Ohio Study Confirms Voting Systems Vulnerabilities

bratgitarre writes "A comprehensive study of electronic voting systems (PDF) by vendors ES&S, Hart InterCivic and Premier (formerly Diebold) found that 'all of the studied systems possess critical security failures that render their technical controls insufficient to guarantee a trustworthy election'. In particular, they note all systems provide insufficiently protection against threats from election insiders, do not follow well-known security practices, and have 'deeply flawed software maintenance' practices." Some of these machines are the ones California testers found fault with last week.

Re:Power Corrpution Apathy

[jc42]

Why is it so difficult to comprehend a system that tabulates votes and leaves an audit trail?

Actually, that's one of the major difficulties. With an election, an audit trail must have an important property that isn't required by a financial system's audit trail: The audit trail must not expose a voter's actual votes.

With financial systems, there's no serious problem if the auditing system allows the bank employees to see the numbers in a customer's records. There are even situations where it's considered reasonable for a government agency to access an individual's financial records.

But with voting, exposing an individual's vote to either election employees or government agencies immediately enables such things as vote buying and vote extortion, which would pretty much eliminate the very reason for having the election.

The basic principal of auditing financial systems is to have everything stored redundantly in several different forms, with different people in charge of the different kinds of data, and a lot of cross-checking to spot inconsistencies. This does entail a minor problem of exposure of the data to the outside world, but that's not considered fatal, and can be mostly controlled by fining the people responsible for the exposure. With voting systems, none of this is true. Exposing the votes is a fatal flaw, and the people responsible are very rarely punished. All too often, they're the ones who end up running the government.

It's sorta tricky to come up with an election auditing system that keeps votes secret, while verifying that those votes are accurately counted.

Root cause of election system flaws

As someone who has some insight into one of the named companies, I'm aware of several of the root-cause problems experienced:

• Regulatory-driven reactive security model: The firm views security as something specified by their regulators and only seeks to meet that requirement. They do not perceive any value-added benefit from exceeding client specifications. This results in a product that matches specifications written by election commission consultants, who are hardly qualified to develop security standards.
  
• Reliance on vendor security: One firm perceives their solution as the process of assembling their proprietary election software with other vendors products (hardware, operating systems, etc.). They do not recognize any responsibility for the security of components they sourced and did not create themselves. Operating system flaws are "Microsoft's fault," for instance, and they do not see the need to have internal competencies in identifying, hardening, etc. other than those specified by client specification/contract.
  
• Ignorance of InfoSec best practices: Numerous standards and best practices are very much unknown. The ISO standards, for instance, were something completely new to one firm's head of information security, as were specific practices (e.g. system hardening, code reviews, link encryption practices, etc.). Information security is heavily siloed in the firm and does not seem to integrate with many of the aspects of election system administration.
  
• Lack of a risk-management perspective: Two of the vendors I've evaluated are reactive in the identification and treatment of IT risks. They will respond to external party audit findings, but do not possess the capacity to practively seek them out internally.
  
• Out-gunned internal security expertise: When a firm believes a manager with a Security+ certification is an "expert in security," you can expect a serious lack of depth. External experts are not sought out as they typically expose the lack of internal expertise and the company develops a false confidence in its security capability.
  
• Security findings by outside parties are rejected as unrealistic: The recent California test was seen as unrealistic and not likely to be encountered in a real election environment.
  

In their defense, this condition is rather common for most small firms (as well as many larger ones). As one used to working in an aggressive private industry regulatory environment, I'd suggest that these election firms become aware that their current process is not capable of sufficiently handling its security requirements and establish an industry body, or expect significantly more aggressive Federal intervention.

Re:Voting is a joke on basic principles!

[Attila+Dimedici]

Sorry, you obviously are a product of the modern educational system. The Founding Fathers actually thought this through, that is why the Constitution is written the way it is, with the various provisions and the Bill of Rights. Or as Winston Churchill once said, "Democracy is the worst form of government, except for all the other ways that have been tried."