Suspicions of Chinese interference in Canada and US presidential elections under close surveillance should, according to cybersecurity experts, encourage Élections Québec to review its plan to introduce Internet voting in time for the municipal elections in the fall of 2025.
“It’s the perfect recipe for disaster,” exclaims Duty cybersecurity expert Patrick Mathieu, founder of Hackfest, a Quebec summit on cybersecurity. “There are a lot of security elements that are missing from the call for tenders. We’re going too fast. »
The security requirements of Élections Québec in its call for tenders for an Internet voting solution that at least 21 municipalities will test during the 2025 elections are too vague, according to the Quebec expert. “We will end up with an application that will not be sufficiently secure. There is a great risk that its data will be easily accessible by any organized group or by foreign states,” adds Patrick Mathieu.
The case of Internet voting is doubly worrying, according to him, given that Élections Québec decided, Thursday noon, to cancel its call for tenders for “intrusion tests and security audits for the pilot project of Internet voting.
Élections Québec indicated to Duty having canceled it “since no firm responded, as happens for other calls for tenders”, according to a spokesperson. “That said, the selection process continues with regard to the call for tenders to target the supplier of an Internet voting solution. »
Expertise difficult to pin down
With other experts in the field, Patrick Mathieu has been expressing his fears on social networks for several days, in the hope of getting Élections Québec to react. However, the government organization wants to be reassuring. He says he has “a permanent team dedicated to cybersecurity” and adds that the call for tenders includes around a hundred security requirements which will be imposed on the supplier.
“The selected firm must have robust security components,” indicates Élections Québec. The security of the voting system that will be chosen will be based on a five-day test bench, then on a 20-day security audit carried out by external and independent firms.
“An audit at the end of the project should not be the only proof of security,” explains Patrick Mathieu. “And a 20-day audit is too short. We do this for applications that have no real security issues. You should take more time to do it well. »
Patrick Mathieu ultimately wonders why it is so urgent to introduce Internet voting next year. Experiments carried out in Ontario and elsewhere abroad in recent years tend to prove that Internet voting does not lead to any real increase in the rate of electoral participation, the objective behind this project launched six years ago on demand of the National Assembly.
The Quebec expert instead suggests that the government focus on a reliable digital identity solution, which will then facilitate the establishment of an online voting system.
For the moment, Élections Québec intends to fall back on the identification solution that the Ministry of Cybersecurity and Digital Technology uses on the SAAQclic site of the Société de l’assurance automobile du Québec. This identification tool is not entirely inclusive since it requires citizens who want to identify themselves online to present documents that not everyone necessarily has on hand.
See the long term
Montreal cybersecurity expert and vice-president of the firm ESI Technologies, Patrick Naoum, goes further. He sees shortcomings even in the way the call for tenders was written, which demonstrates the lack of regard shown by public bodies towards cybersecurity.
“We see it when reading the call for tenders,” he said. Several essential cybersecurity criteria are missing from the document. For example, it is unclear how security will be managed after the solution has been completed. Cybersecurity is constantly evolving, what will happen next? How are we going to maintain this development? »
Patrick Naoum posed these questions while attending a cybersecurity conference in Washington, United States. “Everyone here is worried about interference in the American elections. It makes all elections tricky these days. »
“Maybe this is not a good context for this Internet voting pilot project,” he concludes.