We analyzed the election software that is used, and has been used for years, in all Dutch elections. Our conclusion: this software is very vulnerable.
On the 13th of March, Herbert Bos appeared on RTL Nieuws to summarize these findings. He is on briefly after 7 seconds, and then again at 3m17s (also with Sebastian, Marco and Sanjay, who did the heavy lifting for the analysis, together with Andrei).
Surprisingly, Minister Ollongren does not think there is a problem, even though we show vulnerabilities as bad as integer overflows that allow attackers to manipulate overall results even from compromised local polling stations.
The news broadcast, our analysis, and the independent analysis by Sijmen Ruwhof, did lead to questions from the parliament, and some members of parliament explicitly echoed Herbert’s analysis. The issue was also reported in most newspapers and on Tweakers.
Brain Drain
Prof. Herbert Bos, Prof. Michel van Eeten, and Prof. Bart Jacobs on the 24th released a joint Dutch statement and proposal on the inadequacy of academic cybersecurity funding in The Netherlands. Funding that is up to 50x higher in neighboring countries is causing a drain of talented researchers away from The Netherlands.
Cybersecurity Investment Proposal
The proposal calls for the development of a three-pronged strategy to maintain the high academic standard of Dutch research organizations, funded by in total a budget of €100 million over 10 years, in a combination of public and private investment.
- €40M (public): fund open tenders for non-permanent PhD and postdoc projects, where both pure-CS and interdisciplinary proposals will be considered. Examples might be legal, medical and organizational fields.
- €20M (public): a budget of €2M/year for which universities may apply to either (a) hire permanent staff for a newly appointed cybersecurity professor; or (b) retain staff, done by a cybersecurity professor with at least 5 years proven record, to establish areas of new research.
- €40M (private): The establishment of a pool of inter-organizational cybersecurity experts. The organizations will be a combination of research, government and industrial organizations that host the members. These members will then share knowledge, deepen knowledge (by following an external or industrial PhD program), and provide operational expertise in emergencies.
Coverage
This proposal was covered in Computable last week and Prof. Bos was a guest on BNR News Radio at 06:00 AM this morning for discussion.
The current proposal for new legislation in The Netherlands for intelligence and security agencies has issues. More safeguards are needed: open letter (Dutch only).
Systems and Network Security Group at VU Amsterdam