Electronic-voting security scrutinized at symposium

GAITHERSBURG, Md. – With the 2004 U.S. presidential election looming, election officials from around the U.S. joined computer scientists, voting machine vendors and others on Wednesday and Thursday to air growing concerns — and some intense disagreements — about the security and reliability of electronic-voting systems.

Dire warnings of computer scientists who are security experts at times seemed as welcome as the proverbial skunk at a garden party during the symposium called “Building Trust and Confidence in Voting Systems,” held at the U.S. National Institute of Standards and Technology (NIST) in Gaithersburg, Md.. Faced with limited budgets and resources, election officials and voting systems vendors repeatedly questioned the feasibility of developing and implementing security standards to the level recommended by the computer science community — what one questioner in the audience called defense department appetites “on a Wal-Mart budget.”

And while the Help America Vote Act of 2002 (HAVA) allocates billions of dollars in funding to election system upgrades, the timeframe for spending the money means that officials will likely buy systems before new voluntary standards are set by the newly formed Election Assistance Commission (EAC). HAVA charges NIST with supporting the EAC in standards development.

IT experts at the symposium questioned whether the current system of testing and accreditation of voting systems against voluntary standards is effective, given recent reports that scrutinized DRE (direct recording electronic) systems from leading vendors and found high-risk vulnerabilities in the machines. Those reviews include a joint Johns Hopkins University and Rice University review of source code from a Diebold Inc. system that was leaked onto the Internet this year; an analysis of the same system by Science Applications International Corp. on behalf of the state of Maryland; and a security review of four systems, including Diebold’s, by Compuware Corp. for the state of Ohio.

A co-author of the Johns Hopkins report argued that the current accreditation regime is insufficient, and that the logic and accuracy tests conducted by laboratories certifying that systems meet existing voluntary standards do not test computer security.

“It’s easy to hide code in large software packages, and virtually impossible to detect back doors,” said Avi Rubin, an associate professor of computer science and technical director of the Information Security Institute at Johns Hopkins in Baltimore.

Rubin disputed the argument put forward by Brit Williams, a computer science professor at Georgia’s Kennesaw State University and evaluator of election systems for that state, that a system with known vulnerabilities can be surrounded with procedures that ensure a safe, secure election. “Good procedures are no excuse for deploying machines that are grossly insecure,” Rubin said.

Particularly worrisome to security experts is that using current DREs does not provide an independent record of votes cast in case there are serious concerns that a system has malfunctioned or its security has been breached.

While many of the systems have redundant components, so that votes are recorded in multiple places, that is only used to protect against “obvious things like power failures,” according to Douglas Jones, an associate professor of computer science at the University of Iowa in Iowa City who has been a voting machine examiner for that state since 1994. In his conference presentation, Jones added that there is a window of opportunity, albeit of just a few milliseconds, when there is no independent data path, and he pointed out that it is possible to build a system where two redundant mechanisms independently record the voter’s action.

Those who are concerned with the security of DREs are calling for audit trails with the systems that allow a voter to verify that a vote has been properly recorded by the machine. How to implement those audit trails is a subject of controversy: A vocal group is demanding voter-verifiable paper audit trails, and recently succeeded in convincing the California secretary of state to mandate that approach. But many election officials seem strongly opposed to introducing that requirement, arguing that adding printers to systems will increase not only costs but the likelihood of mechanical failures as printers break down, jam or run out of paper. Colorado Secretary of State Donnetta Davidson also warned attendees that in recounts when the paper doesn’t match the machine tally there will be no way to know which total to trust and “we’ll end up in court.”

The symposium did see some agreement on the issue of conformance testing to the new specifications that are to be set by the EAC: there appeared to be a consensus that developing the tests is going to be an enormous undertaking. NIST invited Patrick Curran, manager of Java conformance testing at Sun Microsystems Inc., to provide his perspective on the issue. Curran called the current voting systems standard a “broad and ambiguous specification” and observed that “You guys have got a big job ahead of you.” He did caution that with regard to security, “don’t plug holes in the hardware and software specification by defining processes that humans must implement.”

Questioned by attendee Hans von Spakovsky of the U.S. Department of Justice’s Civil Rights Division about whether it’s a good idea that commercial off-the-shelf (COTS) components of election systems are currently exempt from conformance testing, conference speakers appeared to agree that the exemption is troubling. But the feasibility of such testing is a problem.

“Philosophically we do agree that COTS should not be exempted. But do you have access to the source code?” said Herb Deutsch, who chairs the IEEE committee on voting equipment standards and is employed by Election Systems & Software Inc., a DRE vendor. “If it’s a Microsoft operating system, what do you do?”

That gulf between the theoretical and practical is characteristic of the electronic-voting controversy, as computer scientists maintain that no software can be made provably secure and must therefore include audit trails, while election officials need to run elections that go smoothly and where there are no doubts about the outcome. No one wants a repeat of Florida in the 2000 election, the nightmare scenario that HAVA was intended to avert.

Some election officials even charge that the computer security specialists who have joined the voting systems debate are needlessly undermining the confidence of voters. However, according to Iowa’s Jones, the opposite is true.

“Trustworthy systems must rest on one central principle: trust no-one,” Jones said.