Testimony of Joseph Lorenzo Hall, PhD, Chief Technologist, Center for Democracy & Technology
Hearing on “Voluntary Voting System Guidelines 2.0”
U.S. Election Assistance Commission
May 20, 2019
Chairwoman McCormick, Commissioners:
Thank you for the opportunity to speak to you today about the Voluntary Voting System Guidelines, version 2.0 (VVSG 2.0).
My name is Joseph Lorenzo Hall, and I am the Chief Technologist at the Center for Democracy & Technology (CDT). I oversee CDT’s Election Security and Privacy project, which focuses on educating the elections community about cybersecurity concepts and practices through a set of online interactive courses and “Election Cybersecurity 101” field guides, and by holding regular briefings and trainings for election officials, legislative staff, and journalists.
The VVSG Has Come Far, But Must Evolve Further
During my doctoral and postdoctoral work between 2004 and 2011, on behalf of the National Science Foundation’s ACCURATE center (A Center for Correct, Usable, Reliable, Accurate, and Transparent Elections), I was responsible for channeling expert input into public comments on each set of the VVSG and the Voting System Testing and Certification Program manual. In the time since 2004, we have seen the EAC, the VVSG, and the voting system testing and certification program change immensely for the better. Where it was originally a closely guarded and highly opaque system, it is now well-documented, much more effective, and much better suited to the needs of election officials, voting system manufacturers, and the public, each of whom uses information about voting system certification and performance testing against common technical standards.
Adoption of the VVSG 2.0 guidelines and principles is an important opportunity to ensure that the voting system testing and certification program remains flexible and can continue to evolve with technical requirements adapting to meet the principles identified in the VVSG 2.0.
Important Considerations for VVSG 2.0
As the EAC moves to adopt and implement the VVSG 2.0 principles and guidelines, here are a number of important considerations from CDT’s perspective:
- Principles vs. requirements: The elections community is heartened to see the EAC with a full slate of commissioners and, crucially, a quorum with which to conduct regular business. The most critical aspect of developing and adopting the VVSG 2.0 is the need to design it to be flexible and agile, even when a quorum doesn’t exist. The currently proposed “two-level” structure specifies principles and guidelines at a high level, separately from requirements at a much lower level. In this model, the principles would be somewhat like a constitutional document of the voting system testing and certification program, outlining high-level ideas that should be relatively stable over time as new voting technologies come and go. Requirements would instead specify, at a much lower level, the necessary elements of a testing and certification program. If past voting system standards are any indication, the number of requirements will be large; voting systems are complex systems. Any flexibility and adaptability of this new system would be lost if EAC commissioners had to vote on more than a handful of requirements.
We suggest that the EAC define a separate process that outlines ongoing and regular public comment for VVSG requirements and a mechanism for members of the TGDC and EAC staff to flag requirements that might require Commission deliberation, discussion, or vote.
- Transitioning from one VVSG testing regime to another: A voting system testing standard does not provide much assurance if systems can be certified against vastly outdated standards developed many years ago. The new two-level VVSG structure will allow requirements to evolve over time, but in order for the underlying systems to also evolve, the testing and certification program must set hard boundaries past which any new voting system submissions must be certified against newer requirements.
Because voting systems are now tested as holistic systems and not as individual components, and because they are certified against large monolithic standard specifications (e.g., the VVSG 1.1) instead of a frozen subset of continually evolving requirements, some current systems are performing wildly outside the expectations of election officials and users, for example with display lag times associated with computers of twenty years ago. Instead, manufacturers should be required to commit to a dated “snapshot” (a subset) of VVSG requirements – for example, “all approved requirements for precinct-based optical scanning systems dated January 1, 2020” – and be allowed to be tested against those requirements (or any newer snapshot) for a period of 5 years. This would allow manufacturers to target a certain stable subset of requirements necessary to field a whole election system, but would require and encourage them to move to a more recent snapshot within 5 years. (This is just one candidate proposal, and we encourage the EAC to solicit more ideas here, potentially in the form of a joint workshop with NIST on designing evolving voting system standards.)
- Adversarial testing and vulnerability handling: Two critical properties of well-engineered modern information systems are 1) their ability to withstand scrutiny by trained security experts and 2) having an effective process in place for fixing vulnerabilities when they are inevitably found. Security is a systems property that is notoriously difficult to test, often requiring specific kinds of expertise to identify and fix serious flaws.
Voting systems should be tested by dedicated computer and network security experts using adversarial testing methods – “penetration testing” – where an operational version of the system is attacked by an expert team trying to find bugs, flaws, and vulnerabilities. These kinds of penetration testing efforts will inevitably find issues, and each voting system manufacturer must have an effective vulnerability handling process and standard vulnerability reporting mechanism in place (see the ISO standards for vulnerability handling and reporting: ISO 29147/30111). The testing and certification process should confirm that each manufacturer has an effective vulnerability handling and reporting program by tracking the reporting, handling, and resolution of bugs found in VSTL penetration testing. In addition, the EAC should hire a security testing program evaluator that could assess the quality of security testing at current Voting System Testing Laboratories (VSTLs) and potentially require them to hire outside penetration testing firms to fulfill this aspect of testing.
- Common Data Format: Work on various elements of a common data format that can be shared across election systems has been going on for years. Wider use of standardized common data formats could help promote a number of desirable aspects in a voting system, from composability – where pieces of one system can be more easily used with pieces of a second system – to transparency – for example, allowing election campaigns, journalists, auditors, and the public a common source of standardized election information.
In particular, the event logging specification developed by NIST and collaborators provides a starting point that, if promoted as a recommended or required element of voting system testing submissions, could result in specific gains with respect to cybersecurity. Common event logs across the many systems involved in running an election could allow election officials and cybersecurity defenders to better understand when suspicious events may require further investigation, rather than having to make sense of wildly different, potentially proprietary log formats.
- Critical areas outside the scope of the VVSG: Recent years have seen a proliferation of components of voting systems – for example, electronic pollbooks – and methods of voting – for example, voting over the internet, by email, or by fax – that are currently out of scope of the VVSG and have few associated standards. Each of these areas could use some attention from the standards process.
The EAC should explore extending its authority to encompass subsystems that may be commonly used with a certified voting system, even if that subsystem may not be strictly within the definition of a voting system. If something is classified as an accessory to a certified voting system but that accessory can cause the voting system to fail, the accessory should properly be defined as part of the larger voting system. For example, electronic pollbooks are becoming a standard feature of modern polling places to improve the voter check-in flow and experience. However, they can have complex interactions with network resources; for example, when used in vote center deployments, they need to communicate with a central database to prevent voters from voting twice in different vote centers. When parts of the electronic pollbooks fail, there must be some process to ensure that voters can continue to cast votes; without that system-level protection, serious issues can happen, similar to what happened in Johnson County, IN in November 2018, where voters could not vote for four hours due to a communication problem between the electronic pollbooks and the database.
Similarly, remote paperless voting methods – internet, email, fax – continue to be used without much guidance as to best practices for using these systems. While experts have substantial concerns with any form of paperless remote voting, if these methods are going to be used, guidance should exist to promote technically safe use of these systems, stressing that they should be used only when no other voting method is possible. As just one example, it has been best practice for years now to ensure that web-based systems use secure forms of communication, notably the HTTPS standard. If forms of internet voting exist that allow insecure communication (e.g., HTTP), this can often be easily fixed; organizations like CDT help businesses, government agencies, and NGOs move to more secure forms of communication that reduce the ability of attackers to insert, drop, or modify data in transit.
- Beyond testing, standardizing practices: Unfortunately, the testing and certification program can only do so much; procedures or ingrained practices can override important security and usability considerations to the detriment of voters. The EAC is in a good position to define a baseline set of best practices and procedures for election administration, including cybersecurity, that can begin to standardize the procedural aspects of modern voting technologies, complementing the technical voting system standards and certification process. Ideally, in addition to a certified voting system that has met some level of testing against a considered technical standard, election officials could also be given a set of comprehensive reference materials that instruct and assist them in how to configure and deploy their voting system according to best practice.
Once again, thank you, Chairwoman McCormick and the Commission, for the opportunity to speak today, and please feel free to contact me with any additional questions.