Hackers vs. DC voting system: Hackers win

Online system for overseas ballots is defeated during a trial run

The Washington, D.C., Board of Elections and Ethics threw down the gauntlet last week, challenging hackers to have a go at its online voting system. The hackers won the duel.

During a one-week trial of the Digital Vote by Mail system, a University of Michigan professor unleashed his students, and one of them breached the system, Mike DeBonis reports in the Washington Post. When someone cast a vote, the website played “The Victors,” Michigan’s fight song.

The fight song added a touch of humor, but it also revealed a serious flaw. Jeremy Epstein, a computer scientist working for Common Cause, told DeBonis that "in order to do that, they had to be able to change anything they wanted on the Web site."

The board developed the system with the Open Source Digital Voting Foundation with the goal of allowing military and overseas absentee voters to return their ballots more quickly and securely than by mail. The Military and Overseas Voter Empowerment Act, passed in 2009, put Washington and some other voting districts in a bind by requiring a 45-day round-trip for absentee ballots.

D.C.’s short window between the primary and general elections this year has made absentee voting by postal mail unlikely to be done in time, DeBonis writes. So the board pursued the online voting system for about 930 overseas voters.

Before the board conducted the test, Common Cause had warned it about potential problems with the system in letters from voting advocacy groups and computer experts. But the board maintained that the system was secure and invited hackers to attack it during the trial run.

With the system now back on the drawing board, D.C. voters will have to go back to mailing absentee ballots, faxing them or attaching them to an e-mail message.

The use of digital voting systems has fostered an ongoing debate over whether they’re secure and accurate.

One point of contention has been the need for a paper trail to confirm the accuracy of votes cast electronically. VerifiedVoting.org, a nonprofit group, keeps track of which states require voter-verified paper records.

Some other efforts have aimed to improve voting systems. A recent report by the Brennan Center for Justice at New York University School of Law recently called for a national database of voting system flaws to help investigate vulnerabilities.

If there’s a silver lining for Washington, it’s that the hack happened during a test rather than an actual election. The board is now aiming to have a working system ready by spring 2011.

About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.

inside gcn

  • When cybersecurity capabilities are paid for, but untapped

Reader Comments

Thu, Oct 7, 2010

To the comment regarding knowing about the election for a long time: you are absolutely correct. The problem is we don't know who the candidates are until two months before the election. Ballots have to be printed and mailed, etc. Registrars do accept faxed or e-mailed facsimile ballots for the military.

Thu, Oct 7, 2010 Just an IT Guy Colorado

Would it be possible to set up VPN tunnels from military bases overseas to an access point for voting agencies in the US? The State Voting agencies would be able to combine their resources and set up a cental site for military personnel to vote from their closest base. Allowing access from the internet will always be suspicious until we have a foolproof identification system introduced on the internet.

Thu, Oct 7, 2010

I sure hope one of our many advocacy legal aid groups takes this up and sues DC and every state that refuses to count the Military votes. It is OK for the troops to die for their country, yet not have the right to have their vote cast? No excuses. We have known about the next election for a long time. Lack of action on somebody's part should result in firings and lawsuits. Hold their feet to the fire

Thu, Oct 7, 2010 Dick Feltersnatch

Logic would say that anyone who challenges the world in an open forum to defeat "our web-based system" has drank too much vendor/contractor kool-aide. The challenge would be better served to spend time on quality systems and security engineering, and then use a black-hat team to verify, rather than suffer a public humiliation like this program did. There is nothing wrong with confidence, but it should be based upon independent verification and testing, not vendor's marketing collateral.

Wed, Oct 6, 2010 Albert A. Leon 959545

What are we doing about it, NOW! November is right around the corner! Vietnam Vet. (CIB) Al

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group