Security in electronic voting machines
With the approach of the electoral year in Brazil, speculation begins on one of the main themes related to digital security: the veracity of the results of electronic voting machines used in voting in our country.
The presidential elections will take place in the second half of 2022 and, in my view, discussions on the subject will tend to gain a lot of volume on social networks. Even though electronic voting has been a reality in Brazil for 25 years, we may come across candidates and voters who call the security and credibility of this method into question.
And what can be done to try to restore people’s trust in the electronic electoral system?
The first step took place in the last week of November this year, when the Superior Electoral Court (TSE) opened the 6th phase of security tests for electronic voting machines. The process involves 26 investigators, known as “good hackers”, who will carry out 29 attack plans and simulations against the equipment to try to find possible weaknesses.
Being 100% protected from attacks is an almost impossible challenge to meet with the advancement of technology and cybercrime techniques, but it is essential that we try to be as close to the ideal. To achieve this goal, the TSE made the source codes for the ballot boxes and the electronic voting system available to partner investigators so that they could examine them and plan strategies to try to break down possible ballot box security barriers — which makes the process even safer and can help to avoid real scams.
Another important factor in the testing phase was the “dismantling” of the voting machine so that the “good hackers” understood the entire architecture, interface, and technology of these devices — in addition to the hardware and software components they have.
Given the recent attacks on government agency systems, such as those of the Ministry of Health and the Court of Justice of Rio Grande do Sul, it is essential that the TSE carry out this type of simulation to ensure the security of the 2022 presidential elections. There is no lack of studies showing that attacks, especially ransomware attacks, will continue to be a trend for years to come.
A point highlighted by the minister of the TSE, Luís Roberto Barroso, is that the electronic ballot box has no connection with any network. This is critical, from a cybersecurity perspective, to deter external attacks. Furthermore, after the source codes were inspected by investigators, the entire contents were sealed and locked in a TSE vault — after all, you can’t play with your luck.
However, the focus regarding the control and auditing of this process should not only be on the ballot boxes themselves, but also on the databases in which this information is stored and how, subsequently, the results are disseminated. A rigorous security and auditing process in this part of the electoral system must always be carried out, because, thinking like a hacker, this “heart” of the system is the most interesting point to be reached.
At Sophos, the company I lead in Brazil, we have developed several studies and reports over the years that monitor the actions of cybercriminals in the most varied spheres. According to the 2nd part of the report The State of Ransomware 2021, titled The IT Security Team: 2021 and Beyond, released in June this year, Brazil was the 3rd country in the world to observe the highest rate of increase in the number of cyber attacks in 2020, with 78% growth.
In addition, the average amount that companies in Brazil pay cybercriminals to recover their data after a ransomware attack is 570 thousand dollars (on average 2 million and 800 thousand reais). However, the total cost of a ransomware attack is even higher: around 800 thousand dollars (around 4 million reais), considering, for example, the time the environment was unavailable to users, backup restoration, and hiring agents for remediation, among others.
We must be increasingly concerned about the cyber security of companies and our personal devices, so when we talk about government agencies and systems that can compromise the security of a moment as important and decisive as an election, the level of care can be no different. After all, an attack aimed at a ballot box that could eventually be vulnerable could put the entire future of the country at risk, in addition to seriously harming the ethical principles of democracy.
André Carneiro, columnist of TechWorld, has about 20 years of experience in the security industry. At Sophos, he served as a channel account executive and sales engineer. Since September 2019, he has been the brand’s country manager for Brazil and, in this position, he leads Sophos’ growth strategy in Brazil, expanding the company’s reach in different markets.