Security probe into NSW iVote system finally delivers findings

An independent review into the NSW government’s iVote system has found that while security of the online voting platform is enough to get it over the line, more could be done to lift defences.

The NSW Electoral Commission finally released the long-awaited report [pdf] on Wednesday, which was conducted by former secretary of the federal Attorney-General’s Department Roger Wilkins.

The 120-page report, which includes a separate risk assessment of the system by PwC, has been complete for at least the last six months, but has been held back by the government until now.

It was commissioned by the NSW Parliament’s joint standing committee on electoral matters last year to consider the security of iVote ahead of next year’s state general election.

The upshot of the report contributed to by experts like Australia's national cyber security adviser Alastair MacGibbon is that the security of iVote remains adequate for its limited use.

“The short answer is this: given the relative insignificance of the number currently involved in internet voting, and given the intention of tightening current practices through the iVote refresh project, security is adequate,” Wilkins concluded.

But with the numbers of people using internet voting expected to increase, and a national internet voting platform currently being considered by Australia’s electoral commissioners, he said there was a need to “lift security to a higher level” – which NSWEC has agreed with.

“It is not that security is not currently being attended to. Rather, it is not attended to as systematically and comprehensively as it needs to be, given the emerging threat environment and the fact that internet voting is now becoming “critical infrastructure,” Wilkins said.

Much of this comes down to a “lack of resources and capability constraints” at NSWEC, which could be solved if resources were pooled in the creation of a national online voting platform.

Wilkins said this assessment had been confirmed by PwC risk assessment, which had been commissioned by NSWEC to assist the report.

Limited chance of tampering

The report also concludes that the is only a “fairly small” chance that someone would want to tamper with the iVote system, be capable of doing so, and that such interference would not be detected.

Wilkins said that “the probability that anyone will actually be motivated to interfere with iVote, given its current relative insignificant electoral impact, is very low”.

Even if tampering did occur, and large discrepancies between iVote and traditional voting emerged in similar demographic areas, both electoral officials and political parties would be ‘put on inquiry’ to see if the results are correct.

“Tampering would have to be very clever and subtle to 'get under the radar'. If it is that subtle, its ability to make large differences in electoral outcomes is likely limited,” Wilkins said.

He noted that the argument against internet voting by University of Melbourne cryptographic researcher Dr Vanessa Teague and her team had “cause me most concern”.

That submission argued against internet voting as “there is no electronic voting system that cannot in theory be penetrated and manipulated”.

But Wilkins said that “on balance” he was “not persuaded” because that there have been documented cases of “penetration and manipulation” happening with physical voting systems.

“The key difficulty I have with this argument is that it places too much weight on theoretical possibility and not enough on empirical likelihood, or probability of things occurring,” he said.

Key vulnerabilities

But while the chances tampering may be limited, a number of key vulnerabilities have emerged as significant concerns surrounding iVote.

There was consensus from both Wilkins and submissions that E2E verification – or the gold standard for voting systems that gives confidence in a result – is “not adequately incorporate[d]” into iVote.

“Given how critical verification is to security, and given that the individual voter is the only person who can verify the content of their own vote, I think electoral commissions should seriously consider making verification mandatory.” he said.

Monitoring and auditing of transactions was also found to be inadequate, increasing the risk of undetected intrusion, as was the testing regime around iVote.

Scrutiny of the iVote system by political parties, experts and the public, including the source code, behind the system, which has not been made public, was also questioned.

Many of these issues are expected to be addressed through the iVote refresh that kicked off well before security of the iVote system report was completed.

But Wilkins said that by doing this the government did “not appear to have allowed the time, or had the scope, to radically rethink iVote” before refreshing iVote.

National system could address security concerns

While outside the brief of the report, Wilkins’ first recommendation is that a national platform and capability for internet voting is “very important” for Australia’s federal system, and should be developed.

“Some of the jurisdictions are going to find it difficult to put an internet voting system in place by themselves,” he said.

“In any event there are clearly efficiencies and significant advantages if internet voting were to be advanced by all the Australian states and territories and the Commonwealth collectively.”

Wilkins puts forward that electoral commissioners from each jurisdiction come together to collectively develop a platform that is jointly owned and maintained, which could be used for any election in any jurisdiction.

This is already being considered by the Electoral Council of Australia and New Zealand, which has created an Internet Voting Working Group that has been directed to prepare a project plan outlining “a proposed way forward for the development of a national internet voting service”.

“One of the big advantages of this is that it allows better utilisation of knowledge at a national level about cyber security – both the threats and positive mitigation,” he said.

“It also has the advantage of creating national standards on security and integrity that would be observed uniformly across all Australian elections.”

Wilkins also recommended that NSWEC put in place “comprehensive protective security strategy” that contains a cyber security strategy and response plans for responding to possible intrusions and tampering to better attended to security.

“The strategy should encompass more than iVote and include all assets and facilities managed or controlled by NSWEC, including, for example, the storage of information about voters,” he said.

Systematic vulnerability testing that goes beyond penetration testing should also be established to “test whether the system can be ‘gamed’ or ‘manipulated’”.

There is also a need to ensure that the agency “properly understand and control what is expected of third parties providing hardware, software and services” that relate to iVote, while ensuring that contracts and arrangements “mandate appropriate security requirements”.

Other recommendations include that NSWEC:

• Insist on verifying a person using the document verification service (DVS) before they register to use iVote;
• Consider opening up the process of E2E verification so that political parties and other interested parties are able to monitor how the process;
• Make the iVote system software public so it can be assessed by experts;
• Publish statistics about iVote’s use after an election, including the number of votes cast and the number of votes verified; and
• Review the staffing and resourcing of the iVote team.

The last word

The NSWEC said it supported all but one of the report’s 29 recommendations, including three that it supports in principle.

The only recommendation it would not support was to “consider making it part of casting a valid vote via the internet to also verify that vote”, as voters are the only ones who are in a position to do this.

“The NSWEC believes that further consideration needs to be given to Recommendation 14 (compulsory vote verification) before a final decision can be made regarding its adoption,” it said.

The agency indicated that the new iVote system would offer “simpler, smartphone-based verification”, but that introducing mandatory verification “runs the risk of disenfranchising voters who are unable to verify their vote”.

Elsewhere, the agency was less combative, but indicated that many recommendations would ultimately require additional funding from government to implement.

NSWEC said it would develop a cyber security strategy, and engage consultants to assess the physical and technical security risk assessment and develop a risk management plan.

There are also plans to conduct a series of external vulnerability assessments into the iVote system, as well as release the system source code following the 2019 state election.

The agency said it had already undertaken a review of its risk management framework in light of PwC risk assessment, which was the big four firm is now satisfied with.

The agency has also improved contract arrangements with private contractors through its iVote refresh project.