News
Spafford: E-voting Still Has Security Issues
The debate over the security of electronic voting machines hasn’t gone away after November’s elections in the U.S.
By Dave Gradijan
Other than paper, a number of different ideas have been discussed. For instance, one method that’s been talked about is to have a video recording of the screen. A couple of ideas involve a cryptographic algorithm to create a kind of cryptographic receipt. Some of those ideas have raised concerns about preserving the anonymity of voters.
IDG: Some of those ideas don’t sound like they’d get around the "black box" question with e-voting—that people don’t see what’s going on in the machine.
Spafford: There’s something that I think has been overlooked by a lot of people who work in this realm. The average voter does not have the technological sophistication to have confidence that the mechanism preserves their anonymity and their vote. Some of the methods that involve cryptography, for instance, while scientifically very sound, would be used by people who don’t understand the mathematics behind it and are mistrustful of the idea that they would have to take someone’s word that it works.
The method of having a paper record is a technology people can immediately grasp and understand. That’s really important. We want not only to protect the vote, but we want people to feel comfortable that their vote matters.
Anything that we do to make the system more complex or difficult to understand disenfranchises some people.
IDG: Some e-voting security critics have pointed to some major flaws, such as having e-voting machines networked with each other. In your view, why did that happen?
Spafford: You have to look at systemwide problems with fault tree analysis. It’s not an area where there’s a lot of expertise. Certainly, the companies involved followed the existing regulations. It’s hard to lay 100 percent of the blame on vendors.
It was a situation where states were required to go out and spend a lot of money in a short period of time without necessarily appropriate guidance. These companies responded, and they did, in large part, provide equipment that met the existing guidelines, which may not have addressed the potential problem.
IDG: Do you think the debate on e-voting has turned a corner with the TGDC vote?
Spafford: Not yet. The reason is that the issue is still not well understood by a number of local officials. Some of us in the community perhaps have not done the best job in describing the issue. We’re worried about the security aspects, but we’re also worried about reliability. For instance, what has happened in the Florida race is probably not a security breach. It’s probably poor design or machine failure.
$firstKeyword
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
- Upgrading to VMware vSphere with vWire
- Removing Barriers To Better Server Virtualization Efficiency
- Practical Approaches for Securing Web Applications across the Software Delivery Lifecycle
- Staying A Step Ahead of the Hackers: The Importance of Identifying Critical Web Application Vulnerabilities
- Managing A Growing Threat: An Executive's Guide to Web Application Security
- The Forrester Wave™: Web Filtering, Q2 2009
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
