One afternoon in early September, a small group of journalists, policy makers, and visitors in Berlin gathered for a lunch panel discussion, titled “Who’s hacking the election—how do we stop the attackers?” Hans-Georg Maassen, the head of the Federal Office for the Protection of the Constitution (BfV), Germany’s domestic-security agency, was the guest of honor. In his remarks, he warned of the dangers of what’s known as “white propaganda”: information illegally collected and disseminated by hackers with the intent of manipulating public opinion against the German government and disrupting its upcoming parliamentary elections. “We and our partners are of the opinion that the background [of the hack on the Democratic National Committee] in the U.S. was Russian,” he said. Russian military intelligence, his office alleged, was very likely responsible for hacking and leaking top DNC officials’ emails during the 2016 campaign season, exposing sensitive internal-party communications that drove a wedge through the party. Maassen warned that a cyber attack on the German government now, so close to the country’s vote on September 24th, remained a possibility.
Such a hack would not be new. Two years earlier, the IT system of the Bundestag, Germany’s lower house of parliament, was hit by a large-scale attack; in the months that followed, further incursions infiltrated Chancellor Angela Merkel’s Christian Democratic Union of Germany (CDU), the foreign ministry, and the finance ministry. The breaches were blamed on the Kremlin-linked hacking unit APT28, or Fancy Bear, the same group tied to the DNC hack and the cyber attack in France on the campaign of President Emmanuel Macron just days before the country’s election.
Maassen assured his listeners that Berlin was prepared for whatever may be in store in the weeks ahead. Germany’s top security agencies had been fortifying their defenses for months, readying for an eleventh-hour hack while shoring up weak spots, including the software used to tally ballots on September 24th, he said.
But two days after the lunch in Berlin, Die Zeit published a deep investigation into PC-Wahl, a widely used vote-counting software system in Germany. A team of reporters and three IT analysts uncovered alarming security holes that could allow hackers to manipulate results on local and state levels with ease. The Chaos Computer Club (CCC), a Berlin-based hacker association tasked with confirming the investigation’s results, outlined myriad weak links in PC-Wahl, which is owned by the company vote iT. For one, CCC found a username and password for PC-Wahl’s internal service area that gave the hackers unobstructed access to the software code. PC-Wahl also collects results on an unencrypted spreadsheet-like file , opening the door for hackers to falsify numbers. While some flaws in the software’s security architecture were to be expected, these vulnerabilities were gaping, numerous, and easily exploitable.