eVote System Certification in the USA

1. eVote System Certification in the USA Federal vs. State

2. The Florida Recount Disaster of the year 2000 elections • Started the move towards eVote systems in the US • Old-fashioned manual punch card systems (Votomatic) • Often used in counties with low income, that had no money to buy new equipment • “hanging chads” – holes not fully punched through • Confusing paper ballot design • Uncertainty about voter intentions

4. The old federal certification process • National Association of State Election Directors (NASED), in effect since 1994 • No federal funding • Voting systems tested by “Independent Testing Authorities (ITA)” using 1990 Federal Election Commission Voting System Standards (VSS) • Slightly updated in 2002 (before HAVA passing) • NASED reviews ITA report and certifies a system as “meeting federal standards” • Conflict of Interest: ITAs are commercial companies; Vendors selects, and pays directly to the ITAs  ITAs have no interest in negative reports • Almost all systems used in US elections were NASED/ITA certified, yet the certification failed to prevent disasters like Florida 2000, or find the errors found in CA TTBR (see below)

5. "Help America Vote Act" (HAVA) • Passed in October 2002 • Objective: • Modernize US election technology to avoid situations like Florida 2000 in the future, through • Creation of the Federal Election Assistance Commission (EAC), which would • Establish uniform election system standards and create a new, more efficient federal certification system • And… 3.9 billion dollars in federal funding for states to buy new technology, guided by the EAC

6. New certification process delayed • HAVA requires the EAC to develop new voting systems standards by January 1, 2004 • These standards help states select technology to upgrade their election systems (using the federal funding) by January 1, 2006 • BUT: Appointment of EAC commissioners delayed by almost 10 months • BUT: only US$ 2 million (of the US$ 30 million planned 2003 EAC budget for testing and R&D) was provided •  No guidelines in 2003

7. 2004: Money without guidance • In 2004, of US$ 50 million budgeted for testing, research and development of standards, only US$ 1.2 million were paid out •  No standards / certification in 2004 • BUT: in 2004, US$1300 millionwas paid out to states to buy new technology • US Dept. of Justice insists on states having new equipment ready by January 1st, 2006 •  Huge new, unregulated market for voting equipment makers

8. Sell whatever you have, quickly • Equipment makers rush to market • Immature products, focus on features, not code design • Insecure software • Counties buy whatever looks good • No in-house IT expertise to evaluate • No EAC guidance on what’s good and what not •  Thousands of small and not-so-small disasters causes by faulty voting systems

9. First Guidelines only in late 2005 • Voluntary Voting System Guidelines (VVSG) published only in December 13, 2005 (designed by NIST, approved by EAC) • Went into effect only in 2007 • To bridge the gap, in June 2006, the EAC essentially took over the NASED/ITA program, with all its flaws • EAC’s own testing and certification program started only in January 2007

10. Current EAC System • Similar system as NASED (ITAs are now “voting system test laboratories” or VSTLs) • Testing against VVSG 2005 • BUT: similar conflict of interest (direct VSTL payment and selection) • Still voluntary, states may require EAC certification, but don’t have to • Better: “Quality Monitoring Program” reviews systems after certification, and may de-certify for vendor misinformation, use of non-certified versions in the field, unauthorized change, malfunction and bugs in the field, etc • Updated VVSG II are still not finished, EAC tests against 2005 standards

11. “Friendly testing VS adversarial testing • VVSG 2005 are fairly comprehensive, but EAC testing methods to verify them are not sufficient • EAC is “friendly” testing - defines test cases based on functions that the equipment is supposed to have • “Does it do what it says it does?” • Predictable, does not anticipate unusual situations or creative attacks • Adversarial testing: Assemble a group of smart people, and say “Lets see if we can break this!”  State certification programs like California TTBR, Ohio Everest, Florida SAIT

12. California Top-to-bottom-Review • Introduced in 2007 by Secretary of State (Sos) Debra Bowen in response to weak federal certification • All currently certified systems in use in CA are reviewed under new methodology • Severe security flaws found with all systems • SoS Office decertifies all systems for use in California (both Scanners and DREs) • Imposes strict usage conditions for re-certification • for Sequoia and Diebold, only early voting, on eDay only one machine per polling place (for disabled access) • all results from them must be manually recounted (100%) • Hart Intercivic may be used more freely • ES&S didn’t submit its software and was directly decertified • all vendors must produce plans to “harden” their equipment to protect against security vulnerabilities found by the TTBR

13. Consequences for the states • States had been rushed by the Dept. of Justice to buy machines by 1. Jan 2006, even without EAC guidance • Now, in CA, millions of US$ worth of equipment (especially DREs) sat in storage, and could not be used  wasted taxpayer dollars • Counties had to revert to paper elections (e.g. Santa Clara Ct) or buy different, certified machines, spending extra money

14. Modules of TTBR • Penetration analysis / Red Team attacks • first w/o system knowledge, then with full system knowledge • Source Code / Architectural review • Hardware review • Documentation review • Accessibility review •  Threat assessment, define use conditions to mitigate the security weaknesses found

15. Advantages • Vendor pays SoS, not test lab • SoS then selects team who will audit •  No conflict of interest • Audit teams are from State University (Professor and Grad students) – not commercial companies • Name and CV of each participating auditor is published online  academic reputation as guarantor of integrety • Teams elaborate report, SoS issues: • certification, • conditional certification (under use conditions), or • rejection • Complete reports of teams are available online, not just summaries

16. Handling system changes • SoS must be informed for each system change • SoS decides: • if the change is “minor” it “rolls over” the certification to the new version • otherwise, full new certification is required • Temptation for vendor to not declare system changes to avoid cost of re-certification • Case of ES&S – In Nov 2007, SoS sued ES&S for selling 972 AutoMARK Model A200 ballot-marking machines to several counties that contained hardware changes that had were not authorized by the Secretary of State • Settled against fine of $3.25 Million in 2009

17. Vendors squeezed by cost and deadlines • Problem: need for system upgrades often arise with short notice • Not enough time to develop new software and pass through certification process in time for elections (takes months) • Because EAC certification is weak, states have their own systems, but this forces vendors to pay for all the different certification in all states they want to sell in  Prohibitively costly and time consuming • Market consolidation, only strongest vendors survive

18. Outlook • One strong federal certification system (modeled on State best practice) should make state certification superfluous • Cheaper for vendors, easier market entry

19. Thank you! Ingo.boltz@gmail.com