Study: Fed ‘Guidelines’ Imperil E-Voting Security

The 2008 presidential election could be interesting.

After four years, more than $3 billion in taxpayer money, and an alphabet soup of newly created bureaucracies, electronic voting still isn’t safe.

Key members of the Technical Guidance Development Committee (TGDC) that drafted federal guidelines for designing and testing electronic voting machines admit that significant flaws in the machines could be exploited by hackers to change the outcome of local or national elections.

Whitney Quesenbery, a member of the TGDC, warned that the credibility of the electoral process would be irreparably damaged if election officials were unable to disprove an allegation that a system had been hacked.

“We don’t want to have a mass experiment,” she told internetnews.com. “But indeed that’s what we’re doing.”

Some of the most respected names in cryptography and cyber security say that the TGDC’s guidelines fail to mandate any independent means of verifying results.

The guidelines, called the Voluntary Voting System Guidelines (VVSG), also leave gaping security holes, they say, by allowing wireless communications with electronic voting machines and by exempting commercial off-the-shelf (COTS) software from testing.

But government officials charged with enacting these guidelines insist there’s nothing to worry about, and that if there were, there’s nothing they could do about it anyway.

The evidence would argue otherwise.

A just-released study by the Brennan Center for Justice at NYU School of Law documents these flaws. The report says the nation’s three most commonly purchased types of electronic voting system remain needlessly vulnerable to computer hacking, and it lays out steps to remedy the flaws.

The authors of the report, who include renowned experts like Ron Rivest, Bruce Schneier, Howard Schmidt, and others, conclude that simple steps could be implemented to effectively thwart the most significant types of attacks.

Raised voices

According to Quesenbery, the less-than-ideal guidelines were published because of political expediency and infighting between members responsible for drawing up the security section of the VVSG.

Quesenbery told internetnews.com that the guidelines skirted important issues, not for substantive reasons, but at least in part because the committee was riven by internal dissension. “Voices were pretty loud on both sides,” she said.

The results of the Brennan Center’s study are probably not what President Bush had in mind when he signed the Help America Vote Act of 2002 (HAVA), which spawned the Election Assistance Commission (EAC), a federal agency that in turn created the TGDC.

The Brennan study outlines an objective methodology for assessing threats to electronic machines and taking appropriate measures to mitigate them.

The report proposes countermeasures and election procedures to thwart attacks on the three systems: Direct Recording Electronic (DRE) voting systems; DREs with voter-verified auditable paper trail (VVPT); and Precinct Count Optical Scan systems.

According to the authors of the study, analysis of threats to these systems shows that it is possible to counter the most pernicious types of attacks — those that only require a small number of attackers. Any attack that requires a large number of conspirators would be easily discovered, they say.

Some members of the TGDC said they were well aware of vulnerabilities of the voting machines while they drafted the guidelines. They included members of the National Institute of Standards and Technology (NIST), as well as Ron Rivest, who is known as one of the fathers of public key encryption. Rivest also happens to be one of the authors of the Brennan Center study.

Rivest, who was outvoted on certain provisions in the TGDC guidelines, admits that he is not at all satisfied with the VVSG as it stands.

“If we were to leave it like this, I would be very unhappy,” he told internetnews.com.

The best possible standards?

One of the flaws, according to experts, is that some voting machines are equipped with wireless communication devices.

They maintain that on Election Day a wireless link could be used to trigger malicious code hidden in the machine’s software.

Despite being aware of this vulnerability, the TGDC did not ban wireless features, because many jurisdictions already use voting machines with those functions, said Quesenbery.

“There simply weren’t enough votes” to decertify machines that are currently in use, she said.

But the TGDC may have been getting mixed signals from the EAC commissioners who nominated them.

Quesenbery said there has always been a question whether the group was to be writing the best standards possible or writing standards that ensure existing machines will remain.

“And would VVSG 2005 end up disqualifying machines that had passed VVSG 2002 and, you know, it’s pretty obvious the way those debates went,” she added.


Leaving a Paper Trail

Paul Degregorio, chairman of the EAC, defended the VVSG, saying that the voting systems are secure. The ones with wireless capabilities, he said, are able to transmit results but cannot receive any transmissions, thus making them impervious to manipulation.

But Lance Gough, executive director of the Chicago Board of Elections, acknowledged that the machine used in Chicago does receive a wireless acknowledgment of receipt on Election Day, which means it has a receive path after all.

Paul Kocher, president and chief scientist at Cryptography Research, told internetnews.com that wireless “certainly simplifies the job of an adversary who needs to access the machines during the election.”

“Anybody who thinks that wireless is not a security risk in these types of environments doesn’t have any understanding of what the failure modes of these systems are.”

The Brennan Center study recommends some form of independent verification system, which it says would counter the most significant attempts to subvert an election.

According to Kocher, a system that allows voters to see a paper printout of their votes before dropping it into a ballot box is one way to prove the trustworthiness of the systems.

“If there is significant fraud, you’ll catch it,” he said.
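The reason a paper record lets officials catch significant fraud is statistical, and the article does not spell it out: an attacker who needs only a few accomplices can alter electronic tallies in only a few precincts, and a hand count of the paper ballots in a random sample of precincts exposes the tampering as soon as one altered precinct is drawn and its paper total disagrees with the machine total. The following Python is an added example written for this page; it is not code from the article or from the Brennan Center report, and the precinct counts, margin and per-precinct shift are constructed, hypothetical numbers.

```python
"""Added example (not from the article or the Brennan Center report): why a
voter-verified paper trail plus a random hand-count audit catches fraud.

Model: an election with `total` precincts, of which an attacker has
corrupted `corrupted`. Officials hand-count the paper ballots in `audited`
precincts chosen uniformly at random and compare them with the electronic
totals. The attack is detected if at least one corrupted precinct is drawn.
All numbers used below are constructed for illustration.
"""

from math import comb


def precincts_needed_to_flip(margin_votes: int, max_shift_per_precinct: int) -> int:
    """Smallest number of precincts an attacker must corrupt to overturn a
    lead of `margin_votes`, if each corrupted precinct can move at most
    `max_shift_per_precinct` votes without the result looking implausible.
    (The per-precinct cap is a modelling assumption, not a measured figure.)"""
    if margin_votes <= 0 or max_shift_per_precinct <= 0:
        raise ValueError("margin and per-precinct shift must be positive")
    # ceiling division: a partially needed precinct still has to be corrupted
    return -(-margin_votes // max_shift_per_precinct)


def detection_probability(total: int, corrupted: int, audited: int) -> float:
    """Probability that a uniformly random audit of `audited` of `total`
    precincts includes at least one of the `corrupted` ones.

    This is 1 - P(every audited precinct is clean), a hypergeometric tail:
    P(all clean) = C(total - corrupted, audited) / C(total, audited).
    """
    if not 0 <= corrupted <= total or not 0 <= audited <= total:
        raise ValueError("counts out of range")
    if audited == 0:
        return 0.0
    if audited > total - corrupted:
        return 1.0  # too few clean precincts to fill the sample
    p_all_clean = comb(total - corrupted, audited) / comb(total, audited)
    return 1.0 - p_all_clean


def audit_size_for_confidence(total: int, corrupted: int, confidence: float) -> int:
    """Smallest random sample that detects `corrupted` tampered precincts
    with probability at least `confidence`."""
    if corrupted <= 0:
        raise ValueError("need at least one corrupted precinct to detect")
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    for n in range(1, total + 1):
        if detection_probability(total, corrupted, n) >= confidence:
            return n
    return total  # unreachable: auditing everything always detects


if __name__ == "__main__":
    # Constructed scenario: 1000 precincts, a 5000-vote lead, and an
    # attacker who dares to shift at most 50 votes in any one precinct.
    TOTAL, MARGIN, MAX_SHIFT = 1000, 5000, 50
    k = precincts_needed_to_flip(MARGIN, MAX_SHIFT)
    print(f"attacker must corrupt {k} of {TOTAL} precincts to flip the result")
    for n in (10, 20, 50):
        p = detection_probability(TOTAL, k, n)
        print(f"auditing {n:3d} random precincts catches it with p = {p:.3f}")
    n95 = audit_size_for_confidence(TOTAL, k, 0.95)
    print(f"{n95} randomly chosen precincts give 95% detection confidence")
```

The point the numbers make is the one in L37 above: an attack that stays small enough to need few conspirators must still touch enough precincts to move the margin, and a modest random hand count of the paper record then finds it with high probability. Without a voter-verified paper record there is nothing independent to count, so no audit of this kind is possible.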

EAC on the Defensive

But the VVSG does not mandate a VVPT, said Rivest, who also supports independent dual verification (IDV), because the EAC told committee members that this was not their prerogative.

Donetta Davidson, EAC commissioner and a former TGDC member, explained the directive.

“There were a lot of great ideas,” she said. “But where is the funding going to come from?”

Maybe that’s what the EAC was supposed to do with the $3.2 billion budget it was given to help local jurisdictions upgrade their equipment.

Complacency concerning COTS may also have something to do with it.

Davidson dismissed the notion that malicious code can be introduced into electronic voting machines, particularly in COTS, which the VVSG says does not have to be tested.

However, Doug Jones, an associate professor of computer science at the University of Iowa, has documented several instances in which holes in COTS software currently used in electronic voting machines can be, or have been, exploited by malware.

Peter Neumann, principal scientist at SRI International Computer Science Laboratory, added that, “anyone who has access to the Microsoft platform on the voting machine can change anything.”

The Force of Law

The EAC also rejected charges that the VVSG is not strict enough. Degregorio said that the guidelines do not have the force of law anyway because the states, and not the federal government, regulate elections.

But by his own count, almost 40 states use the existing national guidelines as the basis for their own regulations, and the VVSG must be used by the independent testing labs that pre-certify voting machines before states will even consider them.

Moreover, the Department of Justice will use the VVSG to assess compliance with sections of HAVA that are mandatory.

Remedies, Said Brennan

The study offers a detailed threat analysis, as well as remedies that could be implemented to protect electronic voting systems.

Howard Schmidt, former chief security officer at Microsoft and a former Bush adviser on cyber security, said that election officials must carry out threat analysis before the 2006 elections, not just before the 2008 presidential election.

They “should read this report and do whatever they can to implement its recommendations in time for the 2006 elections,” he said in a statement.

Rivest also expressed the hope that the study, “will pave the way for widespread adoption of better safeguards.”

So why haven’t they been adopted?

Davidson of the EAC said she was aware of the study while writing the guidelines, but said it was discussed too late in the process for its recommendations to be included in the VVSG.

But TGDC meeting minutes show that NIST staffer John Kelsey, one of the Brennan Center study authors, presented results of the study to the committee in September 2005, three months before the VVSG was published.

Davidson said the recommendations will be considered for the next version of the VVSG, which is to be updated every four years.

That means 2009.
