As the November presidential election approaches, it would seem that as many questions linger today regarding the security of the nation’s electronic voting systems as there were four years ago.
After the hanging chad debacle of the 2000 presidential run-off many states moved to update their outdated voting machines and replace them with new ATM-like systems that record votes electronically.
However, well before the 2004 election, IT security experts who had the chance to examine the devices began flagging concerns related to the ability of some e-voting machines to be hacked or otherwise tampered with.
Most memorably, security researchers from the academic sector including David Dill and Avi Rubin released a study highlighting critical vulnerabilities in source code used in the underlying operating system of e-voting machines made by Diebold, one of the biggest names on the market.
Some states chose not to use the devices as a result, while others still utilized the affected technologies, but many of the problems in the systems apparently went unaddressed, as in 2007, California Secretary of State Debra Brown revoked certification for e-voting kiosks made by Premier Election Solutions (Diebold) along with those made by Hart InterCivic, and Sequoia Voting Systems, two other well-known providers.
In their review of the machines, California officials found that all of the companies’ products included woefully insecure software code.
Yet, many states still use the affected machines today.
As a result, leading security experts believe that loopholes remain in the e-voting process that need to be addressed as aggressively as possible, noted in a new report released by code analysis specialists Fortify.
“Election officials, at both the state and federal level, must work with voting machine vendors to ensure security and robustness is built into the software at the core of elections,” the security vendor contends.
To help solve the problem, the report calls on elections officials and voting machine manufacturers to partner with government officials to outline and enforce expanded security metrics for the development of e-voting software.
Fortify suggests that election officials need to adopt a process more similar to Microsoft’s Secure Computing initiative and Security Development Lifecycle (SDLC) to succeed in such efforts, which jibes with the Business Software Assurance (BSA) pitch that the security company uses to pitch its code analysis tools.
Another process that could help improve the security of e-voting systems could be to apply a formal certification program for makers of the technologies — similar to the program that the Payment Card Industry (PCI) Council has created for all makers of credit card processing applications, the report submits.
“Although the nature of elections introduces unique problems when compared with other areas, such as banking, the fundamental problem of developing software that behaves as intended is ubiquitous throughout the business sector,” the company contends. “BSA focuses on the concept that organizations must take security into consideration during planning and design, implementation and testing, and deployment and maintenance in order to adequately mitigate the risks introduced by software.”
Whether or not you’re buying Fortify’s specific development philosophy, it would seem vital that election organizers begin to adopt the same security controls being adopted by people like financial services providers and companies responsible for securing vitally important code bases, such as Microsoft.
“It is simply dangerous to rely on today’s electronic voting machines to deliver a fair and accurate election,” said Rubin, a professor of computer science at John Hopkins University. “The software flaws we uncovered before the 2004 election continue to plague today’s voting systems.”
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.