Five or six weeks ago, I posted a long entry about computer voting. In it, I said that a properly designed, secured, reviewed, and audited computer-based voting system could be far better than the voting systems we've had until now, but that the computer-based systems that are available today — and are being deployed — do not qualify. Yesterday's Washington Post underscores the failure to qualify with this article:
To determine what it would take to hack a U.S. election, a team of cybersecurity experts turned to a fictional battleground state called Pennasota and a fictional gubernatorial race between Tom Jefferson and Johnny Adams. It's the year 2007, and the state uses electronic voting machines. Jefferson was forecast to win the race by about 80,000 votes, or 2.3 percent of the vote. Adams's conspirators thought, "How easily can we manipulate the election results?"
The experts thought about all the ways to do it. And they concluded in a report issued yesterday that it would take only one person, with a sophisticated technical knowledge and timely access to the software that runs the voting machines, to change the outcome.
Voting-machine vendors, such as Diebold, of course, downplay the report and deny the problems:
"It just isn't the piece of equipment," said David Bear, a spokesman for Diebold Election Systems, one of the country's largest vendors. "It's all the elements of an election environment that make for a secure election."What we have to remember, though, is that even if it's true that the vulnerabilities "would be extremely difficult to exploit," the rewards for success are sufficiently great that I get no comfort from considering the difficulty, nor from the (unsubstantiated) claim that it hasn't happened yet.
"This report is based on speculation rather than an examination of the record. To date, voting systems have not been successfully attacked in a live election," said Bob Cohen, a spokesman for the Election Technology Council, a voting machine vendors' trade group. "The purported vulnerabilities presented in this study, while interesting in theory, would be extremely difficult to exploit."
And as to the difficulty, well, the report says that "it would take only one person, with a sophisticated technical knowledge and timely access to the software that runs the voting machines, to change the outcome." An insider, perhaps, from the Election Technology Council? Diebold's CEO was quoted in 2004 as saying that he would do whatever it took to deliver Ohio to George Bush in the election. Given that sort of statement, can anyone be confident that there's useful protection against the sort of attack the report describes?
As always, I'd like to see the full report — these brief blurbs in the newspaper are never adequate. (Wouldn't it be nice if the online articles had links to the original material they reference, when that material is availble? I don't know whether it's available in this case, but it often is, and it's never linked from the online newspaper articles.)