E-voting system security, integrity under fire

Computerworld - WASHINGTON -- IT security researchers have uncovered significant vulnerabilities in the electronic voting systems that nearly 30% of all registered voters will use in the upcoming presidential election, raising concerns about what already looks to be one of the most divisive elections in U.S. history.
In testimony before the U.S. Election Assistance Commission yesterday, security researchers said that without voter-verifiable paper receipts, the 50 million Americans who will use electronic voting machines this fall will have no way of knowing if their votes were recorded properly. Even worse, the code base powering the systems is so large and complex that there's little way for election officials to be sure it is free of malicious code designed to manipulate election results.
"My biggest concern is that in a very large trusted computing base, the threat of somebody with access to the development environment of the code base, particularly the vendor, basically is in position to make the outcome of the election come out how they would like, and it's virtually undetectable," said Avi Rubin, a professor at the Johns Hopkins University Information Security Institute. "The trusted computing base is approximately 50,000 lines of computer code sitting on top of tens of millions of lines of [operating system] code. It is impossible to secure such a large trusted computing base," said Rubin.
Commission members also expressed concern about the potential for vendors to influence elections, especially since some have taken active roles in operating polling stations and, in the case of Diebold Election Systems' CEO Walden O'Dell, stated publicly the intent to deliver election results to President George W. Bush.
Rubin recently had 40 Ph.D. candidates design Trojan horse programs to assess the security of the systems. "I was astounded to see the cleverness and ease with which the malicious code was hidden and how difficult it was to find," Rubin told the commission. "In the short term, meaning November 2004, a voter-verifiable paper ballot is necessary. It's the only way to get around all of the security problems in the machines" and, if necessary, to conduct meaningful recounts.
Rubin, who has come under fire from IT vendors and their Washington lobby, the Information Technology Association of America, recently worked as a polling official to observe the process firsthand. While that experience forced him to rethink some of his early concerns about the security of the system, he came away with new concerns about the risk of manipulation and fraud.
"At the end of the day, the memory cards were taken out