CyberEye


Securing voting machines is only half the battle

America has a long and colorful history of election fraud. The electoral shenanigans of Chicago and Cook County in Illinois are legendary. And there is the 1948 Texas Senate race that Lyndon Johnson won by 87 votes in the infamous Ballot Box 13 from Jim Wells County. Some cynics would say Johnson stole that election. But vote buying was an old and honored tradition in South Texas, and if Johnson bought more of them than his opponent, Coke Stevenson, well, Coke had no one to blame but himself.

Still, election officials should be doing everything necessary to guard against fraud in elections. I’m not talking about the fear of millions of undocumented aliens throwing an election. I’m talking about the real threat of manipulating the results from polling sites through unsecured electronic systems.

With the growing use of electronics in elections, the security of network connections to voting systems is becoming increasingly important.

There are a variety of electronic voting systems, or systems in which electronics play some part. At one end of the spectrum is the direct-recording electronic system in which a vote is recorded directly on a computer-based machine with no paper ballot. At the other end is the optical scan system, in which marked paper ballots are scanned and tallied electronically. Regardless of the type of ballot, if the results are reduced to digital data they typically are stored electronically and transmitted over some type of network.

The Election Assistance Commission maintains Voluntary Voting System Guidelines that states can use to certify voting equipment. But the system is voluntary, and even a certified system has to be configured properly to work securely. Too often, little attention is given to how those systems are connected to networks.

“It seems to be pretty much a greenfield area now,” said Rainer Enders, chief technology officer of NCP Engineering, which provides secure access systems and VPNs.

Once a system is connected to a network, it can be exposed to the whole world if proper security is not put into place. This means the data from the system could be intercepted or modified during transmission, or the system itself could be breached and meddled with.

To date there have been no reports of large-scale problems of this type, and the chances of it having an impact on Tuesday’s elections probably are small. But if the last 20 years of IT security history have taught us anything, it is that if something can be done, eventually it will be done. The stakes and the incentives in this type of crime are high enough to attract considerable unwanted attention.

Fortunately, securing a networked voting system presents no particular challenge, Enders said. It doesn’t matter what type of information is being sent over the network; the solutions are the same.

“It’s critically important that as soon as you connect it to an external network it is secure and you don’t allow any unauthorized connections,” he said. And all data must be encrypted. “That is mandatory.”

Officials should not take too much comfort in the fact that election systems typically are up and operating for only a short time. “It does shorten the window of opportunity, but I don’t think it protects you too much,” Enders said. If an election system is being targeted, the attacker knows what that window is and will exploit it. He might not have time for a low and slow attack, but brute force is always an option.

The bottom line: This data is critical. “Don’t take shortcuts,” Enders said. “Use good, best-of-breed, standards-based security.”

Posted by William Jackson on Nov 02, 2012 at 9:39 AM


Reader Comments

Wed, Nov 7, 2012 RW-in-DC

Fraud, whether by registering ineligible voters or hijacking the votes of eligible voters, should be an issue of concern to all participants in the electoral process.
