Economics affairs ministry looking to tighten up e-voting security
The Ministry of Economic Affairs and Communications is planning an independent audit and security analysis on e-elections in Estonia, with a view to introducing security-enhancing innovations ahead of next autumn's local elections.
Part of the issue is confusion over division of responsibilities between at least three bodies: the National Electoral Committee (VKK), the State Information System Authority (RIA) and the ministry itself.
All three bodies will work together on making the improvements, BNS reports, and will include improving security measures, code analysis, updating the election website and risk assessments, monitoring cyberspace, updating guides and information materials, and improving options for observing elections, the ministry said.
Foreign Trade and Information Technology Minister Raul Siem (EKRE), whose role falls under the economic affairs ministry's purview, said that independent audit and risk assessment is one of the most important activities in increasing transparency. "We are used to the option of e-voting, but the system must be secure and transparent," Siem said.
"We need to understand that e-elections are not simply a question of belief, but a matter of national security. In today's digital world, cyber security must be taken with the utmost seriousness. If we underestimate this and do not direct our best competencies to ensure it, we risk a real and direct threat to national security," Siem went on.
Siem was making his remarks a few days after former interior minister Mart Helme (EKRE) cast doubt on the reliability of Estonia's e-voting system, a system seen as a beacon globally on how to conduct polls online. EKRE has in the past criticized the e-voting system in terms of susceptibility to electoral fraud.
State cyber security policy leader: System at present not as good as could be
Helme had also called the recent, predominantly paper/postal-based presidential elections in the U.S. a fraudulent exercise.
Raul Rikk, who heads up the state's cyber security policy, concurred that the security of state information systems is not organized optimally at present.
Riik said: "For example, the electoral office does not have sufficient financial resources to carry out all high-level cyber security functions. The office does not have a cyber security manager and the necessary experts whose main task would be to organize the cyber security of the elections.".
"As the electoral office's capacity to ensure the cyber security of elections is very low, it outsources certain cyber security functions to RIA and companies. This is not a bad thing in itself, but in this case the question arises as to who manages cyber security risks holistically and ensures that all election-related cyber security measures are adequately implemented," Rikk said.
Exercising supervision over the provision of cyber security is the fiefdom of the VKK, he added.
Meanwhile, Raul Siem said that his portfolio is responsible for security and transparency issues, but lacks a legal framework, given the VKK oversees the actual preparation and organization of elections.
This should change from 2022, he said, with clearer division responsibilities set out, Siem said.
This would however be after the next elections in Estonia.
Raul Rikk said the proposed amendments will give RIA the task of organizing election cyber security.
Rikk said: "Security management will be two-stage - RIA organizes cyber security and the Ministry of Economic Affairs and Communications checks the cyber security of the whole process and gives the National Electoral Committee an opinion on whether cyber security is organized at a sufficient level to use electronic systems for conducting elections."
E-voting in Estonia is conducted online, either using an ID card or mobile ID to authenticate. Voting is open a few days before election day and a vote can be recast if the voter so wishes, until election day itself, when a vote is final. Data on e-votes is generally available a few hours ahead of the overall vote, including paper and overseas votes, for instance at Estonia's foreign missions.
All three levels of elections - general, local and European - use e-voting. The President of the Republic of Estonia is not elected directly by the people, largely in an effort to avoid undue party politicization of the role, but instead is selected via a succession of ballots at the Riigikogu and, if necessary, at regional electoral college level.
The main argument in favor of permitting e-votes in the advance voting period to be recast is to account for coercion which and individual could theoretically experience when using their own laptop and away from a polling station.
For more on how Estonia's e-voting system works, see this interview with Professor Robert Krimmer, recently appointed chief of the University of Tartu's new e-governance research group.
Follow ERR News on Facebook and Twitter and never miss an update!
Editor: Andrew Whyte