With the just published Technical Guideline TR-03162, the German Federal Office for Information Security specifies security requirements for conducting online social security elections. A day earlier, the Federal Ministry of Health had announced the "Ordinance on the technical and organizational requirements for the implementation of an online election as part of the model project pursuant to Section 194a of the Fifth Book of the German Social Code (Sozialgesetzbuch)" – briefly online election regulation – submitted yesterday 1. October 2020. It will enable eligible voters in the 2023 social security elections to cast their ballots online as an alternative to absentee voting.
The Online Election Ordinance refers in § 4 to securing the elections according to the based "state of the art", which the BSI underpins in TR-03162 with corresponding measures. In the future, a publication in the Federal Gazette is to refer to updated security measures. The guideline first describes the basic specifications and requirements for the implementation of the model project. The information security concept to be drawn up for the elections is to be based on the methodology and systematics of the BSI IT-Grundschutz, which is briefly introduced in TR-03162.
Concrete requirements for security
Security-relevant topics such as the establishment of an information security management system (ISMS), current cryptographic methods for encryption, electronic signatures and time stamps, and trust services are dealt with first. In addition, the policy lists potential attack vectors ranging from tampering with voting directories, to distributing malicious code, to falsifying results, to influencing voters, and more. The further structure of the guideline systematically works through the individual steps of an election with concrete specifications – preparation, execution, determination of the election result and post-processing.