NEC's lax attitude
Check finds vulnerabilities in voting, ballot counting systems
The overall election management system of the National Election Commission has been found to be effectively defenseless to hacking attacks.
A joint security check by the National Intelligence Service and Korea Internet & Security Agency detected a number of vulnerabilities in the voting and ballot counting systems and the internal operational system of the commission.
The intelligence agency discovered there had been eight hacking attacks on the commission in the past two years, including seven thought to be from North Korea. It then notified the commission of the attacks, and demanded it undergo security checks by the agency.
The commission refused, citing its status as a constitutionally independent institution. But finally it accepted the agency's demand for security check amid the growing public opinion that checks were inevitable after alleged recruitment irregularities involving the children of some of its senior officials came to light.
Security checks found that a successful hack could potentially classify those who cast their ballots in early voting as not having voted, and vice versa. Unregistered voters could be listed as registered voters. It could also allow hackers to steal image files of stamps to be printed on ballot papers. The results of ballot sorting could be changed. For example, a ballot sorted out for candidate A could be changed into one for candidate B. A hacker could alter the results of the vote counts. It was possible to print out early-voting ballots in quantity without authorization. The internal management system of the commission had also been attacked. These were the findings after checking just 5 percent of equipment of the commission.
It is shocking that the commission has so far used such shabby systems to manage presidential, general and local elections.
The commission denied the findings of the security check. It argued that the technical possibility of hacking attacks on its election management systems does not mean it is vulnerable to actual election rigging. It also said that institutional safeguards were in place to make it virtually impossible to manipulate the outcomes of an election.
But the results of the security check that confirmed technical vulnerabilities to hacking attacks cannot be overlooked. The commission failed to realize on its own that its systems had been hacked for about two years. It failed to respond properly too after being notified by the intelligence service. As public pressure mounted, it finally accepted security checks. Its refutations sound like excuses to evade responsibility.
As to whether voting and ballot counting were hacked in actual elections, the intelligence service said it did not check, but the check results are enough to incite suspicions that it happened. The commission's election management was too slack to take its refutation at face value. Hacking attacks presumed to be from North Korea happened several times.
Now that weak points have been found in the election management system, it is obvious that the commission must take thorough steps to protect itself from hacking. Also an external agency needs to further probe the commission's exposed security vulnerabilities and those found to have neglected security despite notifications by the intelligence service must be held responsible.
If an election result is reversed due to ballot count manipulation, the political and social repercussions would be beyond imagination. With the National Assembly elections just six months away, it has become urgent to tighten security. If distrust of the commission and vote-rigging suspicions persist, counting votes manually is worth considering as a way to prevent suspicions.
South Korea must deal with North Korea, which seeks opportunities all the time to hack elections in the South. Related authorities should be cautious about even a slight chance of election hacking. If employment irregularities had not been exposed and without strong public opinion that an overall check on the commission was necessary, the commission would not have received any security check so far. The commission's easygoing attitude toward hacking attacks and its habitual refusal of any inspection from outside must change.
Source: Yonhap News Agency