To detect security vulnerabilities, Swiss Post regularly has the election and voting platform and the infrastructure of its new e-voting system put through its paces by IT experts from all over the world. Carrying out such public intrusion tests is a legal requirement of the Confederation.
Since last weekend, it’s been time for ethical hackers to target Swiss Post’s e-voting system again. This is the first time they have encountered the system configured for National Council elections, allowing them to test new functionalities. Swiss Post provides the e-voting environment for this purpose at the pit.evoting.ch URL. This is the latest system release and the 1:1 version of the infrastructure that is also used at real contests. It allows interested experts worldwide to simulate the vote casting procedure, detect security vulnerabilities and try to break through the infrastructure and penetrate the electronic ballot box. The public intrusion test will run from 8 to 31 July 2023.
The search for vulnerabilities is worthwhile
IT specialists who find a vulnerability will earn a reward. Swiss Post pays up to 250,000 francs for confirmed findings, depending on their severity.
Besides the public intrusion test, which Swiss Post conducts on a recurring but time-limited basis, the public review of the programming code, the specifications and other essential documentation of the e-voting system is ongoing. The latest versions of these documents are always publicly available on the GitLab specialist platform for specialists to check. Swiss Post has already received over 270 reports this way and paid out over 160,000 francs in rewards.
Swiss Post publishes all findings from the public review on the GitLab platform. It also summarizes and provides information about the results of the public intrusion test in the form of a report.
Around 3,400 hackers worldwide took part in the last public intrusion test in autumn 2022 to attack the system. No-one succeeded in penetrating the e-voting system, or even the electronic ballot box. A hacker reported a finding to Swiss Post and received a reward for it. Swiss Post has implemented the improvement for it in the current system version.
Why does ethical hacking lead to greater security?
Swiss Post’s new e-voting system enjoyed a successful premiere in the June 2023 votes in the Cantons of Basel-Stadt, St Gallen and Thurgau. However, even after its initial deployment, Swiss Post is continuing to develop the system, because security is the top priority in e-voting. The inclusion of ethical hackers in security audits is a particularly effective cybersecurity measure. Swiss Post was one of the first companies in Switzerland to launch a public bug bounty programme about two years ago and has gained valuable experience with it. Thanks to the reported findings, Swiss Post has been able to effectively eliminate vulnerabilities in its systems and continue to improve security – including for e-voting.
In the ongoing development of its e-voting system, Swiss Post is also guided by the catalogue of measures adopted by the Confederation and the cantons in March 2023.
Cybersecurity at Swiss Post
Digital technologies are fast-paced and evolving rapidly. Equally, cyber criminals are continually developing their attack methods. That’s why it is part of IT’s job to continuously check systems for improvements and security vulnerabilities.
Swiss Post combines various testing methods to ensure a high level of security for its IT applications. It deploys internal measures for this and has applications tested by specialized companies. Swiss Post has also been running public bug bounty programmes for several years. They allow private computer specialists with good intentions, so-called ethical hackers, to search for security vulnerabilities. To do this, they attack systems and try to penetrate them. If they succeed, they receive a financial reward from Swiss Post. The company takes the confirmed findings into account in developing the system, helping it to continuously improve its online services.
