Real Viruses, Real Voting Systems, Real Concern
The notable election systems snafu news items of the week is a virus infection of Windows-based election systems sold by Premier Systems (Diebold) and used in Florida’s Pinellas county.
As a cause for alarm, the incident is pretty low, in that the infection was by ordinary Windows OS viruses, which can cripple a Windows system in a generic way. That’s not the much-speculated "targeted malware" that acts to change election data in the cases where the virus gets a foothold on an actual voting system machine.
On the other hand, I think that there are two other ways in which the incident is significant. First, it shows the vulnerability of the back-office components of an election system, rather than the more often-touted security problems with polling systems such as ballot scanners or touch screen DREs. In this case, the election system component was a tabulating system – something much more likely to effect the outcome of a whole race in a county, or of the county’s contribution to state and federal races’ rallies.
Second, as Tampa’s local news explains, the systems were "scrubbed." But in doing so, the systems were changed, and it’s impossible to ever determine (short of rebuilding them) whether the systems are again in their original, certified, and (hopefully) predictable state. It shows that a lack of integrity (the ability for systems to be modified) allows any number of situations — including malicous code attacks — to put a system into a fundamentally untrusted state. And a week after the initial incident, there’s no word on whether the systems will be used in spite of this.
That’s why high-integrity systems components — all components — are a key part of OSDV’s architecture for the open-source alternative to commercial, proprietary, closed election systems.
For a more authoratative assessment of the security significance, I’ll quote from remarks by a technical professional who knows a whole lot more about election systems technology and security than I do.
Two Windows viruses made it onto tabulating software in one
Florida county. I guess it was only a matter of time before this happened, but now it has.
In one important sense, this is minor. I’d imagine that this incident will likely have no noticeable impact on this particular election. But in another sense, this is noteworthy, because it vividly illustrates the risk of viral infection.
Essentially every major voting study in the past two years has raised serious concerns about viral spread of malicious code (e.g., Princeton’s Diebold analysis, the SAIT Lab analysis of the ES&S iVotronic, the California TTBR, the Ohio EVEREST study). Those studies were concerned about viruses that were specifically tailored to attack particular voting systems and to spread as part of the ordinary operation of the voting system. In comparison, the two viruses seen in Florida are generic Windows viruses that only have the capacity to spread from Windows machine to Windows machine and are not specifically tailored to spread through a voting systems or to target a voting system. Nonetheless, because the voting system’s central tabulation machine is a Windows machine,
it can be infected by ordinary Windows viruses. These two viruses are pretty benign, compared to the damage that could be caused by a virus specific tailored to attack a voting system.
Nonetheless, this is concerning, because it indicates that — under ordinary operating procedures — even a generic virus that’s not customized to attack voting systems can spread and affect the voting system. A virus specifically customized to attack voting systems could be vastly more damaging, both in spreading efficiently and at doing damage. If these two generic viruses could infect a Florida voting system, then a custom "weaponized" virus could do so, too. Moreover, because ordinary virus scanners only try to defend generic Windows viruses (and only ones that are already known to the virus companies), it would not be difficult to ensure that a specially customized virus would go undetected by ordinary Windows virus scanners.
The next time sometime tells you that there would be no way for viruses or malicious code to infect a voting equipment, keep this example in mind. The next time that someone tells you that their procedures would prevent viruses, or that they’ve "locked down" their machines so that this couldn’t happen to them, remember this example.
This incident doesn’t tell us anything that we didn’t already know, but it as an illustrative example, it may be useful, because this is not just speculation — it really happened.