Was The German Election Hacked?

Uploaded on 2017-10-03 in NEWS-Cybersecurity News, GOVERNMENT-National, FREE TO VIEW

On September 24th, 2017, federal elections took place in Germany to elect Germany’s next parliament, the 19th Bundestag. 

The Christian Democratic Union (CDU) won the majority of votes with 33%, making this Angela Merkel’s fourth term in office.

Merkel has been a steadfast supporter of the European Union, and much of the EU’s viability can be credited to Germany’s economic prowess and political stability. This made Germany an appealing yet somewhat challenging target for the likes of Russian President Vladimir Putin, whose interference in Western elections has unfolded in a dramatic and unprecedented fashion. The question on much of the world’s mind was, could the German election successfully be hacked?

There are two primary ways that modern elections can be interfered with:

  • The most direct method is to attack the election apparatus itself which is often easier said than done unless you happen to be a dictator in control of the entities delivering election results. 
  • The other method, and the one that has been the most prolific, is to attempt to influence the electorate to support or oppose candidates or initiatives of the attacker’s choosing. 

With the rise of the Internet and social media, it’s not hard to spool up tons of fake social media accounts and use them to spread rumors, lies, or even amplify real news when it benefits attackers’ motives. It’s often hard to gauge the true impact of these efforts on election results, however; even for the attackers.
A Tale of Election Software

Many German states use a software created by vote iT to count votes from local and national elections, called PC-Wahl. IT specialists Thorsten Schröder, Linus Neumann and Martin Tschirsich analysed the software and found numerous security flaws. Neumann is quoted as stating 
"We did this in our spare time. Everybody's worried about state sponsors and professional hackers, if we can do this in a couple of evenings of sitting around in our apartments, you can imagine how easily this could be accomplished by a state actor."

Vote iT told German news magazine Der Spiegel that there were “no security-related weaknesses in the software.” Nevertheless, patches were soon issued.  German hacker collective Chaos Computer Club (CCC) corroborated these findings, releasing a report warning that this software is easily manipulated. Passwords were either found online or easily guessed, and encryption methods were out of date. Germany’s top technology security agency, BSI, later ordered PC-Wahl’s security to be improved.

CCC previously uncovered vulnerabilities in German election voting systems in 2006 by circumventing their security measures and reprogramming voting computers to play chess. The German Federal Constitutional Court has since eliminated use of voting computers, resulting in the return to pen and paper votes.

As a result of the move back to pen and paper, attacking the election apparatus in German elections poses a particular challenge. This analog system would require significant resources to affect the outcome of the election if trying to boost numbers directly at the polls.  

Each voter casts two votes in a system that blends an additional member system with elements of a first-past-the-post system. Parties must win at least 5% of the second vote to enter parliament, a mandate put down to prevent splinter parties from bogging down the government such as with the Weimar Republic of the 1920s. The Weimar Republic was characterised by instability and short governing terms due to a large number of political parties that failed to compromise on key issues.
Individual voters, therefore, do not directly cast a ballot for the new chancellor as voters do for the President of the United States. Within the US a disparity of results between the popular vote and electoral college is a sometimes expected, if not frustrating event for many voters. 

Any disparity of reported results and actual votes in Germany would instead incite a resoundingly more chaotic result, potentially leading to calls for another election.

Should someone look to meddle with the German election, their only realistic option would be to interfere with the software responsible for tallying or reporting the results. 

Votes are collected and disseminated through digitised means determined by each region. And, although the paper votes could always be recounted, any strife would likely degrade confidence in the democratic system. 

As a result of suspected interference in recent elections, we now find ourselves wondering if attackers will attempt to manipulate each major election. It may be the case that, for whatever reasoning, the recent German election seems to have been spared of any significant attempts at outside manipulation. 

Regardless, there will be more major elections soon in Western countries and we will once again be asking ourselves if attackers will try to influence the results. 

Anomali

You Might Also Read: 

Fake Facebook Ads Surged During The US Presidential Election:

Germany May Go Offensive After Russian Cyber Attacks:

Angela Merkel’s Ally Caught In Cyber Attack As Elections Loom:

Germany Gets Tough On Social Media:

 

« Deloitte Hit by Cyber Attack: Clients' Private Data Exposed
Could the US Use A Cyber Attack To Take Down N. Korea? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Cyber 360

Cyber 360

Cyber 360 is a Cybersecurity contract and fulltime placement firm dedicated to identifying and hiring Cybersecurity professionals.

National Defense Industry Association (NDIA) - USA

National Defense Industry Association (NDIA) - USA

The National Defense Industrial Association Cyber Division contributes to US national security by promoting interaction between the cyber defense industry, government and military.

Cyber Exchange

Cyber Exchange

Cyber Exchange provides a focal point for UK organisations connected with, or with an interest in, cyber security to connect, engage and collaborate.

CyVolve

CyVolve

Cyvolve is the next great leap forward in data security, ensuring constant encryption and pervasive control over all your data.

Action1

Action1

Action1 is a Cloud-based lightweight endpoint security platform that discovers all of your endpoints in seconds and allows you to retrieve live security information from the entire network.

Audea

Audea

Audea is a consultancy firm specialising in cybersecurity, risk and compliance. We provide professional services addressing all areas of Cybersecurity and GRC.

BullWall

BullWall

BullWall is a digital innovator dedicated to fight cybercrime in its many forms. Our overarching purpose is to stop new and unknown strings of ransomware attacks in its tracks.

FREE eBook: Practical Guide To Optimizing Your Cloud Deployments

FREE eBook: Practical Guide To Optimizing Your Cloud Deployments

AWS Marketplace eBook: Optimizing your cloud deployments to accelerate cloud activities, reduce costs, and improve customer experience.

Xiarch Solutions

Xiarch Solutions

Xiarch Security is an global security firm that educates clients, identifies security risks, informs intelligent business decisions, and enables you to reduce your attack surface.

HackNotice

HackNotice

HackNotice Teams is an all-in-one encompassing tool that monitors threats within your organization, different vendors, and third parties whose services you use.

The IoT Academy

The IoT Academy

The IoT Academy is a reputed Ed-Tech Institute that provides training in emerging technologies such as embedded systems, the Internet of Things (IoT), Data Science and many more.

Technivorus Technology

Technivorus Technology

Technivorus is a deep-tech firm delivering customized Cybersecurity, Digital Marketing, Web & App Development, and multifarious IT services for businesses across the globe.

Security Compliance Associates (SCA)

Security Compliance Associates (SCA)

The sole focus of SCA is safeguarding critical information and complying with information security regulations.

Cytex

Cytex

Cytex is the All-in-One solution for SMB data protection & compliance needs.

Synergy ECP

Synergy ECP

Synergy ECP has a talented, dedicated staff to provide a broad range of services to the defense and intelligence industries.

PlanNet 21 Communications

PlanNet 21 Communications

PlanNet 21 Communications is Ireland most specialised technology solution provider.