
eVote System Certification in the USA

Jan 08, 2016


galeno

Page 1: eVote System Certification in the USA

Federal vs. State

Page 2: eVote System Certification in the USA

The Florida Recount Disaster of the year 2000 elections

Started the move towards eVote systems in the US

Old-fashioned manual punch card systems (Votomatic)

Often used in counties with low income, that had no money to buy new equipment

“hanging chads” – holes not fully punched through

Confusing paper ballot design

Uncertainty about voter intentions

Page 3: eVote System Certification in the USA
Page 4: eVote System Certification in the USA

National Association of State Election Directors (NASED), in effect since 1994

No federal funding

Voting systems tested by “Independent Testing Authorities (ITA)” using 1990 Federal Election Commission Voting System Standards (VSS)

Slightly updated in 2002 (before HAVA passing)

NASED reviews ITA report and certifies a system as “meeting federal standards”

Conflict of Interest: ITAs are commercial companies; vendors select the ITAs and pay them directly

ITAs have no interest in negative reports

Almost all systems used in US elections were NASED/ITA certified, yet the certification failed to prevent disasters like Florida 2000, or find the errors found in CA TTBR (see below)

Page 5: eVote System Certification in the USA

Passed in October 2002

Objective:

◦ Modernize US election technology to avoid situations like Florida 2000 in the future, through

◦ Creation of the Federal Election Assistance Commission (EAC), which would

◦ Establish uniform election system standards and create a new, more efficient federal certification system

And… 3.9 billion dollars in federal funding for states to buy new technology, guided by the EAC

Page 6: eVote System Certification in the USA

HAVA requires the EAC to develop new voting systems standards by January 1, 2004

These standards help states select technology to upgrade their election systems (using the federal funding) by January 1, 2006

BUT: Appointment of EAC commissioners delayed by almost 10 months

BUT: only US$ 2 million (of the US$ 30 million planned 2003 EAC budget for testing and R&D) was provided

No guidelines in 2003

Page 7: eVote System Certification in the USA

In 2004, of US$ 50 million budgeted for testing, research and development of standards, only US$ 1.2 million was paid out

No standards / certification in 2004

BUT: in 2004, US$ 1300 million was paid out to states to buy new technology

US Dept. of Justice insists on states having new equipment ready by January 1st, 2006

Huge new, unregulated market for voting equipment makers

Page 8: eVote System Certification in the USA

Equipment makers rush to market

Immature products, focus on features, not code design

Insecure software

Counties buy whatever looks good

No in-house IT expertise to evaluate

No EAC guidance on what’s good and what’s not

Thousands of small and not-so-small disasters caused by faulty voting systems

Page 9: eVote System Certification in the USA

Voluntary Voting System Guidelines (VVSG) published only on December 13, 2005 (designed by NIST, approved by EAC)

Went into effect only in 2007

To bridge the gap, in June 2006, the EAC essentially took over the NASED/ITA program, with all its flaws

EAC’s own testing and certification program started only in January 2007

Page 10: eVote System Certification in the USA

Similar system as NASED (ITAs are now “voting system test laboratories” or VSTLs)

Testing against VVSG 2005

BUT: similar conflict of interest (direct VSTL payment and selection)

Still voluntary, states may require EAC certification, but don’t have to

Better: “Quality Monitoring Program” reviews systems after certification, and may de-certify for vendor misinformation, use of non-certified versions in the field, unauthorized change, malfunction and bugs in the field, etc.

Updated VVSG II are still not finished, EAC tests against 2005 standards

Page 11: eVote System Certification in the USA

VVSG 2005 are fairly comprehensive, but EAC testing methods to verify them are not sufficient

EAC testing is “friendly” testing: it defines test cases based on functions that the equipment is supposed to have

“Does it do what it says it does?”

Predictable, does not anticipate unusual situations or creative attacks

Adversarial testing: Assemble a group of smart people, and say “Let’s see if we can break this!”

State certification programs like California TTBR, Ohio Everest, Florida SAIT

Page 12: eVote System Certification in the USA

Introduced in 2007 by Secretary of State (SoS) Debra Bowen in response to weak federal certification

All currently certified systems in use in CA are reviewed under new methodology

Severe security flaws found with all systems

SoS Office decertifies all systems for use in California (both Scanners and DREs)

Imposes strict usage conditions for re-certification

◦ for Sequoia and Diebold, only early voting, on eDay only one machine per polling place (for disabled access)

◦ all results from them must be manually recounted (100%)

◦ Hart Intercivic may be used more freely

◦ ES&S didn’t submit its software and was directly decertified

All vendors must produce plans to “harden” their equipment to protect against security vulnerabilities found by the TTBR

Page 13: eVote System Certification in the USA

States had been rushed by the Dept. of Justice to buy machines by January 1, 2006, even without EAC guidance

Now, in CA, millions of US$ worth of equipment (especially DREs) sat in storage, and could not be used: wasted taxpayer dollars

Counties had to revert to paper elections (e.g. Santa Clara Ct) or buy different, certified machines, spending extra money

Page 14: eVote System Certification in the USA

Penetration analysis / Red Team attacks

◦ first w/o system knowledge, then with full system knowledge

Source Code / Architectural review

Hardware review

Documentation review

Accessibility review

Threat assessment, define use conditions to mitigate the security weaknesses found

Page 15: eVote System Certification in the USA

Vendor pays SoS, not test lab

SoS then selects team who will audit

No conflict of interest

Audit teams are from State University (Professor and Grad students) – not commercial companies

Name and CV of each participating auditor is published online: academic reputation as guarantor of integrity

Teams elaborate report, SoS issues:

◦ certification,

◦ conditional certification (under use conditions), or

◦ rejection

Complete reports of teams are available online, not just summaries

Page 16: eVote System Certification in the USA

SoS must be informed for each system change

SoS decides:

◦ if the change is “minor” it “rolls over” the certification to the new version

◦ otherwise, full new certification is required

Temptation for vendor to not declare system changes to avoid cost of re-certification

◦ Case of ES&S – In Nov 2007, SoS sued ES&S for selling 972 AutoMARK Model A200 ballot-marking machines to several counties that contained hardware changes that were not authorized by the Secretary of State

◦ Settled against fine of $3.25 Million in 2009

Page 17: eVote System Certification in the USA

Problem: need for system upgrades often arises on short notice

Not enough time to develop new software and pass through certification process in time for elections (takes months)

Because EAC certification is weak, states have their own systems, but this forces vendors to pay for all the different certifications in all states they want to sell in

Prohibitively costly and time consuming

Market consolidation, only strongest vendors survive

Page 18: eVote System Certification in the USA

One strong federal certification system (modeled on State best practice) should make state certification superfluous

Cheaper for vendors, easier market entry

Page 19: eVote System Certification in the USA

Thank you