One of the most important ways to minimise the risks in using technology is to ensure that the technology is secure. This includes physical security, data access security, software security and virus protection.
Physical security
Ensuring the physical security of technology is one of the main ways to minimise the risks in using technology.
Physical security measures can be divided into two broad categories: security against environmental factors, such as fire, moisture, flood, heat, cold, power failure and animals; and security against human interference, either deliberate or accidental.
Physical security against environmental factors
The types of environmental security measures that can be taken depend on the types of technology being considered and where the technology is used. Security measures appropriate to technology that is designed to travel and/or be used in places with weak or non-existent infrastructures is different from technology that is static and used in office environments.
Where technology is powered by electricity (and most electoral technology is), it is crucial to secure the power source and to provide backup power supply equipment as an integral part of the technology system.
Power can be cut off without warning anywhere in the world. It is advisable to prevent the loss of data during a power interruption by connecting sensitive technology to an intermediary piece of equipment called an uninterruptible power supply (UPS). If the main power supply fails, the battery included in the UPS kicks into operation and supplies power for a limited period, during which time backups can be performed if necessary.
Some UPS systems also issue a warning signal once the main power source fails so that users are alerted to the problem and can take the necessary steps to prevent accidental data loss and conduct a controlled closing down of the system. UPS prices increase with the amount of power they are able to supply, the sophistication of the warning signals and with the period of time they are able to operate.
While power supplies are meant to provide a constant level of electricity, they can on occasion over-supply power. This is called a “spike” and can burn some components of technology equipment. Therefore the use of a voltage regulator between the piece of equipment and the power supply is advisable unless a UPS with a voltage regulator function is in use.
In countries that have unreliable power grids or where power supply can be systematically erratic, intermittent or non-existent, there might be a need to provide a generator capable of powering all the necessary equipment for extended periods. Generators also increase in price with the power they are able to deliver.
Various kinds of generators can be used, powered by various kinds of fuel, typically petrol or diesel, and they can be used as the main source of power supply or as a backup when the main power source fails. Generators can be coupled with UPS systems, so that the UPS can handle the transfer from the main power source to generator power.
Where a generator is used as the primary power source, it may be desirable to have one or more backup generators available in case the primary generator fails. Regular maintenance of generators can ensure that they operate effectively.
Another important aspect of physical security is ensuring that technology equipment, particularly computer equipment, is appropriately housed. Ideally, computer equipment is stored in sealed buildings with climate control, so that temperature and humidity are kept at constant, optimal levels, and dirt, dust, smoke and other contaminants are excluded. In many cases, normal building air conditioning systems that control cooling and heating are employed for this purpose.
In particularly harsh environments, however, or in the case of specifically sensitive equipment, normal air conditioning systems may not be sufficient, and special climate control systems may have to be installed. Concentrating equipment in dedicated, sealed rooms, with the climate controlled by a specialised air conditioning system, is one solution. These rooms need to be regularly and carefully cleaned, particularly for dust build-up (dust is attracted by the static electricity generated by computer equipment, especially video display screens).
Cigarette smoke residues can damage computer equipment. Ideally, smoking should not be permitted in workplaces for both the health of workers and their equipment.
It is advisable that equipment used out of doors or in unsecured buildings, such as equipment used by remote polling teams or in polling stations, come with its own secure containers to ensure that outside environmental factors such as dust or moisture do not affect it. It may be necessary to use equipment that is purposely built for use in remote locations, ensuring that it is robust and capable of functioning under adverse circumstances.
Telecommunications equipment also has special physical security needs. In particular, cables connecting computer networks need to be kept safe from harm. Cables are at risk of being gnawed by rodents and being tripped over by humans. Ways of safeguarding cables include shielding the cables inside ducts or strong sheaths, placing them inside walls, below floors and above ceilings, building false floors to enable cables to travel underneath them, burying cables underground or mounting them on poles. Where cables are at risk, alternatives such as microwave links could be considered.
Physical security against human factors
Many of the measures taken to secure technology against environmental factors can also be used to prevent accidental or deliberate human intervention with technology. Physical isolation, such as placing key items of technology like network servers, inside dedicated rooms, can help to reduce the chance of human intervention. Similarly, placing network cables inside walls, below floors and above ceilings makes them hard to access.
However, the most effective physical measure that can be taken to prevent human intervention in technology is to lock the technology inside secure premises. Modern technology has provided a wide range of sophisticated devices that can restrict entry to buildings and rooms to authorised persons only. These include:
- old-fashioned locks and keys
- locks operated by access code numbers (mechanical or computerised)
- locks operated by cards with magnetic strips
- locks that recognise biological features, such as finger prints, hand prints or retinas
- locks that require a combination of two or more of the above methods
The advantage of the more sophisticated locking systems that use computer systems to validate entry is that they can be used to monitor which individuals have accessed a facility and when. Locks that use biological features go one step further and ensure that only identified and verified individuals can enter a facility. Locks that do not incorporate biological features are not as secure since it is always possible for someone to steal someone else's entry card or access code numbers.
Surveillance is another form of security. Security guards can be used to verify entry to a facility. Security cameras can be used by security guards to monitor a range of access areas. Sensors can be used to monitor activity and set off alarms if security is compromised. If on-site security is too expensive, on-call security services can be employed at a lesser rate to patrol the premises from time to time and respond to alarm calls. Alarm systems can be set up that can not only ring a local alarm but can also set off an alarm at a remote security firm or police station.
While locks and surveillance systems are a good form of security, the overall level of security will only be as good as the weakest point in the security cordon. For example, many office buildings allow human access between floors in service ducts (usually for the purpose of providing air conditioning and cable access). It is important to ensure that access restrictions to technology cannot be overcome simply by a person climbing into an air-conditioning access point outside a secure area and getting into the secure area via the space above the ceiling.
If physical security to electoral technology is of high importance, it may be worth employing a security expert to conduct a security audit on the premises to ensure that all appropriate steps are taken.
The final form of security against undue human intervention in technology is to make it difficult or impossible for an unauthorised user to access or change the data held in computer systems. This can be achieved by restricting access to data through use of passwords and encryption.
Data access security
Much of the data held by an election management body (EMB) is sensitive information that is private or privileged and must be kept secure. Many computer programs used by EMBs must be safeguarded to ensure that election processes run fairly and that election results are not compromised by accidentally altered or deliberately sabotaged programs.
Physical security can be used to isolate computer equipment and prevent unauthorised access, but it is only the first line of defence. The next line of defence is data access security.
Password protection
The most common method of data access security is password protection. Several layers of password protection can be imposed. Computers can be set up to require a password before they can “boot up” and give users access to any of the data on the system, either on the computer's local hard drive or on the network. Networks can be configured to require all users to enter a correct user name and password before network access is permitted, so that even if an unauthorised user can operate a local computer they are not able to get onto the network.
Particular software programs can be password protected also, so that even if an intruder can gain access to the network, they cannot run particular programs. Finally, individual files can be password protected, so that intruders are not able to open them even if they gain access to the files or copy them to another system or to a removable disk.
Passwords are not foolproof, however. There are several basic rules that apply to use of passwords, aimed at ensuring that unauthorised users cannot discover them:
- Passwords are best never written down and left where an unauthorised user might find them. If passwords have to be written down, they need to be securely locked away.
- It is beneficial to change passwords regularly—about once a month is a good standard.
- The most effective passwords are the ones that are not obvious—the name of the user, the organisation, a relative, friend or famous person can be relatively easily guessed by others.
- The most secure passwords will contain a mixture of letters and numbers and, if the computer system is case sensitive, a mixture of upper and lower case letters, since such combinations are harder to crack.
- Short passwords are easier to crack—eight characters or more are considered a good length.
- Passwords are best not shared between colleagues, relatives or friends—each person can have their own password.
- In the case of very sensitive systems it may be advantageous for the computer system to keep track of which passwords are used at what times, and what data is accessed.
- It is desirable to limit the number of times in a session when a person can try to enter a password and fail. This is particularly important where password access is permitted on a public network like the Internet (some computer programs can be set up to automatically try huge numbers of possible passwords, if the system permits this).
- When an employee who is assigned a password resigns or leaves a workplace to work elsewhere, that person's password access is best revoked.
- System administrators need the ability to reset passwords for users who forget them.
- Anyone with password access to a computer system (including any externally employed contractors or systems administrators) will need to have a security clearance at a level appropriate to the data accessible on the system.
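As an added example (not code from the original article), the rules in the list above turned into a password policy check, together with the limit on failed attempts that the list recommends. MIN_LENGTH follows the eight-character rule; MAX_ATTEMPTS is an assumed figure, since the text gives no number; the names check_password and LoginGuard are this example's own.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8       # "eight characters or more are considered a good length"
MAX_ATTEMPTS = 5     # assumed limit on failed attempts in one session (the text gives no number)


def check_password(password: str, user_name: str, organisation: str,
                   case_sensitive: bool = True) -> list:
    """Return the rules from the list that the candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("needs a mixture of letters and numbers")
    if case_sensitive and not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper and lower case letters")
    lowered = password.lower()
    for obvious in (user_name, organisation):
        if obvious and obvious.lower() in lowered:
            problems.append("contains the easily guessed word '%s'" % obvious)
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash so a stolen password table is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    """Verifies passwords and limits the number of failed attempts per user in a session."""

    def __init__(self, users: dict):
        # Constructed user table; only the salt and hash are kept, never the password itself.
        self.records = {}
        for user, password in users.items():
            salt = os.urandom(16)
            self.records[user] = (salt, hash_password(password, salt))
        self.failures = {}

    def attempt(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'; a locked user is refused even with the right password."""
        if self.failures.get(user, 0) >= MAX_ATTEMPTS:
            return "locked"
        record = self.records.get(user)
        if record is not None and hmac.compare_digest(record[1], hash_password(password, record[0])):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "locked" if self.failures[user] >= MAX_ATTEMPTS else "denied"

    def revoke(self, user: str) -> None:
        """Remove a leaver's access entirely, as the list recommends."""
        self.records.pop(user, None)
```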
Limiting authorised access
Even where a user has log-in permission and a valid password, an EMB may not wish that user to access all the data held on the EMB's system. For example, casual staff employed to enter payroll data will have no need to access sensitive election results programs. Password access can be used to limit a user's right to access different parts of a system by applying different levels of access rights to different classes of users.
Where authorised access is provided, introductory screens displayed immediately after logging in can remind users of any legal requirements for maintaining the security of data and of any penalties that may apply to misuse of data.
Data storage locations
Another way to help keep data secure from unauthorised access is to limit the places in which data is stored. In networked computer systems, it is good practice to keep all data, particularly all sensitive data, on centralised servers rather than on local personal computers' hard drives. This practice means that any unauthorised intruder trying to access data has to pass two levels of security to reach it—both the local computer's and the network server's. It is generally more difficult to gain unauthorised access to data on a server than it is on a personal computer.
Another advantage of keeping sensitive data on servers is that it limits the number of computers that need a very high level of security. One way to steal data is to physically steal the computer on which it is stored. While it may be too cumbersome, expensive or impractical to keep all personal computers under high security, it is usually highly desirable and more practical to do so with at least the servers.
Remote access to data
Many computer networks allow remote access to data, by connecting to the network over a public system such as the Internet or the telephone system by dial-up modem. This level of access makes it much easier for unauthorised users to access data, because they do not have to gain physical access to EMB premises or a computer linked to the EMB's private network.
A risk assessment can be made to determine whether the level of risk of exposing a network to public dial-up or Internet access is worth the added convenience of allowing authorised users to have remote access. If a decision is made that remote access is needed, a technical expert in minimising the risks of remote access can be employed to ensure that the system is as secure as possible. To be most effective it is important to seek up-to-date advice, as the technology involved in this area is constantly changing.
Since sensitive networks that allow remote access can be targets for “hackers” who specialise in breaking the security of high profile networks, every possible step needs to be taken to minimise that risk. One way to do so, particularly if remote access is only needed for a limited range of functions, is to isolate the most sensitive data and programs from that part of the network accessible remotely, so that it is not possible to reach them other than through the local network.
Another way to limit the risks of allowing remote access is to only allow access to copies of data, with no access permitted to the original sets of data.
Firewalls
Firewalls are technological barriers built into computer networks to control access to the networks. Firewalls are intended to prevent unauthorised users from accessing data and programs protected by the firewalls. Technical experts in this field can advise on appropriate firewall technology for a given system.
Audit trails
Audit trails can be used to log the activities of persons accessing sensitive data. Audit trails can show which staff accessed which data, and can also indicate what changes to data were made, when they were made, and who made them. Properly used (and not ignored or overlooked), such audit trails can be powerful tools for either verifying that security breaches have not occurred, or can identify any breaches that have occurred.
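An added example, not code from the original article, of an audit trail that records who accessed or changed which data, when, and what the change was. Chaining each entry to the hash of the previous one, so that the verify step can detect an edited or deleted entry, goes beyond what the text describes; AuditTrail and its method names are this example's own.

```python
import hashlib
import json
from datetime import datetime, timezone


class AuditTrail:
    """Append-only log: each entry carries the digest of the entry before it."""

    def __init__(self):
        self.entries = []

    def record(self, user, action, record_id, before=None, after=None, when=None):
        """Log one access or change and return the new entry's digest."""
        entry = {
            "seq": len(self.entries),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user,
            "action": action,          # e.g. "read" or "update"
            "record": record_id,
            "before": before,
            "after": after,
            "prev": self.entries[-1]["digest"] if self.entries else "0" * 64,
        }
        entry["digest"] = self._digest(entry)
        self.entries.append(entry)
        return entry["digest"]

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """Return the sequence number of the first entry that breaks the chain, or None if intact."""
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["digest"]:
                return entry["seq"]
            prev = entry["digest"]
        return None

    def changes_to(self, record_id):
        """Who changed a record, when, and from what to what."""
        return [(e["user"], e["time"], e["before"], e["after"])
                for e in self.entries
                if e["record"] == record_id and e["action"] == "update"]
```

An attacker who alters an entry and recomputes its digest still breaks the link from the next entry, so verify() reports the entry after the altered one.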
Software security
Computer software programs are made up of complex code. Computer programs that perform sensitive operations related to running an election must run correctly, or the success and legitimacy of an election could be jeopardised. For example, should an intruder breach security and get access to software’s code, changes could be made that alter the computer-reported results of an election in a way that would be very difficult to detect.
Software security, therefore, is another line of defence in the battle to ensure electoral technology is kept secure.
External auditors can scrutinise the code used in electoral computer systems and verify that it performs appropriately. Computer code that has been externally audited can then be “escrowed,” or kept in secure off-site storage in an independent authority's control. This allows for the escrowed version to be compared to the “live” version of the code used for an electoral event.
In this way, it becomes possible not only to verify that computer software is free of any hidden flaws or deliberate attempts at manipulation, but also to verify after the software has been used that its code has not been changed or tampered with since it was audited.
This level of security may not be necessary for all software used by election management bodies, however it is highly useful for crucial systems such as electronic voting and electronic vote counting systems.
Another way of proving the integrity of computer software is using "open source" software rather than proprietary software since code of open source software is publicly available and external programmers can audit the code and satisfy themselves that it performs properly. This may be desirable where competing political participants wish to independently verify software code used for electoral purposes. Whether the advantages of providing code openly outweigh the risks of identifying areas of weakness will be a matter of judgement in each particular case.
Virus protection
Computer “viruses” are a serious threat to all computer systems, particularly systems linked in networks and systems connected to the Internet and to email services. Virus protection software is an essential part of any computer system.
What is a computer virus?
Computer viruses are programs developed by mischievous or malicious programmers that are capable of being attached to software or data files or of being installed on accessed computers to perform a wide range of functions from the benign to the malign.
Benign viruses can simply perform harmless (but usually annoying) functions such as displaying a pop-up message. Malign viruses can corrupt or change data or programs, destroy computer files, or cause massive amounts of email to be generated, threatening the stability of networks by overwhelming them with data.
Viruses are spread by transferring infected or malicious files from one computer to another. This can happen by transferring files to removable data disks, by accessing or downloading files on the Internet or a network, or by files sent by email. Viruses can be executable files (with an '.exe' filename extension) or files in other formats, such as word processing files containing macros. Running these executable files or opening files containing infected macros can cause a computer virus program to run that can potentially do a great deal of damage.
Some viruses take hold of email programs. By accessing a user's list of stored email addresses, a virus can replicate itself by sending copies of the virus to each email address. The multiplying effect of this strategy means that a virus can spread to a large number of computers all around the world in a short space of time.
Computers hit by a virus attack can be severely damaged, and a lot of data can be lost or compromised. In the worst cases a computer's hard disk can be rendered useless, and all data on it lost. In this situation the best that can be done is to reformat the hard disk (wipe it clean and start again) and reload all the necessary software from backups.
The possibility of a virus attack is a very powerful incentive to conduct regular, thorough backups of programs and data.
Virus protection software
The way to protect a system against a virus attack is to use virus protection software. Virus protection software is designed to run in a computer either on demand or in the background, so that the user is unaware of it unless a problem arises. Virus protection software is designed to recognise known viruses and prevent them performing their intended functions.
In addition, as new viruses appear frequently, virus protection software is also designed to identify the possible activity of a virus and prevent it from functioning. For example, a typical virus protection program places a “tag” on each known executable file on a computer. If an unknown executable file attempts to run a program, the virus protection emits an alert to the user asking whether the user wishes the program to run. If the user confirms that the executable file appears to be a virus, the virus protection software can delete the virus from the system.
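The escrow comparison from the software security section and the "tag" on known executables described above both come down to the same check: a manifest of file digests taken from an audited tree, compared against what is actually present. As an added example (not code from the original article), build_manifest and compare below implement that check; demo constructs an escrowed tree and a tampered live copy in a temporary directory, so the file names and contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare(escrowed: dict, live: dict) -> dict:
    """Classify differences between the audited (escrowed) tree and the live tree.

    'modified' is a file whose code changed since the audit, 'missing' an audited
    file that is gone, and 'unexpected' a file (for instance an unknown executable)
    that carries no tag because it was never audited.
    """
    return {
        "modified": sorted(p for p in escrowed if p in live and escrowed[p] != live[p]),
        "missing": sorted(p for p in escrowed if p not in live),
        "unexpected": sorted(p for p in live if p not in escrowed),
    }


def demo() -> dict:
    """Constructed scenario: audit a small tree, then tamper with the live copy and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        escrow, live = Path(tmp, "escrow"), Path(tmp, "live")
        for root in (escrow, live):
            (root / "count").mkdir(parents=True)
            (root / "count" / "tally.py").write_text("def tally(votes):\n    return sum(votes)\n")
            (root / "count" / "rules.cfg").write_text("rounding=none\n")
        audited = build_manifest(escrow)          # taken at audit time and kept off-site
        # Constructed tampering of the live copy: altered code, a deleted file, an unknown executable.
        (live / "count" / "tally.py").write_text("def tally(votes):\n    return sum(votes) + 1\n")
        (live / "count" / "rules.cfg").unlink()
        (live / "count" / "extra.exe").write_bytes(b"MZ\x90\x00")
        return compare(audited, build_manifest(live))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```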
As new viruses are developed, virus protection software has to play a continual game of “catch-up” for each new virus. As a result, virus protection software has to be frequently updated to ensure that it is capable of identifying and dealing with the latest known viruses. A structured regime for updating virus protection software can be part of an EMB’s technology strategy.
Safe computer practices
Regardless of the presence of virus protection software, some viruses can still escape detection and infect a computer system. In order to guard against this possibility, data should be regularly backed up and users should be taught safe computer practices.
All users need to be aware of the steps necessary to avoid catching a virus. First, virus protection software should be installed and kept running, not disabled. Systems administrators will often want to monitor virus software operation to ensure that users have not disabled their virus protection, or users can be prevented from disabling their virus protection.
Second, users need to be careful about opening files and particularly running executable programs if they are not sure that they are legitimately sent by a known source. Even emails from known contacts can be suspect, as viruses can control a user's email contact list and send messages using any name on the list.
Viruses sent by email can be accompanied by plausible and enticing messages that might encourage users to open the infected files. Users need to be cautious of such approaches.
If users are not confident that files or programs sent to them are legitimate they should not open them. If the files or programs appear to be inconsequential, they can be deleted from the computer including from the recycle bin. If the user is not sure whether a file or program is legitimate, the sender can be contacted to verify that the file or program is genuine.
When in doubt, users should contact the relevant help desk or technical assistant for advice.