Date: 2022-02-18

The Superior Electoral Court (TSE) released this Wednesday (16) the answers provided by its technicians to the Army Cyber Defense Center, which became part of a transparency commission formed by the Court to oversee the electoral process. In the document, the TSE reports having identified a total of 712 risks in its information technology projects since the 2018 elections.

According to the court, all of them were recorded in a risk management tool, “from their identification to their effective treatment, with a history of escalation and contingency measures”.

It then presented charts ranking these risks. Of the total, there were 68 risks considered critical, 257 high risks, 230 moderate risks and 157 small risks. There is also a division by election: in 2018, 207 risks were identified; in 2020, 292 risks; and in 2022, 213.

The data were provided in response to questions from General Heber Garcia Portella, who heads the Army’s cyber defense area and is a member of the Electoral Transparency Commission (CTE), created last year by the president of the TSE, Minister Luís Roberto Barroso.

At the end of last year, Portella presented 80 questions and requests for information to the TSE on the security of electronic voting. Last Monday (14th), Barroso announced that the answers had been sent, and this Wednesday (16th) he released them in a 69-page document and an annex with more than 700 pages, containing technical information and internal decisions of the Court that describe security procedures.

One of these resolutions deals with risk management. Risk is defined as “the possibility of an event occurring that will have an impact on the achievement of objectives, measured in terms of impact and probability”. The resolution also governs how risks are to be handled. The response to a risk may be to “accept risk by conscious choice”; “transfer or share the risk”; “avoid the risk by deciding not to start or discontinue the activity that gives rise to the risk”; or “mitigate or reduce the risk by decreasing its probability of occurrence or minimizing its consequences”.

There is also a third chart that breaks down the risks by escalation level. Of the 712 registered, 651 were identified at the “project manager” level, another 53 at the “coordinator” level, 5 at the Information Technology Technical Commission (CTTI) and 3 are linked to the TSE director general.

The document sent to the Army does not give more details about the risks linked to the computerized election program in the last 4 years.

This Tuesday, in a press interview, Minister Edson Fachin, who will assume the presidency of the TSE at the end of the month, said that there is concern about cybersecurity in this year’s elections.

“There are risks of attacks of different forms and origins. It has been said and published, for example, that Russia is an example of such origins. The alert about this is maximum and is growing. The war against the security of the Electoral Justice in cyberspace was declared some time ago,” he said.

Attacks ‘not uncommon’

The document, however, answers dozens of other questions about the security of the electronic voting system. In most responses, there are technical descriptions of equipment, structures and systems used to prevent fraud in electronic voting.

In one of the questions, for example, the Army asked the TSE what control mechanisms are used to prevent a “denial of service (DoS/DDoS) attack” from interfering with the transmission of voting data to the TSE totalization system.

The TSE replied that the transmission of voting data does not use the TSE’s “communication links” with the internet, but only “internal links”. If the internet does need to be used, the contracts with the operators provide that they must mitigate “all DDoS attacks”. The document then says that these attacks “are not rare”.

“DDoS attacks towards the Electoral Justice are not rare, having occurred even in the 1st Round of the 2020 Municipal Elections. During a DDoS attack, the technical teams of the operators interact with the TSE teams to effect the blocks and restore services. This is a highly operationalized practice and, therefore, tested in order to assess its effectiveness”, says the document.

In the 2020 municipal election, there was an abnormal delay in totaling the data. At the time, the TSE reported that the problem occurred in the central computer, but was resolved on the same day.

New voting machines did not undergo external audit

In another question, the Army asked the TSE whether any external audits will be carried out on the new electronic voting machines (2020 model). It noted that this model was not made available to the external technicians who participated in the Public Security Test (TPS) last year, in which the TSE invites experts to try to break into the voting machines and then corrects any vulnerabilities.

The TSE responded that its own technicians audit the manufacture of the voting machines directly on the production line, inspecting the entire manufacturing process, “in order to verify that the finished product, an electronic voting machine, conforms to the established project and the other specifications of the bidding notice”.

It then stated that in the 2021 TPS, the machine tested was the 2015 model, “because the 2020 model was still under development and the systems are still under development”.

In this year’s elections, a total of 577,125 electronic voting machines will be used. Of these, 224,999 (38.9%) are of the 2020 model, which did not go through the Public Security Test. The TSE stated that as of March, the software will be available for testing, but only for internal tests carried out by the Court itself.
