I had always though I will not write anything related to politics. And yet today I am making an exception. The only reason I do so is because I believe that security has far bigger considerations and implications then just proving out if a cell phone or smart TV or laptop or server or an EVM can be hacked. So it is important to understand these consideration and implications.
First of all I start with a belief that any electronic device or system that works with some sort of computer language or commands, has some form of connectivity with other systems, and uses a program to deliver some specific functions has a potential to be hacked. It implies that Electronic Voting Machines can be hacked. So what?? Because Core Banking Systems can be hacked too, Airlines flight management systems can be hacked too and Nuclear Power Plants can be hacked too.
That being said all security vendors are constantly working to make systems more and more secure. Layer after layer of security is been designed and added to make these systems less vulnerable. Things like firewall, encryption, intrusion prevention, white listing, role based access controls, super user controls, adaptive access controls, location awareness and acceptable hours usage etc. have all made systems far more secure than they were earlier. Still no one can claim to have a fool proof and completely secure system.
While we continue to enhance our security capabilities we have to take into consideration some of the aspect like
1. Is the system designed to be secure and is it being upgraded with the latest improvements in security technologies - Weather it is a Nuclear Power Plan or and EVM continuous improvement is important.
2. Nature of the System - If a Nuclear Power Plant is hacked consequences can be catastrophic for millions or people, vegetation and landscape for the next hundreds of years. Although EVM hacking will have an impact but probably not as bad is the nuclear power plant.
3. Number of Systems - A nuclear power plant might have 6 or 7 layers of security. But once you bypass them you might have access to the entire power plant or at least a portion that can have significant impact. While an EVM might have just 2 or 3 layers of security; bypassing them might give you access to just that EVM. One can argue that just a few EVM's might not be good enough to change the course of the election result.
4. Complexity and Time required to hack - If the security layers are complex enough and they in turn make it more time consuming to hack; then the significant effort and time required to hack thousands of EVM's would be a big deterrent.
5. Location of Hacking - The nuclear power plant does not move but EVM's do. Hacking them when they are all put together in counting centers would be a lot easier when compared to hacking them at polling booth during polling. Simply because you might need thousands of hackers instead of a few due to location.
6. Detection - If a system is hacked then how soon can that be detected is a very important measure. Your ability to respond depends upon how fast you can detect. In case of the nuclear power plant one would want to detect any malicious activity and start responding at the same instant. The reality is that in a lot of systems security breach detection either never happens or takes too much time; sometimes years as in the case of yahoo mail.
7. Tamper Proof Audit Logging - The ability to log information about who did what, when, how, using what, before values, after values etc. is a critical functionality of security systems. Such information aids in forensic analysis during hacks. It can also be used to prove that things are working as expected. The key element though is "How these Audit Logs are tamper proof ?"
Above are just a few points to think about in the recent row of EVM Hacking in India. I am sure there are a lot more of them. My sole purpose with this post is to make the electorate more aware and thoughtful about the issue.
First of all I start with a belief that any electronic device or system that works with some sort of computer language or commands, has some form of connectivity with other systems, and uses a program to deliver some specific functions has a potential to be hacked. It implies that Electronic Voting Machines can be hacked. So what?? Because Core Banking Systems can be hacked too, Airlines flight management systems can be hacked too and Nuclear Power Plants can be hacked too.
That being said all security vendors are constantly working to make systems more and more secure. Layer after layer of security is been designed and added to make these systems less vulnerable. Things like firewall, encryption, intrusion prevention, white listing, role based access controls, super user controls, adaptive access controls, location awareness and acceptable hours usage etc. have all made systems far more secure than they were earlier. Still no one can claim to have a fool proof and completely secure system.
While we continue to enhance our security capabilities we have to take into consideration some of the aspect like
1. Is the system designed to be secure and is it being upgraded with the latest improvements in security technologies - Weather it is a Nuclear Power Plan or and EVM continuous improvement is important.
2. Nature of the System - If a Nuclear Power Plant is hacked consequences can be catastrophic for millions or people, vegetation and landscape for the next hundreds of years. Although EVM hacking will have an impact but probably not as bad is the nuclear power plant.
3. Number of Systems - A nuclear power plant might have 6 or 7 layers of security. But once you bypass them you might have access to the entire power plant or at least a portion that can have significant impact. While an EVM might have just 2 or 3 layers of security; bypassing them might give you access to just that EVM. One can argue that just a few EVM's might not be good enough to change the course of the election result.
4. Complexity and Time required to hack - If the security layers are complex enough and they in turn make it more time consuming to hack; then the significant effort and time required to hack thousands of EVM's would be a big deterrent.
5. Location of Hacking - The nuclear power plant does not move but EVM's do. Hacking them when they are all put together in counting centers would be a lot easier when compared to hacking them at polling booth during polling. Simply because you might need thousands of hackers instead of a few due to location.
6. Detection - If a system is hacked then how soon can that be detected is a very important measure. Your ability to respond depends upon how fast you can detect. In case of the nuclear power plant one would want to detect any malicious activity and start responding at the same instant. The reality is that in a lot of systems security breach detection either never happens or takes too much time; sometimes years as in the case of yahoo mail.
7. Tamper Proof Audit Logging - The ability to log information about who did what, when, how, using what, before values, after values etc. is a critical functionality of security systems. Such information aids in forensic analysis during hacks. It can also be used to prove that things are working as expected. The key element though is "How these Audit Logs are tamper proof ?"
Above are just a few points to think about in the recent row of EVM Hacking in India. I am sure there are a lot more of them. My sole purpose with this post is to make the electorate more aware and thoughtful about the issue.
No comments:
Post a Comment