetting to register completely.
In an age where so many of us handle our banking, tax returns and bill paying online, many have asked why can’t we cast a vote via the internet as well? Last year, over eight in ten (83%) of UK adults were active online – just imagine if we saw this sort of turnout for 2020’s election.
However, moving voting online has its own risks as well. And much of this is down to poor password security.
Much of this insecurity is rooted in existing Electronic Voting Machines – or EVMs – which are already in use throughout the world. India, for example, adopted EVMs for its 2004 parliamentary elections, with 380 million voters casting their ballots on more than a million machines. In the United States, push button or touchscreen style EVMs have been used regularly since 1976.
However, across the world, EVMs have been roundly criticized for being susceptible to hacking and fraud. In India, it was successfully demonstrated that the 2009 election victory of the Congress Party of India could easily have been rigged – forcing the election commission to review the current EVMs.
Complete electronic voting has been practiced in Estonia since 2005 – and the small country offered it as an option in its 2007 general election. However, independent security analysis of Estonia’s system revealed its security architecture was “dangerously out of date”, with “multiple ways that today’s state-level attackers could exploit the system to change votes, compromise the secret ballot, disrupt elections, or cast doubt on the fairness of results.”
And in the United States, EVMs have gone from bad to worse. After the constitutional crisis during the 2000 election – and the battle over “hanging chads” in a Florida recount – over $3 billion was invested in new touchscreen voting machines. But this, say opponents, has made them more hackable than ever.
In 2010, the government challenged hackers to find gaps in their online voting systems; it took students from the University of Michigan just 36 hours to find a list of passwords on the web and change all the votes cast on a Washington DC online ballot. In another case, a group of computer students from Princeton needed only seven minutes to break the password on a touchscreen EVM and install a computer program that took votes for one candidate and gave them to another. And they even had time to install Pac-Man, leaving no detectable traces of their presence.
Again, bad password security was the systems’ downfall. Even last month, it was revealed that touchscreen voting machines used in numerous elections between 2002 and 2014 used “admin” as the system password. Worse, bypassing the encrypted WEP wireless system also proved easy – as the password turned out to be “ABCDE”, and “could easily have been hacked from the parking lot outside the polling place”, according to a state report.
No surprise, then, that the public distrust of “paperless” elections is high. In the Netherlands there is even a grass roots organisation called Wij vertrouwen stemcomputers niet (“We do not trust voting computers”).
All of which makes the prospect of online voting problematic. The key issue is making sure that everyone can verify their identity before voting – and yet stay anonymous – while hackers and other cybercriminals can’t wreck the system. As David Emm, from web security firm Kaspersky, told UK paper, the Daily Mirror: “There’s the issue of somebody being tricked into a site that isn’t the legitimate online voting site – which is ‘phishing’ pure and simple. Looped in to that is that if someone’s credentials are compromised then another person can vote on their behalf through a man-in-the-middle attack.”
And yet, as the drumbeat for Internet and mobile voting grows, it is inevitable that systems with enough password security will eventually be devised. For this to be a fully secure process, however, we must first improve our own password practices, making sure that our passwords are suitably strong, so they provide the necessary security and anonymity for such an important process. This golden rule must apply to system administrators and voters alike – after all, there cannot be a weak link in such an important system.
Let’s also remember, it’s not as if paper voting isn’t “hackable” as well: this week it was reported that over 72,000 voting forms were stolen in London. So, the question is, when will we improve our password security? In the UK, the Electoral Commission have already been set a deadline of the 2020 election for online voting to be in place – under the auspices of the newly-created Digital Democracy Commission, so the race is on to ensure the proper procedures are in place in the UK. Only time will tell if other countries follow.