Back to the red pencil – Cyber threats to the Dutch elections

Eva Schoenmaker | 13 March 2017

Red pencil elections

Over the weekend, media reports surfaced about the fears of Russian interference in UK elections, with GCHQ reportedly warning political parties that hackers “steal and leak internal emails or publish private databases of voters’ political views in an attempt to damage the standing of political parties with the public.” A more immediate election takes place on Wednesday March 15, as the Dutch General Election – complete with the controversial Geert Wilders – opens its polling stations. But what are the threats facing this upcoming election?

There have been real concerns about cyber threats to the Dutch General Elections. According to the 2015 annual report by the Dutch General Intelligence and Security Service (AIVD), Russia, China and Iran have posed significant threats to Dutch security over the past years. According to the security service, part of the cyber espionage has been aimed at obtaining political documents, showing that there has been interest by foreign parties in Dutch affairs. Reports even accuse APT28 and APT29 (Cozy Bear and Fancy Bear), which are suspected Russian state actors, of attempting to compromise Dutch politicians’ emails and social media accounts. These discussions were most prominently featured in the news in January and February of 2017, with only weeks to go to the elections, underlining discussions of how foreign entities might seek to affect the elections.

Concerns over the Voting Systems

While the Dutch have been voting with paper and a red pencil for years, the counting of the votes was done electronically. Based on recent reports of cyber threats to elections, Dutch news organization RTL has published an article claiming the systems counting the votes are poorly secured. Data from local stations is transferred to a thumb drive, which are distributed to a local gathering point, from which they are then sent to one central location.

The Netherlands did briefly consider using voting machines, before swiftly dismissing the idea in 2009 as it would be too easy to hack. It turns out, according to researcher Sijmen Ruwhof, the current system was just as poorly constructed. The hash code to decrypt the files with local election results is publicly available through the instruction video by the Dutch Electoral Council. Furthermore, web browsers are needed to use the vote counting software as well as an unsecured (but local) HTTP connection, which significantly increases the opportunities to exploit vulnerabilities. Ruwhof points to further practices demonstrated in the video for the vote counting software that are generally considered bad practice, such as: skipping security checks, sending hash codes at the same time as the protected file, not removing files after they were printed, and generally poor security hygiene (read the full report here). As a result, the decision was made February 1st that all votes would be counted manually to mitigate any potential for interference.

 

Dutch Electoral Council 

Figure 1: A screenshot of a instructional video by the Dutch Electoral Council

Possible Motivations

Opinions appear to differ on whether outside forces would want to influence the Dutch elections. Russia is taken as the leading example by Tony van der Togt from the Clingendael Institute in The Hague, arguing that while there have been threats from Russia in the past such as during the MH17 research, the Dutch General Elections might not even be interesting to them. He points out that unlike some other European populists, Wilders has no interest in improving Russian – Dutch relations. On the other hand, co-founder of Fox-IT Ronald Prins, suggests that “the Dutch elections are good practice for [the Russians].” In fact, Prins argued, compromised emails might still be published, as Russia has stolen military government information in the past.

Motivations are further muddied by nuances in the Dutch political system. Whereas the U.S. election came down to a campaign between two people, the Dutch political system operates slightly differently. Discrediting one individual does not necessarily lead to the election of their rival. This is down to three factors:

  1. The House of Representatives (Tweede Kamer der Staten-Generaal) is operated by a cabinet formed by a coalition. Even if a party wins, they usually have to join with the party coming in second place in order to secure a majority in the House (though a minority coalition is not ruled out).
  2. While each party has their appointed top candidates for the elections (lijsttrekker), this does not guarantee the top candidate of the biggest party will become Prime Minister.
  3. The Netherlands has a number of political parties eligible for seats in the House. During the 2017 elections 28 parties are eligible for one (or more) of the 150 seats. This then means, cyber threats motivated by attempting to influence the election results might not produce significant results due to the complexity and unpredictability of the forming of the coalition. 

 

Although there are cyber threats to the General Elections, due to the nature of the Dutch system and precautions already taken, these will be more limited in scope than they were to the U.S. presidential elections. Perhaps that’s why Dutch citizens are more concerned with taking various online tests to see which party best matches their ideas, or they are busy trying to keep their digital pet politician alive.