September 25, 2003

Maryland Releases SAIC's Report on Electronic Voting Security

In early August 2003 the state of Maryland hired a third-party consulting firm (SAIC) to perform an analysis of Diebold's AccuVote-TS voting system. On September 24, 2003, Maryland made SAIC's report public. To quote the SAIC report, "[t]he system, as implemented in policy, procedure, and technology, is at high risk of compromise." Despite the problems identified in the Hopkins/Rice and SAIC reports, Maryland is still planning to proceed with the 55.6 million dollar purchase of Diebold AccuVote-TS voting terminals.

To help mitigate the risks identified in the security analyses, Maryland proposed a set of technological changes to Diebold's voting machines as well as procedural changes to the election process. While this may help "raise the bar," it is impossible to know whether any security analysis identifies all the possible vulnerabilities present in an analyzed system. By only patching the known vulnerabilities, Maryland is not actually ensuring that the voting system will be secure. Rather, Maryland should follow security engineering best practices, which state that security can only be assured through a rigorous design process that considers security from a project's conception, not through a set of patches applied after the fact.

It appears that the state of Maryland has had to compromise on the security of the voting system due to the election calendar. The Maryland State Board of Elections states that "an alternative system could not be implemented in time to conduct the March 2004 Presidential Primary election and could jeopardize the November 2004 Presidential General election." Unfortunately, by compromising on security, the integrity and privacy of these elections may still be in jeopardy.

Posted by Tadayoshi Kohno at 01:33 PM