RealTime IT News

Study: Fed 'Guidelines' Imperil E-Voting Security

The 2008 presidential election could be interesting.

After four years, more than $3 billion taxpayer dollars, and an alphabet soup of newly created bureaucracies, electronic voting isn't safe.

Key members of the Technical Guidance Development Committee (TGDC) that drafted federal guidelines for designing and testing electronic voting machines admit that significant flaws in the machines could be exploited by hackers to change the outcome of local or national elections.

Whitney Quesenbery, a member of the TGDC, warned that the credibility of the electoral process would be irreparably damaged if election officials were unable to disprove an allegation that a system had been hacked.

"We don't want to have a mass experiment," she told internetnews.com. "But indeed that's what we're doing."

Some of the most respected names in cryptography and cyber security say that the TGDC's guidelines fail to mandate any independent means of verifying results.

The guidelines, called the Voluntary Voting System Guidelines (VVSG), also leave gaping security holes, they say, by allowing wireless communications with electronic voting machines and by exempting commercial off-the-shelf (COTS) software from testing.

But government officials charged with enacting these guidelines insist there's nothing to worry about, and that if there were, there's nothing they could do about it anyway.

The evidence would argue otherwise.

A just-released study by the Brennan Center for Justice at NYU School of Law demonstrates the existence of these flaws. The report said the nation's three commonly purchased electronic voting systems remain needlessly vulnerable to computer hacking, and lays out steps to remedy the flaws.

The authors of the report, who include renowned experts like Ron Rivest, Bruce Schneier, Howard Schmidt, and others, conclude that simple steps could be implemented to effectively thwart the most significant types of attacks.

Raised voices

According to Quesenbery, the less-than-ideal guidelines were published because of political expediency and infighting between members responsible for drawing up the security section of the VVSG.

Quesenbery told internetnews.com that the guidelines skirted important issues, not for substantive reasons, but at least in part because its members were riven by internal dissention. "Voices were pretty loud on both sides," she said.

The results of the Brennan Center's study are probably not what President Bush had in mind when he signed the Help American Vote Act of 2002 (HAVA), which spawned the Election Assistance Commission (EAC), a federal agency that created the Technical Guidance Development Committee (TGDC).

The Brennan study outlines an objective methodology for assessing threats to electronic machines and taking appropriate measures to mitigate them.

The report proposes countermeasures and election procedures to thwart attacks on the three systems: Direct Recording Electronic (DRE) voting systems; DREs with voter-verified auditable paper trail (VVPT); and Precinct Count Optical Scan systems.

According to the authors of the study, analysis of threats to these systems shows that it is possible to counter the most pernicious types of attacks -- those that only require a small number of attackers. Any attack that requires a large number of conspirators would be easily discovered, they say.

Some members of the TGDC said they were well aware of vulnerabilities of the voting machines while they drafted the guidelines. They included members of the National Institute of Standards and Technology (NIST), as well as Ron Rivest, who is known as one of the fathers of public key encryption. Rivest also happens to be one of the authors of the Brennan Center study.

Rivest, who was outvoted on certain provisions in the TGDC guidelines, admits that he is not at all satisfied with the VVSG as it stands.

"If we were to leave it like this, I would be very unhappy," he told internetnews.com.

The best possible standards?

One of the flaws, according to experts, is that voting machines are enabled with wireless communication devices.

They maintain that wireless features can be used on Election Day to trigger malware that has been hidden in the machine's source code.

Despite being aware of this vulnerability, the TGDC did not ban wireless features, because many jurisdictions already use voting machines with those functions, said Quesenbery.

"There simply weren't enough votes" to decertify machines that are currently in use, she said.

But the TGDC may have been getting mixed signals from the EAC commissioners who nominated them.

Quesenbery said there has always been a question whether the group was to be writing the best standards possible or writing standards that ensure existing machines will remain.

"And would VVSG 2005 end up disqualifying machines that had passed VVSG 2002 and, you know, it's pretty obvious the way those debates went," she added.

Next page: Leaving a Paper Trail