Study: Fed 'Guidelines' Imperil E-Voting Security - Page 2

Leaving a Paper Trail

Paul Degregorio, chairman of the EAC, defended the VVSG, saying that the voting systems are secure. The ones with wireless capabilities, he said, are able to transmit results but cannot receive any transmissions, thus making them impervious to manipulation.

But Lance Gough, executive director of the Chicago Board of Elections, admitted that the machine in use in Chicago does receive wireless acknowledgment of receipt on Election Day.

Paul Kocher, president and chief scientist at CryptographyResearch, told internetnews.com that wireless "certainly simplifies the job of an adversary who needs to access the machines during the election."

"Anybody who thinks that wireless is not a security risk in these types of environments doesn't have any understanding of what the failure modes of these systems are."

The Brennan Center study recommends the use of some form of independent verification system, which would counteract most important attempts at subverting an election.

According to Kocher, a system that allows voters to see a paper printout of their votes before dropping it into a ballot box is one way to prove the trustworthiness of the systems.

"If there is significant fraud, you'll catch it," he said.

EAC on The Defensive

But the VVSG does not mandate the use of a VVPT, said Rivest, who also supports IDV. This is because the EAC told the committee members that this wasn't their prerogative.

Donetta Davidson, EAC commissioner and a former TGDC member, explained the directive.

"There were a lot of great ideas," she said. "But where is the funding going to come from?"

Maybe that's what the EAC was supposed to do with the $3.2 billion budget it was given to help local jurisdictions upgrade their equipment.

Complacency concerning COTS may also have something to do with it.

Davidson dismissed the notion that malicious code can be introduced into electronic voting machines, particularly in COTS, which the VVSG says does not have to be tested.

However, Doug Jones, an associate professor of computer science at the University of Iowa, has demonstrated (PDF) several instances where holes in COTS currently in use in electronic voting machines can or have been exploited by malware.

Peter Neumann, principal scientist at SRI International Computer Science Laboratory, added that, "anyone who has access to the Microsoft platform on the voting machine can change anything."

The Force of Law

The EAC also rejected charges that the VVSG is not strict enough. Degregorio said that the guidelines do not have the force of law anyway because the states, and not the federal government, regulate elections.

But by his own count, almost 40 states use existing national guidelines as the basis for their own regulations, and the VVSG must be used by independent testing labs who pre-certify voting machines before states even agree to consider them.

Moreover, the Department of Justice will use the VVSG to assess compliance with sections of HAVA that are mandatory.

Remedies, Said Brennan

The study offers a detailed threat analysis, as well as remedies that could be implemented to protect electronic voting systems.

Howard Schmidt, former chief security officer at Microsoft and a former Bush adviser on cyber security, said that election officials must implement threat analysis before the 2006 elections, let alone the 2008 presidential elections.

They "should read this report and do whatever they can to implement its recommendations in time for the 2006 elections," he said in a statement.

Rivest also expressed the hope that the study, "will pave the way for widespread adoption of better safeguards."

So why haven't they been adopted?

Davidson of the EAC said she was aware of the study while writing the guidelines, but said it was discussed too late in the process for its recommendations to be included in the VVSG.

But TGDC meeting minutes show that NIST staffer John Kelsey, one of the Brennan Center study authors, presented results of the study to the committee in September 2005, three months before the VVSG was published.

Davidson said the recommendations will be considered for the next version of the VVSG, which is to be updated every four years.

That means 2009.