Transcript Jan 22, 2004
Security researchers say an Internet voting system for U.S. citizens overseas is so insecure that it should be ditched.
The Pentagon developed a Web-based Internet voting system for soldiers and other Americans abroad. The Secure Electronic Registration and Voting Experiment, or SERVE, will get its first test February 3rd in South Carolina's primary election. Six other states have signed on.
The Pentagon stands by its system, but computer security experts from Johns Hopkins University, The Lawrence Livermore National Laboratory, University of California Berkeley, and an independent researcher, claim that SERVE is highly vulnerable to malicious hackers or even terrorists. The four security experts are among 10 the Pentagon asked to study SERVE to look for vulnerabilities.
David Wagner is assistant professor of computer science at UC Berkeley.
WAGNER: When people vote from insecure home computers over an insecure network you can end up with an insecure election. So for instance, we've suffered from virus attacks in the computer industry in the past. Now imagine a custom virus that specially targets SERVE. If you vote from an infected machine the virus could change your vote without you realizing it. So we could very easily see vote fraud on a massive scale. It could be launched from outside of U.S. soil and might even go completely undetected.
How is SERVE supposed to work?
WAGNER: The SERVE system is very familiar. If you've ever bought anything over the Web you will understand how to use the voting system. You use a Web browser, and you select your choices using a Web browser.
Go into a little more detail -- how would a malicious hacker or even a terrorist compromise this system?
WAGNER: We identified several different risks to the system. One of the risks is that all of the votes are stored on a single, central server. That server presents a very tempting, large, single point of failure. If that computer gets hacked, all the votes cast through SERVE could be viewed or modified. Another risk is denial of service attacks, which could render the SERVE Web site unreachable. Defense Department spokesman Glenn Flood says the Pentagon is confident the Internet voting system is secure. He says the Pentagon has already addressed the concerns raised by the security researchers. SERVE is scheduled to be used for primary elections in Arkansas, Florida, Hawaii, North Carolina, South Carolina, Utah and Washington.And as a result many voters might be unable to vote on election day. So there could be significant disruption to an online election.
What ought to be done?
WAGNER: We're recommending that the system be shut down. Unfortunately, there seems to be no way to fix these problems.
