informa
/
Perimeter
News

California Hammers on E-Voting

Comprehensive audit and penetration test designed to end voters' fears about electronic voting

Debra Bowen is tired of all the hype about vulnerabilities in e-voting systems. And next week, she and a herd of researchers are going to do something about it.

Bowen, the secretary of state for Calif., said yesterday that the state is ready to begin a "top-to-bottom review" of its e-voting systems, using three teams of experts from universities and private companies all over the state. The researchers will review all of the data they can find about hacking electronic polling systems, and they will try to break into the systems themselves.

Just how vulnerable such voting machines are -- and their underlying software -- has been a sore subject debated by politicians, jurists, and technology experts. (See E-Voting Tested on Election Day, E-Voting Hacks Facts, and Diebold Disses Democracy.) Many states have shunned the electronic systems and reverted to punch cards or good old-fashioned paper ballots marked with a pencil.

The Calif. review, which will begin May 14 and run through July, will result in one of three conclusions, Bowen says:

  • Calif.'s systems will be found to be secure, and voters can rest easy.
  • The systems will be found to be flawed but fixable with additional security measures.
  • The systems will be found to be so flawed that they will have to be decertified and eliminated from the state's voting process.

    The review, which will be led by the University of California, will consist of three separate review teams, each with about seven people, Bowen says. Each team will evaluate documents pertaining to e-voting vulnerabilities, conduct a source-code audit on the state's currently-used voting systems, and execute a "red team penetration test" to see if they can break into the systems and tamper with voting results.

    The state will spend about $1.8 million on the review, which is said to be the first of its kind among state governments. Calif. has spent or allocated more than $450 million on computerized voting equipment in the past few years, the state says.

    The tests will not focus solely on the systems used to cast ballots, but will also investigate the systems used to count ballots, including tabulating devices, software, and peripherals, the state says. Among the vendors to be tested are Diebold, ES&S, and Hart Interactive.

    The vendors will be required to submit all currently-certified equipment used in Calif., as well as new systems they hope to sell to the state in the future, according to the state. If a vendor chooses not to submit a particular model or declines to participate in the tests, then the excluded equipment may immediately be decertified.

    The results of the penetration tests will not be made public, but Bowen says the teams will issue reports on their progress. Several other states -- including N.Y. -- are also considering conducting reviews of their voting systems, particularly after Congress' decision last week to investigate anomalies that occurred in Fla.'s 13th district in 2006.

    — Tim Wilson, Site Editor, Dark Reading

  • Recommended Reading:
    Editors' Choice
    Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
    Joshua Goldfarb, Director of Product Management at F5