Brennan Center Task Force Says Software Attacks Pose Real Danger to All Electronic Voting Machines

June 27, 2006

For Immediate Release
Tuesday, June 27, 2006

Contact Information:
Scott Schell, 917 226-0237
Kafayat Alli-Balogun, 212 998-6735

Brennan Center Task Force Says Software Attacks Pose Real Danger to All Electronic Voting Machines

WASHINGTON, DC - The Brennan Center Task Force on Voting System Security,
an initiative of the Brennan Center for Justice at NYU School of Law,
today released a report and policy proposals concluding that all three
of the nation’s most commonly purchased electronic voting systems are
vulnerable to software attacks that could threaten the integrity of a
state or national election.

“As electronic voting machines
become the norm on Election Day, voters are more and more concerned
that these machines are susceptible to fraud,” said Michael Waldman,
the Brennan Center’s Executive Director. “In fact, we’ve learned a lot
from our study. These machines are vulnerable to attack. That’s the bad
news. The good news is that we know how to reduce the risks and the
solutions are within reach.”

“I hope that election officials and
lawmakers around the country read this report and take a hard look at
adopting these policies in time for the 2006 elections,” said Howard A.
Schmidt, former White House Cyber Security Advisor and former Chief
Security Officer of Microsoft and eBay.

The government and
private sector scientists, voting machine experts, and security
professionals on the Task Force worked together for more than a year.
The members of the non-partisan panel were drawn from the National
Institute of Standards and Technology (“NIST”), the Lawrence Livermore
National20Laboratories2C leading research universities, and include
many of the nation’s foremost security experts.

The Task Force
surveyed hundreds of election officials around the country; categorized
over 120 security threats; and evaluated countermeasures for repelling
attacks. The study examined each of the three most commonly purchased
electronic voting systems: electronic machines (“DREs”) with – and
without – a voter verified paper trail, and precinct-counted optical
scan systems (“PCOS”). The report, The Machinery of Democracy: Protecting Elections in an Electronic World, is the first-ever systematic analysis of security vulnerabilities in each of these systems. The report’s findings include:

  • All of the most commonly purchased electronic voting systems
    have significant security and reliability vulnerabilities. All three
    systems are equally vulnerable to an attack involving the insertion of
    corrupt software or other software attack programs designed to take
    over a voting machine.
  • Automatic audits, done randomly and
    transparently, are necessary if paper records are to enhance security.
    The report called into question basic assumptions of many election
    officials by finding that the systems in 14 states using voter-verified
    paper records but doing so without requiring automatic audits are of
    “questionable security value.”
  • Wireless components on
    voting machines20are20particularly vulnerable to attack. The report
    finds that machines with wireless components could be attacked by
    “virtually any member of the public with some knowledge of software and
    a simple device with wireless capabilities, such as a PDA.”
  • The
    vast majority of states have not implemented election procedures or
    countermeasures to detect a software attack even though the most
    troubling vulnerabilities of each system can be substantially remedied.

Among the countermeasures advocated by the Task Force are routine
audits comparing voter verified paper trails to the electronic record;
and bans on wireless components in voting machines. Currently only New
York and Minnesota ban wireless components on all machines; California
bans wireless components only on DRE machines. The Task Force also
advocated the use of “parallel testing”: random, Election Day testing
of machines under real world conditions. Parallel testing holds its
greatest value for detecting software attacks in jurisdictions with
paperless electronic machines, since, with those systems, meaningful
audits are not an option.

The Task Force’s report was made
public today in the Rayburn House Office Building. Congressmen Rush
Holt (D-NJ) and Tom Cole (R-OK) praised the report’s findings and
called for enactment of H.R. 550, the Voter Confidence and Increased
Accessibility Act, the most comprehensive bill before Congress
addressing electronic voting security.

Said Lawrence20Norden,
Chair of the Brennan Center Task Force on Voting System Security: “The
Brennan Center is committed to all our policy recommendations shared
today with the public and Members of Congress, and we have not taken a
position yet on any pending legislation. We’ll be working closely with
Mr. Holt, Mr. Cole, and other lawmakers dedicated to protecting our
elections.”

“I see this as an historic report because it’s the
first time we’ve systematically examined security concerns presented by
all of the electronic voting systems in use,” said Professor Ronald
Rivest of MIT. “The report will be invaluable for any election official
grappling with electronic security and, hopefully, will pave the way
for widespread adoption of better safeguards.”