State to check counties' election systems

By MICHELLE NICOLOSI
SEATTLE POST-INTELLIGENCER REPORTER  04 February 2005

The Washington Secretary of State's Office is launching a statewide audit of county election offices to make sure that local election systems are secure and are using only state-approved software and voting machines.

The audit follows similar reviews in Maryland and California, which found that some election offices had used unapproved elections software, lacked basic security training, and had a number of other "high-risk vulnerabilities."

An audit done in California in 2004 found that Diebold Elections Systems which provides elections systems to King County and a number of other counties in Washington had illegally installed unapproved versions of election software in a number of California counties without telling the state.

And recent studies done in Maryland found that "the state of Maryland election system ... contains considerable security risks."

Two reports there found that local elections offices lacked "security awareness training ... well-documented procedures for maintaining the integrity of systems, and the ability to detect and recover from security breaches in a timely manner."

Washington's statewide audit is being done partly to detect and correct these problems if they exist in Washington, said Paul Miller, elections information manager at the Secretary of State's Office.

"What we want to be able to do is to go review the counties' security procedures for managing their systems, to check on what versions (of software) are being used," said Miller. "We want to assure that all the voting systems are in compliance."

The audit scheduled to start early this summer and to end sometime before the 2006 elections will also give state experts an opportunity to explain "best practices" to local officials who may not understand how to keep their computer systems secure, he said.

"The world of voting systems has changed, (and) the counties don't always have the resources to be able to keep up with it. We are putting together the ability to help counties monitor the security of their system," he said.

  
 
One of the Maryland studies commissioned by the state and conducted by RABA Technologies in Maryland found that aspects of some systems sold by Diebold were easily hacked, and designed with a "general lack of security awareness."

Diebold spokesman David Bear said some recent studies have raised "valid issues that have been addressed."

"There were a lot of vulnerabilities," said Pamela Woodside, chief information technology officer for Maryland's state elections office. A number of fixes and security measures were put in place, and the machines Maryland uses for elections are now secure, she said.

But, she said, many states "don't have the same controls that we do." Some are still using predictable passwords one of Maryland's statewide elections passwords used to be 1111 and are not following other basic security measures, she said.

Miller oversaw King County's election systems before moving to the secretary of state's office in 2000, and administered a system that had some of the vulnerabilities he'll now be helping other counties correct.

During his tenure in King County, the county housed the GEMS vote tabulating system on a server that also had Microsoft Access database software installed on it. A sophisticated user with access to that computer and its passwords could have manipulated vote databases by using Microsoft Access, Miller said.

Miller said that in order to take advantage of that vulnerability, a person would have had to have the key to the room where the computer was kept and the password to the machine. Few people had that kind of access, he said. Vote-counting checks and balances in place at the time also meant that if anyone had manipulated the data in this way, it would have been detected, he said. "There were adequate security procedures in place," he said.