Inside Risks 197, CACM 49, 11, November 2006
COTS and Other Electronic Voting Backdoors
Rebecca Mercuri, Vincent J. Lipsio, and Beth Feehan
During the U.S. 2006 primary election season, there was a flurry of media attention about electronic voting, when it was revealed that Diebold Election Systems had erroneously reported to a testing authority (CIBER) that certain Windows CE operating system files were commercial-off-the-shelf (COTS) but in fact also contained customized code. This is important because, remarkably, all versions of the federal voting system guidelines exempt COTS hardware and software from inspection, whereas modified components require additional scrutiny.
This loophole is anathema to security and integrity. In other critical computer-based devices (e.g., medical electronics or aviation), COTS components may be unit-tested once for use in multiple products, with COTS software typically integration-tested and its source code required for review. In contrast, for voting equipment, this blanket inspection exemption persists, despite having strenuously been protested by numerous scientists, especially in the construction of guidelines authorized by the Help America Vote Act (HAVA) . Nevertheless, special interests have prevailed in perpetuating this serious backdoor in the advisory documents used for the nation's voting system testing and certification programs.
Indeed, Diebold dismissed the discovered customizations as presenting only ''a theoretical security vulnerability that could potentially allow unauthorized software to be loaded onto the system'' ; a Diebold spokesman commented ''for there to be a problem here, you're basically assuming ... you have some evil and nefarious election officials who would sneak in and introduce a piece of software. ... I don't believe these evil elections people exist.'' But such naivete is laughable, as there is a long and well-documented history of such ''political machines'' and operatives in the U.S.
Uninspected COTS has caused other serious voting equipment problems to go undetected, even if tampering is not an issue, as reported in 2001 to the U.S. House Science Committee by Douglas Jones, when he related a 1998 example of ''an interesting and obscure failing [with the Fidlar and Chambers EV 2000] that was directly due to a combination of this exemption and a recent upgrade to the version of Windows being used by the vendor ... the machine always subtly but reliably revealed the previous voter's vote to the next voter.'' 
The strong resistance to closing this COTS backdoor was illustrated by the activities of the IEEE's P1583 Voting System Standards working group, while they were drafting a document to be submitted as input to the Election Assistance Commission's (EAC) Technical Guidelines Development Committee. A Special Task Group (STG) was formed to resolve COTS-related issues in the draft. Although all issues were resolved with strong consent by the STG's members , P1583's vendor-partisan editing committee unabashedly repeatedly refused (even after having been confronted before the entire working group) to incorporate any of the substantial COTS review requirements into the draft. Therefore, the version of the document released to the EAC still contained the exemption for COTS components, even though the working group had decided otherwise.
Numerous other aspects of America's voting equipment certification process are similarly lax. Another P1583 working group member, Stanley Klein, repeatedly pointed out to the EAC that the legacy low 163-hour Mean Time Between Failures rate specified in all versions of the voting system guidelines translated to an election day malfunction probability (potentially resulting in unrecoverable loss of votes) of 9.2% per machine, to no avail. Attempts to require a Common Criteria style evaluation were frustrated. Bizarrely, the guidelines allow for the risky use of wireless transceivers in voting machines, but do not require that the ballot data be provided in a format such that it is independently auditable. And although there is a federal certification process, there is no provision for decertification, even when a major security flaw has been exposed. The fact that any changes, including security-related ones, require recertification, has even been used as an excuse to avoid making needed updates. Indeed, the nature of U.S. elections is such that federal certification, as poor as it is, is not mandatory; one-fifth of the states have chosen to disregard it, some in lieu of even more haphazard and obfuscated examination processes.
This distressing situation will likely continue until large numbers of citizens, especially those with technical expertise, hold government officials accountable. You can help by communicating with your elected officials, beseeching them to do something about this now.
Beth Feehan (firstname.lastname@example.org) is a researcher focusing on HAVA implementation issues. Vincent Lipsio (email@example.com) is a software engineer who specializes in real-time and life-critical systems. Rebecca Mercuri (firstname.lastname@example.org) is a forensic computing expert who has been researching electronic voting since 1989.
1. Charles Corry, Stanley Klein, Vincent Lipsio, and Rebecca Mercuri, Comments to the Election Assistance Commission's Technical Guidelines Development Committee, December 2004. http://www.vote.nist.gov/ECPosStat.htm
2. Monica Davey, New Fears of Security Risks in Electronic Voting Systems, New York Times, May 12, 2006.
3. Douglas Jones, Testimony to the U.S. House Science Committee, May 22, 2001. http://www.cs.uiowa.edu/~jones/voting/congress.html
4. IEEE P1583 working group. http://www.Lipsio.com/COTS, http://grouper.ieee.org/groups/scc38/1583/
Other insightful articles in this regard include:
Security by Insecurity, Rebecca T. Mercuri and Peter G. Neumann, Inside Risks 161, CACM 46, 11, November 2003 http://www.csl.sri.com/users/neumann/insiderisks.html#160
Information System Security Redux, Peter G. Neumann, Inside Risks 160, CACM 46, 10, October 2003, http://www.csl.sri.com/users/neumann/insiderisks.html#159
Voting into Vapor, Craig Lambert, Harvard Magazine, November/December 2004 http://www.harvardmagazine.com/on-line/110471.html