E-vote at Risk
Despite vendor assurances, researchers remain concerned about the security and reliability of electronic voting systems.
Computerworld - This November, as many as 50 million Americans could vote for president using some form of electronic touch-screen system, the vast majority of which have been designed by McKinney, Texas-based Diebold Election Systems. That has some IT and security researchers holding their breath because of the faulty track record of Diebold's technology and a government-endorsed testing and certification process that they say is deeply flawed.
Those critics say that direct recording electronic (DRE) voting systems remain vulnerable to manipulation and malfunction, particularly in states that have ignored some recommendations of independent researchers, like Maryland has.
State election officials, on the other hand, say they are confident that appropriate safeguards are in place to ensure the security and accuracy of the 2004 vote.
Among the most pressing issues cited by critics are a lack of technical standards governing DRE software development, the failure of the government to impose transparency on the software testing and certification process, and the lack of technical security knowledge throughout the many state and local jurisdictions that oversee elections where DREs will be used.
Johns Hopkins University professor Aviel Rubin, who last year published a study of portions of the Diebold software code, says the quality of that code was below minimum standards for a production system. Rubin's report cites a lack of industry-standard change-control processes and documentation, as well as specific technical weaknesses.
Jonathan Gossels, founder of SystemExperts Corp. in Sudbury, Mass., says his review of the Diebold code showed that it was "amateurish" in its design. More important, the amount of code that has been studied and found wanting "is only the tip of the iceberg" of the millions of lines of C++ and Microsoft Windows-based code that powers the Diebold touch-screen systems and back-end management servers, says Gossels.
The testing procedures of vendors, particularly Diebold, are also under suspicion. Jerry Rudisin, CEO of Agitar Software Inc., a software testing company in Mountain View, Calif., says he suspects that the original Diebold code wasn't subjected to unit testing based on the lack of change-control documentation. And because of this, "a lot of bugs end up getting through to the deployed systems," he says.
A January 2004 study by the Innovative Solutions Cell at Columbia, Md.-based RABA Technologies LLC tested Diebold systems that were to be deployed for Maryland's March 2004 primaries. The study found the general lack of security awareness in the Diebold code "a valid and troubling revelation." In addition, the report confirmed Rubin's assertion that there was little evidence that widely accepted standards of software development had been followed.
One of the most critical aspects of the voting system development process is the testing and certification of hardware and software to ensure that they meet voluntary federal voting standards for security and reliability. Three vendors act as so-called independent testing authorities (ITA). However, IT experts are highly critical of the testing process because of its secrecy.
This pilot fish is a contractor at a military base, working on some very cool fire-control systems for tanks. But when he spots something obviously wrong during a live-fire test, he can't get the firing-range commander's attention.
- IT Certification Study Tips
- Register for this Computerworld Insider Study Tip guide and gain access to hundreds of premium content articles, cheat sheets, product reviews and more.
- Reduce federal infrastructure risk with compliance management and situational awareness
- IBM continuous monitoring and management solutions deliver real-time situational awareness to help federal agencies understand vulnerabilities, and protect the infrastructure.
- SANS: Next-Generation Datacenters = Next-Generation Security
- This whitepaper takes a look at some new technology that may allow security teams to implement more flexible and capable protection models in...
- SANS: Protecting Virtual Endpoints with McAfee Server Security Suite Essentials
- SANS review of McAfees Server Security Suite Essentials that address some of the emerging challenges of securing virtual platforms and cloud environments.
- Safeguarding the Next-Generation Data Center
- Use of virtual and cloud servers has exploded. Unfortunately, security often lags behind. McAfee recommends looking at innovative solutions in order to erect...
- Aberdeen: Securing the Evolving Datacenter
- This report highlights ways security technologies and services are evolving to provide the visibility and control needed to deploy workloads flexibly in the... All Government IT White Papers
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily...
- On Demand: Mastering the Art of Mobile Content Management Mobile device usage in the enterprise has skyrocketed, and it continues to escalate. IT must answer to users who demand access to their...
- DevOps with PureApplication System: Reduce cost and speed delivery with an integrated IBM Cloud solution Join this webcast to hear what ING Netherlands has been able to achieve while deploying DevOps tools from IBM Rational. An ING executive...
- All Government IT Webcasts