Copyright © 2007 jsd
The Pima County Division of Elections has put out a notice (reference 1) “to solicit input regarding the Pima County Election Security Plan.”
I surmise from reference 2 that the “Election Security Plan” they are talking about is reference 5. The only source I know of for this is as an attachment to reference 3. (If this is not the right “Security Plan”, please let me know, the sooner the better!)
Here are some specific observations. (See section 2 for additional discussion.)
That is, Division of Elections needs to have a comprehensive plan, covering all phases of operations.
Why? Because security needs to be baked-in, like the straw in the biblical bricks. It is not satisfactory to make bricks without straw and then sprinkle straw over them later.
Actually there are two sorts of plans that are needed:
This needs to be part of the overall operational plan. This may seem mundane, but it needs to be done right. Mundane things like this contribute to security in an important way. If we see a seal on the GEMS CPU, or on something else, how do we know it is the right seal?
This is an example illustrating that many details have been left out of reference 5.
There needs to be a well-codified procedure for what happens, for instance, if a box of ballots comes in from the field with its seals broken. Reference 5 says this “shall require immediate notification of Pima County Elections” ... but this leaves us with the question, what happens next? Mere “notification” doesn’t solve the problem. Should workers notify and then count the ballots? Or notify and then set the ballots aside? Should they re-seal the box pending further action, to prevent further problems?
And what will Pima County Elections do after they have been notified? It is nice that this problem has been foreseen; now the next step should be to foresee some solutions.
There needs to be a plan for restoring confidence in the GEMS hardware. It is not easy to solve this problem without the risk of making things worse. Much worse. A broken seal could easily signify the beginning of an attack.
As a rule, the sharing of userIDs is a bad idea. It is a violation of fundamental security principles. It leaves no record (except via the surveillance cameras) of who actually was at the computer. There needs to be a better way of accounting for who made what changes.
The split password idea does not solve this problem at all. It means that two people were present at the moment of login, but we don’t even know which two ... and the second person is free to leave immediately thereafter. There is nothing in the procedure to suggest that the second person takes any responsibility for what happens after login.
If you want to have each login countersigned by a second person, that’s fine ... but both the login and the countersigning need to be done using individual, unshared userIDs ... and individual, unshared passwords.
Individual userIDs with individual passwords are necessary as a prerequisite for item 8, for controlling access during the inevitable personnel turnover, for limiting the damage caused by the compromise of one password, and for many other reasons.
In particular, if there are multiple copies of the git repository, and no one person has access to all the copies, it becomes much harder for anyone to make surreptitious changes to any of the version-controlled documents.
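As an added illustration (not part of the original commentary), the following shell script checks that several independently held copies of a git repository still agree on the same commit, so that a rewrite made in one copy stands out when the copies are compared. The `check_copies` helper, the repository paths and the file names are assumptions; git must be installed.

```shell
#!/bin/sh
# Added example: compare independently held copies of a document repository.
# A copy whose HEAD commit differs from the others is flagged for
# investigation. Assumes git is on PATH.
set -eu

# check_copies REPO1 REPO2 ...
# Returns 0 and prints "agree" when every copy has the same HEAD commit;
# otherwise prints each divergent copy and returns 1.
check_copies() {
    ref=""
    refrepo=""
    status=0
    for repo in "$@"; do
        head=$(git -C "$repo" rev-parse HEAD)
        if [ -z "$ref" ]; then
            ref=$head
            refrepo=$repo
        elif [ "$head" != "$ref" ]; then
            echo "DIVERGENT: $repo ($head) differs from $refrepo ($ref)"
            status=1
        fi
    done
    [ "$status" -eq 0 ] && echo "agree: all copies at $ref"
    return $status
}

# Constructed demonstration: one master plus two mirrors, then a silent
# rewrite of the plan in one mirror (history rewritten with --amend, so no
# new commit appears in that copy's log).
demo() {
    work=$(mktemp -d)
    git init -q "$work/master"
    echo "Election Security Plan v1" > "$work/master/plan.txt"
    git -C "$work/master" add plan.txt
    git -C "$work/master" -c user.name=a -c user.email=a@x commit -q -m "plan v1"
    git clone -q "$work/master" "$work/copyA"
    git clone -q "$work/master" "$work/copyB"
    echo "altered" >> "$work/copyB/plan.txt"
    git -C "$work/copyB" -c user.name=a -c user.email=a@x commit -q -a --amend --no-edit
    # Expected: copyB is reported as DIVERGENT and the function returns 1.
    check_copies "$work/master" "$work/copyA" "$work/copyB"
}
```

Run `demo` to see the divergent mirror reported; in practice each custodian would run `check_copies` against the copies they can reach and compare the printed commit ids out of band.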
Reference 9 mentions the importance of unalterable logs. The County Administrator’s report (reference 3) calls for the introduction of “change control”.
A proper operational plan would include an item-by-item recitation of these flaws, along with a plan for mitigating each one.
And what about retention of other records, such as sign-in and sign-out logs?
It might make more sense to make a short list of what is allowed, and to forbid everything else. Why? Well, for starters, it would have been hard to foresee that it would be necessary to forbid Cropscan boxes.
Also: At present the County refuses to give observers the records of votes cast in previous elections. This is a problem, yet reference 5 does not offer any hint as to how this problem might be solved. In fact there are good reasons why such records should be released, and no good reasons why they should be withheld, as discussed in reference 8.
A proper security program has many elements. It is sometimes useful to categorize these as follows:
It is true, indeed proverbial, that you cannot have security without physical security. Reference 3 recommends spending millions of dollars to upgrade the physical security of buildings and facilities.
It is also true that you need to have systematic procedures with baked-in security. Reference 5 touches on some procedural issues. Some of them (such as split passwords) are not very good procedures, but at least this illustrates the sort of procedural detail that is needed. More generally, management needs to instill an attitude, a habit, a culture of incorporating security and transparency into every activity.
Last but not least, computers and computerized equipment need secure software and firmware. This is the moose on the table. This is the huge, huge problem that nobody is talking about.
The problem is that the Diebold software is terrible. Year after year, in report after report, the software is found to be deficient. As reference 11 put it, «Systems that are architecturally unsound tend to exhibit “weakness-in-depth” — even as known flaws in them are fixed, new ones tend to be discovered. In this sense, the Diebold software is fragile.»
The iBeta forensic report to the County (reference 4) pointed out that it is possible to steal an election in such a way as to leave “no clue that the files had been altered or replaced”. This is just completely unacceptable.
The County has not solved this problem, and apparently does not even have a plan for solving this problem. Reference 3 gives the impression that the County does not even recognize this as being a problem.
Reference 3 suggests replacing some voting equipment because it is “old” – not because it is horrifically insecure, but merely because it is “old”. Let’s be clear: replacing worn-out hardware will not alleviate the main security problem. Diebold software running on new hardware will still be horrifically insecure.
Fixing this problem will not be easy, because software quality problems afflict not only Diebold but its principal competitors as well. The California Secretary of State recently found it necessary to decertify Diebold, Hart InterCivic, Sequoia, and especially ES&S. See reference 12.
Lately there has been a campaign to encourage mail-in ballots. This is a mistake. This needs to be reversed. The policy should be that only persons who really need to use a mail-in ballot should do so.
Alas, this problem is not easily fixed because Diebold’s principal competitors are as bad or worse.
However, even if this problem is not easily fixed, it still needs to be fixed. It must remain the focus of attention until it is fixed.
Polling-place fraud is retail fraud. It happens (usually) on the scale of onesies and twosies. We should be much more worried about wholesale fraud, which is more likely to occur in back rooms.
Reference 5 takes a few steps in the right direction, but it is not a satisfactory plan. It cannot be converted into a satisfactory plan by minor editing here and there.
The County needs to call in an expert to prepare a comprehensive operational plan that includes baked-in security in all phases of operations.
The County needs to take strong measures to identify and procure a secure voting and counting system.
It appears that none of the staff involved in the preparation of reference 5 have sufficient expertise to prepare a plan of the sort that is needed. This conclusion is based on what we learned from the recent court case as well as from reference 5 itself. (I can go into details if anybody really needs them.)
NOTICE OF THE PIMA COUNTY DIVISION OF ELECTIONS PUBLIC HEARINGS REGARDING THE PIMA COUNTY ELECTION SECURITY PLAN
The Pima County Division of Elections will hold public hearings at the dates, times and places listed below to solicit input regarding the Pima County Election Security Plan. Anyone may submit comments or suggestions pertaining to the Election Security Plan at the public hearing. Written comments or suggestions will also be accepted by the Pima County Division of Elections Office, 3434 E. 22nd Street, Tucson, Arizona 85713 until Friday, December 14, 2007 at 5:00 p.m.
These hearings are accessible for persons with disabilities. Requests for accommodations must be made at least 48 hours in advance by contacting (520) 351-6830.
Friday, December 7, 2007 @ 2:00 p.m. Oro Valley Public Library, 1305 W. Naranja Drive, Meeting Room, Oro Valley, Arizona
Monday, December 10, 2007 @ 2:00 p.m. JLK/Bear Canyon Library, 8959 E. Tanque Verde Road, Meeting Room, Tucson, Arizona
Tuesday, December 11, 2007 @ 2:30 p.m. Pima County Public Works Building, 201 N. Stone Avenue, Basement, Conference Room "C", Tucson, Arizona
Friday, December 14, 2007 @ 2:00 p.m. Green Valley Library, 601 N. La Canada Drive, Meeting Room, Green Valley, Arizona