Officials at Bellevue, Wash.-based VoteHere, Inc., announced Monday
evening they have found the intruder who was able to gain access to its
corporate network in October.
Jim Adler, VoteHere president and chief executive officer, said his
team has been working with agents from the FBI and Secret Service for
the past two months to discover the identity of the culprit. At the
request of these officials, he said the breach wasn’t announced to the
public so an investigation could be completed without warning the
perpetrator.
“We have this person’s name, we know where this person lives; we
identified that within 24 hours of the break-in and we gave that
material over to the authorities,” Adler told interenetnews.com.
It’s now in the hands of the authorities, Adler said, whether or not to
press charges against the individual.
“If there’s a case there, and based on the tens or hundreds of megabytes
of evidence that we collected and turned over to them, as well as what
the Secret Service collected, they have to make that final
determination,” he said.
The person was able to gain access to the e-voting manufacturer’s
files through a known vulnerability in the network’s operating system
that wasn’t patched with the latest security updates.
Any information gathered from the network is useless from a security or
verification perspective, Adler said.
“We have disclosed all of our technology and are doing an internal
review on our source code, which we intend to release in the next couple
months,” he said. “There’s no ‘security through obscurity’ approach at
VoteHere.”
The breach does, however, shine a light on an e-voting industry that
has been fielding questions on the security of the products they sell to
organizations conducting elections, most notably the federal and state
governments. That doesn’t mean e-voting machines are not safe for
elections today, contends Jeff Baum, Gartner Research vice president on
public policy. While the manufacturing industry making the machines have
some work to do, so do the people operating the new machines.
“The biggest issue we have right now is not that the systems aren’t
safe, but that the procedures aren’t,” he told internetnews.com.
“People don’t follow common sense procedures when they’re using most
voting equipment, not just electronic voting equipment.
“We have to make sure that we have got procedures, processes and
rules in place that allow us to operate both safely, securely and
reliably,” Baum added.
Earlier this year, information popped up on Web sites around the
world documenting the security flaws in Diebold, Inc. ,
e-voting machines. The documents showed several areas within the
company’s e-voting system where a person could alter or otherwise edit
the tallies made during an election, whether from a hacker or a person
within the Diebold company or election organization.
Officials at Diebold Election Systems tried to
shut down the sites publishing the information, but not before
government officials caught wind of the security issues and launched a
campaign to amend the Help America Vote Act of 2002 (HAVA). The Act
called for funds to help states upgrade their voting systems from punch
cards to newer, more efficient and secure technology.
Seven months after HAVA was made a law, the Democratic-led Voter
Confidence and Increased Accessibility Act of 2003 was proposed, which
required any new technology used in HAVA to have a paper audit trail.
Since then, the U.S. House of Representatives bill has stalled at under
a 100 signatures, though three Republicans recently endorsed the new
measures and two voter verification bills were proposed in the Senate
this month, the Voter Confidence and Increased Accessibility Act of 2003
and Protecting American Democracy Act of 2003.
“As I have said all along, making sure that the votes of our
citizens are counted properly is not a partisan issue,” said Rep. Rush
Holt (D-NJ) in a statement recently. “I am confident that more
Republicans will join me so that together we can pass this legislation
and make sure that every vote cast in every future election is counted
accurately.”
Holt and the other Representatives supporting the bill support the
use of an ATM-like Direct Recording Machine (DRE), which prints out a
record of a person’s vote while retaining a digital vote within its
database. The DRE also has the capability to let the user change their
vote if the printed record doesn’t match with their intended vote. A
printed, “official” record is also kept for election auditors.
Most e-voting machine manufacturers use their own proprietary
software on a hardware platform. In the case of VoteHere, it uses
Compaq’s iPAQ machines after a
deal struck between the two companies in 2000. In 2001, Compaq and
Cisco Systems took a $10
million investment stake in the VoteHere company.
Diebold uses a touch-screen station running its own Global Election
Management System (GEMS) software.
Gartner’s Baum said the solution to tomorrow’s e-voting machines
lies in the hands of everyone in the voting process, from the
manufacturers to Congress to the citizens placing the votes.
“All have to get involved with this process in order for it to
work,” he said. “So what we’re looking at is strong private-public
partnerships.”