INDEPENDENT NEWS

SAIC Report On MD. Diebold Voting Machines

By: SAIC
Published: Thu 25 Sep 2003 09:22 PM
SAIC Report On MD. Diebold Voting Machines
EXECUTIVE SUMMARY
This report presents the results of a risk assessment of the AccuVote-TS voting system as currently implemented in Maryland by the State Board of Elections (SBE) and the Local Boards of Elections (LBEs). This Risk Assessment report includes evaluations of threats, vulnerabilities, security controls, and risks associated with the AccuVote-TS system and possible impacts to the State and the integrity of its elections process from successful exploitation of identified weaknesses.
This Risk Assessment was performed using the methodology documented in National Institute of Science and Technology (NIST) SP 800-30, Risk Management Guide for Information Technology Systems, and in the State of Maryland’s Certification and Accreditation Guidelines. This assessment consists of agency-directed, independent verification of systems, software, and processes associated with the system. This assessment provides an in-depth analysis of security controls, including comprehensive personnel interviews, documentation reviews, site surveys, and evaluation of the system’s hardware and software. Overall, this assessment measures the level of assurance that the security controls for the system are fully formed and documented, correctly implemented, and effective in their application.
Findings & Recommendations
In the course of this Risk Assessment, we reviewed the statements that were made by Aviel. D. Rubin, professor at Johns Hopkins University, in his report dated July 23, 2003. In general, SAIC made many of the same observations, when considering only the source code. While many of the statements made by Mr. Rubin were technically correct, it is clear that Mr. Rubin did not have a complete understanding of the State of Maryland’s implementation of the AccuVote-TS voting system, and the election process controls or environment. It must be noted that Mr. Rubin states this fact several times in his report and he further identifies the assumptions that he used to reach his conclusions. The State of Maryland procedural controls and general voting environment reduce or eliminate many of the vulnerabilities identified in the Rubin report. However, these controls, while sufficient to help mitigate the weaknesses identified in the July 23 report, do not, in many cases meet the standard of best practice or the State of Maryland Security Policy.
This Risk Assessment has identified several high-risk vulnerabilities in the implementation of the managerial, operational, and technical controls for AccuVote-TS voting system. If these vulnerabilities are exploited, significant impact could occur on the accuracy, integrity, and availability of election results. In addition, successful exploitation of these vulnerabilities could also damage the reputation and interests of the SBE and the LBEs. This Risk Assessment also identified numerous vulnerabilities with a risk rating of medium and low that may have an impact upon AccuVote-TS voting if exploited.
This assessment of the current security controls within the AccuVote-TS voting system is dependent upon the system being isolated from any network connections. If any of the AccuVote-TS voting system components, as presently configured and architected, were connected to a network, the risk rating would immediately be raised to high for several of the identified vulnerabilities. SAIC recommends that a new risk assessment be performed prior to the implementation of a major change to the AccuVote-TS voting system. Additionally, SAIC recommends a similar assessment to be performed at least every three years, regardless of system modification.
We recommend that SBE immediately implement the following mitigation strategies to address the identified risks with a rating of high:
1. Bring the AccuVote-TS voting system into compliance with the State of Maryland Information Security Policy and Standards.
2. Consider the creation of a Chief Information Systems Security Officer (CISSO) position at SBE. This individual would be responsible for the secure operations of the AccuVote-TS voting system.
3. Develop a formal, documented, complete, and integrated set of standard policies and procedures. Apply these standard policies and procedures consistently through the LBEs in all jurisdictions.
4. Create a formal, System Security Plan. The plan should be consistent with the State of Maryland Information Security Policy and Standards, Code of Maryland Regulations (COMAR), Federal Election Commission (FEC) standards, and industry best practices.
5. Apply cryptographic protocols to protect transmission of vote tallies.
6. Require 100 percent verification of results transmitted to the media through separate count of PCMCIA cards containing the original votes cast.
7. Establish a formal process requiring the review of audit trails at both the application and operating system levels.
8. Provide formal information security awareness, training, and education program appropriate to each user’s level of access.
9. Review any system modifications through a formal, documented, risk assessment process to ensure that changes do not negate existing security controls. Perform a formal risk assessment following any major system modifications, or at least every three years.
10. Implement a formal, documented process to detect and respond to unauthorized transaction attempts by authorized and/or unauthorized users.
11. Establish a formal, documented set of procedures describing how the general support system identifies access to the system.
12. Change default passwords and passwords printed in documentation immediately.
13. Verify through established procedures that the ITA-certified version of software and firmware is loaded prior to product implementation.
14. Remove the SBE GEMS server immediately from any network connections. Rebuild the server from trusted media to assure and validate that the system has not been compromised. Remove all extraneous software not required for AccuVote-TS operation. Move the server to a secure location.
15. Modify procedures for the Logic and Accuracy (L) testing to include testing of time-oriented exploits (e.g., Trojans).
16. Discontinue the use of an FTP server to distribute the approved ballots.
17. Implement an iterative process to ensure that the integrity of the AccuVote-TS voting system is maintained throughout the lifecycle process.
The system, as implemented in policy, procedure, and technology, is at high risk of compromise. Application of the listed mitigations will reduce the risk to the system. Any computerized voting system implemented using the present set of policies and procedures would require these same mitigations.
ENDS

Next in World

Gaza: Rate Of Attacks On Healthcare Higher Than In Any Other Conflict Globally Since 2018
By: Save The Children
The rate of attacks per month on healthcare in Gaza since the beginning of the war has been higher than in any other recent conflict globally, standing at an average of 73 attacks each month, according to new analysis by Save the Children.
Green Light For New Cholera Vaccine, Ukraine Attacks Condemned, Action Against Racism, Brazil Rights Defenders Alert
By: UN News
A new oral vaccine for cholera has been given the green light for manufacture by the UN health agency allowing for the massive scale-up of lifesaving immunisation in the world’s most vulnerable communities.
Grand Slam Champion Garbiñe Muguruza Announces Retirement Ahead Of Laureus World Sports Awards
By: Laureus
The 30-year-old initially stepped back from tournament tennis in 2023 and ahead of the Laureus World Sports Awards – taking place in Madrid on Monday, April 22 – officially ended her competitive career and revealed that her future will include ...
Going For Green: Is The Paris Olympics Winning The Race Against The Climate Clock?
By: Carbon Market Watch
The 2024 Paris Olympics promises a gold-winning climate performance and to set the pace for future games. Our in-depth assessment reveals that, despite improvement, the carbon footprint of the Olympics remains far too high to be sustainable. This ...
NZDF Working With Pacific Neighbours To Support Solomon Islands Election
By: New Zealand Defence Force
A New Zealand Defence Force (NZDF) contingent of more than 200 personnel has been providing logistical support to Solomon Islands, on behalf of the Ministry of Foreign Affairs and Trade, as the country geared up for today’s general election.
Ceasefire The Only Way To End Killing And Injuring Of Children In Gaza: UNICEF
By: UN News
Advocating for a ceasefire is the best way to support the people of Gaza, including children in the north who are dying of hunger, a Spokesperson for the UN Children’s Fund (UNICEF) said on Thursday
View as: DESKTOP | MOBILE
Scoop Contact About Services Newsagent Login
Connect Submit News Social Media Scoop Network
Ethical Paywall Accredited Orgs. Licensing Terms of Use
© Scoop Media