|

 
|
| | Name : | Stanley A. Klein | Organization : | N/A | Post Date : | 9/30/2005 |
| Comment : | Appendix B
Threat Summary from IEEE P1583 Draft 5.3.2 (provided to EAC/TGDC)
5.1.2.3 Threat Summary
This section lists generic threats to which a voting system may be subject. It is, of course, not
possible to enumerate all threats, but this establishes a lower bound on the threats that must be
defended against.
Assumptions:
a. The persons who may be attempting to compromise the election process, and thereby
the voting equipment, may be wellfinanced.
b. Given adequate unmonitored access there are motivated people who have the
training and ability to compromise the election equipment.
c. The need for anonymity (where required by cognizant authority) of voter ballot
reduces or entirely removes many traditional forms of auditing commonly used for
other electronic systems (such as ATMs in banks).
d. Strong physical security is required to prevent unauthorized or unmonitored access
during unattended storage periods.
e. For elections, the principal asset is governmental power. That power is transferred by
the results of counting voted secret ballots. Hence, integrity of the voted ballot is
critical through the entire process from capturing the voter's intent, casting it into the
ballot box, counting it to produce the election results, and finally retaining it to
resolve disputes.
f. The persons attempting to compromise the election process could be insiders with
full knowledge of the election system including, but not limited to, political
operatives, vendor personnel, polling place workers, or election administrators. | |
|
|