The e-election system is prepared for cyber-attacks

Klaid Mägi.

PHOTO: Heiko Kruusi / Õhtuleht

The Internal Security Service and the Information Board have warned in their yearbooks that Russia may attempt to discredit Estonia during the European Union chairmanship and that the likelihood of cyber-attacks is also high during that period, due to Estonia’s reputation as am advanced e-state. The Information System Authority (RIA) and its unit CERT Estonia for handling cyber-incidents have considered such threats.

Estonia’s chairmanship period also covers the local councils’ elections in the autumn. However, the head of RIA, Taimar Peterkop (TP), and the head of CERT Estonia, Klaid Mägi (KM), are convinced that the e-elections will be again well organized.  

How has the RIA prepared for possible threats?

TP: The context of the chairmanship period is that Russia has become increasingly active in cyberspace. European countries refer ever more frequently to the Russian threat in cyberspace. We have been preparing for that. We cooperate with election services, test applications, give advice and monitor international events. We have also been holding training sessions for staff.

Can we presume that there will be attempts to harm Estonia?

TP: We have learned from incidents in our country and abroad and can prevent such things. What worry us are the things we need not be able to foresee. The functioning of the Estonian state depends on digital solutions more than that of most other countries and this makes us more vulnerable as well. But we have been paying attention to security all the time. Our eastern neighbor’s tactics have been quite clever and dynamic. For example, cyber-capabilities have been incorporated I waging information warfare. During the US election campaign, information was stolen from the campaign chief’s mail account and later used for attacking Hillary Clinton.

The e-elections are well known in the world, but can we expect it to attract special attention of hostile hackers during chairmanship?

TP: We have had e-elections for 12 years and the discussion over the security of elections has been going on for the whole time. The Supreme Court has discussed the issue repeatedly and has decided that e-elections are quite legal. The local elections this year are different precisely due to Estonia being the EU chairman nation at the same time.

A new e-election system will be completed by the time of elections; how secure will it be?

TP: I am certain that the developer or the system, Cybernetica AS, with its extensive experience and top specialists of the field is doing a fine job and the state election service is a smart client. Since the election process sis one of the most important processes of the democratic state, special attention will be paid to security. RIA will help the election service so as to make the election information system and the entire election process as secure as possible.

KM: The security against hacking can be improved only through special tests and it is obvious that such systems are always tested against hacking before they are put to use. Before that no one can say anything.

Will the new system be more secure than the application used so fare?

 TP: When building the new system we can base it on 12 years of experience and also use the technological development. The system will certainly be tested before use and the discovered flaws will be corrected.

What kind of cyber-threats can threaten the e-election besides hacking?

TP: Considering that the e-election is based on the ID card and the process used cryptography, a cyber-attack against e-election would require extensive resources. An information warfare-type attack could be much easier to carry out. They would make use of the ongoing discussion and the rifts within the society and expand it. There is a constant discussion over security regarding the e-election. When looking at the earlier actions of the eastern neighbor we can expect it to be exploited. The issue of the security of e-election could be attempted to be blown up so as to create distrust among the public against the whole election process.

There is no e-election system like in Estonia anywhere in the world and therefore in other countries there are no attacks against the election system but rather hacking of a politician’s e-mail. Have the Estonian politicians and officials been warned against that threat?

TP: When they say that the American election was hacked, it means that one man’s private mail account and one party’s information system were broken into. In case of the French election allegedly the computers of Emmanuel macron’s campaign team were hacked. As far as we know, state systems used to organize elections, have not been hacked. Most cyber-attacks still begin with a regular person. If a person clicks on a link or attachment he should not touch, he creates premises for hacking.

But there are also many other events during chairmanship. What are the potential targets besides election?

TP: Generally one has to consider the impact. They would probably seek for opportunities to discredit out reputation and to reduce the public’s confidence in the state. All measures suitable for that purpose can be used.

Many countries have experimented with e-election, but eventually given up. What do you think, why is it so?

TP: Estonia is different from the rest of the world by every citizen having mandatory electronic identity, which is based on the ID card – something other European countries have not.  If we compare the e-election pilot projects tested in Switzerland or France, these systems, unlike Estonia, were based on identification via passwords sent to voters by post or e-mail. Our ID card has two-level authentication. If you have to identify yourself by using PIN1 code and give digital signatures by using PIN2 code, it is much more secure than election based on passwords.