E-voting: Have we rushed to market?

By Anne Saita, News Writer
01 Nov 2004 | SearchSecurity.com

Anxiety over the accuracy of millions of electronic votes cast tomorrow comes from a question raised often in the IT security community: Did we rush a product to market despite unresolved or even unknown security issues?

"What I see is you've got three or four different voting machines that are being authenticated by nongovernmental bodies," said David Lynch, an IT security expert who has followed both the United States' and Ireland's e-voting initiatives. "The technology is there. These machines do what they are supposed to do, which is count. The issue really comes down to one of trust."

Lynch, vice president of marketing for San Jose, Calif.-based application software provider Array Networks, says he hasn't seen enough effort made by the electronic voting industry to ensure a high level of trust. Almost 30% of U.S. ballots will be cast electronically this election season, and many are forgoing paper-based backups due to time and costs.

"In the high-tech world, you see this a lot -- people running to deploy solutions without considering the human element or the audit element," he said. In the business world, deploying faulty software could lead to security breaches -- a risk some companies assume for competitive reasons. But under these circumstances, Lynch said, "If this thing goes south, the risk is 3-1/2 years in litigation trying to figure out who is going to run the country."

He also said it sends a mixed signal in an era of increased privacy and information security regulation, where legislation like HIPAA and the Sarbanes-Oxley Act demands stricter, demonstrable data controls.

"Would this deployment pass a typical Sarbanes-Oxley audit that most companies are forced to go through today? I look at it and say no it won't," Lynch said. "So we've got a different standard."

Voting modernization mandates are an outgrowth of the debacle following the 2000 presidential elections, in which paper-based ballots wreaked havoc with the election process. To avoid a repeat, counties nationwide have since deployed direct-recording electronic (DRE) machines to streamline votes and ensure accurate counts. But security experts have challenged whether the proper policies, procedures, standards and audit capabilities are in place.

Plenty of noise has come from the computer security community since a copy of Diebold Election Systems' source code was lifted off an FTP server and distributed across the Internet. Computer scientists from Johns Hopkins and Stanford universities later sounded alarms that the systems were vulnerable to vote tampering. Others from equally prestigious places like MIT and Carnegie Mellon University argued those claims were unfounded.

This summer e-vote opponent Rebecca Mercuri urged Black Hat and DefCon conference attendees to break into e-voting machines -- with consent -- to prove their weaknesses. But, Mercuri reported months later, neither vendors nor hackers had taken her up on her challenge.

Meantime, Carnegie Mellon computer science professor Michael I. Shamos again offered $10,000 to anyone who could tamper undetectably with a well-designed DRE. Now in the eighth year of the challenge, Shamos has yet to find anyone willing to accept his wager (which also involves upfront money from the challenger), even after modifying the challenge to avoid digital copyright restrictions.

"I haven't had any takers since anyone who knows his stuff knows he can't tamper undetectably with a voting system," Shamos said last week in an e-mail exchange. "No one will accept the challenge they're sure to lose."

Shamos helped convince a Maryland judge this summer to let voting officials use Diebold AccuVote TS Electronic Voting Systems after activists sued to prevent their use in this week's elections. Maryland, along with Georgia and California, has one of the largest concentrations of e-voting machines in tomorrow's races. Diebold has a lion's share of the market -- 45% -- among four major suppliers.

"Don't believe that a system is unsafe just because a few computer scientists say so," Shamos says. "And don't listen to their claims of insecurity unless they can show you in what way the systems are unsafe."
