Transcript Federal vs. State       Started the move towards eVote systems in the US Old-fashioned manual punch card systems (Votomatic) Often used in counties with low.

Federal vs. State






Started the move towards eVote systems in
the US
Old-fashioned manual punch card systems
(Votomatic)
Often used in counties with low income, that
had no money to buy new equipment
“hanging chads” – holes not fully punched
through
Confusing paper ballot design
Uncertainty about voter intentions







National Association of State Election Directors (NASED), in
effect since 1994
No federal funding
Voting systems tested by “Independent Testing Authorities
(ITA)” using 1990 Federal Election Commission Voting
System Standards (VSS)
Slightly updated in 2002 (before HAVA passing)
NASED reviews ITA report and certifies a system as
“meeting federal standards”
Conflict of Interest: ITAs are commercial companies;
Vendors selects, and pays directly to the ITAs  ITAs have
no interest in negative reports
Almost all systems used in US elections were NASED/ITA
certified, yet the certification failed to prevent disasters
like Florida 2000, or find the errors found in CA TTBR (see
below)


Passed in October 2002
Objective:
◦ Modernize US election technology to avoid
situations like Florida 2000 in the future, through
◦ Creation of the Federal Election Assistance
Commission (EAC), which would
◦ Establish uniform election system standards and
create a new, more efficient federal certification
system

And… 3.9 billion dollars in federal funding
for states to buy new technology, guided by
the EAC





HAVA requires the EAC to develop new voting
systems standards by January 1, 2004
These standards help states select technology
to upgrade their election systems (using the
federal funding) by January 1, 2006
BUT: Appointment of EAC commissioners
delayed by almost 10 months
BUT: only US$ 2 million (of the US$ 30 million
planned 2003 EAC budget for testing and
R&D) was provided
 No guidelines in 2003





In 2004, of US$ 50 million budgeted for testing,
research and development of standards, only US$ 1.2
million were paid out
 No standards / certification in 2004
BUT: in 2004, US$ 1300 million was paid out
to states to buy new technology
US Dept. of Justice insists on states having
new equipment ready by January 1st, 2006
 Huge new, unregulated market for voting
equipment makers







Equipment makers rush to market
Immature products, focus on features, not
code design
Insecure software
Counties buy whatever looks good
No in-house IT expertise to evaluate
No EAC guidance on what’s good and what
not
 Thousands of small and not-so-small
disasters causes by faulty voting systems




Voluntary Voting System Guidelines (VVSG)
published only in December 13, 2005 (designed
by NIST, approved by EAC)
Went into effect only in 2007
To bridge the gap, in June 2006, the EAC
essentially took over the NASED/ITA program,
with all its flaws
EAC’s own testing and certification program
started only in January 2007






Similar system as NASED (ITAs are now “voting
system test laboratories” or VSTLs)
Testing against VVSG 2005
BUT: similar conflict of interest (direct VSTL payment
and selection)
Still voluntary, states may require EAC certification,
but don’t have to
Better: “Quality Monitoring Program” reviews systems
after certification, and may de-certify for vendor
misinformation, use of non-certified versions in the
field, unauthorized change, malfunction and bugs in
the field, etc
Updated VVSG II are still not finished, EAC tests
against 2005 standards





VVSG 2005 are fairly comprehensive, but EAC
testing methods to verify them are not sufficient
EAC is “friendly” testing - defines test cases
based on functions that the equipment is
supposed to have
“Does it do what it says it does?”
Predictable, does not anticipate unusual
situations or creative attacks
Adversarial testing: Assemble a group of smart
people, and say “Lets see if we can break this!” 
State certification programs like California TTBR,
Ohio Everest, Florida SAIT






Introduced in 2007 by Secretary of State (Sos) Debra Bowen in
response to weak federal certification
All currently certified systems in use in CA are reviewed under
new methodology
Severe security flaws found with all systems
SoS Office decertifies all systems for use in California (both
Scanners and DREs)
Imposes strict usage conditions for re-certification
◦ for Sequoia and Diebold, only early voting, on eDay only one machine per
polling place (for disabled access)
◦ all results from them must be manually recounted (100%)
◦ Hart Intercivic may be used more freely
◦ ES&S didn’t submit its software and was directly decertified
all vendors must produce plans to “harden” their equipment to
protect against security vulnerabilities found by the TTBR



States had been rushed by the Dept. of
Justice to buy machines by 1. Jan 2006, even
without EAC guidance
Now, in CA, millions of US$ worth of
equipment (especially DREs) sat in storage,
and could not be used  wasted taxpayer
dollars
Counties had to revert to paper elections (e.g.
Santa Clara Ct) or buy different, certified
machines, spending extra money

Penetration analysis / Red Team attacks
◦ first w/o system knowledge, then with full system
knowledge





Source Code / Architectural review
Hardware review
Documentation review
Accessibility review
 Threat assessment, define use conditions
to mitigate the security weaknesses found





Vendor pays SoS, not test lab
SoS then selects team who will audit
 No conflict of interest
Audit teams are from State University (Professor and Grad
students) – not commercial companies
Name and CV of each participating auditor is published online 
academic reputation as guarantor of integrety

Teams elaborate report, SoS issues:

Complete reports of teams are available online, not just
summaries
◦ certification,
◦ conditional certification (under use conditions), or
◦ rejection


SoS must be informed for each system change
SoS decides:
◦ if the change is “minor” it “rolls over” the certification to
the new version
◦ otherwise, full new certification is required

Temptation for vendor to not declare system
changes to avoid cost of re-certification
◦ Case of ES&S – In Nov 2007, SoS sued ES&S for selling
972 AutoMARK Model A200 ballot-marking machines to
several counties that contained hardware changes that
had were not authorized by the Secretary of State
◦ Settled against fine of $3.25 Million in 2009




Problem: need for system upgrades often arise
with short notice
Not enough time to develop new software and
pass through certification process in time for
elections (takes months)
Because EAC certification is weak, states have
their own systems, but this forces vendors to pay
for all the different certification in all states they
want to sell in  Prohibitively costly and time
consuming
Market consolidation, only strongest vendors
survive


One strong federal certification system
(modeled on State best practice) should make
state certification superfluous
Cheaper for vendors, easier market entry
Thank you!
[email protected]