The Cyber Threat To Germany's Elections Is Very Real

Authorities say they’re ready for the worst, but recent attacks suggest otherwise.

The logo of Germany's newly created national cyber attack protection office.
The logo of Germany's newly created national cyber attack protection office, a subsidiary of the federal IT security agency BSI, is pictured in Bonn on June 16, 2011.  (Wolfgang Rattay / Reuters)

One afternoon in early September, a small group of journalists, policy makers, and visitors in Berlin gathered for a lunch panel discussion, titled “Who’s hacking the election—how do we stop the attackers?” Hans-Georg Maassen, the head of the Federal Office for the Protection of the Constitution (BfV), Germany’s domestic-security agency, was the guest of honor. In his remarks, he warned of the dangers of what’s known as white propaganda”: information illegally collected and disseminated by hackers with the intent of manipulating public opinion against the German government and disrupting its upcoming parliamentary elections. “We and our partners are of the opinion that the background [of the hack on the Democratic National Committee] in the U.S. was Russian,” he said. Russian military intelligence, his office alleged, was very likely responsible for hacking and leaking top DNC officials’ emails during the 2016 campaign season, exposing sensitive internal-party communications that drove a wedge through the party. Maassen warned that a cyber attack on the German government now, so close to the country’s vote on September 24th, remained a possibility.

Such a hack would not be new. Two years earlier, the IT system of the Bundestag, Germany’s lower house of parliament, was hit by a large-scale attack; in the months that followed, further incursions infiltrated Chancellor Angela Merkel’s Christian Democratic Union of Germany (CDU), the foreign ministry, and the finance ministry. The breaches were blamed on the Kremlin-linked hacking unit APT28, or Fancy Bear, the same group tied to the DNC hack and the cyber attack in France on the campaign of President Emmanuel Macron just days before the country’s election.

Maassen assured his listeners that Berlin was prepared for whatever may be in store in the weeks ahead. Germany’s top security agencies had been fortifying their defenses for months, readying for an eleventh-hour hack while shoring up weak spots, including the software used to tally ballots on September 24th, he said.

But two days after the lunch in Berlin, Die Zeit published a deep investigation into PC-Wahl, a widely used vote-counting software system in Germany. A team of reporters and three IT analysts uncovered alarming security holes that could allow hackers to manipulate results on local and state levels with ease. The Chaos Computer Club (CCC), a Berlin-based hacker association tasked with confirming the investigation’s results, outlined myriad weak links in PC-Wahl, which is owned by the company vote iT. For one, CCC found a username and password for PC-Wahl’s internal service area that gave the hackers unobstructed access to the software code. PC-Wahl also collects results on an unencrypted spreadsheet-like file , opening the door for hackers to falsify numbers. While some flaws in the software’s security architecture were to be expected, these vulnerabilities were gaping, numerous, and easily exploitable.

In another investigation published earlier this month, Der Spiegel revealed a hodgepodge of software providers employed by different regions, with PC-Wahl believed to be in use in at least half of Germany’s 16 states. “The software we looked at is so easy to hack that if you were a major adversary, it wouldn’t take you long to hack the other software, too,” Frank Rieger, a spokesman for CCC, told me, adding that other software packages were also poorly protected. “Germany used to joke about the U.S. and its election technology as being so chaotic, but it turned out … when it comes to vote tallying software, the same holds true here.”

German authorities insist they’ve long been aware of these vulnerabilities, and have been working to safeguard the election. In a statement released after the investigation dropped, the Federal Office for Information Security (BSI) said it had already been working with vote iT to improve security, and that the company was taking further steps to fortify its software. The Federal Returning Officer, which oversees federal elections, said it had urged vote iT to install software updates immediately and add more protections for the day of the election, like requiring results to be confirmed on the phone as they are transmitted up the chain.

Vote iT did not yet respond to a request for comment. It is a private company, however, and with just days to go to the election, Berlin has little real recourse now beyond calling for urgent patches to the problems.

Germany and the West are increasingly reckoning with subversive forces from beyond their borders that put government agencies, critical infrastructure, and companies under threat. Berlin has recognized that the battlefield is shifting, but so is the enemy. And European governments have yet to develop a cogent strategy for rebuffing hackers intent on undermining democracy—especially when that democracy is dependent upon technology that can easily be compromised.

Despite the flaws CCC uncovered, it did point out that polling workers must verify results and report inconsistencies at the local level, helping them catch voting discrepancies quickly. Germans also cast their votes on paper ballots; even if the software that tallies the vote is compromised, the ballots themselves cannot be. Still, preliminary results that reach the media on election day could be compromised, and analysts fear irregularities could rattle voters’ faith in the country’s democratic process. In its annual report released this summer, the Federal Office for the Protection of the Constitution (BfV) described the use of cyber attacks as a tool to undermine democracy with “massive consequences for the domestic political situation.” The agency pointed to the DNC hack as a clear attempt to influence the U.S. vote in favor of Donald Trump.

All this comes as Germany grapples with the rise of its own political outsider, the right-wing nationalist Alternative for Germany (AfD) party. Since its founding in 2013, it has come to champion anti-foreigner and nationalist sentiments that have shattered long-held taboos in Germany and challenged its system of consensus politics. The party also advocates friendlier ties with Russia, and has denounced the current government’s diet of sanctions and reproach towards Moscow. It has already accused mainstream parties and media outlets of colluding to squash any real opposition. It is also on track to becoming the third-largest party in the Bundestag.

Stefan Heumann, co-director of the Stiftung Neue Verantwortung (SNV), a Berlin-based think tank focused on technological change, told me the worst-case scenario is one in which election observers discover problems with the results and the government is forced to call for a recount. “If you have to do a recount there is a sort of shadow [over the vote], especially for [those on] the fringes because they have their conspiracy theories,” he said, referring to the AfD.

Even if voting software is not compromised, the government remains a target for hackers. In the 2015 breach—the broadest and deepest Germany has suffered—attackers used Trojan viruses to compromise the email accounts of at least 15 MPs. It took months, however, for federal investigators to recognize the scale of the attack and take the IT system offline, and install new software and hardware across the Bundestag. The hackers have not released the stolen material yet; some lawmakers have speculated there was simply nothing of interest in official Bundestag emails. But others fear the leaked material could still be published in the coming days, or even after the vote.

Bettina Hagedorn, a Social Democrat in the Bundestag, was one of the victims. “I kept trying to figure out what they might have been searching for on my computer that would’ve been relevant and I couldn’t think of anything,” she told me. Experts said the prime targets appeared to be lawmakers working on Russian policy or related fields. Though Hagedorn does not fit the bill, she does sit on the appropriations committee, which oversees the intelligence services’ budget. “On the one hand, I trust that they improved the security. And on the other, I think all of us know it could happen [again] at anytime,” Hagedorn said. “It’s a major election campaign season and any possible hackers see it as an opportunity.”

The attacks would continue. In the first half of 2016, the BSI recorded more than 400 hacks a day on government networks that could not be recognized by commercial malware software. Roughly one a week could be linked to a foreign-intelligence agency.

Meanwhile, the specter of “black propaganda”—trolls, social media bots and fake news used to wage disinformation campaigns—also looms large. In January 2016, Russian media reported the alleged rape of a 13-year-old Russian-German girl by a group of refugees in Berlin. She had fabricated the attack, she later admitted, but not before Russian-Germans took to the streets in protest and Sergei Lavrov, the Russian foreign minster, had accused Berlin of covering up the story. Earlier this year, after the Social Democratic Party’s Martin Schulz announced his candidacy for chancellor, a story claimed his father had been a concentration camp guard—also untrue. It briefly made waves but was easily discredited.

In August, SNV led a study into the impact of fake news, examining a test case involving prominent evangelical leader Margot Käßmann. The AfD claimed that Käßmann, speaking at a church assembly event in Berlin in May, had said that any citizen with two German parents and four German grandparents was a neo-Nazi. Her words had been taken out of context and manipulated. Still, the story spread rapidly on right-wing media, Facebook, and Twitter. It was shared and posted more than 27,000 times in the days following. Major media outlets debunked the story within two days, but there was far less interest in the correction. The conclusion: Germans, too, are vulnerable to false stories.

Even so, Heumann of SNV argued that disinformation campaigns require a deeply polarized society to really flourish and Germans are still far less divided than Americans. The German media are an important watchdog, and they expect a hack or leak. A majority of Germans still trust traditional print and broadcast outlets.

“If the mainstream media immediately frame these stories in the context of disinformation, announcing it could be a hack and we need to be careful, far fewer Germans would share it and be vulnerable to being influenced,” Heumann said.

Weeks after the U.S. election last November, Merkel invited a data scientist to brief her cabinet on the dangers of bots, trolls, and fake news in shaping voters’ opinions. In June, the Bundestag approved a law aimed at corralling fake news and hate speech by forcing social networks like Facebook and Twitter to delete criminal content—hate speech, defamation, and incitements to violence—within 24 hours, or face massive fines. The Interior Ministry is considering forming a new agency to combat fake news. The government has directed significant resources towards cyber security; in addition to the BSI and the BfV, the military has also added a cyber command team. Seven government bodies, including the intelligence agency, have banded together to create a joint cyber-defense center.

Yet it is also the cornerstones of Germany’s democracy—its institutions, its consensus politics, and its social cohesion—that have become the target of hackers looking to sow discord; these could prove far more difficult to protect.

“Campaigns are at the heart of our democracy and they need to be out in the public,” Heumann said. “We need to have a broader debate and think about the boundaries of what’s acceptable, and what practices further undermine our democracy that we should not allow.”