The Pied Piper Syndrome, 2004-07-19
Making electronic voting terminals more like slot machines won't keep elections secure from tampering.
“
"...it stands to reason that voting machine security should be concentrated on the aftermath of an attack, and not the attack itself."
”
Of course, anyone who knows the whole story will immediately realize that in the end, the Piper actually steals away all the children (save one) after the local town-folk cheated him out of his thousand guilders fee. Had the owners of the business considered all the available information, I doubt seriously that they would have decided upon that particular moniker.
In the continuing debate over the use of e-voting machines to replace paper-ballots, I fear that both sides -- those designing controls around these systems, and those critical of said security measures -- are falling prey to the same kind of short-sightedness.
By way of example, a recent dialog regarding the insecurity of electronic voting machines compared them with slot machines, and found them lacking. Much was made of the fact that a computerized slot machine could withstand a Taser gun attack without evident failure, while an e-voting machine apparently could not.
This is a kind of security-modeling-by-resemblance, and it takes away from designing a security foundation that actually serves the needs.
When designing security around a new technological process, we must first consider what problems we seek to remedy. For a video poker machines, that's obvious: if it gets broken into, manipulated, or zapped into dispensing money, someone gets away with the cash. Being "tamper resistant" is the most important element in countering that scenario. The tamper resistant properties of the unit -- including standing up to a little high-voltage -- is what protects the asset.
But despite a certain physical and architectural resemblance to their casino cousins, e-voting machines have a completely different threat model, and need to value a completely different set of security properties.
The asset that these units seek to protect is the integrity of the data it holds. Consequently, it is much more important to have mechanisms in place that immediately alert officials to the fact that voting data was somehow altered, such as cryptographic and algorithmic checks, than any physical means that attempts to prevent attacks in the first place. These machines must be "tamper evident," not zap-proof.
Data Integrity
If e-voting critics really want to take a lesson from Vegas, they should look at the history of gambling machine security. New means of stealing money still come along from time to time, and new measures are taken to prevent it. (There was a time where a piece of aluminum foil could make a slot machine pay out. ) There will always be new attacks against these units, some trivially simple, and at some point cash will be lost.
There's no reason to think e-voting machines can hold up better. Knowing this, it stands to reason that voting machine security should be concentrated on the aftermath of an attack, and not the attack itself. Regardless of how someone breaks an electronic ballot, the fact that it was broken into must remain the most important point of knowledge -- data integrity must be required. The attack vector can be addressed later; we must first know if any votes were tainted, and we need a plan for recovering lost votes.
Other comparisons fare little better than the slot machines. Academics have suggested ATM machines as a model for e-voting machines, and one of the largest e-voting players, Diebold, also makes cash machines. ATMs are very physically secure, and even possess data integrity mechanisms (like having crypto keys embedded in the keypads rather than some extraneous software exchange). But, here, too, the security is directed at protecting cash, not data. Moreover, ATM's are hardly invulnerable themselves: they're increasingly deployed on insecure networks. (I write about just this scenario in Syngress' new book, "Stealing the Network: How to Own a Continent.")
We've already seen the dangers of applying the wrong kind of security to e-voting. Earlier deployments of Diebold's physically secure voting machines used a Microsoft Access database to store and tally votes. Diebold
This is what happens when any security measure is designed without first determining what issues it sets out to solve. As elections draw near, it is time that we as a security community revisit this topic. We can't let facile comparisons lead us like the Piper away from e-voting's true problem.
