Estonia, the only country in the world where voters elect their leaders through online balloting, is taking steps to fend off potential hacking attacks as cyber-security fears intensify.
A software overhaul for the system, introduced in 2005, is ready for testing before local elections in October, according to Tarvi Martens, the National Electoral Committee’s head of e-voting. The upgrade includes anti-tampering features known as end-to-end verifiability that addresses security concerns from groups such as the Organization for Security and Cooperation in Europe, he said.
“End-to-end verifiability is the ‘Holy Grail’ for electronic voting,” Martens said this month in a phone interview. “When we talk about international criticism, the new software now addresses it.”
The Baltic nation of 1.3 million people — a technology hub that helped create Skype, hosts NATO’s cyber-defense center and files 99 percent of tax returns online — is on alert after the U.S. said Russia hacked its 2016 presidential election. Estonia, an unwilling member of the Soviet Union for 50 years, blames the Kremlin for a massive cyber attack 10 years ago that disabled government, media and banking websites for hours. Russia denies involvement in the U.S. or Estonia incidents.
While almost a third of votes were cast electronically in Estonia’s 2015 general elections, Prime Minister Juri Ratas said last week in an interview that “daily work is needed to improve its security as any breach would undermine the credibility of the entire system.”
In 2014, an expert group led by University of Michigan Professor Alex Halderman, recommended the “immediate withdrawal” of Estonian internet voting, citing “major” security risks. The OSCE urged Estonia to ensure end-to-end verifiability the following year. While some members of the ruling Center Party want e-voting to be discontinued, the ruling coalition plans to cut the period to three days from seven to make paper-based and electronic voting more uniform.
To cast their ballot, voters need an ID card and must clear two levels of authentication protected by pass codes. The Estonian Information System Authority, which oversees the government’s cyber security, says the system can’t be breached, while Martens says versatile authentication and adaptability to different sizes of voter pools mean the new software could be used by other countries.
Estonia’s system is very different from that of the U.S., according to Martens. The attacks on America included incursions into voter databases and software systems.
“The problems in the U.S. aren’t about internet voting — they’re about voting machines,” Martens said. “There are a lot of machines and no one is able to oversee the software that goes into each one. With internet voting, there’s a single piece of software that can be controlled.”