California Internet Voting Task Force
Technical Committee Recommendations
Table of Contents
The VSDC, for purposes of this document, is that part of the infrastructure that receives ballots from the Internet and secures them. It may be replicated, it may be geographically distributed, and it may or may not be at the same location as the rest of the vote-handling infrastructure. We also assume that the VSDC may be managed by a vendor or contractor to the county, rather than by county employees.
However the vote-handling infrastructure is architected, there are strong engineering requirements on the design and location of the VSDC. In the following requirements, quantitative estimates of the engineering parameters required depend strongly on the size of the county and significance of the election. The certification panel and the county procurement personnel should make sure that the actual fielded system is built to a scale appropriate to the county or counties in question.
Requirement: The VSDC must be physically secureóat least as secure against physical intrusion as the county election agency where votes are stored and tallied.
Locked doors and guards would be prudent, especially in the last days of the i-voting window.
Requirement: The VSDC must be engineered for highly reliable vote storage.
The highest priority mission of the VSDC is to store ballots (in encrypted form) and, above all, not to lose any of them. This requires that the storage system used for votes must be redundant, must be invulnerable to power failures, and perhaps make use of write-once storage, such as CD-R.
Requirement: The VSDC must be architected for high availability.
"High availability" means that the VSDC must be up and available for voting for all but a negligible fraction of the time during the window in which i-voting is permitted. It should be engineered with redundant servers, redundant communication, and with smooth failover procedures so that if one resource goes down, the others remaining can automatically take up its slack with no loss of votes and minimal disruption.
Figure 1 shows, for example, redundant vote servers, each with redundant disks, and redundant connections to the Internet through multiple ISPís. Redundant resources should be architected for smooth failover. The VSDC will also need a battery-powered UPS (uninterruptable power supply) and a backup power generator to guard against power failures.
Requirement: The VSDC must have sufficiently high-bandwidth connections to the Internet.
It will need enough communication capacity to handle the maximum rate of votes that might reasonably be expected in the last hours that i-voting is permitted, and do so even if some of the connections to the Internet are down or are under denial-of-service attack.
Requirement: The VSDC servers must have sufficient computational performance to provide responses back to voters in a few seconds.
Fast response indicating that their ballot has been received is important for voter satisfaction and confidence, and it must be achieved even if some of the vote servers are down.
Requirement: The VSDC should have a connection to the county premises if it is not located there.
The connection does not need to be as secure, high-performance, or highly-available as the other parts of the VSDC.
Requirement: The VSDC must be equipped with systems and procedures to withstand most attacks on its servers, including denial-of-service attacks.
This requirement is generally met partly with some kind of "firewall", a system of special computers that filter traffic, and partly through vigilance on the part of operators, who should be wary of attacks and prepared to take fast action.
The firewall should block all incoming packets on all ports except those involved in voting, and should be configured to filter malformed packets and any other suspicious traffic.
A denial-of-service attack on a server is an attack designed either to clog the communications channels leading to the server so that requests to it and responses from it cannot get through, or to crash the server repeatedly so it gets no work done, or to overload the server with fraudulent requests that force it to take all of its time checking and rejecting them instead of dealing with legitimate requests. Such an attack does not aim to take control of the server or get it to do any specific thing; it just aims to keep the server from getting its work done, thereby "denying service" to all users as if there were a massive system failure. In the case of the vote servers of the VSDC, a successful attack would effectively prevent it from accepting votes.
There are numerous well-known denial-of-service attacks. Many can be ameliorated by careful firewall configuration. Others can be defended with the help of excess resources on the server, and redundant servers with smooth failover techniques. But the most comprehensive approach is to vigilantly monitor the server(s) and networks for such an attack and to be prepared quickly to cut communications with the network(s) from which the attack originates (although that would also cut off voters originating from that network). This requires skilled systems personnel. Any vendor or contractor who bids on a contract for i-voting in a California county should demonstrate that they have the resources and skills needed to defend against such attacks.