Network Security, Vulnerability Management

As the election approaches, e-voting security concerns remain

When it comes down to it, voting systems -- electronic or other -- serve one important purpose: They must convince the loser that they have lost fairly.

The public, though, has other stringent criteria it wants voting systems to meet: Votes must be traceable and when results get close, they should be available to be rechecked. Systems also must be secure, accurate, reliable and readily accessible.

Electronic voting machines, able to tally the votes faster and easier, have the advantage of efficiency.

Ben Jun, an RSA Conference advisory board member and vice president of technology at data security company Cryptography Research, said that with a higher level of public scrutiny, e-voting booths are different from other public machines, such as ATMs.

As a result, these systems have been the subject of repeated analysis for their security -- vote tampering is a real concern -- and their ability to account for votes.

According to the findings of a 2007 review of the voting systems in California, e-voting machines aren't secure. After finding a number of security vulnerabilities in all of the machines analyzed, Secretary of State Debra Bowen has significantly restricted the use of such systems in the state, limiting them to one per polling place, only to be used by disabled voters.

“It was a big deal because as far as the counties were concerned, completing a review of voting machines in 2007 when you have a big election in 2008 was short notice,” Brian Chess, founder and chief scientist at security software provider Fortify, told SCMagazineUS.com.

E-voting includes both touch-screen and optical-scan units. With optical-scan systems, voters mark their ballot by hand,then the ballots are scanned, tabulated and written to a memory card.

But it is the touch-screen machines that have come under fire. Numerous studies have shown that it would be easy to introduce malicious software to these machines, potentially allowing rogue insiders or malicious outsiders to sway an election.

A recently released report from Princeton University researchers shows that New Jersey's e-voting system could be easily hacked in roughly seven minutes. The report said this exploit would be practically undetectable. 

Chris Riggall, spokesman for Premier Election Solutions whose parent company is e-voting machine manufacturer Diebold, told SCMagazineUS.com that the studies claiming it's possible to introduce malicious code into e-voting machine software have never been conducted in a real-world voting environment, where there are safeguards.

Riggall added that with e-voting, instances of fraud haven't happened yet, while other forms of voting have experienced known fraud.

“Voting in America” report
A recent report titled “Voting in America” by Fortify rated six typical voting techniques, from best to worst.

Direct Recording Electronic (DRE), or touch-screen, voting was rated as the fourth best. Hand-counted paper is considered the preferred voting technique, followed by optical scan and absentee voting.

DRE voting was only rated ahead of lever machine and punch-card voting.

According to Fortify, the benefits of DREs are their privacy, ease of use, ability to support multiple languages, ability to accommodate voters with disabilities and the instantaneous results.

About a third of all ballots are cast on DRE machines, Chess said. Though there are some advantages, DRE voting was rated one of the worst because of its lack of verifiability and accuracy. Some e-voting machines have been cited as more secure, namely those with a voter-verified paper audit trail (VVPAT) capability.

Every time a vote is recorded on systems with that technology, there is a printout for the voter, so there is a paper record that can be recounted if necessary.

Jun said he is a proponent of VVPAT technology.

“The whole point of the system is to have a very strong check,” Jun said. “Unfortunately there are some [counties] that have purchased machines without this option and I think that's a mistake.”

On Tuesday, 104,000 Diebold touch-screens and 22,000 optical-scan ballot tabulators will be deployed throughout the country. Almost 70 percent of the Diebold touch-screens in the field come outfitted with VVPAT, Riggall said.

The majority of jurisdictions using Diebold equipment, though, will be voting on the optical-scan system. Only one optical-scan tabulator is needed per precinct, though some precincts may have up to 20 touch-screen units operating at once, Riggall said.

Still, VVPAT technology won't make these machines completely auditable.

“This modification hasn't been 100 percent effective — printers jam and run out of ink, and the glass that protects receipts from tamper becomes scratched and difficult to see through,” the Fortify report states.

In its report, Fortify also recommends measures to ensure the security of e-voting systems going forward.

Future improvements to the election process should be made as a collaborative effort among state and federal election officials and e-voting machine vendors to ensure security is built into the machine's software, the report concludes. Vendors also should work with the commercial sector to conduct code review and penetration testing on machines, the report recommends.

“Is America Ready to Vote?” report
Another new report detailing how prepared each state is to deal with voting system failure on Election Day also prefers other voting systems over DRE machines.

Is America Ready to Vote?” was conducted by the Brennan Center for Justice at New York University's School of Law, Common Cause Education Fund and the Verified Voting Foundation.

The report states that optical-scan ballot systems offer advantages over DRE systems -- with or without VVPAT technology -- and should replace DREs. But if DREs are used, they should include VVPAT technology.

The report indicates, however, that 19 states use machines without VVPAT technology.

“Such records can be an important check to ensure that corrupt software or a programming error did not result in incorrect machine total,” the report states.

Even with VVPAT technology as an additional safeguard, it won't provide any benefit if the paper record is not audited, which the vast majority of states don't do, the report says.

“Paper records will not prevent programming errors, software bugs or the introduction of malicious software into voting systems,” according to the report.

Will open-source code help?
Open-source or proprietary?

It's a debate that has been going on for at least the past decade and reaches beyond e-voting machines, Chess said. Is code more secure if it is open or closed?

“As far as I'm concerned it's basically a draw,” Chess said.

Jun said he doesn't think making the source code of e-voting machines open to public review will necessarily make the machines more secure.

But Ed Felten, professor of computer science at Princeton University, disagrees. He said that having e-voting machines' source code open to public scrutiny does help secure an election by improving voter confidence.

“Even those who cannot read the source code itself can have more confidence in knowing that it is available to experts,” Felten said.

Yet, all this talk about applying auditing capabilities and securing software means nothing if a polling worker with a malicious agenda illegally accesses a machine or miscounts votes.

All computerized voting is vulnerable to inside manipulation, Bev Harris, founder of election watchdog Black Box Voting, told SCMagazineUS.com. States and counties cannot ensure a secure and accurate election, only the public can do that.

“You cannot remain sovereign if votes are counted in secret by government insiders," she said in an email. "Therefore, the core issue is whether all votes are counted in public, not whether machines are 'secure.' A machine can never be secure against its own administrator."

She cited an example of a voting district that has welcomed the public into the vote-counting process: Humboldt County, Calif. publishes ballots on the web so the public can review the count.

Riggall, the Diebold spokesman, said e-voting provides more protections against the threat of inside manipulation compared to paper-ballot voting. 

The machines print out a results tape at the end of an election that looks like a cash register receipt. If available, VVPAT also would be reviewable.

“The security bar for e-voting machines keeps getting raised and that's a good thing,” Riggall said.


 


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.