Primary ConcernsBy Edward Cone | Posted 2004-03-03 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
Electronic voting machines in Maryland survived their first test, but officials may want to install a firewall before the presidential election.The early returns are in and no voter fraud has been discovered in the wake of Maryland's first statewide use of touch-screen electronic voting machines, which took place during the Democratic primary on March 2. That's a good thing...right?
Maybe not, says the expert who outlined several specific steps Maryland needed to improve its security proceduresonly some of which the state managed to implement before the primary.
"Election officials will think that this validates the system, that now we can all see that it works just finebut that's not the case," says Michael Wertheimer, a systems-security consultant at Columbia, Md.-based RABA Technologies, the firm charged with advising Maryland on its voting security. "In fact, what this means is that when the November election comes aroundthe really important electiona malicious person will have had an opportunity to do reconnaissance."
Nonsense, says Linda Lamone, the state's director of elections. "This showed that our systems are secure," she said after the Super Tuesday vote ended with no major technology glitches. But can a voting system be secure without following a security recommendation as basic as installing an Internet firewall?
The primary was Maryland's first statewide election since purchasing more than $55 million worth of touch-screen electronic voting machines from North Canton, Ohio-based Diebold Election Systems Inc. in 2003.
The RABA report, commissioned by the state and released in mid-January, followed several critical analyses of touch-screen voting machines, including a damning report last summer from researchers at Johns Hopkins University. RABA found that Maryland's Diebold voting machines could be opened with a purloined key or simply pried open, then disabled or reprogrammed. Password protection was deemed inadequate. Researchers also found they were able to dial into the vote-tabulation server, raising the specter that hackers bent on election-tampering could do the same.
Maryland state officials responded prior to the March 2 vote by securing machines with tamper-proof tape, and by creating new, randomly generated passwords for key cards, although the latter was done only at a county level, not the precinct level suggested by the report.
A sampling of voters at Lutherville, Md., on Super Tuesday showed that the systems worked well on the surface. "The machine was easy to use," says Charlie Mitchell, 49. "The only thing I wondered about was what I had read about these machineswere the votes getting counted or not? I don't know."
Maryland failed to carry out other key recommendations as well, such as patching the Windows 2000 software used on its central computer system, and installing a firewall to protect that system. "We are disappointed," Wertheimer says.
Lamone says Maryland will follow through by November on the RABA recommendations it hasn't yet implemented. The state's claim: its Global Election Management System software has choked on patches in the past, meaning any fixes and subsequent independent testing might not have been completed in time. Maryland couldn't risk a system failure, since there was no backup to the touch-screen unitsthe state had already gotten rid of its old, optical-scan voting machines.
The risk of tampering is as old as voting itself, but technology makes it both harder to trace and possible on a larger scale, says political activist Kevin Zeese, who heads an advocacy group called Campaign for Verifiable Voting that wants stricter controls on Maryland's voting procedures.
"The Republicans say the Democrats are out to steal elections, the Democrats say the Republicans are and the Greens say they're both right," he cracks. The group has focused on Web-based activism, posting tools online that allow volunteers to write legislators and newspapers, put logos on their own websites, sign resolutions and so on. About 1,000 people have taken some sort of action through the site, Zeese says.
Diebold has not helped things. The company announced in January 2003 that it had accidentally revealed source code for its voting machines on the Internet, and found itself at the center of a political controversy when its chief executive wrote a letter later in the year pledging to help re-elect President George W. Bush.
Meanwhile, the two groups of professionals involvedelections officials and computer scientistsare talking past each other. Where their specialties overlap, they tend to disagree on both the big picture and the details. "These are wonderful people in elections, but they are not security professionals or information-technology professionals," says Wertheimer, a veteran of the National Security Agency who adds he has witnessed repeated attempts to hack systems at military sites, power grids and phone networks.
Lamone notes the machines had been extensively tested, with every unit undergoing logic and accuracy tests. But David Dill, a Stanford computer scientist who has been a high-profile critic of voting-machine security, says current logic and accuracy tests are inadequate. "They mostly consist of running scripts on the machines," Dill says. "It is incredibly easy to write malicious code that checks whether there is a script running and behaves perfectly in that case. A better test would be to run a mock election, but there are literally dozens of checks that malicious software could use to distinguish a mock election from a real election."
Dill says that testing procedures at the federal level are no better. "I can't even get good information about how carefully the software is inspected by the [federal] testing labs," he says.
Lamone dismisses RABA's success at physically breaking into boxes as unrealistic in the real world, given the presence of election observers, locked storage facilities and other traditional security methods.
But Wertheimer says the biggest risk of tampering with electronic voting machines is from insiderseither elections staff or vendors. "If you have five minutes with a server, you can load a CD and change everything," he says. The risks grow the farther upstream you go. Compromising a single machine might involve 150 votes, the average number of votes counted by a single machine, according to Wertheimer. Cracking a server at the county level in Maryland might mean access to tens of thousands of votes, with more than three million votes at stake at the state level.
"If malicious changes to the software are made before it is distributed to the individual machines, there is no way to defend against it," Dill says. "It can easily be hidden so that it is very unlikely to be detected by any amount of inspection or testing."
Computer experts say that paper ballots printed by the electronic machines would reduce risks of tamperinga position taken last fall by California voting officials.
"Name an electronic transaction that doesn't ask if you want a paper receiptat the bank, the gas pump, Amazon," Wertheimer says.
Indeed, Dill suggests that voting systems need tighter security, since voters' names aren't inscribed on ballots. "Compare that with banks, [which] have paper audit trails all over the place, all transactions have the names of the participants on themand they are still subject to insider fraud," he says. "It's a cost of doing business."
But many voting officials say printers are unreliable and the ongoing cost of paper ballots and storage are too high. "Paper will cause more problems than it solves," Lamone says.
Nevertheless, Lutherville voter William Myers, 74, says he expected a paper trail of some sort, but acknowledges he didn't see one. "Nothing is perfect, I suppose," Myers says.
Wertheimer admits that paper is "a nightmare" to store according to federal standards, but says the costs of building and upgrading security over time will be greater than those associated with paper. "Your local election judges have to be information-technology pros," he says. "Security is a process, not something you achieve. When you buy into an all-electronic solution, you are buying into a lifetime of increasing support, like patching your PC repeatedly against new viruses. You have to stay ahead of the hackers around the world."
Additional reporting by Sean Gallagher