Thursday, April 20, 2023

Only two e-voting companies pass Upguard cybersecurity test


A recent study by cybersecurity consulting firm Upguard has revealed that only two e-voting technology companies have cleared its security test. In an article posted on its website, the global company details how it selected 6 of the biggest names in e-voting and ranked them according to their CSR (cybersecurity rating).

This Upguard study is important in shedding light on the state of cybersecurity in the e-voting industry. It should raise red flags and spur election authorities into paying more serious attention to the cybersecurity posture of their vendors.

The study gave London-based Smartmatic the highest score with an 808 CSR out of a possible 950, making it the only one in the sample to earn the rating of Good. The rest either received a rating of Warning or Average.

“Relatively speaking, Smartmatic’s security posture is decent,” the article said. The article cites some issues with Smartmatic’s website that the company needs to remedy, namely disabled HTTP Strict Transport Security, lack of secure cookies, and disabled DMARC.

Coming in second with 561 CSR is ClearBallot, which was rated Average. It was cited for its “semi-bolstered website perimeter security posture” but was cautioned about common flaws such as lack of SSL, HTTP Strict Transport Security, DMARC and DNSSEC that “plague its web presence.”

The rest of the companies received a rating of Warning, with OSET Foundation scoring 390, Dominion Voting 342, and Unisys Voting Solutions 219. Bringing up the rear was ES&S with a dismal 143 CSR, which the study attributed to “a myriad of perimeter security flaws,” saying: “For example, lack of sitewide SSL render its website vulnerable to man-in-the-middle (MITM) attacks, while the exposure of ports typically assigned to file sharing services and database communications give attackers additional potential attack vectors. A lack of DMARC and DNSSEC also contribute to ES&S' low score.”

While the public is not normally interested in cybersecurity as it relates to e-voting, this discovery should change that, and should prompt heightened vigilance in ensuring that all e-voting systems are designed with security in mind.

Strong authentication and authorization mechanisms, encryption to protect data in transit and at rest, regular security audits and testing to identify and address vulnerabilities, and rigorous independent testing and certification to ensure security and reliability: all of these practices should be baked into every e-voting system.