Around 3,400 hackers from all over the world have attempted to penetrate Swiss Post’s e-voting infrastructure in an intrusion test over the past four weeks. But they failed, as Swiss Post reported: “No one has succeeded in cracking the e-voting system or even getting into the electronic ballot box.”
According to Swiss Post, the “white hat” attackers launched around 60,000 attacks on the beta version of their new e-voting system. The hackers hit exactly the infrastructure that is planned to be used in the cantons in the future, Swiss Post said. Only one vulnerability classified as low risk without security relevance was disclosed, for which the hacker received a reward of 500 francs (480 euros). Swiss Post offered up to CHF 30,000 (EUR 28,870) for confirmed vulnerabilities.
Public Intrusion Test
For the “Public Intrusion Test” (PIT), Swiss Post provided sample voting-rights credentials. This enabled hackers and other interested parties to practice the voting process on the voting portal. The portal is the outward-facing surface of the e-voting system and thus the first target for potential intruders.
As Swiss Post explains, the e-voting infrastructure is the outer protective ring of the system. The hackers tried to break through this with their attacks. The central security goals of the e-voting system – such as voting secrecy or the integrity of the electronic ballot box – are protected not only by the infrastructure but also by additional cryptographic security measures, Swiss Post emphasizes.
At the beginning of 2021, Swiss Post launched an e-voting community program and published components and documents of the beta version of its new e-voting system on GitLab. To date, around 172 reports have been received from the expert community, Swiss Post said. On this basis, it has now implemented various improvements to the system.
At the same time, Swiss Post launched an open-ended bug bounty program offering up to CHF 250,000 (EUR 240,610) for the discovery of vulnerabilities. The source code and all system documentation have also been published since September 2021 and can be checked for errors and used by experts to simulate ballots and attacks, for example.
In July 2021, the federal government started the independent review of the e-voting system. The audit reports published in early 2022 showed that Swiss Post’s e-voting system had been significantly improved since 2019, according to the Federal Chancellery. At the moment, it is said that the main question is whether the system meets the requirements of the legal bases, which include repeated public intrusion tests.
Restart after hard braking
In 2019, the Swiss “Project Vote électronique” was stopped until further notice after a long test phase and it was decided not to introduce e-voting as a regular voting channel for the time being. At that time, tests had shown deficiencies in the implementation of universal verifiability of voting, and it turned out that manipulations could not be detected.
As a result, the Swiss Post system did not meet the legal requirements for electronic voting. The government, the Federal Council, then pulled the plug on the test operation. Swiss Post then decided to discontinue the e-voting system and to develop a new system that met the requirements.
However, the government also wanted a reorientation of e-voting and commissioned the Federal Chancellery to design this together with the cantons. The aim was and is a stable test operation with fully verifiable e-voting systems.
The Federal Chancellery emphasizes that the new ordinances are intended to strengthen the security of e-voting systems by specifying and increasing the security and quality requirements for the systems, their use and their development. The new legal bases are also intended to increase transparency and prescribe the involvement of the public and specialist groups.
Cooperation with experts is also established as ongoing monitoring of the e-voting trials and is anchored in the legal basis. A broad catalog of measures is to be implemented over the next few years in order to achieve continuous improvement in the e-voting systems.
Next attempt 2023
According to the Federal Chancellery, individual cantons are planning to resume trials with Swiss Post’s e-voting system. In the course of 2023, Swiss Post wants to offer its system in the cantons of Basel-Stadt, St. Gallen and Thurgau for cantonal and federal elections and votes.
Whether all Swiss people will one day be able to vote online remains to be seen. The Vote électronique project is well over twenty years old. Between 2004 and 2019 there were over 300 trials with e-voting in a total of 15 cantons in the Confederation.
In the course of the project, three e-voting systems were already available. One such system was developed by nine cantons in the “Consortium Vote électronique” together with the IT service provider Unisys, but it was dropped in 2015 because it could not meet the requirements of the federal government and subsequent improvements would have caused excessive costs. The canton of Geneva also decided at the end of 2018 to discontinue its “CHVote” system due to scarce financial and human resources.
What remains is Swiss Post’s system, which has now also recorded various ongoing improvements. The Federal Chancellery emphasizes: “The motto ‘safety before speed’ has remained unchanged since the beginning.” The Confederation remains cautious: If a new e-voting system is used in the first round, a maximum of 30 percent of the cantonal and 10 percent of the Swiss electorate will be able to cast their votes online.