[ISN] U.S. Bars Lab From Testing Electronic Voting

From: InfoSec News (alerts@private)
Date: Wed Jan 03 2007 - 23:32:58 PST


http://www.nytimes.com/2007/01/04/washington/04voting.html

By CHRISTOPHER DREW
January 4, 2007

A laboratory that has tested most of the nation's electronic voting 
systems has been temporarily barred from approving new machines after 
federal officials found that it was not following its quality-control 
procedures and could not document that it was conducting all the 
required tests.

The company, Ciber Inc. of Greenwood Village, Colo., has also come under 
fire from analysts hired by New York State over its plans to test new 
voting machines for the state. New York could eventually spend $200 
million to replace its aging lever devices.

Experts on voting systems say the Ciber problems underscore longstanding 
worries about lax inspections in the secretive world of voting-machine 
testing. The action by the federal Election Assistance Commission seems 
certain to fan growing concerns about the reliability and security of 
the devices.

The commission acted last summer, but the problem was not disclosed 
then. Officials at the commission and Ciber confirmed the action in 
recent interviews.

Ciber, the largest tester of the nation's voting machine software, says 
it is fixing its problems and expects to gain certification soon.

Experts say the deficiencies of the laboratory suggest that crucial 
features like the vote-counting software and security against hacking 
may not have been thoroughly tested on many machines now in use.

"What's scary is that we've been using systems in elections that Ciber had 
certified, and this calls into question those systems that they tested," 
said Aviel D. Rubin, a computer science professor at Johns Hopkins.

Professor Rubin said that although some software bugs had shown up 
quickly, in other instances "you might have to use the systems for a 
while before something happens."

Officials at the commission and other election experts said it was 
essential for a laboratory to follow its quality-control procedures and 
document all its testing processes to instill confidence in the results.

Commission officials said that they were evaluating the overall 
diligence of the laboratory and that they did not try to determine 
whether its weaknesses had contributed to problems with specific 
machines.

Computer scientists have shown that some electronic machines now in use 
are vulnerable to hacking. Some scientists caution that even a simple 
software error could affect thousands of votes.

In various places, elections have been complicated by machines that did 
not start, flipped votes from one candidate to another or had trouble 
tallying the votes.

Until recently, the laboratories that test voting software and hardware 
have operated without federal scrutiny. Even though Washington and the 
states have spent billions to install the new technologies, the machine 
manufacturers have always paid for the tests that assess how well they 
work, and little has been disclosed about any flaws that were 
discovered.

As soon as federal officials began a new oversight program in July, they 
detected the problems with Ciber. The commission held up its application 
for interim accreditation, thus barring Ciber from approving new voting 
systems in most states.

Ciber, a large information technology company, also has a $3 million 
contract to help New York test proposed systems from six manufacturers. 
Nystec, a consulting firm in Rome, N.Y., that the state hired, filed a 
report in late September criticizing Ciber for creating a plan to test 
the software security that did not specify any test methods or 
procedures for the majority of the requirements. The report said the 
plan did not detail how Ciber would look for bugs in the computer code 
or check hacking defenses.

A spokeswoman for Ciber, Diane C. Stoner, said that the company believed 
that it had addressed all the problems and that it expected to receive 
its initial federal accreditation this month. Federal officials said 
they were evaluating the changes the company had made.

Ms. Stoner said in a statement that although the Election Assistance 
Commission had found deficiencies, they "were not because Ciber provided 
incomplete, inaccurate or flawed testing, but because we did not 
document to the E.A.C.'s liking all of the testing that we were 
performing."

She added that the test plan cited in New York was just a draft and that 
Ciber had been working with Nystec to ensure additional security 
testing.

The co-chairman of the New York State Board of Elections, Douglas A. 
Kellner, said Ciber had tightened its testing. But Mr. Kellner said 
yesterday that Nystec and Ciber continued to haggle over the scope of 
the security testing.

New York is one of the last states to upgrade its machines, and it also 
has created some of the strictest standards for them. Mr. Kellner said 
only two of the six bidders, Diebold Election Systems and Liberty 
Election Systems, seemed close to meeting all the requirements.

Besides Ciber, two other companies, SysTest Labs of Denver and Wyle 
Laboratories, in El Segundo, Calif., test electronic voting machines. 
Ciber, which has been testing the machines since 1997, checks just 
software. Wyle examines hardware, and SysTest can look at both.

The chairman of the Election Assistance Commission, Paul S. DeGregorio, 
said SysTest and Wyle received interim accreditations last summer. Mr. 
DeGregorio said two other laboratories had also applied to enter the 
field.

Congress required greater federal oversight when it passed the Help 
America Vote Act of 2002. Since then, the government also put up more 
than $3 billion to help states and localities buy electronic machines, 
to avoid a repeat of the hanging punch-card chads that caused such 
confusion in the 2000 presidential election.

The commission was never given a substantial budget, and it did not 
finish creating the oversight program until last month. Until then, the 
laboratories had been at the heart of the system to evaluate voting 
machines, a system that seemed oddly cobbled together.

While the federal government created standards for the machines, most of 
the states enacted laws to make them binding. The states also monitored 
the testing, and much of that work was left to a handful of current and 
former state election officials who volunteered their time.

As a result, voting rights advocates and other critics have long been 
concerned about potential conflicts of interest, because the 
manufacturers hire the laboratories and largely try to ensure 
confidentiality.

Michael I. Shamos, a computer scientist who examines voting machines for 
Pennsylvania, said about half had significant defects that the 
laboratories should have caught.

Besides certifying the laboratories, the Election Assistance Commission 
will have three staff members and eight part-time technicians to approve 
test plans for each system and check the results. The manufacturers will 
be required to report mechanical breakdowns and botched tallies, and Mr. 
DeGregorio said those reports would be on the agency's Web site.

Dr. Shamos said, "This is not the sea change that was needed."

He said he was disappointed that the commission had hired some of the 
same people involved in the states' monitoring program and that it never 
announced it had found problems with Ciber operations.

Dr. Rubin of Johns Hopkins said the laboratories should be required to 
hire teams of hackers to ferret out software vulnerabilities.

And the laboratories will still be paid by the voting machine companies, 
though a bill now in Congress could change that to government financing.

A recent appearance in Sarasota, Fla., by the SysTest Labs president, 
Brian T. Phillips, also raised eyebrows. After a Congressional election 
in the Sarasota area ended in a recount last month, the victorious 
Republican candidate hired Mr. Phillips as a consultant to monitor the 
state's examination of whether there had been a malfunction in the voting 
machines.

Several critics questioned whether Mr. Phillips should have taken such 
work, either because of its partisan nature or because it represented 
such a public defense of the industry.

Mr. Phillips said he did not see any conflict because his laboratory had 
not tested the software used in Sarasota. And the project does not 
appear to have violated the ethics rules of the election commission.

Ian Urbina contributed reporting.

Copyright 2007 The New York Times Company

