June 10, 2004
Functionality vs. Security
Avi Rubin's May 5th testimony on the reliability of voting machines [pdf] is an interesting read, especially this section:
I’d like to stress one important point. Security and functionality are completely different things. Functionality is whether or not something works when it is used as planned. Functionality can be tested, and the tests can be used to make predictions about the future behavior of a system. Security, on the other hand, has to do with how a system behaves under unanticipated circumstances with an active, dynamic adversary trying to subvert it. By definition, you cannot test a system for security the way you test for functionality. It is inappropriate and incorrect to draw conclusions about the security of a system based on its past performance. The fact that this argument is consistently put forward in defense of the security of the DREs [electronic voting machines] demonstrates just how much real security expertise is needed in this process. You would not design a heart implant without feedback from cardiologists. You would not design defense systems for the physical security of this country without consulting military experts, and you should not design systems for computerized elections in this country without consulting computer security experts. I can assure you from my analysis of the Diebold machines that no such expertise was utilized.
The bottom line? After the debacle of the 2000 election in Florida, our election officials spent wildly in the hope of avoiding a repeat. The problem is that the election officials had no clue what they were buying, traditional tests were insufficient, and the technology vendors were happy to rush an immature product to market to chase election reform dollars.