< Back to table of 'First Report - December 2004 Contents'
Part 2 – Work of the Commission
2.7 Security
Security at Elections
Under the current system of paper voting, members of an Garda Síochána attend at polling and counting centres while votes are being cast and counted and they participate in the transportation and custody of ballot boxes between centres. The investigation of alleged electoral offences is also a matter for an Garda Síochána.
It was of interest to the Commission to establish whether and how the security aspects of elections and the opportunities for criminal activity, particularly as regards computer fraud, were likely to be affected by the introduction of electronic voting.
Members of an Garda Síochána were therefore invited to examine the electronic voting system and the procedures for its use and to participate in the evaluation of its security aspects. The views of an Garda Sochána on these matters were accordingly reported to the Commission and, while they remain confidential to the Commission, they are reflected in its conclusions and recommendations as set out in this report.
System Security Policy
A discussion of the security requirements specified for the system in the context of recognised security standards is contained in Appendix 2B PDF. It is concluded that security features of the system outlined in the published statements5 are self-defining instead of being measured against internationally recognised criteria and that such criteria appear to be absent from the original specification for the system.
Third Party Interference
The reports at Appendix 2B PDF and Appendix 2C PDF also highlight a number of areas in which the system components might be vulnerable to third party interference. The threats considered include some deceptions of lesser likelihood in relation to the use of the voting machine but also threats to its internal components and software, and physical threats to the ballot modules and the hardened PC.
Physical Security
The set of two colour-coded keys for the operation of the programming reading unit (which programs and reads the ballot modules before and after the poll respectively) are understood to be common to all machines and are thus interchangeable. This is stated by the manufacturer to be a function of the simplicity of the system leading to its ease of use.
While the provision of unique keys for each machine would undoubtedly present its own difficulties on polling day, the use of common key sets clearly lends itself more readily to situations where it is sought to subvert or influence the outcome of the election by either interfering with a number of programming reading units or by obtaining one for the purpose of programming or reading one or more ballot modules without authority.
A further issue concerning the use of these key sets is described at Appendix 2D PDF. As both keys are required to be turned on in order to use either the programming or the reading slot on the programming reading unit, there is no physical distinction (apart from the slot used) between the configuration of the keys when programming and when reading ballot modules. It is suggested that this could lead to inadvertent overwriting of a ballot module.
The reports at Appendix 2B PDF and Appendix 2D PDF describe how it was found possible to bypass physical and electronic security measures implemented in respect of the “hardened” PC and then to overwrite or modify the software.
Custody and Transport
In view of the significant issues which can arise through unauthorised access to voting machines and other equipment and software used for electronic voting, it is of vital importance that there are correspondingly substantial procedures and controls in place to minimise the likelihood of such access, both at election time and between elections. This requirement is accentuated by the fact that voting equipment is stored at numerous different locations around the country.
The requirements for enhanced procedures and controls in this area (and for these to be fully and clearly documented) are discussed in the reviews of documentation and procedures described at Appendix 2F PDF and Appendix 2G PDF and relate to issues surrounding the manufacture, transport, custody, deployment and use of the equipment, both at and between elections.
5Security and Audit Features of the Election Management System (Department of the Environment, Heritage and Local Government, January 2004).
< Back to table of 'First Report - December 2004 Contents' |
