NIST and Computer Security Competencies and Resources to Support E-Voting and Security
Ed Roback, Chief, Computer Security Division, Information Technology Laboratory
July 9, 2004

NIST Security Statutory Mandates
- Federal Information Security Management Act (FISMA) of 2002
  - Federal security standards and guidelines
  - Minimum requirements
  - Categorization standards
- Support of Information Security and Privacy Advisory Board (ISPAB)

Statutory Mandates (concluded)
- Cyber Security Research and Development Act of 2002
  - Extramural research support
  - Fellowships
  - Intramural research
  - Checklists
  - National Research Council (NRC) study

General Security Issues with E-Voting Systems
- Accidental misuse
  - Non-malicious errors
- Voter manipulation
  - Over voting, voter coercion
- Vote manipulation
  - Modifying vote tallies
  - Adding/deleting votes
  - Results verification
- Modification of the software/firmware
- Addition/deletion of software/firmware

Specific Risks to E-Voting Systems
- Unauthorized modification of system components
- Alteration of system audit trails
- Modification/prevention of vote recording
- Adding vote data
- Adding duplicate votes

Specific Risks to E-Voting Systems (concluded)
- Modifying calculated vote totals
- Modifying vote tallies in transit
- Preventing access to individual votes and vote tallies
- Unauthorized access to vote data
- Unauthorized access to security-relevant data, e.g., audit logs
- Unauthorized disclosure of voting data
- Denial of service during or after an election
Security Controls, Risks, and Related NIST Documents and Standards

| Security Control | Risks | Related NIST Documents and Standards |
|---|---|---|
| Access Control | Unauthorized modification, unauthorized access | FIPS 190, FIPS 196, SP , SP |
| Assurance | Unauthorized modification, modifying votes, preventing vote recording, denial of service | FIPS 140-2, Common Criteria, SP , SP , SP A |
| Integrity | Duplicate/fraudulent votes, modifying vote totals, modifying tallies in transit | FIPS 180-2, FIPS , FIPS 198, SP , SP |
| Auditing | Altering audit trails, modifying vote record, preventing vote recording | SP , SP |
| Confidentiality | Unauthorized disclosure of vote data, audit data, system configuration | FIPS 46-3, FIPS 197, SP , SP , SP A |

Available via csrc.nist.gov
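The Integrity and Auditing rows above pair the risks "modifying tallies in transit", "duplicate votes" and "altering audit trails" with SHA-256 (FIPS 180-2) and HMAC (FIPS 198). The following is an added illustration, not code from the NIST deck, of how those two primitives give a tally log tamper evidence: each record is chained to the previous entry's tag, so a modified, duplicated or removed record fails verification. The key, record fields and precinct values are constructed for the demo.

```python
"""Tamper-evident tally log: SHA-256 (FIPS 180-2) hash chaining plus
HMAC (FIPS 198) so modified, inserted or deleted records are detected."""
import hashlib
import hmac
import json

# Constructed demo key. A real deployment would hold the key inside a
# validated (FIPS 140-2) module rather than in source code.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def append_record(log, record, key=DEMO_KEY):
    """Append a tally record whose tag also covers the previous tag."""
    prev_tag = log[-1]["tag"] if log else "genesis"
    body = json.dumps(record, sort_keys=True)
    tag = hmac.new(key, (prev_tag + "|" + body).encode(), hashlib.sha256).hexdigest()
    log.append({"record": record, "tag": tag})
    return tag


def verify_log(log, key=DEMO_KEY):
    """Return (ok, index_of_first_bad_entry). Truncation of the tail is
    only caught if the final tag is also published or stored separately."""
    prev_tag = "genesis"
    for i, entry in enumerate(log):
        body = json.dumps(entry["record"], sort_keys=True)
        expected = hmac.new(key, (prev_tag + "|" + body).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    return True, None


def build_demo_log():
    """Constructed precinct tallies; fresh dicts each call."""
    log = []
    for rec in ({"precinct": "P-01", "candidate": "A", "votes": 120},
                {"precinct": "P-01", "candidate": "B", "votes": 98},
                {"precinct": "P-02", "candidate": "A", "votes": 77}):
        append_record(log, rec)
    return log


def tampered_tally_detected():
    log = build_demo_log()
    log[1]["record"]["votes"] = 980      # tally altered in transit
    return verify_log(log)


def duplicate_record_detected():
    log = build_demo_log()
    log.insert(2, dict(log[1]))          # same votes replayed a second time
    return verify_log(log)


def deleted_record_detected():
    log = build_demo_log()
    del log[1]                           # audit record removed
    return verify_log(log)
```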
Applicable NIST Security Activities
- Cryptographic Standards and E-Authentication
  - Key management guidance
  - Identity management infrastructure
- Emerging Technologies
  - Smartcard infrastructure
  - Wireless/Mobile device security
  - Checklists/benchmarks
- Management and Assistance
  - Guide for selecting IT security products and services
  - Certification and Accreditation (C&A)

Applicable NIST Security Activities (concluded)
- Security Testing
  - Cryptographic Module Validation Program (CMVP)
  - Certification and Accreditation (C&A)
  - National Information Assurance Partnership (NIAP)
- Additional NIST security-related competencies
  - Protocols
  - Network Security
  - Forensics
  - Biometrics

Contact Information
Ed Roback, Chief, Computer Security Division
100 Bureau Dr., Stop 8930
Gaithersburg, MD
phone:
Web site: csrc.nist.gov