California Secretary of State Debra Bowen has released the first set of reports from her “Top to Bottom Review” of voting systems. Part of the review was a “Red Team” exercise lead by Matt Bishop of UC Davis. The Red Team’s task was to act like bad guys and find ways into the machines.
The teams did find potentially serious security flaws in all three voting systems tested, allowing them to bypass both physical and software security. A summary of the Red Team report is available here.
Bishop noted, however, that the machines themselves are just one part of what makes an election secure. Bishop is one of the principals of the Computer Security Lab at UC Davis, recognized as a Center of Excellence by the National Security Agency.
“In my 30 years in this field, I’ve never seen a system that was perfectly secure, but proper policies and procedures can substantially improve the security of systems. Paper ballots aren’t perfect, either, but we’ve been working with them longer so we know more about how to control the weaknesses in a paper-based system,” he said.
Bishop told the New York Times he was surprised how easy it was to break through both physical and software defenses on the machines.
Professor Bishop said that all the machines had problems and that one of the biggest was that the manufacturers appeared to have added the security measures after the basic systems had been designed.
By contrast, he said, the best way to create strong defenses is “to build security in from the design, in Phase 1.”
The testing was carried out over the past two months in a secure room in the Secretary of State’s offices.
Copies of the public reports are available here. Bishop will testify at a public hearing today at the Secretary of State’s offices in Sacramento.
Update: The hearing is being webcast live here and broadcast on the California Channel.