“Military Grade Security” for elections is a non sequitur

Andrew Gumbel, author of Steal This Vote, op-ed in the LA Times: Stealing Oscar – The Academy of Motion Picture Arts and Sciences’ plan to allow voting by computer is an open invitation for cyber attacks and raises the risk of a fraudulent outcome. <read>

The academy said the software developed by the San Diego-based computer voting company Everyone Counts would incorporate “multiple layers of security” and “military-grade encryption techniques” to ensure that nothing untoward or underhanded could occur before PricewaterhouseCoopers, its accountancy firm, captured the votes from the Internet ether.

Unfortunately, leading computer scientists around the world who have looked at Internet voting systems do not share the academy’s confidence. On the contrary, they say the technology is vulnerable to a variety of cyber attacks — no matter how many layers of encryption there are — and risks producing a fraudulent outcome without anyone necessarily realizing it.

Who should we believe? Vendors selling internet voting or computer scientists?

Everyone Counts is certainly savvier than some of the computer voting machine manufacturers who emerged a decade ago. Chief Executive Lori Steele understands that clean elections are about accountability from end to end, not just some miracle machine that does all the work by itself.

She also did not contest the objections voiced by Dill and the other computer scientists. Rather, she argued that, whatever the flaws, carefully encrypted computers are far more reliable than paper ballots, which can potentially be manipulated by a single rogue election official. Everyone Counts puts its machines through a rigorous auditing process, she said, and even interrupted a recent election in Australia to conduct a surprise audit in the middle of the ballot count.

That argument might have been good enough for the academy and for PricewaterhouseCoopers, but it still alarms many software experts. “A surprise audit in the middle is interesting, but I don’t think that’s adequate for the job because there are still multiple ways to defeat it,” Dill said.

We point out that the greatest danger to internet voting is insider manipulation, which is even easier for a single rogue election official or network insider. No need to steal paper ballots and fill them out. No risk of being caught in an audit or recount of voter-verified paper ballots.

Who should we believe? Vendors selling internet voting or computer scientists and government intelligence experts?

See this story from the New York Times: Traveling Light in a Time of Digital Thievery <read>

He leaves his cellphone and laptop at home and instead brings “loaner” devices, which he erases before he leaves the United States and wipes clean the minute he returns. In China, he disables Bluetooth and Wi-Fi, never lets his phone out of his sight and, in meetings, not only turns off his phone but also removes the battery, for fear his microphone could be turned on remotely. He connects to the Internet only through an encrypted, password-protected channel, and copies and pastes his password from a USB thumb drive. He never types in a password directly, because, he said, “the Chinese are very good at installing key-logging software on your laptop.”

What might have once sounded like the behavior of a paranoid is now standard operating procedure for officials at American government agencies, research groups and companies that do business in China and Russia — like Google, the State Department and the Internet security giant McAfee. Digital espionage in these countries, security experts say, is a real and growing threat — whether in pursuit of confidential government information or corporate trade secrets.

“If a company has significant intellectual property that the Chinese and Russians are interested in, and you go over there with mobile devices, your devices will get penetrated,” said Joel F. Brenner, formerly the top counterintelligence official in the office of the director of national intelligence…

Targets of hack attacks are reluctant to discuss them and statistics are scarce. Most breaches go unreported, security experts say, because corporate victims fear what disclosure might mean for their stock price, or because those affected never knew they were hacked in the first place. But the scope of the problem is illustrated by an incident at the United States Chamber of Commerce in 2010.

The chamber did not learn that it — and its member organizations — were the victims of a cybertheft that had lasted for months until the Federal Bureau of Investigation told the group that servers in China were stealing information from four of its Asia policy experts, who frequent China. By the time the chamber secured its network, hackers had pilfered at least six weeks worth of e-mails with its member organizations, which include most of the nation’s largest corporations. Later still, the chamber discovered that its office printer and even a thermostat in one of its corporate apartments were still communicating with an Internet address in China…

Last week, James R. Clapper, the director of national intelligence, warned in testimony before the Senate Intelligence Committee about theft of trade secrets by “entities” within China and Russia. And Mike McConnell, a former director of national intelligence, and now a private consultant, said in an interview, “In looking at computer systems of consequence — in government, Congress, at the Department of Defense, aerospace, companies with valuable trade secrets — we’ve not examined one yet that has not been infected by an advanced persistent threat.”

Finally, we have the case of Army Private Bradley Manning, where it is alleged that a single low-level insider, located overseas, had access to and the ability to steal almost unlimited volumes of confidential documents from multiple federal agencies.

Military grade “security”, a non sequitur if there ever was one!

Update:  Videos:

  • Andrew Gumbel provides the same information and some additional information <video>
  • CEO of Everyone Counts. Little if any information beyond the above story <video>
