Could hackers derail one of the most important elections in Europe?

The ghosts of 2016 are haunting Germany as voters head to the polls.


Jonathan Keane

There’s one shadowy figure that will likely linger in the minds of Germans on Sunday as they head to the voting booths to elect the country’s government: the hacker.

Chancellor Angela Merkel and her Christian Democratic Union (CDU) party are expected to retain their position in government with a coalition of other parties. It’s the third high-profile election on mainland Europe in 2017, following the Netherlands and France. Both staved off far-right contenders to bring some stability to the European Union, which is contending with Brexit negotiations and relations with U.S. President Donald Trump.

After last November’s U.S. presidential election and talk of Russian interference, German officials have repeatedly issued warnings about maintaining the election’s security. As election day approaches, the specter of hacking threats still looms.

German media has reported that officials have a “cautious all clear” for Sunday. However, in early September, researchers from the Chaos Computer Club found vulnerabilities in the software used to tally votes from constituencies. They found the software, PC-Wahl, did not verify its updates, used default credentials making “takeover quite feasible,” and did not use secure connections for transferring data.

The one saving grace is that altering the tallies would have been unlikely to go undetected.

“The software is used to aggregate and forward the results of certain constituencies to provide an early extrapolation or preliminary result,” said researcher Thorsten Schroeder. The votes themselves are still carried out with pen and paper.

“However, the worst case could cause confusion and mistrust in democratic procedures,” he said, which would be “fuel to the fire of populism.”

Schroeder doesn’t believe that there will be a major attack carried out against the German election on September 24—but he does believe there needs to be more responsibility taken by software vendors.

“The software is the opposite of what I would call contemporary or safe. But I have to admit that it should be safe for the upcoming purpose under the given requirements. The remaining risks can be handled safely when following enactments and requirements of the election official,” he said.

“I’m generally concerned about the ‘crapware’ that is bought and used by our government to solve problems and requirements like collecting election results.”

BSI is Germany’s national cybersecurity agency, which advises the Bundeswahlleiter, or Federal Returning Officer, on election IT security. The agency said it has made recommendations to the vendor for improving the software and “has provided extended crisis reaction capacities for possible incidents.”

Software vendor Vote IT said in a statement that it was implementing further security measures.

“In close cooperation with the Federal Returning Officer the BSI is prepared for different scenarios,” a BSI spokesperson said. “Apart from this, the BSI advises the German Bundestag [parliament] and the political parties.”

BSI’s spokesperson added: “The BSI runs pen tests and web checks to identify potential vulnerabilities, in order to have them closed. Moreover, BSI has intensified its situation monitoring until after the election and provides further emergency response capacities in order to be able to react to potential IT security incidents.”

Germany is no stranger to cyberattacks. The government’s domestic intelligence agency, BfV, accused Russia of orchestrating an attack in 2015 on the Bundestag in an attempt to steal sensitive intelligence data.

A year later, Merkel’s CDU party was targeted by phishing attacks that attempted to access confidential party data. According to security firm Trend Micro, the culprits behind both attacks are linked to Pawn Storm, a cyberespionage campaign from Fancy Bear, an infamous Russian hacking group accused of tampering in the 2016 U.S. presidential election.

Germany has a rocky relationship with Russia. Merkel supported E.U. sanctions against Russia over the Ukrainian conflict but is open to lifting such sanctions if peace is reached.

Most parties are “in favor of dialogue and deterrence,” said Christel Zunneberg of think tank European Council on Foreign Relations, “so maintaining the sanctions, incrementally increase or decrease them but continue dialogue. That’s the mainstream position of German parties and also Merkel.”

The German election will be an important one for the stability of Europe. Polls continue to show that Merkel is likely to be re-elected, but voters in the U.S. and U.K. have shown that polls cannot be relied on as much as before.

Since the election of Trump, Merkel has aired her concerns over Germany and Europe’s relationship with the U.S. and diminishing shared values.

“What’s interesting is that Merkel, in her previous party manifesto in 2013, spoke of the U.S. as the most important friend outside Europe,” said Zunneberg. “In her current party manifesto, the U.S. has been referred to as the most important partner, so there is a change in rhetoric there.”

Merkel is not without her detractors at home. The chancellor’s open policy during the refugee crisis has emboldened far-right and anti-immigration parties and groups, such as Alternative für Deutschland (AfD), which is tipped to win some seats. She remains steadfast, though, and won the only TV debate against main opposition leader Martin Schulz of the Social Democratic Party.

While migration and security have dominated, digital policy has popped up with proposals for the creation of a digital policy ministry, similar to that of other E.U. members, but how seriously the next government will take cyber issues remains to be seen. “I’m excited what our new government is really going to do for their cyber [policies] during the upcoming legislature,” said Schroeder.

Correction: An earlier version of this article misattributed a quote from a BSI spokesperson to another party. We regret the error.

The Daily Dot