Until trustable computing platforms are standard, secure hardware must be added to PCs used in online voting systems

What you need to know
Gartner believes that until trustable computing platforms are widely available in standard PCs, online voting will require significant investment in additional security methods (such as smart cards or "portable sandboxes") to maintain the integrity of elections. The open review of online voting software is also required for high security and trust.

Analysis
A standard security tenet is that the criticality of the application defines how strongly the system must be secured. Online voting systems require the highest levels of security to maintain the integrity of the election process. Standard PCs are not secure enough to meet the security requirements of online voting. Software and hardware capabilities must be added.

Security requirements for online voting
The critical security requirements for online voting are:

• Authentication -- Voters' real-world identities must be strongly proved, and voters must be certain that their votes are sent to a legitimate voting system.
• Confidentiality -- Voters must be confident that unauthorised parties can't determine how they voted.
• Confirmation/nonrepudiation -- Voters must be certain that their votes are counted toward the candidate for whom they voted.

The physical systems used for in-person voting and mail-in absentee balloting don't provide perfect levels of these three categories of security, as proved by the 2000 US presidential elections. However, election fraud on a mass scale is difficult, costly and hard to conceal in old-fashioned physical voting systems. Online voting systems that accept votes from any PC, anywhere, escalate the risk.

Trustable computers are required
The MyDoom worm (see "How to Limit Damage from the MyDoom Worm") is the most-recent example of globally spread malicious software attacks that install Trojan software onto Windows-based PCs. Trojan software looks like a standard application, but it can include hostile capabilities, such as keystroke capture, screen scraping and remote control. This software has been discovered on public computers in cybercafes, college campuses and copy shops, as well as on PCs. Spyware -- software covertly installed by Web sites on visiting PCs -- poses a similar threat.

If this type of software can run on a PC while a voter is entering his or her vote online, there can be no guarantee of authentication, confidentiality or nonrepudiation. This risk may be acceptable for online commerce and even online banking, where transactions can be cancelled if fraud is suspected. However, even in those markets, the Trojan software problem has led to the use of out-of-band authentication (such as password generator tokens or text messaging to cellular phones) or additional hardware, such as smart cards or biometrics, for high-value transactions. Online voting is one of the highest-value transactions.

A trusted execution environment (see "Trustable Computing Platforms Defined" and "Three Scenarios for Trustable Computing Platforms") is required on PCs that participate in online voting to enable secure voting. A trusted execution environment ensures that untrusted software can't run while trusted software is running. This capability is not available on the standard PC platform because the Windows operating system and Intel processor architecture don't support the necessary safeguards.

The Trusted Computing Group (TCG) consortium ("Trusted Computing Group Will Have Little Impact") is developing standards for trustable computing platforms that will support a trusted execution environment. This environment will be built around Microsoft's Next-Generation Secure Computing Base modifications to its Windows kernel and Intel's LaGrand technology improvements to the standard PC CPU/motherboard hardware. Prior to 2008, trustable computing platforms will not be available in more than 80 percent of PCs (0.7 probability).

Temporary solutions
Online voting can be done using several methods that involve various degrees of cost and intrusion into voters' PCs to ensure security (see Note 1 for examples of online voting pilot programmes).

• Smart cards -- Voters are issued smart cards that can execute voting software on the card, as well as store identification information. Voters must be given smart-card readers or use alternative approaches, such as Universal Serial Bus connections.
• "Scan and block" -- Online voting systems download an applet to the voter's PC that scans the PC for known or suspected hostile software. This approach won't detect all forms of hostile software and is subject to many forms of attack (see "Scan, Block and Quarantine to Survive Worm Attacks").
• "Portable sandboxes" -- Online voting systems require the voter to download a voting application to his or her PC that implements a virtual secure operating environment ("sandbox"). This limits most forms of attack, but leaves openings for sniffer software that could monitor keyboard input.
• "Precinct in a box" -- As a compromise to totally remote voting, inexpensive commercial off-the-shelf machines could be hardened and distributed in secured locations. Ballots for appropriate jurisdictions are securely transmitted to the machines, and voters retrieve only the ballot for their districts of record. This method is particularly suited to military users -- a PC in a US military compound in Baghdad could record ballots for voters from Portland, Maine, to Portland, Oregon. The votes are then securely transmitted and distributed to the appropriate jurisdictions.

The limitations of the standard Windows-based PC platform that have made it impossible to prevent software, music and video piracy, also make it impossible to provide the high level of security required for online voting.

Open review
A more general requirement for voting systems is transparency and trust. Voters must believe that the government running the election system can't sway its results. Physical voting systems have poll-station monitors, proctors and citizen involvement during elections, which gain such trust. Online voting systems will use technology that is opaque to voters. Expert review and source code escrow must be enforced to ensure that voting results are not compromised by voting system manufacturers, election officials or others.

The open-source review of online voting systems should be mandatory to provide the transparency necessary to avoid vote-rigging claims. Although few ordinary citizens have the expertise to review source code meaningfully, privacy and activist groups could sponsor such testing. Many security consultancies will do it for free. Open review will increase trust in the online voting system and quickly ensure its security.

Key issues
What are the most-effective technologies and best practices to protect networks, systems, applications and data?

What technologies may expose enterprise IT systems and data to damaging security breaches?

Copyright © 1995-2009 CBS Interactive Limited. All rights reserved
ZDNET is a registered service mark of CBS Interactive Limited. ZDNET Logo is a service mark of CBS Interactive Limited.