This article will appear in the September issue of The Voter, monthly newsletter of the League of Women Voters of the Los Altos-Mountain View Area. Reprinted here with permission.
…In many ways, I think voters and counties are the victims of a federal certification process that hasn’t done an adequate job of ensuring that the systems made available to them are secure, accurate, reliable and accessible. Congress enacted the Help America Vote Act, which pushed many counties into buying electronic systems that – as we’ve seen for some time and we saw again in the independent UC review – were not properly reviewed or tested to ensure that they protected the integrity of the vote. That’s what my decisions are about – protecting the integrity of the vote.
- Secretary of State Debra Bowen, quoted in the California Progress Report, August 4, 2007.*
Just before midnight on Friday August 3, Secretary of State Debra Bowen made the dramatic announcement that she was decertifying all of the electronic voting systems tested in her Top to Bottom (TTB) review, as well as the ES&S InkaVote system that was submitted too late for testing. She conditionally recertified all except the InkaVote, but some of the conditions are quite arduous.
Each recertification order contained a long list of detected problems and a still longer list of conditions the vendors must satisfy in order to be recertified. Here is a small sample:
• Only one DRE (Direct Recording Electronic, generally touch-screen) unit may be used per polling location (Diebold and Sequoia) on Election Day or during early voting. This restriction does not apply to the Hart InterCivic machines. At least 5 votes must be cast on the single DREs to protect privacy.
• All votes cast on DREs must be manually counted, using the voter verified paper audit trails.
• Jurisdictions must reinstall all software and firmware on all machines (Diebold, Sequoia, Hart).
• Any post-election auditing requirements are to be paid for by the vendor (Diebold, Sequoia, Hart).
In addition, Bowen required all vendors to produce plans for “hardening” their equipment to protect against some of the security vulnerabilities detected by the TTB. Some of the other requirements were general, applying to all vendors, and some were specific to a particular vendor’s systems.
Prior to her decision, Bowen’s office had released devastating reports from the red teams (“good guys” who try to break into systems to see how vulnerable they are) and the source-code review teams. Both University of California groups found that all the machines that were tested had major security holes and were insecure and unreliable.
Bowen also released an accessibility review report that concluded, “the three tested voting systems are all substantially noncompliant when assessed against the requirements of the HAVA and specified in the 2005 VVSG guidelines.” The documentation reports have yet to be released.
Because the California legislature had moved the date of the primaries to February 2008, and because any decertification had to be announced no later than six months before the next election, which meant by August 3, all the teams were under enormous time pressure, as was the secretary of state.
On March 26 Bowen’s office notified vendors of the upcoming TTB review and asked them for working models of the voting machines, as well as copies of the software, hardware, and documentation, for the systems to be tested.
Diebold, Sequoia, and Hart InterCivic all eventually complied. ES&S, however, did not provide all the requested items until June 26. This left too little time to test the ES&S InkaVote system, which is used solely in Los Angeles. As of this writing, we do not know if the InkaVote will be tested and conditionally certified or if Los Angeles will use some other voting system or hand-counted paper ballots.
Vendor delays caused testing and analysis to start late. As the red team overview report stated:
The short time allocated to this study has several implications. The key one is that the results presented in this study should be seen as a “lower bound”; all team members felt that they lacked sufficient time to conduct a thorough examination, and consequently may have missed other serious vulnerabilities. [Emphasis in original]
The red team reports and source-code reports were released July 27 and August 2, respectively. Because the investigators did not want to provide a road map for subverting elections, individual machine reports had both a public and a confidential portion. The confidential versions were given to Bowen with the request that she provide them to the vendors. But even the public versions are incredibly damning. Indeed all of the reports, which together comprise the most extensive and comprehensive review of currently deployed computerized voting systems ever conducted, reveal significant, widespread, and elementary vulnerabilities and failures.
The vendors, joined by some election officials, immediately attacked Bowen’s reports. They focused on the red team reports, even though the code review reports, as well as the accessibility report, were at least as negative. Diebold stated:
Secretary Bowen’s top-to-bottom review was designed to ignore security procedures and protocols that are used during every election. Her team of hackers was given unfettered access to the equipment, the source code, and all other information on security features provided by DESI to the Secretary of State's office. And she refused to include in the review the current version of DESI’s touch screen software with enhanced security features. Local election officials in California have put in place proper policies and procedures which complement the security features of DESI’s voting solutions. We will continue to work with them to ensure that on Election Day every vote cast on DESI voting solutions is safe, secure and accurate.
A similar theme was sounded by Sequoia:
California’s Top-to-Bottom Review was not conducted in a true election environment. . . This was not a security risk evaluation but an unrealistic worst case scenario evaluation limited to malicious tests, studies and analysis performed in a laboratory environment by computer security experts with unfettered access to the machines and software over several weeks. This is not a real-world scenario and does not reflect the diligence, hard work and dedication to the stewardship of our nation’s democracy that our customers - and all election officials – carry out every day in their very important jobs of conducting elections in California and throughout the United States. . . The methodology used implies that election authority “insiders” have unlimited access to equipment, with no surveillance of their activities through automated methods. This is untrue. Election jurisdictions have several methods of insider deterrence and apprehension. These include cameras in the elections warehouse and computer rooms, audit logging on election database servers and workstations, and laws that make tampering with election equipment a felony at both state and national levels.
Hart InterCivic echoed the complaints:
Putting isolated technology in the hands of computer experts in order to engage in unrestricted, calculated, advanced and malicious attacks is highly improbable in a real-world election. . . Hart InterCivic's Voting Systems are secure, accurate, reliable and accessible for all voters.
It is difficult to imagine that automobile manufacturers, in response to negative crash test results, would argue that their cars would not crash, because safe drivers or good road conditions would prevent such crashes. Yet that is precisely the kind of argument being made by voting machine vendors.
Matt Blaze, leader of the group that analyzed Sequoia’s software, addressed some of the negative comments about the red team reports made by election officials and vendors:
We found significant, deeply-rooted security weaknesses in all three vendors' software. Our newly-released source code analyses address many of the supposed shortcomings of the red team studies, which have been (quite unfairly, I think) criticized as being "unrealistic". It should now be clear that the red teams were successful not because they somehow "cheated," but rather because the built-in security mechanisms they were up against simply don't work properly. Reliably protecting these systems under operational conditions will likely be very hard.
The problems we found in the code were far more pervasive, and much more easily exploitable, than I had ever imagined they would be. . .
In spite of the short time and other sub-optimal conditions, the project found deeply-rooted security weaknesses in the software of all three voting systems reviewed.
I was especially struck by the utter banality of most of the flaws we discovered. Exploitable vulnerabilities arose not so much from esoteric weaknesses that taxed our ingenuity, but rather from the garden-variety design and implementation blunders that plague any system not built with security as a central requirement. There was a pervasive lack of good security engineering across all three systems, and I'm at a loss to explain how any of them survived whatever process certified them as secure in the first place. Our hard work notwithstanding, unearthing exploitable deficiencies was surprisingly -- and disturbingly -- easy. . .
Unfortunately, while finding many of the vulnerabilities may have been straightforward enough, fixing them won't be. . . [The voting systems] need to be re-engineered from the ground up. No code review can ever hope to identify every bug, and so we can never be sure that the last one has been fixed. A high assurance of security requires robust designs where we don't need to find every bug, where the security doesn't depend on the quixotic goal of creating perfect software everywhere.
In the short term, election administrators will likely be looking for ways to salvage their equipment with beefed up physical security and procedural controls. That's a natural response, but I wish I could be more optimistic about their chances for success. Without radical changes to the software and architecture, it's not clear that a practical strategy that provides acceptable security even exists. There's just not a lot to work with.
I don't envy the officials who need to run elections next year.
Barbara Simons, an expert on electronic voting, is a former president of the Association for Computing Machinery, a fellow of the American Association for the Advancement of Science, and the first woman to receive the Distinguished Engineering Alumni Award from the College of Engineering at U.C. Berkeley, from which she earned a Ph.D. in computer science. She joined IBM’s Research Division in 1981, taking early retirement in 1998. She is a member of the League of Women Voters of the Los Altos-Mountain View Area. This article is an excerpt from a book she is co-authoring with Doug Jones, “Who's Minding the Vote? The Perils and Politics of Electronic Voting Technologies,” to be published next summer.
* You can download Bowen's decertification decisions, together with the TTB reports, here. Bowen's quote and an overview of the significance of the TTB review may be seen here.