E-voting: Have we rushed to market? 
 
By Anne Saita, News Writer
01 Nov 2004 | SearchSecurity.com  
 Anxiety over the accuracy of millions of electronic votes cast tomorrow comes from a question raised often in the IT security community: Did we rush a product to market despite unresolved or even unknown security issues?

"What I see is you've got three or four different voting machines that are being authenticated by nongovernmental bodies," said David Lynch, an IT security expert who has followed both the United States' and Ireland's e-voting initiatives. "The technology is there. These machines do what they are supposed to do, which is count. The issue really comes down to one of trust."

Lynch, vice president of marketing for San Jose, Calif.-based application software provider Array Networks, says he hasn't seen enough effort made by the electronic voting industry to ensure a high level of trust. Almost 30% of U.S. ballots will be cast electronically this election season, and many are forgoing paper-based backups due to time and costs. 
 
 

"In the high-tech world, you see this a lot people running to deploy solutions without considering the human element or the audit element," he said. In the business world, deploying faulty software could lead to security breaches a risk some companies assume for competitive reasons. But under these circumstances, Lynch said, "If this thing goes south, the risk is 3-1/2 years in litigation trying to figure out who is going to run the country."

He also said it sends a mixed signal in an era of increased privacy and information security regulation, where legislation like HIPAA and Sarbanes-Oxley Act demand more strict, demonstrable data controls.

"Would this deployment pass a typical Sarbanes-Oxley audit that most companies are forced to go through today? I look at it and say no it won't," Lynch said. "So we've got a different standard."

Voting modernization mandates are an outgrowth of the debacle following the 2000 presidential elections, in which paper-based ballots wreaked havoc with the election process. To avoid a repeat, counties nationwide have since deployed direct-recording electronic (DRE) machines to streamline votes and ensure accurate counts. But security experts have challenged whether the proper policies, procedures, standards and audit capabilities are in place.

Plenty of noise has come from the computer security community since a copy of Diebold Election Systems' source code was lifted off an FTP server and distributed across the Internet. Computer scientists from Johns Hopkins and Stanford universities later sounded alarms that the systems were vulnerable to vote tampering. Others from equally prestigious places like MIT and Carnegie Mellon University argued those claims were unfounded.

This summer e-vote opponent Rebecca Mercuri urged Black Hat and DefCon conference attendees to break into e-voting machines with consent to prove their weaknesses. But, Mercuri reported months later, neither vendors nor hackers had taken her up on her challenge.

Meantime, Carnegie Mellon computer science professor Michael I. Shamos again offered $10,000 to anyone who could tamper undetectably with a well-designed DRE. Now in its eight year, Shamos has yet to find anyone willing to accept his wager (which also involves upfront money from the challenger), even after modifying the challenge to avoid digital copyright restrictions.

"I haven't had any takers since anyone who knows his stuff knows he can't tamper undetectably with a voting system," Shamos said last week in an e-mail exchange. "No one will accept the challenge they're sure to lose."

Shamos helped convince a Maryland judge this summer to let voting officials use Diebold AccuVote TS Electronic Voting Systems after activists sued to prevent their use in this week's elections. Maryland, along with Georgia and California, has one of the largest concentrations of e-voting machines in tomorrow's races. Diebold has a lion's share of the market 45% among four major suppliers.

"Don't believe that a system is unsafe just because a few computer scientists say so," Shamos says. "And don't listen to their claims of insecurity unless they can show you in what way the systems are unsafe."