RealTime IT News

VoteHere Reports Network Break-in

Officials at Bellevue, Wash.-based VoteHere, Inc., announced Monday evening they have found the intruder who was able to gain access to its corporate network in October.

Jim Adler, VoteHere president and chief executive officer, said his team has been working with agents from the FBI and Secret Service for the past two months to discover the identity of the culprit. At the request of these officials, he said the breach wasn't announced to the public so an investigation could be completed without warning the perpetrator.

"We have this person's name, we know where this person lives; we identified that within 24 hours of the break-in and we gave that material over to the authorities," Adler told interenetnews.com.

It's now in the hands of the authorities, Adler said, whether or not to press charges against the individual.

"If there's a case there, and based on the tens or hundreds of megabytes of evidence that we collected and turned over to them, as well as what the Secret Service collected, they have to make that final determination," he said.

The person was able to gain access to the e-voting manufacturer's files through a known vulnerability in the network's operating system that wasn't patched with the latest security updates.

Any information gathered from the network is useless from a security or verification perspective, Adler said.

"We have disclosed all of our technology and are doing an internal review on our source code, which we intend to release in the next couple months," he said. "There's no 'security through obscurity' approach at VoteHere."

The breach does, however, shine a light on an e-voting industry that has been fielding questions on the security of the products they sell to organizations conducting elections, most notably the federal and state governments. That doesn't mean e-voting machines are not safe for elections today, contends Jeff Baum, Gartner Research vice president on public policy. While the manufacturing industry making the machines have some work to do, so do the people operating the new machines.

"The biggest issue we have right now is not that the systems aren't safe, but that the procedures aren't," he told internetnews.com. "People don't follow common sense procedures when they're using most voting equipment, not just electronic voting equipment.

"We have to make sure that we have got procedures, processes and rules in place that allow us to operate both safely, securely and reliably," Baum added.

Earlier this year, information popped up on Web sites around the world documenting the security flaws in Diebold, Inc. , e-voting machines. The documents showed several areas within the company's e-voting system where a person could alter or otherwise edit the tallies made during an election, whether from a hacker or a person within the Diebold company or election organization.

Officials at Diebold Election Systems tried to shut down the sites publishing the information, but not before government officials caught wind of the security issues and launched a campaign to amend the Help America Vote Act of 2002 (HAVA). The Act called for funds to help states upgrade their voting systems from punch cards to newer, more efficient and secure technology.

Seven months after HAVA was made a law, the Democratic-led Voter Confidence and Increased Accessibility Act of 2003 was proposed, which required any new technology used in HAVA to have a paper audit trail. Since then, the U.S. House of Representatives bill has stalled at under a 100 signatures, though three Republicans recently endorsed the new measures and two voter verification bills were proposed in the Senate this month, the Voter Confidence and Increased Accessibility Act of 2003 and Protecting American Democracy Act of 2003.

"As I have said all along, making sure that the votes of our citizens are counted properly is not a partisan issue," said Rep. Rush Holt (D-NJ) in a statement recently. "I am confident that more Republicans will join me so that together we can pass this legislation and make sure that every vote cast in every future election is counted accurately."

Holt and the other Representatives supporting the bill support the use of an ATM-like Direct Recording Machine (DRE), which prints out a record of a person's vote while retaining a digital vote within its database. The DRE also has the capability to let the user change their vote if the printed record doesn't match with their intended vote. A printed, "official" record is also kept for election auditors.

Most e-voting machine manufacturers use their own proprietary software on a hardware platform. In the case of VoteHere, it uses Compaq's iPAQ machines after a deal struck between the two companies in 2000. In 2001, Compaq and Cisco Systems took a $10 million investment stake in the VoteHere company.

Diebold uses a touch-screen station running its own Global Election Management System (GEMS) software.

Gartner's Baum said the solution to tomorrow's e-voting machines lies in the hands of everyone in the voting process, from the manufacturers to Congress to the citizens placing the votes.

"All have to get involved with this process in order for it to work," he said. "So what we're looking at is strong private-public partnerships."