Voting System Security as per the VVSG

Transcription

1 Voting System Security as per the VVSG Austin Conference on State Certification Testing for Voting Systems (2017) Michael Santos Test Manager SLI Compliance

2 Elements of Security Outside Vendor Control Is the Voting manufacturer responsible for all aspects of security? An effective security program requires well-defined security practices by the purchasing jurisdiction and the personnel managing and operating the system. These practices include: Administrative and management controls for the voting system and election management--including access controls Internal security procedures Adherence to, and enforcement of, operational procedures (e.g., effective password management) Security of physical facilities Organizational responsibilities and personnel screening

3 Objectives of Security for Voting Systems What is meant by Security? The objectives of the security standards for voting systems are: To protect critical elements of the voting system To establish and maintain controls to minimize errors To protect the system from intentional manipulation, fraud and malicious mischief To identify fraudulent or erroneous changes to the voting system To protect secrecy in the voting process

4 Security, as per the VVSG Security requirements of the VVSG are intended to address a broad range of risks to the integrity of a voting system. These include: Unauthorized changes to system capabilities for: Defining ballot formats Casting and recording votes Calculating vote totals consistent with defined ballot formats Reporting vote totals Alteration of voting system audit trails Changing, or preventing the recording of a vote Introducing data for a vote not cast by a registered voter Changing calculated vote totals Preventing access to vote data-- individual votes and vote totals by unauthorized individuals Preventing access to voter identification data and data for votes cast by the voter such that an individual can determine the content of specific votes

5 Elements of Security What are the main areas of Security within a Voting system? Physical Address security measures and procedures that prevent disruption of the voting process at the polling place and corruption of voting data. Access Control Address procedures and system capabilities that limit or detect access to critical system components in order to guard against loss of system integrity, availability, confidentiality, and accountability. Software Address the installation of software, including firmware, in the voting system and the protection against malicious software. Note that this includes auditing of the system. Telecommunications and Data Transmission: Address security for the electronic transmission of data between system components or locations over private, public, and wireless networks.

6 Physical Security What is Physical Security? Polling Place Security Vendors shall develop and provide detailed documentation of measures to enable poll workers to physically protect and perform orderly shutdown of voting equipment The measures shall provide for the protection of the polling place voting equipment allow the immediate detection of tampering with vote casting devices and precinct ballot counters. control physical access to a telecommunications link if such a link is used Central Count Location Security Vendors shall develop and document in detail the measures to be taken in a central counting environment. These measures shall include physical and procedural controls related to the handling of ballot boxes, preparing of ballots for counting, counting operations and reporting data

7 Access Control Security What is Access Control? Access controls provide assurance that system resources such as data files, application programs, and computerrelated facilities and equipment are protected against unauthorized operation, modification, disclosure, loss or impairment. Software access controls Effective password management Segregation of duties security software programs designed toprevent or detect unauthorized access to sensitive files Hardware access control keeping computers in locked rooms to limit physical access Security tape, ties Keyed access

8 Software Security What is Software Security? Software and Firmware Installation Installation of system applications are correct and unmodified Protection Against Malicious Software Procedures are developed and documented to deploy protection against the many forms of external threats Software Distribution Document all software including voting system software, third party software (such as operating systems and drivers) to be installed on the certified voting system Software Setup Validation Verify that the correct software is loaded, that there is no unauthorized software, using the reference information (hash codes/digital signatures) from the National Software Reference Library (NSRL) (EAC)

9 Software Security What is Audit? Audit Audit trails are essential to ensure the integrity of a voting system. The audit record data is essential to the complete recording of election operations and reporting of the vote tally. These include: Pre-election System Readiness In-Process Vote Tally Maintain a permanent record of all original audit data that cannot be modified or overridden but may be augmented by designated authorized officials in order to adjust for errors or omissions (e.g., during the canvassing process) Detect and record every event The real time audit record shall be active whenever the system is in an operating mode, with the time-and-date stamp. This record shall be available at all times, though it need not be continually visible.

10 TeleCommunications and Data Transmission Security Telecommunications and Data Transmission Areas that must be addressed by telecommunications and data transmission security capabilities, include: data integrity, detection and prevention of data interception protection against external threats.

11 Data integrity, detection and prevention of data interception Data integrity, detection and prevention of data interception Ensure the receipt of valid vote records is verified at the receiving station. This should include standard transmission error detection and correction methods such as checksums or message digest hashes. Implement an encryption standard currently documented and validated for use by an agency of the U.S. government Provide a means to detect the presence of an intrusive process, such as an Intrusion Detection System

12 Protection against external threats Protection against external threats. Use protective software at the receiving-end of all communications paths to: i. Detect the presence of a threat in a transmission ii. Remove the threat from infected files/data iii.prevent against storage of the threat anywhere on the receiving device iv. Provide the capability to confirm that no threats are stored in system memory and in connected storage media

13 Election System Security Critical Focus Areas to Consider Election system security is more critical now than ever and is as important as voting system security.

14 Questions?