Electronic-voting security scrutinized at symposium

GAITHERSBURG, Md. - With the 2004 U.S. presidential election looming, election officials from around the U.S. joined computer scientists, voting machine vendors and others on Wednesday and Thursday to air growing concerns -- and some intense disagreements -- about the security and reliability of electronic-voting systems.

Dire warnings of computer scientists who are security experts at times seemed as welcome as the proverbial skunk at a garden party during the symposium called "Building Trust and Confidence in Voting Systems," held at the U.S. National Institute of Standards and Technology (NIST) in Gaithersburg, Md.. Faced with limited budgets and resources, election officials and voting systems vendors repeatedly questioned the feasibility of developing and implementing security standards to the level recommended by the computer science community -- what one questioner in the audience called defense department appetites "on a Wal-Mart budget."

And while the Help America Vote Act of 2002 (HAVA) allocates billions of dollars in funding to election system upgrades, the timeframe for spending the money means that officials will likely buy systems before new voluntary standards are set by the newly formed Election Assistance Commission (EAC). HAVA charges NIST with supporting the EAC in standards development.

IT experts at the symposium questioned whether the current system of testing and accreditation of voting systems against voluntary standards is effective, given recent reports that scrutinized DRE (direct recording electronic) systems from leading vendors and found high-risk vulnerabilities in the machines. Those reviews include a joint Johns Hopkins University and Rice University review of source code from a Diebold Inc. system that was leaked onto the Internet this year; an analysis of the same system by Science Applications International Corp. on behalf of the state of Maryland; and a security review of four systems, including Diebold's, by Compuware Corp. for the state of Ohio.

A co-author of the Johns Hopkins report argued that the current accreditation regime is insufficient, and that the logic and accuracy tests conducted by laboratories certifying that systems meet existing voluntary standards do not test computer security.

"It's easy to hide code in large software packages, and virtually impossible to detect back doors," said Avi Rubin, an associate professor of computer science and technical director of the Information Security Institute at Johns Hopkins in Baltimore.

Rubin disputed the argument put forward by Brit Williams, a computer science professor at Georgia's Kennesaw State University and evaluator of election systems for that state, that a system with known vulnerabilities can be surrounded with procedures that ensure a safe, secure election. "Good procedures are no excuse for deploying machines that are grossly insecure," Rubin said.

Particularly worrisome to security experts is that using current DREs does not provide an independent record of votes cast in case there are serious concerns that a system has malfunctioned or its security has been breached.