Pentagon's E-Voting System Flawed, Unfixable, Security Experts Say

Claiming that the system is deeply flawed and unfixable, four computer security experts said that the Pentagon's new Internet-based voting service is ripe for attack and should be discarded.

January 22, 2004

The quartet of security gurus -- three from academia and a former IBM researcher turned independent consultant -- took to task SERVE (Secure Electronic Registration and Voting Experiment), a system that will let selected voters, including military personnel, their dependents, and other expatriates, register to vote and place their ballots electronically via standard PCs and a Web browser.

The four are among a group of ten experts that the government asked to evaluate SERVE, and make up the team's contingent of security analysts.

Their unanimous thumbs down comes less than two weeks before the U.S. Department of Defense (DoD) puts SERVE into play on Feb. 3 for the South Carolina presidential primary. Although limited in its scope -- DoD estimates that approximately 100,000 voters will cast ballots using the system, since only those who reside in 50 counties of seven states can use SERVE this election year -- the program's goal is to eventually handle the votes by the six million U.S. citizens who live or are posted overseas.

But SERVE is inherently flawed, said the experts, and should be dumped ASAP.

"Using a voting system based on the Internet poses a serious and unacceptable risk for election fraud," said David Wagner, an assistant professor of computer science at UC Berkeley, and one of the four authors of the report. "The flaws are unsolvable because they're fundamental to the architecture of the Internet."

SERVE is designed to use standard PCs running Windows and either the Internet Explorer or Netscape Navigator browser to connect to a Web server. Voter registration and voting are done using the browser, and registrations and ballots are stored on a central Web server, which is then accessed by U.S.-based local election officials for downloading the information to their own systems.

Relying on Windows PCs and the Internet is the crux of the problem, said the experts.

"The press is full of stories of viruses and worms [on the Internet]," said Barbara Simons, another of the four who contributed to the report. "All it takes is an infection of the PCs used to access SERVE, and all bets are off."

Simons, Wagner, and their colleagues -- Avi Rubin of Johns Hopkins University and David Jefferson of Lawrence Livermore National Laboratory -- worry that the inherent insecurity of PCs and the Internet could attract hackers who would like nothing better than to disrupt a U.S. national election by mounting denial-of-service (DoS) attacks on the PCs, inserting bogus Web pages between the PCs and the real Web server to 'steal' votes, or even introducing malicious code to the system that would allow them to alter votes.

"A U.S. general election offers one of the most tempting targets for cyber-attack in the history of the Internet, whether the attacker's motive is overtly political or simply self-aggrandizement," the four said in their report.

Simons said that Internet-based voting could be subverted by anyone with a modicum of technical skills, including the traditional teenage hacker, terrorists, or even opposition political parties.

"But what really terrifies me is that this so-called 'experiment' will seem to work, that people will look at the results and because there were no detectable problems this time, conclude that it's a great idea to roll out across the board in 2008," said Simons.

An attack might not even be detected immediately, Simons and her colleagues asserted, just as less threatening Internet-based attacks often go undetected for long stretches. Even if this year's voting goes smoothly, they said, it doesn't mean future elections won't be compromised.

"Future attacks would, in fact, be more likely, both because there is more time to prepare an attack, and because expanded use of SERVE or similar systems would make the prize more valuable," they said.

"This is a slippery slope, and one that we think puts democracy at risk," Simons said, explaining why she and her colleagues are urging the DoD to shut down SERVE immediately.

While the four didn't have any foolproof solutions to offer up as an alternative for simplifying absentee balloting by the military, they suggested that a kiosk-based system, which would simply print out absentee ballots that voters could complete and mail back to the U.S., would be more secure than SERVE.

A spokesman for the Federal Voting Assistance Program, which oversees SERVE, did not respond to a call for comment.
