Increased use of open source software could fortify U.S. election system security, according to an op-ed published last week in The New York Times.
Former CIA head R. James Woolsey and Bash creator Brian J. Fox made their case for open source elections software after security researchers demonstrated how easy it was to crack some election machines in the Voting Machine Hacking Village staged at the recent DefCon hacking conference in Las Vegas.
“Despite its name, open-source software is less vulnerable to hacking than the secret, black box systems like those being used in polling places now,” Woolsey and Fox wrote.
“That’s because anyone can see how open-source systems operate,” they explained. “Bugs can be spotted and remedied, deterring those who would attempt attacks.”
Open source software has proven to be so reliable and secure that it’s being used by the U.S. Defense Department, NASA and the U.S. Air Force, noted Woolsey and Fox.
Despite the benefits of open source software, Microsoft and other companies selling proprietary voting systems have lobbied aggressively against moving to open source, Woolsey and Fox contended.
“If the community of proprietary vendors, including Microsoft, would support the use of an open-source model for elections, we could expedite progress toward secure voting systems,” they suggested.
Microsoft did not respond to our request to comment for this story.
“There’s a role for proprietary software,” said Lawrence Rosen, an intellectual property attorney with Rosenlaw & Einschlag and former general counsel for the Open Source Initiative.
“Everything doesn’t have to be open source,” he told LinuxInsider, “but when we’re talking about elections software that requires the confidence of the voters, that’s different from whether my car radio is proprietary or open.”
Woolsey and Fox’s Times piece was particularly timely, coming as it did on the heels of the cracking fest at the Voting Machine Hacking Village.
“They confirmed what we already knew,” said James Scott, a senior fellow at the Institute for Critical Infrastructure Technology. “These are extremely vulnerable machines.”
“Think of what a voting machine is,” he told LinuxInsider. “It’s a 1980s PC with zero endpoint security in a black box where the code is proprietary and can’t be analyzed.”
Although the researchers at DefCon impressed the press when they physically hacked the voting machines in the village, there are more effective ways to crack an election system.
“The easiest way to hack an election machine is to poison the update on the update server at the manufacturer level before the election,” Scott explained. “Then the manufacturer distributes your payload to all its machines for you.”
Security Through Obscurity
Advocates for open source elections software argue that more transparency is needed in the systems.
“With closed source systems, you really have no idea what they’re doing,” said Nicko van Someren, executive director for the core infrastructure initiative at The Linux Foundation.
“Diligent states will do some sort of auditing of their own, but we know from history that any sort of security audit on any sort of code seldom shows up everything,” he told LinuxInsider.
“The more people you have examining the code, the more vulnerabilities you’re likely to find,” van Someren added.
Although largely discredited, a belief persists that keeping source code secret is more secure than open sourcing code.
“That’s wrong-minded,” van Someren said. “In practice, hackers can look at binaries and still find vulnerabilities.”
Even so, an ostrich attitude about security still prevails at some businesses, according to Brian Knopf, senior director of security research at Neustar.
“There are still some companies that have the idea that if they bury their head in the sand, if I ignore everyone else and don’t provide access, then no one will find anything,” he told LinuxInsider. “Clearly, that’s not the truth.”
Can’t Hack Paper
If elections systems makers aren’t willing to go the open source route, they at least need to open their code to expert eyes outside their organizations, maintained Mark Graff, CEO of Tellagraff.
“The source could be placed in escrow so an expert panel could look at it,” he told LinuxInsider, “but I don’t think that’s worked in the past, and I don’t know if you could line up the commercial interests to agree to do what the experts say.”
A simpler solution to the security problem involves paper ballots and post-election ballot auditing, said Barbara Simons, president of VerifiedVoting.
After all the votes are cast, a sampling of paper ballots would be compared manually to the electronic tally to determine the accuracy of the vote.
“Open source is a good thing — we support it — but there are always bugs that are not going to be caught,” Simons told LinuxInsider.
“What we need are paper ballots and manual post-election ballot audits,” she said.
“If we have those, even with proprietary software, we can protect our election from being hacked,” Simons maintained. “You can’t hack paper.”
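The post-election audit described above (a sample of paper ballots compared by hand with the electronic record), as an added example that is not part of the original article. It assumes each paper ballot carries an ID that links it to its machine record; the ballot data, sample size and seed are constructed for illustration.

```python
import random
from collections import Counter

def audit(paper, electronic, sample_size, seed):
    """Hand-compare a random sample of paper ballots with the machine records.

    paper, electronic: dict of ballot ID -> choice (the ID linkage is an assumption).
    """
    rng = random.Random(seed)  # a published seed lets observers redo the draw
    sampled = rng.sample(sorted(paper), min(sample_size, len(paper)))
    # A paper ballot with no machine record counts as a mismatch (lookup gives None).
    mismatches = [(b, paper[b], electronic.get(b)) for b in sampled
                  if paper[b] != electronic.get(b)]
    return {
        "sampled": sampled,
        "mismatches": mismatches,
        "paper_tally": Counter(paper[b] for b in sampled),
        "machine_tally": Counter(electronic.get(b) for b in sampled),
        # Machine records with no paper ballot behind them can never be sampled,
        # so they are reported separately.
        "no_paper": sorted(set(electronic) - set(paper)),
    }

def constructed_election(n=1000, altered=50):
    """Constructed data: n paper ballots, `altered` machine records changed A -> B."""
    paper = {f"B{i:04d}": ("A" if i % 5 < 3 else "B") for i in range(n)}
    electronic = dict(paper)
    a_ids = [b for b in sorted(paper) if paper[b] == "A"][:altered]
    for b in a_ids:
        electronic[b] = "B"
    return paper, electronic

if __name__ == "__main__":
    paper, electronic = constructed_election()
    result = audit(paper, electronic, sample_size=200, seed=12345)
    print("sampled:", len(result["sampled"]),
          "mismatches:", len(result["mismatches"]))
    print("paper tally:  ", dict(result["paper_tally"]))
    print("machine tally:", dict(result["machine_tally"]))
```

The check relies only on the paper ballots and the published machine records, so it works the same whether the voting software is open or proprietary.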
The misconception being promulgated here is that "more eyes looking at the code" equates to "security". This could not be further from the truth. I AM an avid supporter of open source technologies, and a career open source security practitioner, and I can tell you that there is far more to securing elections than simply "looking" at the voting application’s code. For example, "testing" the code in a runtime environment for known vulnerabilities would yield greater confidence that the application is actually secure.
At the present time, a quick search of the National Vulnerability Database with the keyword "Linux kernel" returns 2,340 matching records. In the scheme of "more eyes" security, who would be "looking" for these underlying vulnerabilities?
But leaving aside the underlying Linux operating system vulnerabilities and focusing exclusively on the voting application code, who in the "more eyes" security scheme is going to check the code against vulnerability categories?
Open source is made secure by a series of security techniques that are applied to the platform: run-time testing the voting application, hardening the operating system, addressing the hardware’s attack vectors, and penetration testing are a few of these security techniques.
No. As with so many tech solutions, the focus here is successfully solving a "problem" without bothering to ask if what they are doing may have unintended consequences. Here techies distract from the real problem: The political right has no interest in developing secure elections in which everyone can vote. They have strong interests in allowing states to determine voting because they control states. This work distracts from that problem, and seems to offer a "solution" that is not only politically impossible, but ignores the real issue. I think you need someone on staff who can see beyond a computer screen.
Last time I checked the Air Force was part of DoD.