As you may recall, my day job involves computer security. A significant element in security is threat modeling, where one lays out the overall structure of the system, identifies areas of threats (defined as theoretical means of attack), finds corresponding vulnerabilities (defined as practical implementations of threats), and rates them based on their overall risk to the system.

In the case of voting, I’ve worked out threat models based on the architecture of voting systems common to the United States. I did this several years ago, in fact, because the topic has been discussed frequently at various security conferences. Unsurprisingly, the focus at computer security conferences has been on electronic voting machines, but I was prompted to look outside the obvious. After all, to the man with a hammer, the world is made of nails; to the computer security conference attendee, the security vulnerabilities of interest are in computers. I wanted to go further, so I looked at the entire system.

Where are some of the threats? What vulnerabilities arise from them? How bad are they? And what can and should be done about them?