eGovernment Forschung seit 2001 | eGovernment Research since 2001
Despite vendor assurances, researchers remain concerned about the security and reliability of electronic voting systems.

This November, as many as 50 million Americans could vote for president using some form of electronic touch-screen system, the vast majority of which have been designed by McKinney, Texas-based Diebold Election Systems. That has some IT and security researchers holding their breath because of the faulty track record of Diebold's technology and a government-endorsed testing and certification process that they say is deeply flawed. Those critics say that direct recording electronic (DRE) voting systems remain vulnerable to manipulation and malfunction, particularly in states, such as Maryland, that have ignored some recommendations of independent researchers.

State election officials, on the other hand, say they are confident that appropriate safeguards are in place to ensure the security and accuracy of the 2004 vote.

Among the most pressing issues cited by critics are a lack of technical standards governing DRE software development, the failure of the government to impose transparency on the software testing and certification process, and the lack of technical security knowledge throughout the many state and local jurisdictions that oversee elections where DREs will be used.

Johns Hopkins University professor Aviel Rubin, who last year published a study of portions of the Diebold software code, says the quality of that code was below minimum standards for a production system. Rubin's report cites a lack of industry-standard change-control processes and documentation, as well as specific technical weaknesses.

Jonathan Gossels, founder of SystemExperts Corp. in Sudbury, Mass., says his review of the Diebold code showed that it was "amateurish" in its design. More important, the amount of code that has been studied and found wanting "is only the tip of the iceberg" of the millions of lines of C++ and Microsoft Windows-based code that powers the Diebold touch-screen systems and back-end management servers, says Gossels.

The testing procedures of vendors, particularly Diebold, are also under suspicion. Jerry Rudisin, CEO of Agitar Software Inc., a software testing company in Mountain View, Calif., says he suspects that the original Diebold code wasn't subjected to unit testing based on the lack of change-control documentation. And because of this, "a lot of bugs end up getting through to the deployed systems," he says.

A January 2004 study by the Innovative Solutions Cell at Columbia, Md.-based RABA Technologies LLC tested Diebold systems that were to be deployed for Maryland's March 2004 primaries. The study found the general lack of security awareness in the Diebold code "a valid and troubling revelation." In addition, the report confirmed Rubin's assertion that there was little evidence that widely accepted standards of software development had been followed.

Mystery Tests

One of the most critical aspects of the voting system development process is the testing and certification of hardware and software to ensure that they meet voluntary federal voting standards for security and reliability. Three vendors act as so-called independent testing authorities (ITA). However, IT experts are highly critical of the testing process because of its secrecy.

"Election officials are buying a software package, and there's not a lot of transparency," says Rudisin. "With voting software, you pretty much buy a pig in a poke."

Ciber Inc. in Greenwood Village, Colo., and SysTest Labs LLC in Denver act as the two software ITAs. Wyle Laboratories Inc. in El Segundo, Calif., is the hardware ITA. All of them refuse to provide details on how they test the voting equipment or on their findings.

"The ITAs that test these machines are hired by the vendors, so they are not independent and not neutral," says Rubin, who hasn't been allowed by Diebold to re-evaluate the source code since his initial study.

Diebold spokesman David Bear says the company stands behind the testing and source code reviews conducted by "independent, unbiased third parties." The reviews are done at the federal level using standards recommended by the Federal Election Commission and at the state level, he says.

Bear also says voting systems are only a small part of the election process, which has many built-in security precautions and redundancies. "The voting machines are completely stand-alone," he says. "No network connection of any kind—wired or wireless—is used during the voting process. The only connection to the machine at the polling place is the AC power cord."

Eric Lazarus, president of New York-based DecisionSmith, says the testing model for e-voting systems "is broken."

Lazarus, lead author of a report by the Brennan Center for Justice and the Leadership Conference on Civil Rights on improving DRE reliability, says 2% of systems should be put through exhaustive testing that simulates Election Day activity. The testing process most states use is based simply on how individual machines count a few test votes.

Supporting Arguments

Election officials for Maryland, Virginia and California, which have invested millions of dollars in Diebold DRE systems, say they're confident that the voting process can be made secure and reliable even if technical vulnerabilities exist hidden in the software.

"We will not overreact to scare-tactic headlines that do not reflect the long-established security protections required by law, policy and procedure," says Jean Jensen, secretary of the Virginia State Board of Elections (SBE), which hired Arlington, Va.-based CACI International Inc. to conduct an independent security assessment of the Diebold systems. She also points out that few of the e-voting critics "have presented any credentials regarding their expertise in election law or the policies and procedures."

All 46 localities in Virginia where DREs from six vendors will be used are developing security policies and procedures based on the CACI recommendations, and those procedures will be audited during the election, says Barbara Cockrell, spokeswoman for the IT manager at the Virginia SBE.

A DRE must be tested in an actual election before it can be sold in Virginia, says Cockrell, who adds that logic and accuracy tests are a key part of the certification process and that no system touches the public Internet.

Linda Lamone, administrator of the Maryland SBE, criticizes RABA's study of DRE use in Maryland, saying the researchers didn't "conduct the exercise in a polling-place environment under the purview of trained election workers ... and bipartisan election judges observing voters' activities."

But Michael Wertheimer, the primary author of the RABA report, says he's convinced that the state's election is a disaster waiting to happen. "Despite our recommendations, Maryland has decided that each county will get only one password to protect their precincts. That means only three passwords protect these counties," he says. "If any one of these passwords is compromised and exploited, Maryland is up for grabs. All it takes is one election official to allow someone five minutes' access to the server to completely rig the election."

Not quite, says Lamone. First, she says, no servers are located at polling places. Second, "neither the staff at the local boards of elections nor the election judges know the cryptographic keys to the units or the server administrative passwords," she says. "The alphanumeric keys are created at my office and are only known to people on my staff who need to know." Lamone adds that creating keys unique to each precinct would present "a logistical nightmare" and could endanger the security and efficiency of the election.

Wertheimer remains skeptical about the state's preparations to use DREs. "Maryland refuses to put a firewall on servers that are connected via dial-up modems," he says. "They refuse to upgrade the Windows 2000 operating system with the latest security patches—they were 16 patches behind in January of this year."

Lamone says security experts hired by the state determined that since no component of the voting system is connected to the Internet, the firewall and patches recommended by RABA aren't necessary. Moreover, she adds, "a person would have to have knowledge of the encrypted security controls in place for sending the unofficial results by modem, as well as user identification requirements and passwords, to gain access to the server."

Still Time?

Lazarus and Gossels say there is still time for states to implement procedures that can lessen the likelihood of malfunctions and malicious activity and have jointly devised a scorecard that election administrators can use to rate the security and reliability of DRE systems. "The best that we can do in terms of security at this point is still not very good," Lazarus says. "But there's no excuse for not doing some of the easy things."

The bottom line, say Gossels, Lazarus and Wertheimer, is that there will be problems with DREs next month, ranging from malfunctions that cause polling places to close to potentially more nefarious incidents of tampering that nobody is able to detect.

"I am worried that election officials fail to recognize that elections run by computers require a completely different model than those run by paper," says Wertheimer. "It will take a catastrophic voting 9/11 to force change."

Author: Dan Verton

Source: Computerworld, 18.10.2004
