Voting security: policies versus technologies
Originally Published on NevadaNewsmakers.com, 8/15/2007 2:59:41 PM
The Sequoia voting system is among “the most tested, secure, accurate, auditable and accessible voting systems in our nation’s history,” according to a statement on the company’s website. Either that, or it’s a product that could have been better engineered by any U. C. Berkeley student who did well in an undergraduate computer security class taught by Professor David Wagner. Wagner was a team leader for the recent “top-to-bottom review” of California’s voting system security, and he’s fairly confident that a serious student in his course would have avoided many of the design flaws that showed up in the Sequoia system review.
Sequoia seems equally confident in its product, even after a long list of successful hacks were performed on it during the review, which was ordered by the California Secretary of State. Scrutiny by teams of computer scientists revealed numerous deficiencies in the system, and a level of security one would expect “in a system where security just doesn’t matter,” by David Wagner’s account.
Sequoia Voting Systems, maker of Nevada’s election equipment, called the tests “irresponsible and misleading.” The company’s primary assertion is that they were performed under unrealistic conditions. Sequoia claims the results of the tests are distorted, because of failure to include a defense team — “people, procedures, and processes” to protect the system while the so-called Red Team was making hay with its technical vulnerabilities. Security threats to the system have therefore been overstated.
This is the central question. To what extent should election security be assured by the design of the equipment, and to what extent by the people who run the elections? As a general practice, information systems are protected through layers of technical features combined with elements of personnel and policy management. Both are necessary, and this is Sequoia’s point.
But over-reliance on people and procedures could be fatal to security for a poorly-engineered system, according to U.C. Berkeley’s Wagner. The human element is crucial, but it’s not sufficient.
“One reason our results are so worrying,” says Wagner, “is that we found that every single one of the technological defenses could be breached. Because the security of the software is so weak, you’re completely reliant on poll workers and election officials… They have to work much harder to adequately protect elections than they otherwise would.
“Our current (election) procedures were designed under the assumption that the software was a lot more secure than it actually is,” Wagner continues. “That’s troubling because any procedural mistake at any point can have serious consequences for the integrity of the election.”
On this point Wagner gets a certain oblique agreement from Sequoia. In hearing testimony, the company offered a point-by-point refutation of some of the vulnerabilities ascribed to it, but not always on technical grounds. Often, Sequoia’s recommended “fix” for a technical attack on the system is a people fix, suggesting that the system would be invulnerable, so long as the election workers are well-trained, ever-vigilant, and not corruptible.
The dreaded “yellow-button attack,” for instance, which has been a major source of buzz among election watchdogs. The Sequoia voting machine can be switched to manual mode by simply reaching around to the back of the machine and pressing the activation button. This would allow a voter to vote repeatedly, rather than just once.
Sequoia recommends turning the machines around, so the back of the units faces the poll workers. This assumes that the poll workers will be consistently attentive throughout a long election day, never busy with other duties, and most important, not distracted by an accomplice whose job it is to chat up the poll workers while the yellow-button attacker does his work.
Repeatedly, Sequoia invokes personnel, procedure, and policy as a defense for the system’s known vulnerabilities. Audits, training, anti-virus and anti-spyware updates, secure storage of equipment, camera surveillance. Such measures are important, says Wagner. But they don’t mitigate the system’s blatant flaws.
“I’m a little concerned that the response seems to be deny, deny deny,” he says. The design problems need to be acknowledged, and then they can be addressed.
Wagner suggests that the focus on people and policy is a way for Sequoia to shift blame to county election officers. Elections managers in both states, though, seem to be in verbal lockstep with the vendor, however, taking their talking points directly from Sequoia’s own statements.Explore posts in the same categories: Uncategorized comment below, or link to this permanent URL from your own site.