Voting systems hacked in test

The successful invasions will be weighed in state's security review.

By Jim Sanders - Bee Capitol Bureau

Teams of computer hackers participating in a first-of-its-kind experiment in California have succeeded in breaking into all three electronic voting machines they targeted.

The systems were invaded in ways ranging from altering votes via a laptop computer to physically breaking into an electronic ballot box with small, concealable tools, the hackers reported to the state Friday.

Secretary of State Debra Bowen released a summary of the experts' findings Friday as part of a wide-ranging research project into the accessibility, security and viability of electronic balloting.

"It's a big deal for many people in this country," Bowen said of the hacking. "We are a democracy, and our very existence as a democracy is dependent on our having voting systems that are secure, reliable and accurate."

The hackers reported successful invasions that could "alter vote totals, violate the privacy of individual voters, make systems unavailable, and delete audit trails."

But Stephen Weir, head of the state association of county registrars, said the hacking was not an accurate portrayal of risk because researchers were given extensive access to the voting machines and their proprietary codes.

"This wasn't someone stealing the car -- it was someone taking the car with permission," Weir said.

Counties routinely lock up their voting machines to prevent sabotage, keep detailed access records, employ camera surveillance and conduct extensive testing to ensure accuracy, Weir said.

Perhaps the most important thing about the state's experiment, Weir said, was that the experts did not report finding any sabotage or illicit devices in voting machines to suggest they are handling ballots improperly.

"There's no smoking gun here," he said.

Bowen declined to comment specifically on flaws uncovered, saying she needed more time to review the findings released Friday.

Bowen said it is important to determine whether counties have adequate procedures to bar access or heighten security in ways that would prevent voting machines from being hacked.

"That's a matter for us to investigate, and pull apart, and analyze," she said.

Bowen will hold a public hearing Monday to solicit public, expert and industry comment on the voting machines, used statewide.

Bowen conceivably could move to decertify voting machines she deems unsecure.

Bowen said she has made no decision on what, if any, security changes are needed -- but she plans to do so by next Friday.

"I think it's important to point out that I'm not in competition or in an antagonistic posture with voting system vendors or local elections officials," she said. "We're all in this together."

The hacking experiment focused on machines by three voting-system firms -- Diebold, Sequoia and Hart. A fourth company, Election Systems & Software, did not provide vital data in time for its system to be reviewed, Bowen said.

The University of California conducted the state's "top-to-bottom" review of electronic voting machines under a $1.8 million contract with the secretary of state's office.

Bowen, unveiling the project May 9, noted that California has spent about $450 million on new voting systems in recent years, yet the "result is that people have more questions about whether votes are being counted as they are cast."

Nationwide, numerous questions have been raised about the security of electronic balloting, which encompasses everything from touch-screen voting machines to optical scan devices that count paper ballots.

During the October 2003 gubernatorial recall election, thousands of ballots in Alameda County for Democratic Lt. Gov. Cruz Bustamante were recorded on electronic machines as votes for Socialist John Burton before the error was corrected.

In Florida, Democrat Christine Jennings demanded an investigation last year into an electronic voting machine that she claims malfunctioned and cost her nearly 18,000 votes in a House of Representatives race that she lost by only 369 votes.

California counties use electronic machines extensively, but the state also requires that votes be documented in paper records that can be reviewed by voters and auditors.

Kim Alexander, president of the California Voter Foundation, a nonprofit public policy group, said the hacking successes reported Friday are disturbing but ultimately could lead to improvements.

"I think it's a wake-up call for the whole nation," Alexander said.

Officials of the Sequoia and Hart firms declined to comment in detail Friday on the successful hackings, saying they had just received the state's report and had not had time to study it. Diebold representatives could not be reached.

"This testing was not done in an official elections environment, with any of the procedures and processes employed ... by hard-working elections officials," said Michelle M. Shafer, a spokeswoman for Sequoia.

"Technology is only one piece of a system of checks and balances in voting security," added Josh Allen, a Hart spokesman, in a written statement.

The Sacramento Bee, 2100 Q St., P.O. Box 15779, Sacramento, CA 95852

(916) 321-1000