Episode 75

Security & Trust in Voting Systems with Christian Folini

EPISODE SUMMARY

Governments and corporations seek to maintain secure and legitimate elections, even as technology continues to advance. Joseph Carson meets with Christian Folini, application security engineer and creator of “12 Tutorials about ModSecurity and the Core Rule Set,” to debate how expanding tech can help to democratize elections and how it can affect the trust we have in the election process. We dive into the impact of online voting and the recent Estonian election where electronic voting surpassed traditional voting methods.


Christian Folini:
Trust is really the limiting factor. As we have seen in the U.S. Elections, you don't need an actual fraud. You don't need an actual weakness in an electronic system.
It's good enough if enough people, important people say and state it has been a fraud, people will follow. There is nothing to prove the absence of a problem if there was no problem. People don't trust you, and for society, this is a huge problem.

Joseph Carson:
Hello, everyone. Welcome back to another episode of the 401 Access Denied podcast. I'm the host for the episode, Joseph Carson, chief security scientist and advisory CISO of Delinea. I'm really excited to have today's episode. Today is a very, very important topic.
But before I get started, I want to basically welcome an amazing guest on to the show. First time on the episode, first time on the podcast. Welcome, Christian. It's great to have you here, and I'm really interested by today's conversation. Can you give the audience a little bit about who you are, what you do, and some fun things that you get up to?

Christian Folini:
Thank you, Joe. Thanks for having me. I'm Christian Folini. I'm Swiss, I'm a security engineer. Actually, I have a background in medieval history, and somehow I went from medieval history into the IT security industry. I'm a web application firewall specialist. I'm a co-lead of the OWASP ModSecurity Core Rule Set project where we tried to protect web servers from online attacks. But I also did a lot of work on system engineering for online voting in Switzerland.
I moderated a government dialogue with scientists around continuing problem with electronic voting and how Switzerland could address that on a 5- or 10-year horizon. I have a fairly broad area of topics I'm working on. I got to know Joe last year at a Swiss Cyber Storm conference that I'm co-hosting and organizing, and that's how we entered a conversation. I'm very happy to be on your podcast.

Joseph Carson:
Fantastic. Welcome. The medieval is always important background, especially for security because there's a lot of segues and a lot of relations in there. Absolutely, I mean for the audience, I did go and speak at the Cyber Swiss Storm conference and it was fantastic. It's one of the best conferences that I know.
I attended lots of conferences around the world, the audience might know. I get to travel quite a bit. But definitely, in my last year, it was one of the definitely prime conference of the year and really great hospitality, great location. If you ever get the opportunity, if you are in the area, I'd definitely recommend reaching out to Christian and making sure to get more details about the conference.

Christian Folini:
Thank you.

Joseph Carson:
For today's topic, today's topic is all about trust, and that's really the foundation of what systems and IT security is built on. It's really the foundation.
We hear a lot about zero trust. We hear a lot about the principle of least privilege. We hear about dynamic trust and building trust and security. Trust is really one of those big foundations. One of the things you mentioned around that you've been working on is the voting systems. When we're talking about trust, that's one of the biggest systems where trust, it has to be vital. It has to be non-repudiable. It has to be something that...
It's not something that you just assume or just accept. It has to be earned. I think that's one of the fundamentals here is trust, it has to be earned. Can you give me some of the things that you've seen around voting systems or systems that trust is very valuable and very important elements when it gets into security?

Christian Folini:
Yes. For those of the listeners who are not familiar with the Swiss online voting system, we have been doing tests with online voting for like 20 years now, and we still don't have a running online voting system. In fact, 2019, we hit headlines with a kind of disaster. The system was meant to be done, ready for introduction, and final step was publishing the source code and opening up for a public bug bounty program. The hackers ripped it apart within weeks and they had to stop the program. It was a huge catastrophe, no more trust in the system at all.
And then the year afterwards in 2020, government ran a big dialogue with scientists around the question, "What is the problem?" There was a lot around cryptography, that was really the focus. This is how they ripped it apart, just the algorithms and namely the implementation didn't work at all. So too much trust in bad software.
One of the results of the dialogue was, we lack trust in this system, our population lacks trust in that system. How can we build trust and how can we gain or earn trust for that system? Apparently we need to fix the bugs. We need to be more transparent with the development and so on.
But it's absolutely an open question how they can make the population trust that system, and how can we introduce this midterm, long-term without undermining the trust in our political system? Switzerland is a very old democracy, so this is really valuable and people feel this is really important. You find quite a lot of people thinking, "We just need online voting. Somebody got to take care of it."

Joseph Carson:
Absolutely.

Christian Folini:
But there is a lot of bad feeling of people around, "Um, hmm, maybe not," or, "Let's wait," or "It's never going to be good enough." These questions are very hard to tackle. There might be future discussions around trust, and we don't know how to really earn trust.

Joseph Carson:
One of the things I'll find, being based on Estonia myself, the whole society here has been built around a digital society. It started off with that paperless path and turned into digital services and digital society, and government being a service provider to the citizens. The voting system, having that voting system being one of those first systems to build trust on, is definitely probably not the best one to start with.
You want to probably start sometimes smaller or sometimes things that you can start earning that trust at the beginning. Those foundations can segue off into the identity side and voting systems. I know in Estonia one of the first systems they did here was the tax one. That was the first system they actually built to enable you to do online taxes and do it in very efficiently because it was one of the bigger pain points. It was one of the bigger challenges for the citizens.
They started with the one that the citizens had the most pain around and were willing enough in order to actually go on and use that system because they didn't want to go and fill in paper forms and spent days in queues and how to go through audits. They decided here to go through one that was a bigger pain point, and then adds internet voting to it at the later stage.
To do the internet voting, the first one is probably definitely you want to build trust around it, but your point as well is to give it to pen testing and bug bounty towards the later stages in this cycle. We talk about security by design and security by default sometimes, and you want security to be built into the design process. That's one of the big things of OWASP. OWASP is about shifting left and moving security into the development process-

Christian Folini:
Absolutely.

Joseph Carson:
... to do that in a much later stage.

Christian Folini:
I remember a lot of conversations around this. Look, you guys, you need to open this up as soon as possible, as long as you're not in the headlines. Once you are near the finishing line, everybody will look at you, and there's sure going to be weaknesses. You want to have them early on so you have time to fix them. They learned it the hard way. What I like is they really learned it. The way the system is built now is they roll out the red carpet for hackers right now.

Joseph Carson:
That's the best way.

Christian Folini:
But they had to learn this the hard way.

Joseph Carson:
Because that's where you build the trust, making it open, making it available, getting people's views and opinions. That's where you start building the trust. As I mentioned, the foundation, in any election systems, whether being paper-based, machine-based, or internet-based, trust is the foundation of it. You have to have some type of trust.
When people trust in the voting system, no matter what the system or process is, whether being computer-based, internet voting, whether it being you go to a booth and you hit a button on a machine or you still fill in the paper form, it's trust in the system. It's trust in the transparency. That's where people have confidence in.
It's also making sure that the government is providing transparency around it as well. I think that's key and that's what's really important to building the trust and have broader people be able to look at it and actually raise the concerns of certain areas so you can learn those lessons.
I think it's really important that you keep moving forward. I've seen many going back, "Let's go back to paper." But it still has problems as well. What I like is the more choices you have, when you have choices, each of them provides some type of integrity or oversight of each other. That's also important as well is that you're not putting all your eggs in one basket. You don't have one single point of failure.
One of the lessons here in Estonia, what was great, and it was only highlighted during COVID, when we had people having not been able to leave homes and we were restricted from going in public or getting within two meters, and then came the voting season. We had an election in the middle of COVID. The last thing you want people to be doing is going and standing in lines.

Christian Folini:
In the winter in small spaces.

Joseph Carson:
In small spaces, two meters apart. If we had to have people putting in lines two meters apart, the line would've been all around Estonia. It would've circled the entire country to get that proper distance.
So really get into one of big highlights was that having those different choices meant that people could vote from a safe location. It was actually good for their health. It was actually something that put them out of harm's way, and it meant that the elections could still go ahead.
Having those multiple choices is always a great way. There still is the mail-in vote if you wish to do it. There still is the electronic vote if you wish to do it, but they provide oversight of each other.

Christian Folini:
In our system we have a long tradition of mail-in voting, like 90-95% of Swiss voters use mail-in ballots. That is also why online voting was started very early on because from a process viewpoint, you just replace the mail-in ballot with an electronic ballot. It seems simple enough, but of course people had a very simplified view of security 20 years ago and mainly by the online security.
We learned our industry and we learned a lot about online security along the way. Initially, there were multiple Swiss systems, and one system they rebuilt three times from scratch and always huge, huge improvements. Unfortunately, in the end, they ran out of money and had to give up. But that was a beautiful system.

Joseph Carson:
Let's look at some examples in the recent history. If you are then putting your trust in the postal service for mail-in voting, you're having to trust the postal service. If you look back, the Royal Mail recently in the UK had a major ransomware outage. If that was in the middle of Christmas, which meant that packages... I think my Christmas cards from my family didn't arrive until late January.
So if you're putting your trust, you have to have trust in the postal service then and you have the trust that that service is going to work and that your votes going to get counted.
That's the difference is that in a postal mailing or even electronic voting, you want to be able to know that your count actually counted. It was actually participated in the election as well. That's one of the advantages of internet voting as well is that you can definitely have an auditability. There's a transparency. Here in Estonia, you can actually log on and see your transactions.

Christian Folini:
The more we're using or developing the electronic voting system, the more we realize all the weaknesses of the mail-in ballots, that system. Of course, the whole postal system is optimized for money to be cheap and not reliability or the auditability. You drop your letter in a mailbox and you expect it to be counted, but there is no guarantee around that.
As you said, multiple channels start to protect each other because an attacker ultimately would have to attack the onsite voting, the mail-in ballots, and the electronic ones. The statistical methods are not here yet, namely the research is not here yet. But once we have done that, we can compare the results of the different channels and say, "Yeah, this makes sense," or, "There is something very odd in that region of the country with those ballots." I think that's really a strength of having multiple channels ultimately.

Joseph Carson:
If we look at where the attacks have been happening in, for example, focus on the voting side, it's actually trying to get the person to attacking their choice. You're hacking the person who's making the decision. Most of the voting, the resources that goes into hacking elections is actually in basically information wars. It's basically social media. That's where it's happening.
Honestly, very seldomly would you find that after the vote has been cast, whether it being mail-in, electronic, or internet, very seldom would those systems be compromised because there's the validation checks and auditability in place-

Christian Folini:
Yeah, there's a lot of security preventing attacks there while the social media is an open field. Just do whatever you want.

Joseph Carson:
Correct. Do whatever you want. It's getting the person, it's hacking that person's decision. It's getting them to, whether it being providing fraud on different politicians and different people, that's ultimately where the attacks are happening. It's in the social media side.
One of the great things that we had a conversation before we started recording was around what I really like in Estonia, I saw the great bill here is that the election opens typically 10 days or so before the vote gets closed, but you can also change your decision multiple times. I think that's great. That's actually, here in Estonia, just one of the things that...
We're in an election time here in Estonia. What I think is fantastic is I've been seeing Estonians from all around the world showing where they're voting from. People voting on vacation in Spain. They're voting in the middle of the night in Japan. Even the prime minister was shown that she was voting from a cafe, and showing that the ability to vote any time at any point in day end of the day at any location is great because it actually increases the ability for people who may not have the option of voting. Maybe they work night shifts. Maybe they're taking care of people in remote locations. Maybe they are accessible and they can't get to a certain locations, or they're just simply away. They're traveling at the time. That used to be always my problem was traveling.
But also what's happening now is that people are starting to see the news about maybe the direction the election is going, and people are thinking, "Hmm, maybe my choice was not the right choice," and now they have the ability to go back in and make a change.

Christian Folini:
All right. It's interesting.

Joseph Carson:
It means that the media are unable to predict the outcome because of that as well. Because you get a lot of people who are just the followers. You get a lot of people who just say, "I'm going to go with the flow and I'm just going to follow, if it was the U.S., the blue or the red," or whichever party you affiliate with. It means the media can't really push the direction from their news, which I also think is a great point as well.

Christian Folini:
The Swiss political system, especially in the sense we're a semi-direct democracy, so we vote four times a year, a lot of yes-no votes, and then actually this year in autumn we are going to have parliament elections as well. They want to reintroduce electronic voting for a test population in a couple of regions. We're counting the days whether they manage to present a system for the national votes.
But as you mentioned, changing your vote once you see how the results are going, that is absolutely taboo in Switzerland. You're not allowed to publish polls four or six weeks ahead of a vote. I mean, we do this four times a year, so we're always in voting mode. Once one vote is over, the next one starts. The next public vote is starting on whatever the question is, and two months ahead of the vote you get the final poll and then afterwards it's blind. You need to, is it good enough, will we win? How much advertising do we need to run? But there are no more polls and definitely no exit polls. It doesn't in Switzerland.

Joseph Carson:
One of the questions I've got around that is that if you're voting multiple times a year, how much time is spent on voting?

Christian Folini:
This is such a streamlined process. I mean, if I do mail-in ballots, like most Swiss people, it's two minutes and stamp, off you go. The problem that we have now-

Joseph Carson:
Okay, so there's not a lot of waste.

Christian Folini:
Yeah. A lot of young people, they don't have stamps anymore. You have municipalities where they have pre-stamped envelope and they have a higher percentage of people voting compared to those where you have to add a stamp yourself.

Joseph Carson:
There's a cost for the person voting.

Christian Folini:
Of course. Actually, 2-3% of more voters when you pay the post stamp.

Joseph Carson:
It sounds like the voting-

Christian Folini:
It runs with an electronic voting, no change in the voter share. That is not influencing the vote share.

Joseph Carson:
It sounds like the citizens are informing the postal service.

Christian Folini:
But having a stamp really is something.

Joseph Carson:
Funding the postal service. That's-

Christian Folini:
Actually the electronic voting system that we're introducing or the one that is still around is the Swiss Post, and they went like, if somebody is cannibalizing our mail-in ballots, it's us because this is a growing share of our revenue, because letters are going down. We want to make sure nobody else is stealing that voting channel.

Joseph Carson:
The revenue. Money's worth.

Christian Folini:
Yeah.

Joseph Carson:
That's interesting.

Christian Folini:
They invested so much resources into that to make clear for the market, nobody is allowed to enter the electronic voting market if it's not Swiss Post anymore.

Joseph Carson:
For me, it sounds like one of the things definitely is the Swiss Post should actually think of being one of the identity providers, not just thinking about getting into just trying to monopolize the voting side, but actually becoming an identity provider.

Christian Folini:
That's definitely on the menu. We had a public vote on the last proposal. There are private companies or semi-private company like Swiss Post could play a key role and we said no. This is back to government. The identity provider will be closer to government. But Swiss Post definitely realized that, and digital trust is one of their focused goals as an enterprise where they want to develop-

Joseph Carson:
You can still separate it. You can still have the government being the trust anchor. They can be the verifier, but the issuer can still be done in other entities. They can be the one to deliver or to provide the service. I think that's what the big difference is that where's the trust maintained.
One of the things in Estonia, over the many years of the digital society, the way that they've done around the trust is that the government removes their ability to change history. That's one of the foundations of trust that it's built on. The ability for the government to remove their ability to change history, it's actually done it in quite an interesting way is that ultimately they sign everything. All the security, all the transactions get signed with a PKI and that transaction happens periodically. Ultimately though, it's done on the blockchain, so you end up having a root hash, and that root hash every month gets published in the Financial Times newspaper.
What that means is that the government effectively in a printed media, which means that that root hash is printed across 190 countries and millions of copies. It means that the government themselves, by doing that one action, by printing that root hash, the citizens have auditability of the government and the government no longer have the ability to change history.
I think that's the effective part is where your root of trust is maintained and how that root of trust is established and showing that the government itself-

Christian Folini:
It's very beautiful.

Joseph Carson:
I think it's a very intelligent way of showing the citizens that even you yourself, after a certain amount of time has passed, that you cannot change history. History becomes absolute, and then security, that history in audit logs and log files, it's something that we value of importance, and a government should also value that as well from a history perspective of when things are passed.
For me, when you're talking about whether the postal service should be the trust anchor, I don't think the postal service should be the trust anchor. Definitely, government is much better positioned to be the trust anchor, but they could be a service provider. Just like today in security, we have different identity service providers for authentication. The question always comes on to is, how do you establish the trust anchor in those? How is trust maintained? I think that becomes a big important part of it.

Christian Folini:
Yeah, I totally see that. I'm sure Swiss Post is right there if somebody has to have that role. They're so into that topic, and as it happens, Swiss Post is the Swiss enterprise where the citizens have the biggest trust. It's the private enterprise with the biggest trust among the population. It's a perfect fit for that role.

Joseph Carson:
I think that's ideal. You always have to look... There might be multiple. You might see the driver's license authority is another typical one that issues identity. The passport authority is another one that issues identity. They can all be some type of identity issuers.
This is one of the things that I've seen even as we move forward that we're starting to see even across the EU, the digital wallet being a very important part of this, that we're starting to see the digital wallet in the future. That brings the questions into the future of hard copy-based identities where your phone simply becomes a digital wallet extension of those.
It becomes also transparent across where that data can be, let's say... I wouldn't say the data be insured, but being able to validate questions should be shared such as, I can go back and say, "Am I allowed to drive in Switzerland?" And Switzerland, rather than me showing my driver's license, they can just ask the authority back in Estonia, "Does this person have a valid driver's license?" and they actually answer, comes back as, "Yes, it's valid." That's all typically you need to know.
But I think it's great seeing... What's some of the blocking issues? Where do you see the challenges going forward?

Christian Folini:
With the disaster, and it was literally a disaster in 2019, the regulation was redone to really limit the test runs of electronic voting. I don't see this introduced far and wide in the next 5 or 10 years. If they manage to finish the system in time and run it in the 2023 national elections, then I expect to have a slow expansion.
Trust is really the limiting factor. As we have seen in the U.S. elections, you don't need an actual fraud. You don't need an actual weakness in an electronic system. It's good enough if enough people, important people say and state it has been a fraud, people will follow. There is nothing to prove the absence of a problem if there was no problem. People don't trust you, and for society, this is a huge problem. For me, this is the strongest argument against the introduction of online voting.

Joseph Carson:
Absolutely.

Christian Folini:
I personally think that trust is maybe a function of time. If we have a very slow rollout, then our society and political system will get used to this system. We're going to have weaknesses, we're going to have problems, and each of these problems are tests for society, whether we're able to handle that problem.
Maybe after 5 or 10 years people will get used to it, and the next idiot who stands up and says, "It's been a fraud and the election has been stolen," the other parties will say, "Hold on. You present us the proof, or we don't believe you. This is bullshit." That will take time to get into such a situation.

Joseph Carson:
The great thing here is the citizens can actually go and verify it themselves.

Christian Folini:
It takes a lot of know-how to do so.

Joseph Carson:
It's the transparency and auditability, which is key. In the U.S., you typically have the balance of powers. You've got Congress, you've got the government, and the White House. The justice and Congress and the White House are meant to oversee and have that balance of powers between each other. They're meant to provide oversight of each other. That's where people have trust in the system, so they don't have to worry about how it operates in their daily lives. They can just get on with it and let the oversight of that happen.
But when you question oversight and the oversight starts to have fragiles and cracks, and that's where the trust starts to deteriorate. But absolutely you're right, trust has to be earned over time. Sometimes even just starting with smaller elections, maybe ones that's not so important.

Christian Folini:
Absolutely. In test runs, limited audience, that certainly helps. How does that work in Estonia? A problem that we're seeing is, there is a relatively small part of the industry who's interested to learn how to verify this, how to audit this properly. The average citizen has no chance whatsoever to understand the mathematical proofs. But even inside a security industry, the relative few people who take the time sit down and read through the merits of documents that have been published in the meantime, to have a qualified opinion on the quality of this.
Where I see now and for whatever reasons in Swiss discussions, government is really strong that a lot of people now, next federal province level, the canton level in Switzerland, they've learned so much in the process. Then a couple of companies around, they have been running audits, conflict reviews, documentation reviews, but then wider audience, wider security industry, no participation in discussions. Meaning if we have a problem, we have very few neutral third parties who have a qualified opinion, who have the knowledge to really participate in the discussion to say, "Yes, what government says make sense. This is good enough." Journalists will just struggle to find anybody able to comment on a publication.

Joseph Carson:
I think that the deciding factor here in Estonia was 2007 when Estonia became the victim of a mass-scale cyber attack. What that was was the turning point. One that we identified is how well the systems performed, but also we find the areas of weaknesses. This was the fundamental defining point. That's where the government definitely invested and shifted a lot more working with industry more closely.
That was a time where industry and government came together to defend the country. That cooperation between industry and government continued and developed post that event. That's where the strength of that cybersecurity society and cooperation was built around. Sometimes it took an event to realize, one is that our systems are performing quite well, but here's areas that didn't do so well. How do we address those? How do we improve it? How do we become resilient?
Even to the point where 2007 that identified, one of the things during the talk that I give in Switzerland, there was a run that all the data was located in Estonia. If there was a land invasion, the threat and risk of that data being destroyed was high. Therefore, how do you de-risk that? That basically created the development and introduction of the data embassy.
Again, identifying those weaknesses, but it did take that event, that situation to highlight it and to bring it to the surface where we hadn't thought about those scenarios before. That turning point brought industry and government to much more closer working relationship. I think sometimes it takes an event, but sometimes it also takes a very proactive government that sees the importance of industry cooperation, and opens the doors and provides facilitation of it as well. That's what's important.

Christian Folini:
Got you. You would say there is definitely a feeling in the industry that we have a joint project here to protect our society from external attacks, and we need to investigate and give resources and be interested in what is happening? Because this is something I rarely see in Switzerland. This is something government is doing, and we couldn't care less because it's so complicated.

Joseph Carson:
Sometimes it's also how you do the message. You have to make sure, one it's not about... The important part here is not about... Security is not the priority. It's about maintaining services to the citizens. How you message it is key because many citizens don't really care about security in the government side. They're just concerned about the services they're getting is actually working and they trust them. This is what they care.
It's about making sure when you do message it... But that cooperation between industry and government, it does have a very strong pillar of security and trust. But when you message it to citizens, it is all about maintaining resiliency of the services that you're providing to the citizens.

Christian Folini:
Yes, got this.

Joseph Carson:
That's what's key. I think this has been intriguing and very exciting conversation. I could go on this topic for hours. Anything for the audience who has been listening in? Any lessons that you've learned that you would suggest, or to other countries that might be listening in or other people that might be involved in the trust of systems? Any lessons that you would suggest that they would take away that would be important that they can act upon urgently?

Christian Folini:
If anybody in the audience is really into online voting, then this government dialogue was published in 2020 with a very readable report where you have all the open questions on a global level around online voting. All the scholarly open questions and the problems that are not being addressed. Research questions that are now being handled the next few down the road. I think that is a very good snapshot of online voting on a global level with Swiss perspective 2020. It's really worth to read.

Joseph Carson:
Fantastic. Christian, if you can give me the link to that, I can definitely make sure-

Christian Folini:
I can give you the link and you can publish it with the podcast.

Joseph Carson:
Fantastic. That's exactly what... Giving the audience the resources directly in the show notes makes it much easier for them. Any lessons learned from previous experiences I think is so valuable into what questions get raised. I think probably around the bug bounties and the feedback and the lessons would be greatly valuable for anyone who's looking at this.
I know while Estonia has been forefront and other countries are looking such as Switzerland and other countries around the world, I know even in the U.S. many states are looking at this as well to provide better service to their citizens. Anyone in the audience, if this is a path you're going down, we'll definitely make sure that you get the resources and definitely the valuable information to make sure that you don't repeat the same mistakes or same lessons again because it's not very productive use of our time. So definitely learn from others is valuable and important.
Christian, it's been fantastic having you on the show today. Really looking forward to the next time that we can catch up. We'll definitely make sure that we'll provide ways for the audience if they have questions for you, that we'll make sure that they have access to what's the best way to contact you. But again, Christian, it's been fantastic, and thank you for being on the show.

Christian Folini:
Thank you for having me. It was good fun.

Joseph Carson:
Absolutely. For the audience, this is the 401 Access Denied podcast, bringing you thought leadership, exciting hot topics and trends. Hopefully this has been a valuable episode for you. Stay tuned. Go back and listen to previous episodes. Every two weeks we come up with a new show. Stay safe, take care, and till the next time. Thank you.