Elections at Cyberost. About the risk of voting and disinformation with a cyber security expert

– There are very clickbait articles on this subject claiming that this is the end of the election, that the election should be cancelled, etc. This is a gap, but it is not worth panicking – says Mateusz Chrobok, a cyber security expert, when asked about the possibility of impersonating other people using a fake mObywatel application. In an interview with Bankier.pl, we also talked about disinformation, Poland's resilience to cyberattacks and the flaws of e-voting.

There are reports online that during Sunday's elections there may be attempts to use fake mDowód IDs. What is the problem?

Currently, you can try to impersonate others using a fake version of the mObywatel application, which can be bought for a dozen or so zlotys and found in different places – not only on the darknet, but also, for example, on Telegram. Members of the electoral commission are supposed to check whether the application “moves” and thus verify the data: name, surname, PESEL. The problem is that if someone has your data, e.g. from a large leak, they can create a fake application with your data and a photo and vote for you.

Clickbait articles are appearing on this subject, claiming that this is the end of the elections, that the election should be cancelled, etc. This is a gap. I think that PKW did badly by not changing its approach – the verification consists of the user scanning a static QR code on their phone, and afterwards you can show anything, e.g. a false identity in a fake mObywatel.

Why isn't it worth panicking? Let's imagine what you would have to do for the use of this gap to work at scale and actually affect the election result. It would have to be hundreds of thousands, if not millions, of votes cast. You would have to involve hundreds, if not thousands, of people who would have to obtain this data and go from commission to commission. In the case of such a large operation, the probability that something will fail is huge.

I think that the best we can do is to go to the elections calmly. If only to check whether someone has voted on our behalf, and if so, we simply report it, so that we know as a society that such incidents occur.

How can this gap be removed before the next elections?

There is a very nice technology in mObywatel, used to verify another person based on a QR code. Why don't we use it? I don't know. Perhaps the point is that you would have to announce tenders for telephones for the commissions. I am convinced that this is not a technological problem, but a process problem that can be solved. This existing method, which has already been verified, would in my opinion work great.

What threatens our elections in the cyber layer?

First of all, disinformation. It is easiest to influence people through emotions. Social media are largely responsible for this. Recently, half a million zlotys were spent on the Meta platform for three candidates in a very short time to influence those who see these ads. The beneficiaries are the companies that show these ads – they get money for it. Probably only after the election will the investigations end and explain what really happened.

I think there will be a lot of such last-minute reports, often without a clear source, and it will be another wave of disinformation trying to influence our votes. One of the most famous operations, which I recommend looking into, is conducted by the GRU, that is, the Russian services. It operates in Germany, in Poland and in many other places all the time. Its name is “Doppelganger”, or “look-alike”. Some time ago I made a video on this topic to explain how it works.

Imagine clicking on some clickbait Facebook ad – for example, about an actor who died. After you click, they check who you really are, how old you are, whether you are from Poland, and redirect you to an article that is supposed to arouse emotions – for example, to disgust you with one of the candidates. It is a mechanism of persuasion that works because they have a lot of money and can adjust the message on an ongoing basis to manipulate recipients. They try to act like this in many European countries.

Can we counteract this at the state level? Does Poland have any strategy for fighting disinformation on the web at all?

As far as I know, a unit dealing with counteracting disinformation operates within NASK. If something worries us, we can also report it as an incident to CERT Polska, through incident.cert.pl or by sending an SMS to 8080. I hope that these services work together and that they also contact other institutions.

And are our systems ready for cyberattacks, e.g. DDoS?

From what we know, the historical DDoS attack on PKW systems happened because of configuration errors, but I am convinced that lessons were learned from it and we will be better prepared. At the moment, listening to what colleagues from the security industry say, we are doing really well. We defend all elements of critical infrastructure.

This does not mean that there are no attacks – there are constant attempts to disrupt functioning – but I hope that this time it will be fine, and even if such a DDoS happens, we have backup methods of action – physical procedures. Of course they are slower, but we are able to cope. Resilience means that even when one thing fails, we have emergency procedures.

Hacktivists sympathizing with Russia boast that they managed to “take down” an airport website for 5 minutes; they took a screenshot and made great propaganda that “poljaki” cannot fly now because they blocked the infrastructure. Only it was for 5 minutes, before the appropriate mechanisms kicked in, and then they failed. They need this propaganda primarily for internal use.

You recently recorded a video in which you explain the problems related to online elections. At first glance, this may not seem a bad idea. Speed, convenience, lower costs. Where is the catch?

The catch is that such systems are convenient, fast and in theory easy to create, but they are difficult to audit and understand. And thus they exclude a part of society that does not quite know how it works technically. Transparency is one of the most important elements of an election – the point is not to exclude people who, for example, cannot use the mObywatel application.

There are several problems, mainly technological, because at the moment such a system would have to be very complicated. We would have to take the word of people who say that the system is safe, and the point is not to hand all power to the few people who understand it. I am a fan of digitization and conveniences, but taking into account experience from abroad, it can be seen that there can be an influence on elections. By voting online, you can show who you voted for, which can make vote buying easier.

From my point of view, it's a nice idea, but not for now. We do not yet have solutions that would not discriminate against people who will not vote digitally. There are a lot of problems. For example, what if someone votes for you digitally, and then you vote physically? Which vote counts – the earlier or the later one? There are many such issues to solve, so I wouldn't rush into it.

The main argument of e-voting supporters is Estonia, where in the previous elections, in 2023, more than half of the society cast votes remotely, so someone may ask: why did it work there and not in Poland?

This is not a good example, although you have to give them credit for being quite transparent and quick to implement corrections to the system. However, there are counterarguments, for example regarding the certificates, or digital identity certificates, which they use to confirm that you are really you. It turned out that there were gaps there and they had to be urgently replaced for 700,000 people.

Another problem, and at the same time a feature of their system, is that during voting you can change your mind and vote several times. This is specially designed to give the opportunity to change the decision. However, this creates a risk, especially for people who do not cope well in the digital world – above all the elderly and those susceptible to manipulation. If someone steals their identity, they can also vote on their behalf, just before the end of the election.

I have experience related to counteracting fraud, identity theft, deepfakes and other methods that allow you to act in someone's name. These problems are flourishing and there are more and more of them. I think that there may be a lot of such abuses where what is at stake is not only money but the result of the election.

So the main problems are trust and technology. Is there any solution for the second of them on the horizon, maybe blockchain?

The blockchain lobby claims that blockchain will solve all problems. The only question is how it would work. If the blockchain is public and everyone can check the register, there is the problem of how to guarantee the secrecy of the ballot. Of course, there are methods such as zero-knowledge proofs, but when I start talking about such technologies, we will lose half of the readers here, and most people will simply have to say “ok, I'll take your word for it” because they will hear some strange, incomprehensible concepts.

And then the rumour will spread anyway that it was all rigged, and it will be difficult to defend against it. Clickbait theories about forgery will spread quickly. Only a handful of people in Poland will understand this technology, and I am afraid that the voice of experts will not be louder than the shouts of those dissatisfied with the results. In my opinion, this can lead to greater destabilization, manipulation and, as a result, to the weakening of civil society.

Mateusz Chrobok – cyber security expert, passionate about new technologies, develops startups and educates on his YouTube channel. Professionally, he fights online fraud and deals with cybersecurity. Founder of the educational platform uzmnie.pl.

Ashley Davis

I’m Ashley Davis. As an editor, I’m committed to upholding the highest standards of integrity and accuracy in every piece we publish. My work is driven by curiosity, a passion for truth, and a belief that journalism plays a crucial role in shaping public discourse. I strive to tell stories that not only inform but also inspire action and conversation.
