Report by Science Application International Corp. on
Maryland's Proposed Electronic Voting System
Avi Rubin is Technical Director of the Information Security Institute
at Johns Hopkins University and an Associate Professor in the
Department of Computer Science
In July a team of computer security researchers from Johns Hopkins and Rice universities, including myself, made public our concerns that significant vulnerabilities existed in an electronic voting system being sold for use in elections throughout the United States. At the time, the State of Maryland had entered into an agreement to purchase such a system from Diebold Election Systems for $55.6 million. In response to our concerns, the state hired an independent consultant, Science Application International Corp., to review the proposed electronic voting system.
On Wednesday, Sept. 24, the state released a heavily redacted version of the SAIC report, which nevertheless identified "high-risk vulnerabilities in the implementation of the managerial, operational and technical controls for AccuVote-TS system." The vulnerabilities, the consultant concluded, could jeopardize the accuracy and integrity of election results.
I was pleased to see that an independent third-party, with full access to the manufacturer's software code and hardware system, had come to many of the same conclusions we had concerning serious security holes. By studying a limited amount of information about this voting system that had been posted on a public Web site, our team had uncovered opportunities for tampering. SAIC found even more security flaws. As one newspaper pointed out on Thursday, "the review released yesterday paints a less-than-flattering picture of how an election would have been run in Maryland had the Hopkins study not drawn attention to problems."
I was astonished and deeply disappointed, however, to learn that state officials have decided to proceed with their purchase of the Diebold machines. It appears that the state officials who proposed this plan either did not read or did not understand the SAIC report. Based on the SAIC findings, the state should be putting the purchase and implementation of this election system on hold until the consultant determines it is safe to proceed.
Instead, state election officials believe all of the vulnerabilities in this system can be corrected by next March. I do not. I do not think it is realistic to say the system can be fixed this quickly. Software is very complex, and any electronic voting system should be subject to rigorous code review and security engineering practices that require considerable experience, discipline and time. I also believe that the same certification process that failed to uncover the security vulnerabilities that we disclosed, and that were identified by SAIC, should not be counted on to certify the "fixed" version of the system, as is proposed by the state.
I am concerned about what has not been made public. The pages released by the state represent less than a third of the 200-page document. The rest was "redacted," kept secret, according to the state, so as not to provide a "road map" to hackers who might wish to tamper with the voting system. But if Diebold and state election officials plan to fix these security problems before the system is used, there should be no need to keep these vulnerabilities secret.
In the wake of errors attributed to outdated punchcard voting equipment, I understand the public's rush to embrace computer technology. Yet as a computer scientist I believe that the fundamental design of the Diebold machines is unsound. In our haste to replace old technology, we should not settle for flawed electronic systems that risk the integrity of our election process. We can design better voting systems.
Related News Releases Concerning This
Go to Headlines@HopkinsHome Page