Security analysts recommend scrapping online voting plans

A group of security analysts who have evaluated Defense Department plans for an online voting pilot have recommended that the plan be scrapped because its security cannot be ensured.

The analysts concluded “Internet voting presents far too many opportunities for hackers or even terrorists to interfere with fair and accurate voting.”

DOD said it has no intention of stopping the program.

“Security was our Number One priority when we started on this concept,” DOD spokesman Glenn Flood said. “The concerns raised by this minority group are not new to us. Measures have been put in place, and we have been working with state and local election officials to ensure the integrity of the system.”

The Secure Electronic Registration and Voting Experiment is a DOD program being operated by the Federal Voting Assistance Program. The goal is to ease absentee voting procedures for U.S. citizens living or serving overseas. SERVE is an expansion of a small program that counted a handful of overseas military votes in 2000. In this year’s primary and general elections, as many as 100,000 voters from 50 counties in Arkansas, Florida, Hawaii, North Carolina, South Carolina, Utah and Washington will be eligible to use the Web system.

Accenture LLP of Chicago received a contract to develop SERVE in 2002. The contract runs through March 2005 to allow for post-election review. Eligible voters will be able to register and cast votes from any PC with an Internet connection running Microsoft Windows 95 or later operating systems. Users access SERVE through the www.serveusa.gov website.

A 10-member Security Peer Review Group put together by the Federal Voting Assistance Program evaluated the system. A minority report was issued by four members of the group: David Jefferson of the Lawrence Livermore National Laboratory, Aviel D. Rubin of Johns Hopkins University, David Wagner of the University of California at Berkley and Barbara Simons, a consultant formerly with IBM Corp.

They said inherent flaws in proprietary software, the Internet and PCs from which votes would be cast make the process too risky to be used in a real election. Threats include:

  • Insider flaws, inserted in software by programmers

  • Denial-of-service attacks, which could delay or prevent a voter from casting a ballot

  • Spoofing attacks, in which a voter could be redirected to a phony Web site that could block or alter a vote

  • Malicious code on a PC that could let a third party monitor or manipulate the voting.


  • The analysts said the report was not intended as criticism of the Federal Voting Assistance Program or the work done on SERVE.

    “The real barrier is not a lack of vision, skill, resources or dedication,” the report said. “It is the fact that, given the current Internet and PC security technology, the FVAP has taken on an essentially impossible task.”

    Rubin, an outspoken critic of online voting systems, said a successful test this year, when stakes are low because of the relatively low number of voters involved, could result in an expansion in future elections without addressing basic security concerns.

    “I’m not against computers,” Rubin said at a conference in Washington last month. But a lack of assurances in an online voting system could undermine the democratic process. “In order for democracy to work, people need to have confidence in the election system,” he said.

    Flood said weaknesses in the Internet infrastructure were taken into account in designing SERVE.

    “The only 100-percent safe solution from a security standpoint is not to do it,” he said. “That is not an option.”

    About the Author

    Connect with the GCN staff on Twitter @GCNtech.

    Featured

    • Defense
      Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

      Army wants to spend nearly $1B on cloud, data by 2025

      Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

    • Congress
      Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

      Jim Langevin's view from the Hill

      As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

    Stay Connected

    FCW INSIDER

    Sign up for our newsletter.

    I agree to this site's Privacy Policy.