Georgia Electronic Voting System

1
Georgia Electronic Voting System

• Testing and Security
• Voting Systems Testing Summit
• November 29, 2005

2
Brit WilliamsKSU Center for Election Systems

• bwilliam_at_kennesaw.edu
• http//elections.kennesaw.edu

3
Georgia Voting System

• Global Election Management System (161)
• AccuVote Ballot Scanners (400)
• AccuVote Voting Stations (26,000)
• Voter Card Encoders (6000)

4
November 2002 - Present

• First used in general election of 2002
• Used in over 2,000 state, county, and municipal
  elections
• The usual glitches caused by people
• Not a single glitch attributable to the voting
  system

5
Features and Enhancements

• Allows voters to vote quickly and accurately
• Provides an easy user interface for elderly and
  infirm
• Provides multiple languages
• Allows visually impaired to vote unassisted
• Reduces under-votes by a factor of five

6
Responsible Organizations

• Election System Vendor (Diebold)
• Qualified Federal Testing Laboratory (ITA)
• KSU Center for Election Systems (State)
• County Election Offices (Local)

7
Election System Vendor

• Designs and builds the Election System
• Submits the Election System to the ITA to verify
  compliance with Federal Voting System Standards
• After obtaining NASED/EAC qualification and
  receiving approval from the State, installs the
  System in the counties

8
Qualified Federal Testing Laboratory

• Reviews the System for compliance with the
  Federal Voting System Standards
• Issues Qualification Report to NASED/EAC on
  Complete System
• Submits the Qualified System to the KSU Center
  for Election Systems where State Certification is
  performed

9
KSU Center for Election Systems

• Reviews the System for compliance with State of
  Georgia Election Code and Rules
• Tests the System for the presence of any
  unauthorized/fraudulent code
• Develops a validation (HASH) program used to test
  the System installed in the counties
• Verifies that the System installed by the vendor
  in the county is identical to the system received
  from the ITA and certified by the KSU Center for
  Election Systems.

10
County Election Offices

• Maintains, stores and protects the System
• Uses the System in accordance with Georgia law
  and rules to conduct elections.

11
Security Threats

• Election Fraud
• Election/Precinct Disruption
• Intentional
• Accidental

12
Layers of System Security

• Software
• Procedural
• Physical

13
Software Security

• User IDs
• Passwords
• Audit Trails

14
Procedural Security

• Qualification Testing
• Certification Testing
• Acceptance Testing
• System Access
• Who, What , When, and Why

• Logic and Accuracy Testing
• Election Monitoring
• Election Reconciliation

15
Physical Security

• Servers are always kept in locked offices
• No extraneous software installed on servers
• No network connectivity
• Physical access limited to authorized personnel
• Touch screen units secured, locked and sealed
  when not in use

16
Protecting System Integrity
Three distinct functions must be performed to
protect the integrity of the System

• Verify the System at Receipt.
• Verify the System at Installation.
• Verify the System in Operation.

17
Function 1
Verify the System at Receipt. Using the
System as delivered from the ITA

• Set up and conduct sample elections with known
  outcomes that are representative of Georgia
  general and primary elections.
• Conduct high-volume tests to determine capacity
  limits of the System.
• Conduct tests to determine the Systems ability
  to recover from various types of errors.

18
Function 2
Verify the System at Installation. Ensure that
the System installed in the Counties is
identical to the System received from the ITA
and certified by the State.

• Prepare a validation program that will detect any
  changes to the System installed in the Counties.
• Run the validation program against the System
  installed in the County (after vendor
  installation).
• Provide the County with a copy of the validation
  program.

19
Function 3
Verify the System in Operation. Ensure that
the System is performing properly, that all
precinct ballots are correct and that the
System has not been modified in any way.

• Logic and Accuracy Tests are performed prior to
  each election.
• Performance of all System components is verified.
• Specific ballot information for each memory card
  in each precinct is verified.
• Touch screen units are set for election, locked,
  and sealed.
• Validation program is run after any suspicious
  event.

20
Overview of Security Relationships
Election System Vendor
Qualified Federal Testing Laboratory
Trusted Organizations
Function 1
Counties
KSU Center for Election Systems
Function 3
Function 2
21
Validation Program (Hash)

• Based on NIST standards contained in FIPS 180-2,
  established in August 2002.
• Run hash on the System certified by the KSU
  Center for Election Systems. This creates File
  1.
• Run hash-cmp to compare File 1 with a new
  hash on the System in the County.
• They must be identical.

22
Hash Program Details

• Based on NIST certified SHA-1 contained in FIPS
  180-2, August 2002.
• Computes
• 32 bit CRC
• 128 bit MD 5 Hash
• 160 bit SHA-1 Hash
• The probability that this hash would not detect a
  program modification is estimated to be 1 in
  1,000,000,000