Experts outline e-voting security requirements

Computerworld - A panel of IT security experts yesterday proposed a series of detailed recommendations that they said state and local jurisdictions must act on immediately to ensure the security of electronic voting systems and the accuracy and transparency of the November presidential election.
In a report released by the Brennan Center for Justice at the New York University School of Law and the Leadership Conference on Civil Rights, four high-profile IT security experts, including Howard Schmidt, a former White House cybersecurity adviser, outlined a comprehensive strategy for certifying the security and reliability of touch-screen direct recording electronic (DRE) voting systems. Those systems will be used by 30% of registered voters in the upcoming presidential election.
While analysts in the security and elections communities praised the report, most agreed that it may have come too late for states and local jurisdictions to act upon.
Chief among the panel's eight recommendations is a call for elections officials to hire a well-qualified, independent security team to examine the potential for operational failures and malicious attacks against DRE voting systems. According to the report, such an expert security team "must be free of any business relationships with any voting system vendors or designers" and must be granted unfettered access to all software code and configuration data.
The panel also recommended that all jurisdictions contract for independent "red team" exercises to uncover any hidden physical and electronic vulnerabilities in DRE systems. And it urged election officials to make public information about the level of cooperation received from DRE system vendors.
Site-specific security procedures and physical security also weighed heavily in the panel report. For example, the experts urged jurisdictions to use "tamper tape" on all vulnerable hardware devices and to document strict procedures for repair of systems. An investigation after the 2000 election, for example, found that all 32,000 of Maryland's touch-screen terminals had the same locks and keys, making every machine accessible to anyone with one of the keys. The keys could also be easily reproduced at three local hardware stores.
In addition, systems that malfunctioned in Fairfax County, Va., were removed for repair and returned to service during election day, the report said -- raising the possibility that votes could have been altered with no process in place to spot any problems.
Margaret Luca, a spokeswoman for Fairfax County, disputed the assertion that the machines were put back into service.
She said the audit logs from each machine show that they were not returned to service on Election Day except to collect the vote