Wednesday, June 28, 2006

Hard Rain Journal 6-28-06: NYU Law School's Brennan Center Reports E-Voting Software Attacks are a Real Danger

NOTE: Words of Power explores the interdependence of security, sustainability and spirit. It monitors global risks and threats including global warming, terrorism, national disasters and health emergencies, cybercrime, economic espionage, etc. It also analyses issues and trends in the struggle for geopolitical hegemony, the pursuit of energy security and environmental security, the cultivation of human rights, and the strengthening of democratic institutions. Words of Power champions security, sustainability and spirit, both at work and in the home. The site has four components: Words of Power, which delivers in-depth commentary, and GS(3) Intelligence Briefing, which provides global risk-related news, are posted on an alternating, bi-weekly basis. Hard Rain Journal is posted daily, and provides updates and insights on developing stories. GS(3) Thunderbolts are posted as appropriate to deliver timely news on developing stories that require urgent attention. For more information on Richard Power, Words of Power and GS(3) Intelligence, go to www.wordsofpower.net



By Richard Power


A task force at NYU Law School's Brennan Center for Justice has issued an important report on the vulnerabilities of electronic voting machines. It provides analysis of "security threats to the technologies used in Direct Recording Electronic voting systems (“DREs”), DREs with a voter verified auditable paper trail (“DREs w/ VVPT”) and Precinct Count Optical Scan (“PCOS”) systems." If you are interested in the health of democratic institutions anywhere in the world, but particularly in the USA (with its vast military-industrial complex, its monopolized news media, and its eroding civil liberties), this report deserves your urgent attention. I have included an excerpt from the report's executive summary below. Please review it, share it with other concerned citizens, and demand that your news media providers educate the public on the nature of the danger, and that your elected representatives take action to mitigate it.

Words of Power will continue to monitor and report on major developments in regard to e-voting and the theft of elections. I commend both Mark Crispin Miller's Notes from the Underground and Brad Friedman's BradBlog; they are the premier resources to reference in this struggle to enlighten and embolden the electorate.

NOTE: The Brennan Center's analysis "assumes that appropriate physical security and accounting procedures are in place." Based on my extensive experience in cyber security, I can assure you that, in most cases, "all appropriate physical security and accounting procedures" are not in place. I do not add this disturbing caveat to somehow lessen the criticality of focusing on electronic voting vulnerabilities, only to suggest that the context in which we address the issue must be broader; it must include other aspects of cyber security, e.g., physical access control, personnel security, backups, chain of custody, etc.

Related Posts:
SPECIAL EDITION: “Until this issue is burning on the mind of every citizen” -- Words of Power Interviews Mark Crispin Miller
Words of Power #22: Election Fraud As Information Warfare, And A National Security Issue

Here is an excerpt from the report's executive summary:

Top Scientists from Government and Private Sector Unanimous in Assessment

The full report (the “Security Report”), which has been extensively peer reviewed by the National Institute of Standards and Technology (“NIST”), may be found at www.brennancenter.org. Following the analysis outlined here, the Brennan Center and Task Force members recommend countermeasures that should be taken to reduce the technological vulnerability of each voting system.

CORE FINDINGS
Three fundamental points emerge from the threat analysis in the Security Report:
■ All three voting systems have significant security and reliability vulnerabilities, which pose a real danger to the integrity of national, state, and local elections.
■ The most troubling vulnerabilities of each system can be substantially remedied if proper countermeasures are implemented at the state and local level.
■ Few jurisdictions have implemented any of the key countermeasures that could make the least difficult attacks against voting systems much more difficult to execute successfully.

VOTING SYSTEM VULNERABILITIES
After a review of more than 120 potential threats to voting systems, the Task Force reached the following crucial conclusions:
For all three types of voting systems:
■ When the goal is to change the outcome of a close statewide election, attacks that involve the insertion of software attack programs or other corrupt software are the least difficult attacks.
■ Voting machines that have wireless components are significantly more vulnerable to a wide array of attacks. Currently, only two states, New York and Minnesota, ban wireless components on all voting machines.
For DREs without voter verified paper trails:
■ DREs without voter verified paper trails do not have available to them a powerful countermeasure to software attacks: post election automatic routine audits that compare paper records to electronic records.
For DREs w/ VVPT and PCOS:
■ The voter verified paper record, by itself, is of questionable security value. The paper record has significant value only if an automatic routine audit is performed (and well designed chain of custody and physical security procedures are followed). Of the 26 states that mandate voter verified paper records, only 12 require regular audits.
■ Even if jurisdictions routinely conduct audits of voter verified paper records, DREs w/ VVPT and PCOS are vulnerable to certain software attacks or errors. Jurisdictions that conduct audits of paper records should be aware of these potential problems.

SECURITY RECOMMENDATIONS
There are a number of steps that jurisdictions can take to address the vulnerabilities identified in the Security Report and make their voting systems significantly more secure. We recommend adoption of the following security measures:
1. Conduct automatic routine audits comparing voter verified paper records to the electronic record following every election. A voter verified paper record accompanied by a solid automatic routine audit of those records can go a long way toward making the least difficult attacks much more difficult.
2. Perform “parallel testing” (selection of voting machines at random and testing them as realistically as possible on Election Day.) For paperless DREs, in particular, parallel testing will help jurisdictions detect software-based attacks, as well as subtle software bugs that may not be discovered during inspection and other testing.
3. Ban use of voting machines with wireless components. All three voting systems are more vulnerable to attack if they have wireless components.
4. Use a transparent and random selection process for all auditing procedures. For any auditing to be effective (and to ensure that the public is confident in such procedures), jurisdictions must develop and implement transparent and random selection procedures.
5. Ensure decentralized programming and voting system administration. Where a single entity, such as a vendor or state or national consultant, performs key tasks for multiple jurisdictions, attacks against statewide elections become easier.
6. Institute clear and effective procedures for addressing evidence of fraud or error. Both automatic routine audits and parallel testing are of questionable security value without effective procedures for action where evidence of machine malfunction and/or fraud is discovered. Detection of fraud without an appropriate response will not prevent attacks from succeeding.
Fortunately, these steps are not particularly complicated or cumbersome. For the most part, they do not involve significant changes in system architecture. Unfortunately, few jurisdictions have implemented any of these security recommendations.

THE MACHINERY OF DEMOCRACY: PROTECTING ELECTIONS IN AN ELECTRONIC WORLD, BRENNAN CENTER TASK FORCE ON VOTING SYSTEM SECURITY, LAWRENCE NORDEN, CHAIR
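
Recommendations 1 and 4 above (a routine paper-versus-electronic audit, with a transparent and random selection of what gets audited) can be illustrated with a short sketch. This is an added example, not code from the Brennan Center report or from this post; the hash-ranking selection method, the function names, the seed string and all tallies are assumptions constructed for illustration.

```python
import hashlib

# Constructed sample data: per-precinct totals reported by the machines and
# totals from a hand count of the voter verified paper records.
ELECTRONIC = {
    "P-01": {"A": 210, "B": 190}, "P-02": {"A": 305, "B": 298},
    "P-03": {"A": 88, "B": 140}, "P-04": {"A": 120, "B": 95},
    "P-05": {"A": 402, "B": 377}, "P-06": {"A": 51, "B": 60},
}
PAPER = {
    "P-01": {"A": 210, "B": 190}, "P-02": {"A": 305, "B": 298},
    "P-03": {"A": 88, "B": 140}, "P-04": {"A": 112, "B": 103},
    "P-05": {"A": 402, "B": 377},  # P-06: no paper records were returned
}

def select_for_audit(precinct_ids, public_seed, count):
    """Rank precincts by SHA-256(seed | id) and take the first `count`.

    The seed is assumed to be generated in public after the electronic totals
    are published (for example, dice rolled at an open meeting), so anyone can
    recompute the selection and nobody can predict it in advance.
    """
    def rank(pid):
        return hashlib.sha256(f"{public_seed}|{pid}".encode()).hexdigest()
    return sorted(set(precinct_ids), key=rank)[:count]

def audit(selected, electronic, paper):
    """Return (precinct, candidate, electronic_total, paper_total) mismatches."""
    findings = []
    for pid in selected:
        machine = electronic.get(pid, {})
        if pid not in paper:
            # A gap in the paper trail is itself a finding, not a pass.
            findings.append((pid, "PAPER RECORD MISSING", None, None))
            continue
        for cand in sorted(set(machine) | set(paper[pid])):
            e, p = machine.get(cand, 0), paper[pid].get(cand, 0)
            if e != p:
                findings.append((pid, cand, e, p))
    return findings

if __name__ == "__main__":
    chosen = select_for_audit(ELECTRONIC, "constructed-dice-roll-4-1-6-3-2-5", 3)
    print("audit these precincts:", chosen)
    for finding in audit(chosen, ELECTRONIC, PAPER):
        print("escalate per documented procedure:", finding)
```

Because the selection depends only on the published seed and the precinct list, observers can verify it independently; each finding is what recommendation 6 says must trigger a defined response.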

Richard Power is the founder of GS(3) Intelligence and http://www.wordsofpower.net. His work focuses on the inter-related issues of security, sustainability and spirit, and how to overcome the challenges of terrorism, cyber crime, global warming, health emergencies, natural disasters, etc. You can reach him via e-mail: richardpower@wordsofpower.net. For more information, go to www.wordsofpower.net
