This is the accessible text file for GAO report number GAO-05-956 entitled 'Elections: Federal Efforts to Improve Security and Reliability of Electronic Voting Systems Are Under Way, but Key Activities Need to Be Completed' which was released on October 21, 2005. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: September 2005: Elections: Federal Efforts to Improve Security and Reliability of Electronic Voting Systems Are Under Way, but Key Activities Need to Be Completed: [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-956]: GAO Highlights: Highlights of GAO-05-956, a report to congressional requesters: Why GAO Did This Study: The Help America Vote Act of 2002 established the Election Assistance Commission (EAC) to help improve state and local administration of federal elections and authorized funding for state and local governments to expand their use of electronic voting systems. EAC began operations in January 2004. However, reported problems with electronic voting systems have led to questions about the security and reliability of these systems. GAO was requested to (1) determine the significant security and reliability concerns identified about electronic voting systems, (2) identify recommended practices relevant to ensuring the security and reliability of these systems, and (3) describe actions taken or planned to improve their security and reliability. What GAO Found: While electronic voting systems hold promise for improving the election process, numerous entities have raised concerns about their security and reliability, citing instances of weak security controls, system design flaws, inadequate system version control, inadequate security testing, incorrect system configuration, poor security management, and vague or incomplete voting system standards (see below for examples). It is important to note that many of these concerns were based on specific system makes and models or a specific jurisdiction’s election, and there is no consensus among election officials and other experts on their pervasiveness. Nevertheless, some have caused problems in elections and therefore merit attention. Federal organizations and nongovernmental groups have issued both election-specific recommended practices for improving the voting process and more general guidance intended to help organizations manage information systems’ security and reliability. These recommended practices and guidelines (applicable throughout the voting system life cycle) include having vendors build security controls and audit trails into their systems during development, and having election officials specify security requirements when acquiring systems. Other suggested practices include testing and certifying systems against national voting system standards. The federal government has begun efforts intended to improve life cycle management of electronic voting systems and thereby improve their security and reliability. Specifically, EAC has led efforts to (1) draft changes to existing federal voluntary standards for voting systems, including provisions addressing security and reliability; (2) develop a process for certifying voting systems; (3) establish a program to accredit independent laboratories to test electronic voting systems; and (4) develop a library and clearinghouse for information on state and local elections and systems. However, these actions are unlikely to have a significant effect in the 2006 federal election cycle because important changes to the voting standards have not yet been completed, the system certification and laboratory accreditation programs are still in development, and a system software library has not been updated or improved since the 2004 election. Further, EAC has not consistently defined specific tasks, processes, and time frames for completing these activities; as a result, it is unclear when their results will be available to assist state and local election officials. Examples of Voting System Vulnerabilities and Problems * Cast ballots, ballot definition files, and audit logs could be modified. * Supervisor functions were protected with weak or easily guessed passwords. * Systems had easily picked locks and power switches that were exposed and unprotected. * Local jurisdictions misconfigured their electronic voting systems, leading to election day problems. * Voting systems experienced operational failures during elections. * Vendors installed uncertified electronic voting systems. Source: GAO analysis of recent reports and studies. [End of table] What GAO Recommends: To help ensure the security and reliability of electronic voting systems, GAO is recommending that EAC define specific tasks, processes, and time frames for improving the national voting systems standards, testing capabilities, and management support available to state and local election officials. In commenting on a draft of this report, EAC agreed with the recommendations and stated that the commission has initiatives under way or planned in these areas. The commission also sought additional clarification and context on reported problems. www.gao.gov/cgi-bin/getrpt?GAO-05-956. To view the full product, including the scope and methodology, click on the link above. For more information, contact David Powner at (202) 512- 9286 or pownerd@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: Significant Concerns Have Been Raised about the Security and Reliability of Electronic Voting Systems: Recommended Practices Address Electronic Voting Systems' Security and Reliability: National Initiatives Are Under Way to Improve Voting System Security and Reliability, but Key Activities Need to Be Completed: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendixes: Appendix I: Objectives, Scope, and Methodology: Appendix II: Selected Recommended Practices for Voting System Security and Reliability: Appendix III: Summary of Selected Guidance on Information Technology Security and Reliability: Appendix IV: Resolutions Related to Voting System Security and Reliability: Appendix V: Comments from the Election Assistance Commission: Appendix VI: Comments from the National Institute of Standards and Technology: Appendix VII: GAO Contacts and Staff Acknowledgments: Bibliography: Tables: Table 1: Common Types of Security and Reliability Concerns Viewed in Terms of the Voting System Life Cycle: Table 2: Federal Initiatives Related to Improving the Security and Reliability of Voting Systems: Table 3: Nongovernmental Initiatives to Improve Voting System Security and Reliability: Table 4: EAC Security and Reliability Practices for All Types of Voting Systems: Table 5: EAC Security and Reliability Practices for Optical Scan Voting Systems: Table 6: EAC Security and Reliability Practices for Direct Recording Electronic Voting Systems: Table 7: NIST Security and Reliability Practices for Electronic Voting Systems: Table 8: Brennan Center Example Security and Reliability Practices for Direct Recording Electronic Voting Systems: Table 9: Election Center Security and Reliability Practices for Elections: Table 10: National Task Force on Election Reform Security and Reliability Practices for Voting Systems: Table 11: Caltech/MIT Security and Reliability Practices for Voting Systems: Table 12: Caltech/MIT Security and Reliability Practices for Electronic Voting Systems: Table 13: League of Women Voters Security and Reliability Practices for All Voting Systems: Table 14: League of Women Voters Security and Reliability Practices for Optical Scan Voting Systems: Table 15: League of Women Voters Security and Reliability Practices for Direct Recording Electronic Voting Systems: Table 16: A Compendium of Recommended Mitigation Measures to Address Selected Concerns with Electronic Voting Systems' Security and Reliability: Table 17: Examples of NIST Publications Addressing System Security and Reliability: Table 18: Resolutions Related to Security and Reliability of Electronic Voting Systems and Plans for Implementing Them in Future Standards: Figures: Figure 1: Stages of an Election Process: Figure 2: Precinct-Count Optical Scan Tabulator and Central-Count Optical Scan Tabulator: Figure 3: Two Types of DRE Systems--Pushbutton and Touchscreen: Figure 4: States Requiring the Use of Federal Voting System Standards and States Requiring National Certification Testing: Figure 5: A Voting System Life Cycle Model: Abbreviations: COTS: commercial off-the-shelf: DRE: Direct Recording Electronic: EAC: Election Assistance Commission: HAVA: Help America Vote Act: IT: information technology: NIST: National Institute of Standards and Technology: TGDC: Technical Guidelines Development Committee: Letter September 21, 2005: Congressional Requesters: After the 2000 elections, Congress, the media, and others cited numerous instances of problems with the election process. In light of these concerns, we produced a series of reports in which we examined virtually every aspect of the election process, including challenges associated with electronic voting systems.[Footnote 1] In these reports, we emphasized the contributions and necessary interactions of people, process, and technology to address these challenges. Subsequently, in October 2002, Congress passed the Help America Vote Act (HAVA), which authorized funding for local and state governments to make improvements in election administration, including upgrading antiquated voting systems. In addition, HAVA created the Election Assistance Commission (EAC) to provide support for election improvements and to administer payments to states under the act. As states have expanded their use of electronic voting systems, the media and others have reported problems with these systems that have caused some to question whether they are secure and reliable. In view of the importance and growing role of electronic voting systems, you asked us to (1) determine the significant security and reliability concerns that have been identified about these voting systems; (2) identify recommended practices relevant to ensuring the security and reliability of such systems; and (3) describe the actions that federal agencies and other organizations have taken, or plan to take, to improve their security and reliability. To determine concerns and recommended practices, we analyzed over 80 recent and relevant reports related to the security and reliability of electronic voting systems. We focused on systems and components associated with vote casting and counting, including those that define electronic ballots, transmit voting results among election locations, and manage groups of voting machines. We assessed the various types of voting system issues reported to determine categories of concerns. We discussed the reports, concerns, and recommended practices with elections officials, citizen advocacy groups, and system security and testing experts, including members of GAO's Executive Council on Information Management and Technology.[Footnote 2] To describe actions to improve the security and reliability of electronic voting systems, we reviewed and analyzed pertinent documentation, such as EAC's draft voluntary voting system guidelines (which are expected to replace the 2002 voting system standards), and we attended public meetings and interviewed officials from EAC, its Technical Guidelines Development Committee (TGDC), and the Department of Commerce's National Institute of Standards and Technology (NIST). We also identified activities being performed by citizen advocacy groups, academic and standards bodies, and others that are intended to improve the security and reliability of electronic voting systems, reviewed materials from these activities, and discussed them with representatives of these groups. Appendix I provides additional details on our objectives, scope, and methodology. We performed our work from January through August 2005 in the Washington, D.C., metropolitan area, in accordance with generally accepted government auditing standards. Results in Brief: While electronic voting systems hold promise for a more accurate and efficient election process, numerous entities have raised concerns about their security and reliability, citing instances of weak security controls, system design flaws, inadequate system version control, inadequate security testing, incorrect system configuration, poor security management, and vague or incomplete voting system standards, among other issues. For example, studies found (1) some electronic voting systems did not encrypt cast ballots or system audit logs, and it was possible to alter both without being detected; (2) it was possible to alter the files that define how a ballot looks and works so that the votes for one candidate could be recorded for a different candidate; and (3) vendors installed uncertified versions of voting system software at the local level. It is important to note that many of the reported concerns were drawn from specific system makes and models or from a specific jurisdiction's election, and that there is a lack of consensus among election officials and other experts on the pervasiveness of the concerns. Nevertheless, some of these concerns were reported to have caused local problems in federal elections-- resulting in the loss or miscount of votes--and therefore merit attention. Federal organizations and nongovernmental groups have issued recommended practices and guidance for improving the election process, including electronic voting systems, as well as general practices for the security and reliability of information systems. For example, in mid-2004, EAC issued a compendium of practices recommended by election experts, including state and local election officials.[Footnote 3] This compendium includes approaches for making voting processes more secure and reliable through, for example, risk analysis of the voting process, poll worker security training, and chain of custody controls for election day operations, along with practices that are specific to ensuring the security and reliability of different types of electronic voting systems. As another example, in July 2004, the California Institute of Technology and the Massachusetts Institute of Technology issued a report containing recommendations pertaining to testing equipment, retaining audit logs, and physically securing voting systems.[Footnote 4] In addition to such election-specific practices, numerous recommended practices are available that can be applied to any information system. For instance, we, NIST, and others have issued guidance that emphasizes the importance of incorporating security and reliability into the life cycle of information systems through practices related to security planning and management, risk management, and procurement.[Footnote 5] The recommended practices in these election-specific and information technology (IT) focused documents provide valuable guidance that, if implemented effectively, should help improve the security and reliability of voting systems. Since the passage of HAVA in 2002, the federal government has begun a range of actions that are expected to improve the security and reliability of electronic voting systems. Specifically, after beginning operations in January 2004, EAC has led efforts to (1) draft changes to the existing federal voluntary standards[Footnote 6] for voting systems, including provisions related to security and reliability, (2) develop a process for certifying, decertifying, and recertifying voting systems, (3) establish a program to accredit the national independent testing laboratories that test electronic voting systems against the federal voluntary standards, and (4) develop a software library and clearinghouse for information on state and local elections and systems. However, these actions are unlikely to have a significant effect in the 2006 federal election cycle because the changes to the voluntary standards have not yet been completed, the system certification and laboratory accreditation programs are still in development, and the software library has not been updated or improved since the 2004 elections. Further, EAC has not defined tasks, processes, and time frames for completing these activities. As a result, it is unclear when the results will be available to assist state and local election officials. In addition to the federal government's activities, other organizations have actions under way that are intended to improve the security and reliability of electronic voting systems. These actions include developing and obtaining international acceptance for voting system standards, developing voting system software in an open source environment (i.e., not proprietary to any particular company), and cataloging and analyzing reported problems with electronic voting systems. To improve the security and reliability of electronic voting systems, we are recommending that EAC establish tasks, processes, and time frames for improving the federal voluntary voting system standards, testing capabilities, and management support available to state and local election officials. EAC and NIST provided written comments on a draft of this report (see apps. V and VI). EAC commissioners agreed with our recommendations and stated that actions on each are either under way or intended. NIST's director agreed with the report's conclusions. In addition to their comments on our recommendations, EAC commissioners expressed three concerns with our use of reports produced by others to identify issues with the security and reliability of electronic voting systems. Specifically, EAC sought (1) additional clarification on our sources, (2) context on the extent to which voting system problems are systemic, and (3) substantiation of claims in the reports issued by others. To address these concerns, we provided additional clarification of sources where applicable. Further, we note throughout our report that many issues involved specific system makes and models or circumstances in the elections of specific jurisdictions. We also note that there is a lack of consensus on the pervasiveness of the problems, due in part to a lack of comprehensive information on what system makes and models are used in jurisdictions throughout the country. Additionally, while our work focused on identifying and grouping problems and vulnerabilities identified in issued reports and studies, where appropriate and feasible, we sought additional context, clarification, and corroboration from experts, including election officials, security experts, and key reports' authors. EAC commissioners also expressed concern that we focus too much on the commission, and noted that it is one of many entities with a role in improving the security and reliability of voting systems. While we agree that EAC is one of many entities with responsibilities for improving the security and reliability of voting systems, we believe that our focus on EAC is appropriate, given its leadership role in defining voting system standards, in establishing programs both to accredit laboratories and to certify voting systems, and in acting as a clearinghouse for improvement efforts across the nation. EAC and NIST officials also provided detailed technical corrections, which we incorporated throughout the report as appropriate. Background: All levels of government share responsibility in the U.S. election process. At the federal level, Congress has authority under the Constitution to regulate presidential and congressional elections and to enforce prohibitions against specific discriminatory practices in all federal, state, and local elections. Congress has passed legislation that addresses voter registration, absentee voting, accessibility provisions for the elderly and handicapped, and prohibitions against discriminatory practices.[Footnote 7] At the state level, individual states are responsible for the administration of both federal elections and their own elections. States regulate the election process, including, for example, the adoption of voluntary voting system guidelines, the state certification and acceptance testing of voting systems, ballot access, registration procedures, absentee voting requirements, the establishment of voting places, the provision of election day workers, and the counting and certification of the vote. In total, the U.S. election process can be seen as an assemblage of 55 distinct election systems--those of the 50 states, the District of Columbia, and the 4 U.S. territories. Further, although election policy and procedures are legislated primarily at the state level, states typically have decentralized voting processes, so that the details of administering elections are carried out at the city or county levels, and voting is done at the local level. As we reported in 2001, local election jurisdictions number more than 10,000, and their sizes vary enormously--from a rural county with about 200 voters to a large urban county, such as Los Angeles County, where the total number of registered voters for the 2000 elections exceeded the registered voter totals in 41 states.[Footnote 8] Administering an election is a year-round process involving the following stages: * Voter registration. Local election officials register eligible voters and maintain voter registration lists. This includes updating registrants' information and deleting the names of registrants who are no longer eligible to vote. * Absentee and early voting. Election officials design ballots and other systems to permit eligible people to vote in person or by mail before election day. Election officials also educate voters on how to vote by these methods. * Election administration and vote casting. Election officials prepare for an election by arranging for polling places, recruiting and training poll workers, designing ballots, and preparing and testing voting equipment for use in casting and tabulating votes. Election day activities include opening and closing polling places and assisting voters in casting votes. * Vote counting and certification. Election officials tabulate the cast ballots, determine whether and how to count ballots that cannot be read by the vote counting equipment, certify the final vote counts, and perform recounts, if required. As shown in figure 1, each stage of an election involves people, processes, and technology. Figure 1: Stages of an Election Process: [See PDF for image] [End of figure] Electronic Voting Systems Support Vote Casting and Counting: Electronic voting systems hold promise for improving the efficiency and accuracy of the election process by automating a manual process, providing flexibility for accommodating voters with special needs, and implementing controls to avoid errors by voters and election workers. In the United States today, most votes are cast and counted by one of two types of electronic voting systems: optical scan systems and direct recording electronic (DRE) systems. Such systems include the hardware, software, and firmware used to define ballots, cast and count votes, report or display election results, and maintain and produce audit trail information--as well as the documentation required to program, control, and support the equipment. A description of both technologies follows. Optical Scan Systems. Optical scan voting systems use electronic technology to tabulate paper ballots. Although optical scan technology has been in use for decades for such tasks as scoring standardized tests, it was not applied to voting until the 1980s. According to Election Data Services, Inc., a firm specializing in election data statistics, about 31 percent of registered voters voted on optical scan systems in the 2000 election, and about 35 percent of registered voters voted on optical scan systems in the 2004 election. An optical scan system is made up of computer-readable paper ballots, appropriate marking devices, privacy booths, and a computerized tabulation device. The ballot, which can be of various sizes, lists the names of the candidates and the issues. Voters record their choices using an appropriate writing instrument to fill in boxes or ovals, or to complete an arrow next to a candidate's name or the issue. In some states, the ballot may include a space for write-ins to be entered directly on the ballot. Optical scan ballots are tabulated by optical-mark-recognition equipment (see fig. 2), which counts the ballots by sensing or reading the marks on the ballot. Ballots can be counted at the polling place-- referred to as a precinct-count optical scan[Footnote 9]--or at a central location. If ballots are counted at the polling place, voters or election officials put the ballots into the tabulation equipment, which tallies the votes; these tallies can be captured in removable storage media that are transported to a central tally location, or they can be electronically transmitted from the polling place to the central tally location. If ballots are centrally counted, voters drop ballots into sealed boxes and election officials transfer the sealed boxes to the central location after the polls close, where election officials run the ballots through the tabulation equipment in the presence of observers. Figure 2: Precinct-Count Optical Scan Tabulator and Central-Count Optical Scan Tabulator: [See PDF for image] [End of figure] Software instructs the tabulation equipment how to assign each vote (i.e., to assign valid marks on the ballot to the proper candidate or issue). In addition to identifying the particular contests and candidates, the software can be configured to capture, for example, straight party voting and vote-for-no-more-than-N contests. Precinct- based optical scanners can also be programmed to detect overvotes (where the voter votes for two candidates for one office, for example, invalidating the vote) and undervotes (where the voter does not vote for all contests or issues on the ballot) and to take some action in response (rejecting the ballot, for instance). In addition, optical scan systems often use vote-tally software to tally the vote totals from one or more vote tabulation devices. If election officials program precinct-based optical scan systems to detect and reject overvotes and undervotes, voters can fix their mistakes before leaving the polling place. However, if voters are unwilling or unable to correct their ballots, a poll worker can manually override the program and accept the ballot, even though it has been overvoted or undervoted. If ballots are tabulated centrally, voters would not be able to correct any mistakes that may have been made. Direct Recording Electronic (DRE) Systems. First introduced in the 1970s, DREs capture votes electronically, without the use of paper ballots. According to Election Data Services, Inc., about 12 percent of voters used this type of technology in the 2000 elections and about 29 percent of voters used this technology in the 2004 elections. DREs come in two basic models: pushbutton or touchscreen. The pushbutton model is the older technology and is larger and heavier than the touchscreen model (see fig. 3). Figure 3: Two Types of DRE Systems--Pushbutton and Touchscreen: [See PDF for image] [End of figure] Pushbutton and touchscreen models also differ significantly in the way they present ballots to the voter. With the pushbutton model, all ballot information is presented on a single "full-face" ballot. For example, a ballot may have 50 buttons on a 3-by 3-foot ballot, with a candidate or issue next to each button. In contrast, touchscreen DREs display the ballot information on an electronic display screen. For both pushbutton and touchscreen models, the ballot information is programmed onto an electronic storage medium, which is then uploaded to the machine. Both models rely on ballot definition files to tell the voting machine software how to display ballot information on the screen, interpret a voter's touches on a button or screen, and record and tally those selections as votes. Local jurisdictions can program these files before each election or outsource their programming to a vendor. For touchscreens, ballot information can be displayed in color and can incorporate pictures of the candidates. Because the ballot space on a touchscreen is much smaller than on a pushbutton machine, voters who use touchscreens must page through the ballot information. Despite their differences, the two DRE models have some similarities, such as how the voter interacts with the voting equipment. For pushbutton models, voters press a button next to the candidate or issue, which then lights up to indicate the selection. Similarly, voters using touchscreens make their selections by touching the screen next to the candidate or issue, which is then highlighted. When voters have finished making their selections on a touchscreen or a pushbutton model, they cast their votes by pressing a final "vote" button or screen. Until they hit this final button or screen, voters can change their selections. Both models also allow voters to write in candidates. While most DREs allow voters to type write-ins on a keyboard, some pushbutton types require voters to write the name on paper tape that is part of the device. Further, although these systems do not use paper ballots, they retain permanent electronic images of all the ballots, which can be stored on various media, including internal hard disk drives, flash cards, or memory cartridges. According to vendors, these ballot images can be printed and used for auditing and recounts. Some of the newer DREs use smart cards as a security feature. Smart cards are plastic devices--about the size of a credit card--that use integrated circuit chips to store and process data, much like a computer. These cards are generally used as a means to open polls and to authorize voter access to ballots. For instance, smart cards for some systems store program data on the election and are used to help set up the equipment; during setup, election workers verify that the card is for the proper election. Other systems are programmed to automatically activate when the voter inserts a smart card; the card brings up the correct ballot onto the screen. In general, the interface with the voter is very similar to that of an automated teller machine. Like optical scan devices, DREs require the use of software to program the various ballot styles and tally the votes, which is generally done through the use of memory cartridges or other media. The software is used to generate ballots for each precinct in the voting jurisdiction, which includes defining the ballot layout, identifying the contests in each precinct, and assigning candidates to contests. The software also is used to configure any special options, such as straight party voting and vote-for-no-more-than-N contests. In addition, for pushbutton models, the software assigns the buttons to particular candidates, and, for touchscreen models, the software defines the size and location on the screen where the voter makes the selection. Vote-tally software is often used to tally the vote totals from one or more units. DRE systems offer various configurations for tallying the votes. Some contain removable storage media that can be taken from the voting device and transported to a central location to be tallied. Others can be configured to electronically transmit the vote totals from the polling place to a central tally location. These systems are also designed not to allow overvotes. For example, if a voter selects a second choice in a two-way race, the first choice is deselected. In addition to this standard feature, different types of systems offer a variety of options, including many aimed at voters with disabilities. In our prior work,[Footnote 10] we reported that the following features were available on some models of DRE: * A "no-vote" option. If allowed by the state, this option helps avoid unintentional undervotes. This provides the voter with the option to select "no vote" (or abstain) on the display screen if the voter does not want to vote on a particular contest or issue. * A "review" feature. This feature requires voters to review each page of the ballot before pressing the button to cast the vote. * Visual enhancements. These features include, for example, color highlighting of ballot choices and candidate pictures. * Accommodations for voters with disabilities. Examples of options for voters who are blind include Braille keyboards and audio interfaces.[Footnote 11] At least one vendor reported that its DRE accommodates voters with neurological disabilities by offering head movement switches and "sip and puff" plug-ins.[Footnote 12] Another option is voice recognition capability, which allows voters to make selections orally. * An option to recover spoiled ballots. This feature allows voters to recast their votes after their original ballots are cast. For this option, every DRE at the poll site could be connected to a local area network. A poll official would void the original "spoiled" ballot through the administrative workstation, which is also connected to the local area network. The voter could then cast another ballot. * An option to provide printed receipts. This option, provided by a voter-verified paper audit trail system, provides the voter with a paper printout or ballot when the vote is cast. This feature is intended to provide voters and/or election officials with an opportunity to check what is printed against what is recorded and displayed. HAVA Is Expected to Enhance the Federal Role in Election Processes: In October 2002, Congress passed the Help America Vote Act (HAVA) to provide states with organizations, processes, and resources for improving the administration of future federal elections. The act also specified time frames for the availability of these organizations, processes, and resources. The act was intended, among other things, to encourage states to upgrade antiquated voting systems and technologies and to support the states in making federally mandated improvements to their voting systems, such as ensuring that voters can verify their votes before casting their ballot, providing records for manual auditing of voting systems, and establishing maximum error rates for counting ballots. Organizations. HAVA established the Election Assistance Commission (EAC) and gave this commission responsibility for activities and programs related to the administration of federal elections. This independent federal agency consists of four presidential appointees confirmed by the Senate, as well as support staff, including personnel inherited from the former Office of Election Administration of the Federal Election Commission. EAC commissioners were appointed in December 2003, and the commission began operations in January 2004. EAC is intended to serve as a national clearinghouse and resource for the compilation of information and procedures on election administration. Its responsibilities relative to voting systems include: * adopting and maintaining voluntary voting system guidelines; * managing a national program for testing, certification, decertification, and recertification of voting system hardware and software; * maintaining a clearinghouse of information on the experiences of state and local governments in implementing the guidelines and operating voting systems; and: * conducting studies and other activities to promote effective administration of federal elections. HAVA also established three organizations and levied new requirements on a fourth to assist EAC in establishing voting system standards and performing its responsibilities, including standards and responsibilities involving the security and reliability of voting systems: * The Technical Guidelines Development Committee (TGDC) is to assist EAC in developing voluntary voting system standards (which are now called guidelines). This committee includes selected state and local election officials and representatives of professional and technical organizations. It is chaired by the Director of the National Institute of Standards and Technology. * The Standards Board brings together one state and one local official from each of the 55 states and territories to review the voluntary voting system guidelines developed by TGDC and provide comments and recommendations on the guidelines to EAC. * The Board of Advisors is made up of 37 members--many from various professional and specialty organizations.[Footnote 13] Like the Standards Board, the Board of Advisors reviews the voluntary voting system guidelines developed by TGDC and provides comments and recommendations to EAC. * The Department of Commerce's National Institute of Standards and Technology (NIST) provides technical support to TGDC, including research and development of the voting system guidelines. NIST is also responsible for monitoring and reviewing the performance of independent testing laboratories (previously known as independent testing authorities) and making recommendations for accreditation and revocation of accreditation of the laboratories by EAC. NIST's responsibilities for improving the security and reliability of electronic voting systems include identification of security and reliability standards for voting system computers, networks, and data storage; methods to detect and prevent fraud; and protections for voter privacy and remote voting system access. Processes. HAVA provides for three major processes related to the security and reliability of voting systems: updating voluntary standards, accrediting independent testing laboratories, and certifying voting systems to meet national standards. HAVA specifies the organizations involved, activities to be undertaken, public visibility for the processes, and, in some cases, work products and deadlines. These processes are described below. * Updating standards. EAC and TGDC were given responsibility for evaluating and updating the Federal Election Commission's voluntary voting system standards of 2002. TGDC is to propose standards changes within 9 months of the appointment of all of its members, and EAC is to hold a public hearing and a comment period for the standards changes and allow at least 90 days for review and comment by the standards and advisory boards before voting on the standards. EAC and its boards are also to consider updates to the standards on an annual basis. * Accrediting laboratories. NIST's director is charged with evaluating the capabilities of independent nonfederal laboratories to carry out certification testing of voting systems within 6 months after EAC adopts the first update to the voluntary voting system standards.[Footnote 14] Through its National Voluntary Laboratory Accreditation Program, NIST is to recommend qualified laboratories for EAC's accreditation, provide ongoing monitoring and reviews of the accredited laboratories, and recommend revocation of accreditation, if necessary. * Certifying systems. EAC is to establish processes for certifying, decertifying, and recertifying voting systems. HAVA allows the current processes (as conducted under the National Association of State Election Directors) to continue until the laboratory accreditation processes to be developed by NIST are established and laboratories are accredited by EAC to conduct certification testing. States may also use the nationally accredited testing laboratories for testing associated with certification, decertification, and recertification of voting systems to meet state certification requirements. The majority of states currently rely on federal standards, but do not require national certification testing to ensure that voting systems meet functional, performance, and quality goals. On the basis of an April 2005 review of state statutes and administrative rules, EAC identified at least 30 states that require their voting systems to meet federal standards issued by the Federal Election Commission, EAC, or both (see fig. 4). As for certification, the majority of states require state certification of voting systems, but do not require national testing. Only 13 states currently require their systems to be tested against the federal standards by independent testing authorities and certified by the National Association of State Election Directors (see fig. 4). In commenting on a draft of this report, EAC noted that some state and local jurisdictions can choose to exceed state statute and administrative rules--and may be using federal standards and national certification testing. Figure 4: States Requiring the Use of Federal Voting System Standards and States Requiring National Certification Testing: [See PDF for image] Note: State requirements are based on EAC assessment of state statute and administrative rule. [End of figure] Resources. HAVA authorized federal payments to help states improve their voting systems in two ways: * By replacing punch card and lever voting systems in time for the November 2004 federal election unless a waiver authorizing a delay is granted by the Administrator of the General Services Administration. In the event of a waiver, states are required to replace the systems in time for the first federal election held after January 1, 2006.[Footnote 15] EAC reports that approximately $300 million was distributed to 30 states under this HAVA provision--all in fiscal year 2003. * By incorporating new voting system functions required by HAVA (for instance, ballot verification by voters, producing printed records for election auditing, and meeting vote counting error rates);[Footnote 16] upgrading systems in general; improving the administration of elections; or educating voters and training election workers (among other things).[Footnote 17] EAC reported that as of August 31, 2005, approximately $2.5 billion had been disbursed to the 50 states, 4 U.S. territories, and the District of Columbia, for these and other election improvements. Time frames. HAVA specifies time frames for several key activities. Specifically, it requires that: * EAC commissioners be appointed no later than 120 days after the law was enacted, * a program to distribute payments to states to replace antiquated voting systems be in place no later than 45 days after the law was enacted, * the first set of recommendations for revising the voluntary voting system standards be submitted to EAC no later than 9 months after the appointment of TGDC members, * EAC approve voluntary guidance for certain voting system standards by January 2004, * NIST conduct evaluations of independent testing laboratories for accreditation within 6 months of the adoption of updated voting standards, * states receiving federal payments replace their lever or punch card voting machines in time for the November 2004 federal election, or the first federal election after January 2006, with a waiver, and: * states meet requirements for federally mandated improvements to voting systems, such as voter verification of ballots, records for manual audits, and maximum error rates for ballot counts (HAVA Section 301) by January 1, 2006. EAC commissioners were appointed in December 2003--over a year after the law was enacted--and the commission began operations in January 2004. It received $1.2 million in funding in fiscal year 2004 increasing to $14 million in fiscal year 2005. Thus, the commission got a late start on its initiatives. As discussed later in this report, key activities are currently under way. Security and Reliability Are Important Elements Throughout the Voting System Life Cycle: Electronic voting systems are typically developed by vendors and then purchased commercially off the shelf and operated by state and local election administrators. Viewed at a high level, these activities make up three phases of a system life cycle: product development, acquisition, and operations (see fig. 5). Key processes that span these life cycle phases include managing the people, processes, and technologies within each phase, and testing the systems and components during and at the end of each phase. Additionally, voting system standards are important through all of the phases because they provide criteria for developing, testing, and acquiring voting systems, and they specify the necessary documentation for operating the systems. As with other information systems, it is important to build principles of security and reliability into each phase of the voting system life cycle. Figure 5: A Voting System Life Cycle Model: [See PDF for image] [End of figure] The product development phase includes activities such as establishing requirements for the system, designing a system architecture, and developing software and integrating components. Activities in this phase are performed by the system vendor. Design and development activities related to security and reliability of electronic voting systems include such things as requirements development and hardware and software design. The acquisition phase covers activities for procuring voting systems from vendors such as publishing a request for proposal, evaluating proposals, choosing a voting technology, choosing a vendor, and writing and administering contracts. For voting systems, activities in this phase are primarily the responsibility of state and local governments, but entail some responsibilities that are shared with the system vendor (such as establishing contractual agreements). Acquisition activities affecting the security and reliability of electronic voting systems include such things as specifying provisions for security controls in contracts and identifying evaluation criteria for prospective systems. The operations phase consists of activities for operating the voting systems, including the setup of systems before voting, vote capture and counting during elections, recounts and system audits after elections, and storage of systems between elections. Responsibility for activities in this phase typically resides with local jurisdictions. Security and reliability aspects of this phase include physical security of the polling place and voting equipment, chain of custody for voting system components and supplies, system audit logs and backups, and the collection, analysis, reporting, and resolution of election problems. Standards for voting systems were developed at the national level by the Federal Election Commission in 1990 and 2002 and are now being updated by EAC, TGDC, and NIST. Voting system standards affect all life cycle phases. In the product development phase, they serve as guidance for developers to build systems. In the acquisition phase, they provide a framework that state and local governments can use to evaluate systems. In the operations phase, they specify the necessary documentation for operating the systems. Current and planned national standards include explicit requirements for ensuring the security and reliability of voting systems. Testing processes are conducted throughout the life cycle of a voting system. Voting system vendors conduct product testing during development of the system and its components. National testing of products submitted by system vendors is conducted by nationally accredited independent testing authorities. States may conduct evaluation testing before acquiring a system to determine how well products meet their specifications, or may conduct certification testing to ensure that a system performs its functions as specified by state laws and requirements. Once a voting system is delivered by the system vendor, states and local jurisdictions may conduct acceptance testing to ensure that the system satisfies functional requirements. Finally, local jurisdictions typically conduct logic and accuracy tests related to each election, and sometimes subject portions of the system to parallel testing during each election to ensure that the system components perform accurately. All of these tests should address system security and reliability. Management processes ensure that each life cycle phase produces desirable outcomes. Typical management activities that span the system life cycle include planning, configuration management, system performance review and evaluation, problem tracking and correction, human capital management, and user training. These activities are conducted by the responsible parties in each life cycle phase. Management processes related to security and reliability include program planning, disaster recovery and contingency planning, definition of security roles and responsibilities, configuration management of voting system software and hardware, and poll worker security training. In 2004, we reported that the performance of electronic voting systems, like any type of automated information system, can be judged on several bases, including how well its design provides for security, accuracy, ease of use, efficiency, and cost.[Footnote 18] We also reported that voting system performance is a function of how it was designed and developed, whether the system performs as designed, and how the system is implemented. In implementing a system, it is critical to have people with the requisite knowledge and skills to operate it according to well- defined and understood processes. Significant Concerns Have Been Raised about the Security and Reliability of Electronic Voting Systems: Electronic voting systems hold promise for improving the efficiency and accuracy of the election process by automating a manual process, providing flexibility for accommodating voters with special needs, and implementing controls to avoid errors by voters and election workers. However, in a series of recent reports, election officials, computer security experts, citizen advocacy groups, and others have raised significant concerns about the security and reliability of electronic voting systems, citing instances of weak security controls, system design flaws, inadequate system version control, inadequate security testing, incorrect system configuration, poor security management, and vague or incomplete standards, among other issues. Most of the issues can be viewed in the context of the voting system life cycle, including (1) the development of voting systems, including the design of these systems and the environments in which they were developed; (2) the nature and effectiveness of the testing program for electronic voting systems; (3) the operation and management of electronic voting systems at the state and local levels; and (4) the voluntary voting systems standards, which govern different activities at different phases. The aspects of the life cycle are interdependent--that is, a problem experienced in one area of the life cycle will likely affect the other areas. For example, a weakness in system standards could result in a poorly designed system during the development phase, which then malfunctions in the operational phase. Also, each of the life cycle phases depends on the management of people, processes, and technology to ensure that they are executed in a manner that adequately ensures reliable and secure results. Because of these multiple interdependencies, it is sometimes difficult to determine the root cause of some problems. Table 1 provides a summary of the different types of concerns identified. In viewing these concerns, it is important to note that many involved vulnerabilities or problems with specific voting system makes and models or circumstances in a specific jurisdiction's election, and that there is a lack of consensus among elections officials, computer security experts, and others on the pervasiveness of the concerns. Nevertheless, there is evidence that some of these concerns have been realized and have caused problems with recent elections, resulting in the loss and miscount of votes. In light of the recently demonstrated voting system problems; the differing views on how widespread these problems are; and the complexity of assuring the accuracy, integrity, confidentiality, and availability of voting systems throughout their life cycles, the security and reliability concerns raised in recent reports merit the focused attention of federal, state, and local authorities responsible for election administration. Table 1: Common Types of Security and Reliability Concerns Viewed in Terms of the Voting System Life Cycle: Life cycle component: Product development; Common concerns: * Weak system security controls; * Design flaws in voter-verified paper audit trail systems; * Weak security management practices. Life cycle component: Acquisition; Common concerns: No significant concerns reported. Life cycle component: Operations; Common concerns: * Incorrect system configuration; * Poor implementation of security procedures; * System failures during elections. Life cycle component: Standards; Common concerns: * Vague and incomplete security provisions; * Inadequate provisions for commercial off-the-shelf systems and telecommunications and networking services; * Inadequate requirements for vendor documentation. Life cycle component: Testing; Common concerns: * Inadequate security testing; * Lack of transparency in the testing process. Life cycle component: Management; Common concerns: * Poor version control of system software; * Inadequate security management. Source: GAO analysis and summary. [End of table] Common concerns as well as examples of the problems identified during recent elections are discussed in more detail below. Product Development: Multiple recent reports, including several state-commissioned technical reviews and security assessments, voiced concerns about the development of secure and reliable electronic voting systems by system vendors. Three major areas of concern are weak security controls, audit trail design flaws, and weak security management practices. Weak system security controls. Some electronic voting systems provided weak system security controls over key components (including electronic storage for votes and ballots, remote system access equipment, and system event and audit logs), access to the systems, and the physical system hardware. * Regarding key software components, several evaluations demonstrated that election management systems did not encrypt the data files containing cast votes (to protect them from being viewed or modified).[Footnote 19] Evaluations also showed that, in some cases, other computer programs could access these cast vote files and alter them without the system recording this action in its audit logs.[Footnote 20] Two reports documented how it might be possible to alter the ballot definition files on one model of DRE so that the votes shown on the touch screen for one candidate would actually be recorded and counted for a different candidate.[Footnote 21] In addition, one of these reports found that it was possible to gain full control of a regional vote tabulation computer--including the ability to modify the voting software--via a modem connection.[Footnote 22] More recently, computer security experts working with a local elections supervisor in Florida demonstrated that someone with physical access to an optical scan voting system could falsify election results without leaving any record of this action in the system's audit logs by using altered memory cards.[Footnote 23] If exploited, these weaknesses could damage the integrity of ballots, votes, and voting system software by allowing unauthorized modifications. * Regarding access controls, many security examinations reported flaws in how controls were implemented in some DRE systems.[Footnote 24] For example, one model failed to password-protect the supervisor functions controlling key system capabilities; another relied on an easily guessed password to access these functions.[Footnote 25] In another case, the same personal identification number was programmed into all supervisor cards nationwide--meaning that the number was likely to be widely known.[Footnote 26] Reviewers also found that values used to encrypt election data (called encryption keys) were defined in the source code.[Footnote 27] Several reviews reported that smart cards (used to activate the touch screen on DRE systems) and memory cards (used to program the terminals of optical scan systems) were not secured by some voting systems. Reviewers exploited this weakness by altering such cards and using them to improperly access administrator functions, vote multiple times, change vote totals, and produce false election reports in a test environment.[Footnote 28] Some election officials and security experts felt that physical and procedural controls would detect anyone attempting to vote multiple times during an actual election.[Footnote 29] Nevertheless, in the event of lax supervision, the privileges available through these access control flaws could allow unauthorized personnel to disrupt operations or modify data and programs that are crucial to the accuracy and integrity of the voting process. * Regarding physical hardware controls, several recent reports found that many of the DRE models under examination contained weaknesses in controls designed to protect the system. For instance, one report noted that all the locks on a particular DRE model were easily picked, and were all controlled by the same keys--keys that the reports' authors were able to copy at a local store.[Footnote 30] However, the affected election officials felt that this risk would be mitigated by typical polling-place supervisors, who would be able to detect anyone picking the lock on a DRE terminal.[Footnote 31] In another report, reviewers were concerned that a particular model of DRE was linked together with others to form a rudimentary network.[Footnote 32] If one of these machines were accidentally or intentionally unplugged from the others, voting functions on the other machines in the network would be disrupted. In addition, reviewers found that the switches used to turn a DRE system on or off, as well as those used to close the polls on a particular DRE terminal, were not protected.[Footnote 33] Design flaws in the voter-verified paper audit trail systems. Voter- verified paper audit trail systems involve adding a paper printout to a DRE system that a voter can review and verify. Some citizen advocacy groups, security experts, and elections officials advocate these systems as a protection against potential DRE flaws.[Footnote 34] However, other election officials and researchers have raised concerns about potential reliability and security flaws in the design of such systems.[Footnote 35] Critics of the systems argue that adding printers increases the chance of mechanical failure and disruption to the polling place.[Footnote 36] Critics also point out that these systems introduce security risks involving the paper audit trail itself. Election officials would need to safeguard the paper ballots. If voting system mechanisms for protecting the paper audit trail were inadequate, an insider could associate voters with their individual paper ballots and votes, particularly if the system stored voter-verified ballots sequentially on a continuous roll of paper.[Footnote 37] If not protected, such information could breach voter confidentiality. Weak security management practices. Selected state elections officials, computer security experts, and election experts view the reported instances of weak controls as an indication that the voting system vendors lack strong security management and development practices.[Footnote 38] Security experts and local election officials cite the position of trust that vendors occupy in the overall election process, and say that to ensure the security and reliability of electronic voting systems--as well as improve voters' confidence in the electoral process--vendors' practices need to be above reproach.[Footnote 39] Specific concerns have been expressed about (1) the personnel security policies used by vendors, including whether vendors conduct background checks on programmers and systems developers; (2) whether vendors have established strict internal security protocols and have adhered to them during software development; and (3) whether vendors have established clear chain of custody procedures for handling and transporting their software securely.[Footnote 40] A committee of election system vendors generally disagrees with these concerns and asserts that their security management practices are sound. Election Operations: Several reports raised concerns about the operational practices of local jurisdictions and the performance of their electronic voting systems during elections. These include incorrect system configurations, poor implementation of security procedures, and operational failures during an election. Incorrect system configuration. Some state and local election reviews have documented cases in which local governments did not configure their voting systems properly for an election. For instance, a county in California presented some voters with an incorrect electronic ballot in the March 2004 primary.[Footnote 41] As a result, these voters were unable to vote on certain races. In another case, a county in Pennsylvania made a ballot programming error on its DRE system.[Footnote 42] This error contributed to many votes not being captured correctly by the voting system, evidenced by that county's undervote percentage, which reached 80 percent in some precincts. Poor implementation of security procedures. Several reports indicated that state and local officials did not always follow security procedures. Reports from Maryland found that a regional vote tabulation computer was connected to the Internet, and that local officials had not updated it with several security patches, thus exposing the system to general security threats.[Footnote 43] In another example, election monitors in Florida described how certain precincts did not ensure that the number of votes matched the number of signatures on the precinct sign-in sheets, thus raising questions as to whether the voting systems captured the correct number of votes.[Footnote 44] A report from California cited a number of counties that failed to follow mandatory security measures set forth by the Secretary of State's office that were designed to compensate for potential security weaknesses in their electronic voting systems.[Footnote 45] System failures during elections. Several state and local jurisdictions have documented instances when their electronic voting systems exhibited operational problems during elections. For example, California officials documented how a failure in a key component of their system led to polling place disruptions and an unknown number of disenfranchised voters.[Footnote 46] In another instance, DRE voting machines in one county in North Carolina continued to accept votes after their memories were full, effectively causing over 4,000 votes to be lost.[Footnote 47] The same system was used in Pennsylvania, where the state's designated voting system examiner noted several other problems, including the system's failure to accurately capture write-in or straight ticket votes, screen freezes, and difficulties sensing voters' touches.[Footnote 48] A Florida county experienced several problems with its DRE system, including instances where each touch screen took up to 1 hour to activate and had to be activated separately and sequentially, causing delays at the polling place.[Footnote 49] In addition, election monitors discovered that the system contained a flaw that allowed one DRE system's ballots to be added to the canvass totals multiple times without being detected.[Footnote 50] In another instance, a malfunction in a DRE system in Ohio caused the system to record approximately 3,900 votes too many for one presidential candidate in the 2004 general election.[Footnote 51] While each of these problems was noted in an operational environment, the root cause was not known in all cases. Standards: In 1990, the Federal Election Commission issued a set of voluntary voting systems standards, which were later revised in 2002. These standards identify minimum functional and performance requirements for electronic voting systems such as optical scan and DRE voting equipment. The functional and performance requirements address what voting equipment should do and delineate minimum performance thresholds, documentation provisions, and security and quality assurance requirements. These standards also specify testing to ensure that the equipment meets these requirements. The standards are voluntary--meaning that states are free to adopt them in whole or in part, or reject them entirely. Computer security experts and others have criticized the 2002 voting system standards for not containing requirements sufficient to ensure secure and reliable voting systems. Common concerns with the standards involve vague and incomplete security provisions, inadequate provisions for some commercial products and networks, and inadequate documentation requirements. Vague and incomplete security provisions. Security experts and others have criticized the security provisions in the voting system standards for being vague and lacking specific requirements.[Footnote 52] Although the standards require the presence of many kinds of security controls, the concern is that they are not specific enough to ensure the effective and correct implementation of the controls. One of the independent testing authorities agreed and noted that the broad terms of the standards do not provide for consistent testing because they leave too much room for interpretation.[Footnote 53] Computer security and testing experts have also noted that the current voting system standards are not comprehensive enough and that they omit a number of common computer security controls. For example, an independent testing authority expressed a concern that the standards do not prohibit many software coding flaws, which could make the voting system software susceptible to external attack and malicious code.[Footnote 54] In addition, NIST performed a review of the voting system standards and found numerous gaps between its own security guidance for federal information systems and those prescribed by the standards. Others have argued that the standards are simply out of date, and contain no guidance on technologies such as wireless networking and voter-verified paper audit trails.[Footnote 55]Inadequate provisions for commercial off- the-shelf (COTS) systems and telecommunications and networking services. Computer security experts have raised concerns about a provision in the voting system standards that exempts unaltered COTS software from testing, and about voting system standards that are not sufficient to address the weaknesses inherent in telecommunications and networking services. Specifically, vendors often use COTS software in their electronic voting systems, including operating systems like Microsoft Windows. Security experts note that COTS software could contain defects, vulnerabilities, and other weaknesses that could be carried over into electronic voting systems, thereby compromising their security.[Footnote 56] Regarding telecommunication and networking services, selected computer security experts believe that relying on any use of telecommunications or networking services, including wireless communications, exposes electronic voting systems to risks that make it difficult to guarantee their security and reliability-- even with safeguards such as encryption and digital signatures in place.[Footnote 57] Inadequate requirements for documentation. Computer security experts and some elections officials have expressed concerns that the documentation requirements in the voting system standards are not explicit enough. For instance, computer security experts warn that the documentation requirements for source code are not sufficient for code that is obscure or confusing, nor do they require developers to sufficiently map out how software modules interact with one another.[Footnote 58] This could make it difficult for testers and auditors to understand what they are reviewing, lessening their ability to detect unstable or hidden (and potentially malicious) functionality. In addition, election officials and a security expert raised concerns that the standards do not require sufficient documentation for local officials with respect to proper operation and maintenance procedures.[Footnote 59] For instance, election officials in one state noted that when voting machines malfunctioned and started generating error messages during an election, state technicians were unable to diagnose and resolve the problems because the vendor's documentation provided no information about what the error messages meant, or how to fix the problems.[Footnote 60] Voting System Testing: Security experts and some election officials have expressed concerns that tests currently performed by independent testing authorities and state and local election officials do not adequately assess electronic voting systems' security and reliability. These concerns are amplified by what some perceive as a lack of transparency in the testing process. Inadequate security testing. Many computer security experts expressed concerns with weak or insufficient system functional testing, source code reviews, and penetration testing.[Footnote 61] Illustrating their concerns, most of the systems with weak security controls identified earlier in this report (see product development issues) had previously been certified by the National Association of State Election Directors after testing by an independent testing authority. Security experts and others point to this as an indication that both the standards and the testing program are not rigorous enough with respect to security. * Regarding the functional testing conducted by independent testing authorities and state and local officials, election and security experts expressed concern that this testing may not reveal certain security flaws in electronic voting systems.[Footnote 62] They argue that functional tests only measure a system's performance when it is used as expected, under normal operating conditions.[Footnote 63] As a result, this testing cannot determine what might happen if a voter acts in unexpected ways, or how the system would react in the face of an active attack. Specifically, security experts argue that functional testing is unlikely to ever trigger certain types of hidden code.[Footnote 64] As a result, malicious code could be present in a system and evade testing as long as the triggering commands were not entered. * Security and testing experts also expressed concern that the source code reviews called for in the voting system standards and conducted by independent testing authorities are too general and do not take into account the unique nature of voting systems. For instance, several experts noted that malicious code could be hidden in source code and be obscure enough to avoid detection by the general reviews, which currently focus on coding conventions, comments, and line length.[Footnote 65] Moreover, there is concern that these code reviews may not adequately inspect how voting system software interacts with key election data.[Footnote 66] Specifically, security experts say that a testing authority's source code review should include checks for unique elements of the election contest, including (1) software modules with inappropriate access to vote totals, ballot definition files, or individual ballots; (2) functionality with time or date dependent behavior; and (3) software modules that retain information from previous screen touches or previous voters--all potentially indicative of improper and malicious voting system behavior.[Footnote 67] * As for penetration testing, experts expressed concerns that voting system testing does not include such explicit security tests.[Footnote 68] An official from an independent testing authority generally agreed and said that the security-related parts of their testing use a checklist approach, based on what is called for in the voluntary voting system standards. This official recommended more rigorous security testing. Another testing authority official said that their testing does not guarantee that voting systems are secure and reliable. This official has called for local jurisdictions to conduct additional security testing and risk analyses of their own.[Footnote 69] Lack of transparency in the testing process. Security experts and some elections officials have raised concerns about a lack of transparency in the testing process. They note that the test plans used by the independent testing authorities, along with the test results, are treated as protected trade secrets and thus cannot be released to the public.[Footnote 70] (Designated election officials may, in fact, obtain copies of test results for their systems, but only with the permission of the vendor.) As a result, critics argue, the rigor of the testing process is largely unknown. Critics say that this lack of transparency hinders oversight and auditing of the testing process.[Footnote 71] This in turn makes it harder to determine the actual capabilities, potential vulnerabilities, and performance problems of a given system. Despite assertions by election officials and vendors that disclosing too much information about an electronic voting system could pose a security risk,[Footnote 72] one security expert noted that a system should be secure enough to resist even a knowledgeable attacker.[Footnote 73] Security Management: Numerous studies raised concerns about the security management practices of state and local governments in ensuring the security of electronic voting systems, citing poor version control of system software and inadequate security management programs. Poor version control of system software. Security experts and selected election officials are concerned about the configuration management practices of state and local jurisdictions. Specifically, the voting system software installed at the local level may not be the same as what was qualified and certified at the national or state levels.[Footnote 74] These groups raised the possibility that either intentionally or by accident, voting system software could be altered or substituted, or that vendors or local officials might (knowingly or not) install untested or uncertified versions of voting systems.[Footnote 75] As a result, potentially unreliable or malicious software might be used in elections. For example, in separate instances in California and Indiana, state officials found that two different vendors had violated regulations and state law by installing uncertified software on voting systems.[Footnote 76] Inadequate security management programs. Several of the technical reviews mentioned previously also found that states did not have effective information security management plans in place to oversee their electronic voting systems.[Footnote 77] The reports noted that key managerial functions were not in place, including (1) providing appropriate security training, (2) ensuring that employees and contractors had proper certifications, (3) ensuring that security roles were well defined and staffed, and (4) ensuring that pertinent officials correctly configure their voting system audit logs and require them to be reviewed. In addition, several reports indicated that some state and local jurisdictions did not always have procedures in place to address problems with their electronic voting systems.[Footnote 78] For instance, one county in Pennsylvania reported that neither its election staff nor its technical division knew how to deal with several problems that occurred on election day.[Footnote 79] The report also cited (1) a lack of preparation and contingency planning for significant problems, (2) inadequate communication means between precincts and the county election office for problem reporting, and (3) the absence of paper ballots held in reserve as a backup. In addition, this and other reports indicated that poll workers might not receive sufficient training, or possess adequate technical skills or knowledge of their particular systems to manage, administer, and troubleshoot them.[Footnote 80] While the concerns listed above are numerous, it is important to note that many involved problems with specific voting system makes and models or with circumstances in a specific jurisdiction's election. Further, there is a lack of consensus among election officials, computer security experts, and others on the pervasiveness of the concerns. On one hand, both vendors and election officials express confidence in the security of their current products. Election officials note that their administrative procedures can compensate for inherent system weaknesses, and they point out that there has never been a proven case of fraud involving tampering with electronic voting systems. Alternatively, citizen groups and computer security experts note that administrative procedures cannot compensate for all of the weaknesses and that if electronic voting system security weaknesses are exploited, particularly by those with insider access to the systems, changes to election results could go undetected.[Footnote 81] Nevertheless, there is evidence that some of these concerns--including weak controls and inadequate testing--have caused problems with recent elections, resulting in the loss and miscount of votes. In light of the recently demonstrated voting system problems, the differing views on how widespread these problems are, and the complexity of assuring the accuracy, integrity, confidentiality, and availability of voting systems throughout their life cycles, the security and reliability concerns raised in recent reports merit attention. Recommended Practices Address Electronic Voting Systems' Security and Reliability: Several federal, academic, and nongovernmental organizations have issued guidance to help state and local election officials improve the election and voting processes. This guidance includes recommended practices for enhancing the security and reliability of voting systems. For example, in mid-2004, EAC issued a compendium of practices recommended by elections experts, including state and local jurisdictions.[Footnote 82] This compendium, among many suggested practices, includes activities to help ensure a secure and reliable voting process throughout a voting systems' life cycle. As another example, in July 2004, the California Institute of Technology and the Massachusetts Institute of Technology issued a report recommending immediate steps to avoid lost votes in the 2004 election, including suggestions for testing equipment, retaining audit logs, and physically securing voting systems.[Footnote 83] In addition to this election-specific guidance, the federal government and other entities have published extensive guidance intended to help organizations address, evaluate, and manage the security and reliability of their information technology systems. This guidance includes practices in the product development phase of the system life cycle that may assist voting system vendors in adopting appropriate standards and practices for designing and developing secure and reliable voting systems. In addition, this guidance includes practices in the areas of acquisition, testing, operation, and management that may help state governments and local election officials in acquiring technologies and services; assessing security risks; selecting, applying, and monitoring security controls; auditing systems; and adopting security policies. The following is a high-level summary of common practices identified in both general and election-specific reports that address the security and reliability of electronic voting systems in the context of the system life cycle phases and cross-cutting activities. The recommended practices in both election-specific and IT-focused guidance documents provide valuable guidance throughout a voting system's life cycle that, if implemented effectively, should help improve the security and reliability of voting systems. Appendix II provides a more detailed summary of the election-specific publications' guidance on voting system security and reliability practices, and appendix III provides summaries of general guidance on information systems security. Product Development: * Voting system developers should define security requirements and specifications early in the design and development process. * The security requirements for voting systems should consider the unique security needs of elections and the voting environment, as well as applicable laws, national standards, and other external influences and constraints that govern systems. * Voting systems should contain audit logs that record all activity involving access to and modifications of the system, particularly of sensitive or critical files or data, including the time of the event, the type of event and its result, and the user identification associated with the event. * Voting systems should employ adequate logical access controls over software and data files. Systems should require that passwords be changed periodically, and that they not use names or words from the dictionary. Further, the use of vendor-supplied or generic passwords should be prohibited. * Vendors should review lessons learned from recent elections and implement relevant mitigation steps to address known security weaknesses (see app. II, table 16). Acquisition: * Election officials should focus on the security issues related to electronic voting equipment before purchasing or implementing voting systems. * Requests for proposals should include security requirements and evaluation and test procedures. * Election officials should review lessons learned from recent elections and implement relevant mitigation steps to address known security weaknesses (see app. II, table 16). Operations: * State and local authorities should ensure that sensitive activities in the election process, such as vote tabulation and the transporting of ballots or election results, are performed by more than one person or observed by representatives of both major parties. * Procedures should be developed and followed to identify and document the chain of custody for every instance when sensitive election items (such as memory cards, ballots, and voting machines) change hands. * Voting machines, ballots, memory cartridges, election supplies, and offices should be physically secured against unauthorized access before, during, and after an election. * A postelection audit of voting systems should be conducted to reconcile vote totals and ballot counts, even if there is no recount scheduled. * An audit of the election system and process should be conducted after election day to verify that the election was conducted correctly and to uncover any evidence of security breaches or other problems that may not have surfaced on election day. Standards: * States should adopt the most current version of the national voluntary voting standards or guidelines. Testing: * During the product development phase, electronic voting system developers should verify and validate the security controls on the system before deployment in order to ensure that the controls are working properly and effectively and that they meet the operational security needs of the purchasing jurisdiction. * During the acquisition phase, states and local governments should require that voting systems be certified against federal standards. * During the operations phase, localities should conduct logic and accuracy testing on voting machines before the election to ensure that they accurately record votes. Management: * Voting system developers should establish a sound security policy that identifies the security goals of their system; the procedures, standards, and controls needed to support the system security goals; the critical assets; and the security-related roles and responsibilities. * Voting system developers should conduct appropriate background screening on all employees before granting them access to sensitive information or placing them into sensitive positions. * Election officials should plan for poll worker training early in the process and ensure that all training classes and materials include information on the security of voting systems and on election security procedures. * Election officials, not vendors, should control the administration and use of the voting equipment. To that end, the election administration team should include persons with expertise in both computer security and voting system oversight. * Election officials should conduct a risk analysis of voting systems and address any identified vulnerabilities and points of failure in the election process. * Election officials should ensure that vendors provide tested and certified versions of voting system software by requiring that software be submitted to NIST's National Software Reference Library, and by verifying that the systems, including hardware, software, and software patches, have met all required standards through required testing.[Footnote 84] * Procedures and plans should be established for handling election day equipment failure, including backup and contingency plans. If voting machines malfunction during voting, they should not be repaired or removed from the polling place on election day. National Initiatives Are Under Way to Improve Voting System Security and Reliability, but Key Activities Need to Be Completed: Since the implementation of HAVA in 2002, the federal government has begun a range of actions that are expected to improve the security and reliability of electronic voting systems. EAC, with the support of TGDC and NIST, is in the process of updating voluntary voting system standards, is establishing federal processes to accredit independent test laboratories and certify voting systems to national standards, and is supporting state and local election management by providing a library for certified software and acting as a clearinghouse for information on voting system problems and recommended election administration and management practices. However, a majority of these efforts either lack specific plans for implementation in time to affect the 2006 general election or are not expected to be completed until after the 2006 election. As a result, it is unclear when these initiatives will be available to assist state and local election officials. In addition to the federal government's activities, nongovernmental initiatives are under way to (1) define international voting system standards; (2) develop designs for open voting system products; (3) provide a framework of acquisition questions to use in acquiring voting systems; and (4) support management of voting systems by collecting and analyzing problem reports. Federal Initiatives to Improve Voting Systems Security and Reliability Are Under Way: EAC, in collaboration with NIST and TGDC, has initiated efforts on several of its key responsibilities relating to the security and reliability of electronic voting systems, including improving voting system standards, developing a process to facilitate testing systems against the standards, and supporting state and local governments' election management. Table 2 summarizes federal initiatives--both those required by HAVA and those initiated by EAC to support HAVA requirements. Table 2: Federal Initiatives Related to Improving the Security and Reliability of Voting Systems: Standards: Initiative: Draft initial set of voluntary voting system guidelines (HAVA); Responsibility: TGDC; Status: Completed; Actual or planned completion date: May 2005 (actual). Initiative: Adopt voluntary guidance for certain voting system standards (HAVA); Responsibility: EAC; Status: In process; Actual or planned completion date: Fall 2005. Initiative: Complete security and reliability updates to voting system guidelines; Responsibility: TGDC recommends; EAC approves; Status: In process; Actual or planned completion date: Not determined. Testing: Initiative: Conduct evaluation of independent testing laboratories for accreditation (HAVA); Responsibility: NIST; Status: Not yet initiated; Actual or planned completion date: By early 2007. Initiative: Accredit first cadre of independent voting system testing laboratories (HAVA); Responsibility: NIST recommends; EAC approves; Status: Not yet initiated; Actual or planned completion date: By early 2007. Initiative: Define interim process for certification of voting systems; Responsibility: EAC; Status: In process; Actual or planned completion date: Fall 2005. Initiative: Establish national program for voting system certification (HAVA); Responsibility: EAC; Status: In process; Actual or planned completion date: Not determined. Management support: Initiative: Establish national reference library for certified voting system software; Responsibility: NIST; Status: Completed; Actual or planned completion date: July 2004 (actual). Initiative: Establish procedures for sharing problems associated with voting systems; Responsibility: NIST recommends; EAC approves; Status: In process; Actual or planned completion date: Not determined. Initiative: Provide an initial report that includes best practices for secure and reliable voting systems; Responsibility: EAC; Status: Completed; Actual or planned completion date: August 2004 (actual). Initiative: Provide periodic reports on election administration practices (HAVA); Responsibility: EAC; Status: In process; Actual or planned completion date: First report by December 2006; later reports not determined. Source: GAO analysis of HAVA and EAC, NIST, and TGDC data. Note: Initiatives followed by (HAVA) are required by the Help America Vote Act. [End of table] Standards. TGDC and NIST have been working on behalf of EAC to improve the 2002 Federal Election Commission voluntary voting system standards[Footnote 85] and their impact on the acquisition, testing, operations, and management processes of the voting system life cycle.[Footnote 86] TGDC approved 41 resolutions between July 2004 and April 2005, many of which directed NIST to research and develop recommendations for changing various voting system capabilities and assurance processes. Of the 41 resolutions, 24 relate to the security and reliability of voting systems. Appendix IV contains the relevant resolutions and their status. TGDC's initial priorities have been to correct errors and fill gaps in the 2002 standards and to supplement them with provisions that address HAVA requirements. In May 2005, TGDC approved a first set of recommended changes and delivered them to EAC. Subsequently, EAC published these changes as proposed voluntary voting system guidelines and requested public comment by September 30, 2005. EAC plans to review and address the comments it receives from the public and its standards and advisory boards during October 2005, and to issue the 2005 Voluntary Voting System Guidelines shortly thereafter, depending on the nature and volume of comments. EAC is proposing that the 2005 voluntary voting system guidelines will become effective 24 months after they are adopted by the EAC, although individual states will be free to adopt the standards at any time during the 24 month period. According to the EAC, the 24 month period is intended to give vendors the time to design and develop systems that comply with the new guidelines; to give testing laboratories the opportunity to develop testing protocols, train laboratory staff, and be prepared to test the systems against the new guidelines; and to allow states time to adopt the standards, adjust their certification and acceptance testing processes, and acquire systems in plenty of time for future election cycles. Key security and reliability standards of the proposed 2005 guidelines include: * a method for distributing voting system software, * protocols for generating and distributing software reference data for the NIST repository of certified voting system software, * a method for validating the proper setup of voting systems, * controls for the use of wireless communications by voting systems, and: * optional specifications for a voter-verified paper audit trail. However, NIST reported that several of the topics listed in the proposed guidelines (including software distribution, validation of system setup, and wireless communications) will not be fully addressed in the 2005 update, and will need to be updated in a future version of the guidelines. Furthermore, key security and reliability improvements to the existing standards (including guidance for the security of COTS software; ensuring the correctness of software, testing, and documentation for system security; enhancements to the precision and testability of the standards; and the usability of error messages) have been deferred until the subsequent set of guidelines is developed. EAC officials acknowledged that these changes will not be made in the initial set of guidelines, and reiterated that they are focusing on what can be done in time to meet the HAVA-mandated delivery date for the initial set of guidelines. Testing. EAC and NIST have initiatives under way to improve voting system testing, including efforts to evaluate and accredit independent testing laboratories (which test voting systems against the national standards) and efforts to define both an interim process and a long- term program for voting system certification. * NIST is in the process of establishing plans and procedures to conduct an evaluation of independent, nonfederal laboratories through its National Voluntary Laboratory Accreditation Program. NIST solicited feedback from interested laboratories concerning its accreditation program, drafted a handbook that documents the accreditation process, and accepted applications from its first cadre of candidate laboratories through August 2005. The evaluation of candidate laboratories is planned to begin in fall 2005. Once this evaluation is completed, NIST plans to submit for EAC accreditation a proposed list of laboratories to carry out the testing of voting systems. In light of the time required to publicize the accreditation process and requirements and to evaluate the first set of candidates, NIST officials estimated that they would recommend laboratories for accreditation in late 2006 or early 2007. Laboratories that are currently accredited by the National Association of State Election Directors can continue to operate as independent testing authorities until June 2008, but are expected to complete NIST's new accreditation program by that time. In addition, EAC officials stated that they are in the process of developing plans and procedures with NIST and the independent testing authorities to upgrade existing accreditations to address the 2005 voting system standards, when these standards are approved. * EAC is working to establish a program to certify, decertify, and recertify voting systems. With the assistance of a consulting firm, EAC is in the process of defining certification policies and procedures, both for systems undergoing testing with existing federal voluntary voting system standards and for those that will be tested against EAC's voluntary voting system guidelines. EAC officials expect to define the scope and framework for the certification process and to begin to accept vendor registrations during fall 2005. It also expects to begin accepting applications for certification of voting systems by January 2006. EAC has not yet determined when it will have a national program for voting system certification in place. Management support. To address its responsibilities related to providing election management support to state and local jurisdictions, EAC and NIST have been working to establish a software library and to act as a clearinghouse for information on both problems and recommended practices involving elections and systems. * In anticipation of the 2004 elections, EAC and NIST established a software library for voting systems within NIST's National Software Reference Library that allows state and local governments to verify that their voting system software is the certified version (based on testing by independent testing laboratories) and to manage the configuration of that software for their systems. The library was established before the 2004 general election with software from approximately a half dozen major voting system vendors. NIST derived digital signatures for the software and published them on the library's public Web site for states and local jurisdictions to compare with the signatures of software used by their systems. * In January 2005, TGDC requested that NIST define a process and specification for sharing information among jurisdictions regarding nonconformities, problems, and vulnerabilities in voting systems, to specifically address the security and reliability of those systems. Such information could be used to alert state and local election officials to known problems with their systems and to develop additional recommended practices for their use. TGDC designated this task as a third-tier priority and has deferred working on it until after the publication of the 2005 voting system standards. In addition, EAC surveyed state and local election officials to identify problems they encountered during the 2004 election. However, election officials often interpreted the survey questions differently, so not all of the information resulting from this survey was complete or usable. EAC plans to enhance its survey activities in the future. * EAC is charged by HAVA with conducting periodic studies of election administration issues with the goal of providing the most accurate, secure, and expeditious system for voting and tabulating election results.[Footnote 87] Toward this end, EAC compiled the experiences of a select group of elections experts into a tool kit to help states and local jurisdictions prepare for the 2004 general election.[Footnote 88] It was published on EAC's Web site in August 2004 and publicized to state and local jurisdictions before the election. The tool kit provides recommendations for methods to manage and operate voting systems to help ensure accurate and secure election results and includes general practices for all voting systems and environments, as well as controls for specific types of voting equipment. Since developing the tool kit, EAC has included additional best practices proposed by TGDC and NIST in the appendixes of its draft voting system guidelines. These practices recommend that election officials establish procedures for their jurisdictions to ensure, among other things, that voting systems are physically secured against tampering and intentional damage, cryptographic keys for wireless encryption are actively managed, actions taken when using wireless communication are logged, and the authenticity of certified software is confirmed using the National Software Reference Library. EAC plans to update the practices in the voting system guidelines and to compile a broader framework of guidance for election administration and management practices that incorporates the best practices tool kit and further promotes security and reliability for voting systems. EAC has begun working with the National Association of State Elections Directors to establish a working group to develop additional guidelines and procedures for election management and operations and has identified the personnel who will support this effort. This fall, EAC expects the working group to develop a comprehensive outline for the election management guidelines document and to prioritize the topics to be developed for the initial version scheduled to be released in December 2006. A final report is expected in December 2007. Tasks and Time Frames for Completing Federal Initiatives Are Not Fully Defined: While EAC has begun several important initiatives to improve the security and reliability of voting systems, more remains to be done on these initiatives, and specific tasks and time frames for performing them are not fully defined. Standards. EAC recognizes that its planned 2005 update to the standards does not fully address known weaknesses. EAC and NIST are developing an outline for the next iteration of the guidelines, but no date has been set for NIST to deliver the next guidelines draft to TGDC. This rewrite is expected to extensively change the existing standards and include, among other features, quality management for system development, more testable standards, and specifications for ballot formats. However, neither TGDC nor NIST has defined specific tasks, measurable outcomes, milestones, or resource needs for addressing the next draft of standards. Consequently, the time frame for states and local jurisdictions to implement the security and reliability improvements associated with the next version of the standards is unknown. The undefined time frame for completing the standards is likely to cause concern for states required to comply with the federal standards by statute, administrative rule, or condition of HAVA payments, and will further delay the adoption of widely acknowledged capabilities needed for secure and reliable systems. Voting system certification. While EAC is working to define the scope of a system certification process, much remains to be done before such a process is put in place. Specifically, EAC still needs to establish policies, criteria, and procedures to govern certification reviews and decisions for existing standards, as well as the proposed 2005 standards. However, the specific steps and time frames for EAC to execute each stage of its certification responsibilities have not yet been decided. Until EAC establishes a comprehensive system certification program, its processes may be inconsistent or insufficiently rigorous to ensure that all certified systems meet applicable standards. Software library. NIST established a software reference library for voting systems, but the usefulness of this library is questionable. The initial set of voting system software deposited into the library was not comprehensive, no additional voting system software has been submitted to the reference library since the 2004 general election, and neither EAC nor NIST has identified specific actions to encourage participation from states, local jurisdictions, vendors, or independent testing authorities for the 2006 federal election cycle. Additionally, state and local jurisdictions require specialized tools and technical support to verify that reference library software signatures match those of their own software versions, but no consolidated and easily accessible list of sources for these tools and services is currently available to state and local jurisdictions. Further, NIST did not keep statistics on the extent to which state and local jurisdictions used the library during the 2004 election cycle to verify installation of certified software by their vendors, and thus, it could not determine whether its service was meeting state and local needs. Without the continuous incorporation of certified software into the library and processes that can be effectively implemented by state and local governments, these entities are likely to face difficulty in ensuring that their tested and operational voting systems are the same as those that were certified. Further, without a mechanism for determining how the library is being used and how it can be improved, the potential benefits of the library may be greatly diminished. Clearinghouse for information on problems and leading practices. To fulfill its role as a clearinghouse for information on voting system problems, EAC continues to explore issues of data collection for problems with voting systems through enhancing its survey instrument to collect problem information from election officials and working with NIST to determine how to share this information. However, neither EAC nor NIST has defined specific tasks or time lines for establishing procedures for sharing problems or a repository for collecting them. The continued absence of a national clearinghouse for voting system problems means that segments of the election community may continue to acquire and operate their systems without the benefit of critical information learned by others regarding the security and reliability of those systems. Regarding its efforts to develop broad guidance on election administration practices, EAC has initial plans for moving forward, but lacks a process and schedule for compiling and disseminating this information on a regular basis. Until EAC puts such a process in place, there is a risk that the guidance it provides may become outdated and of little value to election officials. Although EAC initiatives are expected to eventually provide more secure and reliable systems and more rigorous and consistent quality assurance processes for the states and jurisdictions that choose to use them, how, when, and to what degree this will be accomplished is not clear. Specific steps have not been identified to implement some of the initiatives in time to affect the 2006 general election, and others are not expected to be completed until after the 2006 election. This situation is due, in part, to delays in the appointment of EAC commissioners and in funding the commission. As a result, it is unclear when the results of these initiatives will be available to assist state and local election authorities. Nongovernmental Initiatives Are Intended to Improve Voting System Security and Reliability: In addition to federal initiatives, initiatives by various nongovernmental organizations nationwide have been established to address the security and reliability of voting systems. Professional organizations, academic institutions, and citizen advocacy groups have initiatives that affect several areas of the voting system life cycle, particularly product development, acquisition, standards, and management. Selected initiatives include (1) developing open designs for voting system products; (2) identifying issues and key questions to be considered by consumers of electronic voting systems; (3) defining international standards; and (4) supporting more effective management, including collecting, cataloging, and analyzing problems experienced during elections. Table 3 summarizes key initiatives. Table 3: Nongovernmental Initiatives to Improve Voting System Security and Reliability: Product development: Initiative: Prototype for an open-source electronic voting application; Organization: Open Voting Consortium; Product or activity: Developed a prototype for an open-source electronic voting application that uses commercial hardware and operating system components and provides (1) an electronic voting machine that prints a paper ballot, (2) a ballot verification station that scans the paper ballot and lets a voter hear the selections, and (3) an application to tally the paper ballots; Status: Continuing to add functionality to prototype. No specific timetable. Initiative: A Modular Voting Architecture; Organization: Caltech/MIT Voting Technology Project; Product or activity: Proposed an approach for building additional security features into electronic voting systems through an alternative voting system architecture; Status: Completed August 2001. Available for implementation. Acquisition: Initiative: A Framework for Understanding Electronic Voting; Organization: National Academy of Sciences' Computer Science and Telecommunications Board; Product or activity: Defining questions to help policy makers, election officials, and the interested public understand the technology, social, and operational issues relevant to electronic voting, including security issues; Status: Publication expected in fall 2005. Initiative: Relative performance of voting system classes; Organization: Brennan Center for Justice; Product or activity: Started an independent assessment of electronic voting system security and plans to develop a report describing the relative performance of each class of voting systems; Status: To be completed in fall 2005. Standards: Initiative: Project 1583 on Voting Equipment Standards; Organization: Institute of Electrical and Electronics Engineers; Product or activity: Developing a standard for voting equipment requirements and evaluation methods, including security and reliability characteristics; Status: Project 1583 members in recess. No current plans to resume this project's activities. Initiative: Project 1622 on Voting Equipment Electronic Data Interchange; Organization: Institute of Electrical and Electronics Engineers; Product or activity: Developing data formats to be used by voting system components for exchange of electronic data, including data related to secure and reliable system operations; Status: Project 1622 officials are working to endorse a draft standard. No specific timetable. Initiative: Election Markup Language; Organization: Organization for the Advancement of Structured Information Standards; Product or activity: Defined process and data requirements that include security considerations for authentication, privacy/confidentiality, and integrity; Status: Officials are seeking approval for this markup language as an international standard from the International Organization for Standardization. No specific timetable. Testing: Initiative: Voting System Performance Rating; Organization: Voting System Performance Rating; Product or activity: Developing evaluation and performance assessment tests for use in rating the performance of voting systems in subject areas such as privacy, transparency, and ballot verifiability; Status: Working groups are being organized and members plan to draft, publish, and distribute a range of documents in each of the relevant subject areas over the next 2 years. Management: Initiative: Professional Education Program; Organization: The Election Center; Product or activity: Created a professional education program designed to provide training and certification to election officials and vendors; Status: Continuing to expand the curriculum. No specific timetable. Initiative: Election Incident Reporting System; Organization: Verified Voting; Product or activity: Operating the Election Incident Reporting System, a Web-based system to collect and disseminate information about local voting systems and election irregularities; Status: Plans to operate through future elections. No specific timetable for supporting activities. Initiative: Information clearinghouse; Organization: VotersUnite!; Product or activity: Operating a repository of news and events and a newsletter service to share information among advocacy groups and jurisdictions on a wide range of electronic voting problems and issues; Status: Ongoing postings; Continuation uncertain due to limited resources. Initiative: A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections; Organization: Johns Hopkins University; Product or activity: Created a federally funded center that is to conduct (1) research into the technological issues facing electronic voting, (2) education efforts, aimed at higher education, focusing on voting technology issues, and (3) outreach to stakeholders in the election administration process, including vendors, election officials, and community groups; Status: Plans to conduct activities over 5 years. Source: GAO summary of data provided by organizations listed above. [End of table] Conclusions: Electronic voting systems hold promise for improving the efficiency, accuracy, and accessibility of the elections process, and many are in use across the country today. The American public needs to feel confident using these systems--namely, that the systems are secure enough and reliable enough to trust with their votes. However, this is not always the case. Numerous recent studies and reports have highlighted problems with the security and reliability of electronic voting systems. While these reports often focused on problems with specific systems or jurisdictions, the concerns they raise have the potential to affect election outcomes. The numerous examples of systems with poor security controls point to a situation in which vendors may not be uniformly building security and reliability into their voting systems, and election officials may not always rigorously ensure the security and reliability of their systems when they acquire, test, operate, and manage them. These concerns have led to action. Multiple organizations have compiled recommended practices for vendors and election officials to use to improve the security and reliability of voting systems, and EAC has initiated activities to improve voluntary voting system standards, system testing programs, and management support to state and local election authorities. However, important initiatives are unlikely to affect the 2006 elections due, at least in part, to delays in the appointment of EAC commissioners and in funding the commission. Specifically, key security-related improvements to voting system standards will not be completed in time, improvements to the national system certification program are not yet in place, and efforts to provide management support to state and local jurisdictions through a software library and information sharing on problems and recommended practices remain incomplete. Further, EAC has not consistently defined plans, processes, and time frames for completing these activities, and as a result, it is unclear when their results will be available to assist state and local election officials. Until these efforts are completed, there is a risk that many state and local jurisdictions will rely on voting systems that were not developed, acquired, tested, operated, or managed in accordance with rigorous security and reliability standards--potentially affecting the reliability of future elections and voter confidence in the accuracy of the vote count. Recommendations for Executive Action: To improve the potential for benefits to states and local election jurisdictions, we recommend that the Election Assistance Commission take the following five actions: 1. Collaborate with NIST and the Technical Guidelines Development Committee to define specific tasks, measurable outcomes, milestones, and resource needs required to improve the voting system standards that affect security and reliability of voting systems. 2. Expeditiously establish documented policies, criteria, and procedures for certifying voting systems that will be in effect until the national laboratory accreditation program for voting systems becomes fully operational, and define tasks and time frames for achieving the full operational capability of the national voting system certification program. 3. Improve management support to state and local election officials by collaborating with NIST to establish a process for continuously updating the National Software Reference Library for voting system software; take effective action to promote use of the library by state and local governments; identify and disseminate information on resources to assist state and local governments with using the library; and assess use of the library by states and local jurisdictions for the purpose of improving library services. 4. Improve management support to state and local election officials by collaborating with TGDC and NIST to develop a process and associated time frames for sharing information on the problems and vulnerabilities of voting systems. 5. Improve management support to state and local election officials by establishing a process and schedule for periodically compiling and disseminating recommended practices related to security and reliability management throughout the system life cycle (including the recommended practices identified in this report) and ensuring that this process uses information on the problems and vulnerabilities of voting systems. Agency Comments and Our Evaluation: EAC and NIST provided written comments on a draft of this report (see apps. V and VI). EAC commissioners agreed with our recommendations and stated that actions on each are either under way or intended. NIST's director agreed with the report's conclusions that specific tasks, processes, and time frames must be established to improve the national voting systems standards, testing capabilities, and management support available to state and local election officials. In addition to its comments on our recommendations, EAC commissioners expressed three concerns with our use of reports produced by others to identify issues with the security and reliability of electronic voting systems. First, they noted that the draft lacked citations linking security problems and vulnerabilities to the reports in the bibliography and lacked context when referring to experts. We have since provided citations and context, where applicable. Second, commissioners expressed concern that the report portrays voting system problems as systemic, but does not provide context for evaluating the extent of the problems--that is, how frequently these issues arise or whether the problems occur in a large percentage of electronic voting systems or jurisdictions. We do not agree that we portray the problems as systemic. Our report states that many of the issues involved specific voting system makes and models or circumstances in the elections of specific jurisdictions, and that there is a lack of consensus on the pervasiveness of the concerns. This is due in part to a lack of comprehensive information on what system makes and models are used in jurisdictions throughout the country. Nonetheless, the numerous examples of systems with poor security controls point to a situation in which vendors may not be uniformly building security and reliability into their voting systems, and election officials may not always rigorously ensure the security and reliability of their systems when they acquire, test, operate, and manage them. Third, commissioners expressed concern that our report relies on reports produced by others without substantiation of the claims made in those reports, and provides specific examples that they felt should be verified with election officials. While our methodology focused on identifying and grouping problems and vulnerabilities identified in issued reports and studies, where appropriate and feasible, we sought additional context, clarification, and corroboration from the authors, election officials, and security experts. In one of the specific examples offered by EAC, we understand that the Florida demonstration may not have offered an accurate assessment of the system's vulnerabilities to outsiders, but it has value in identifying vulnerabilities to knowledgeable insiders. In another example, EAC takes issue that we found no concerns with the security and reliability during the acquisition phase of the voting system life cycle and noted that they learned from state and local officials that a number of voting equipment units have recently been rejected during the acceptance testing phase of the acquisition process demonstrating quality assurance or reliability concerns. We do not question EAC's point, but this issue did not surface in the reports we analyzed and the interviews we held--so we did not include it in our report. This issue, however, shows that there could be security and reliability issues that are not documented in existing reports. Assessing security and reliability issues and determining their pervasiveness are items that EAC can explore and share in its role as a clearinghouse for information on problems with electronic voting systems. EAC commissioners also commented that our report focuses exclusively on EAC as the answer to the questions surrounding electronic voting, and stated that EAC is but one participant in the process of ensuring the reliability and security of voting systems. They noted that while EAC, TGDC, and NIST are working to develop a revised set of voting system guidelines (standards), it is the voting system vendors that must design and configure their systems to meet those guidelines and the state and local election officials that must adopt the guidelines and restrict their purchases of voting systems to ones that conform to the guidelines. While we agree that EAC is one of many entities with responsibilities for improving the security and reliability of voting systems, given its leadership role in defining voting system standards, in establishing programs both to accredit laboratories and to certify voting systems, and in acting as a clearinghouse for improvement efforts across the nation, we believe that our focus on EAC is appropriate and addresses the objective of our requesters regarding the actions that federal agencies have taken. EAC and NIST officials also provided detailed technical corrections, which we incorporated throughout the report as appropriate. As agreed with your offices, unless you publicly announce the contents of this report earlier, we plan no further distribution of it until 30 days from the report date. At that time, we will send copies of this report to the Chairman and Ranking Member of the Committee on House Administration and to the Chairman and Ranking Member of the Senate Committee on Rules and Administration. We are also sending copies to the Commissioners and Executive Director of the Election Assistance Commission, the Secretary of Commerce, the Director of the National Institute of Standards and Technology, and other interested parties. In addition, the report will be available without charge on GAO's Web site at [Hyperlink, http://www.gao.gov]. Should you have any questions about matters discussed in this report, please contact Dave Powner at (202) 512-9286 or at [Hyperlink, pownerd@gao.gov] or Randy Hite at (202) 512-3439 or at [Hyperlink, hiter@gao.gov]. Contact points for our Offices of Congressional Relations and Public Affairs can be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix VII. Signed by: David A. Powner: Director, Information Technology Management Issues: Signed by: Randolph C. Hite: Director, Information Technology Architecture and Systems Issues: List of Congressional Requesters: The Honorable Tom Davis: Chairman: The Honorable Henry A. Waxman: Ranking Minority Member: Committee on Government Reform: House of Representatives: The Honorable Jim Sensenbrenner, Jr.: Chairman: The Honorable John Conyers, Jr.: Ranking Minority Member: Committee on the Judiciary: House of Representatives: The Honorable Sherwood L. Boehlert: Chairman: The Honorable Bart Gordon: Ranking Minority Member: Committee on Science: House of Representatives: The Honorable William Lacy Clay: House of Representatives: The Honorable John B. Larson: House of Representatives: The Honorable Todd Platts: House of Representatives: The Honorable Adam Putnam: House of Representatives: The Honorable Ileana Ros-Lehtinen: House of Representatives: The Honorable Robert C. Scott: House of Representatives: The Honorable Christopher Shays: House of Representatives: The Honorable Michael Turner: House of Representatives: [End of section] Appendixes: Appendix I: Objectives, Scope, and Methodology: Our objectives were to (1) determine significant security and reliability concerns that have been identified for electronic voting systems; (2) identify recommended practices relevant to the security and reliability of such systems; and (3) describe the actions that federal agencies and other organizations have taken, or plan to take, to improve the security and reliability of electronic voting systems. Our work focused on the security and reliability of optical scanning and direct recording electronic voting systems, which includes equipment for defining ballots, casting and counting ballots, managing groups of interconnected electronic components, and transmitting voting results and administrative information among the locations supporting the voting process. To determine significant security and reliability concerns and identify recommended practices, we conducted a broad literature search for existing published electronic voting studies. Our search included the use of Internet sources, technical libraries, professional and technical journals, and bibliographic information from articles and documents we obtained. We also collected citations and contacts during interviews with relevant officials and experts. To corroborate and provide context for identified concerns and recommended practices, we interviewed federal officials, election officials, computer and information security experts, industry officials, and citizen advocacy groups. Our interviews also included officials from nongovernmental organizations involved with elections and electronic voting issues, as well as members of our Executive Council on Information Management and Technology. In addition, we examined testimony made before pertinent federal bodies and other source material to provide supporting information. Through our literature search, we identified a number of reports that addressed electronic voting issues. We organized these reports into several content areas, including system security assessments, reliability issues, general security issues, practices and recommendations, and statistical analyses. To identify the most relevant sources for our work, we then selected those reports that best met selection criteria that we developed. The selection criteria included the extent to which the report specifically addressed the security and reliability of electronic voting systems and recommended practices relevant to these systems; whether original data analysis was conducted; author knowledge and experience; endorsements by pertinent government organizations (which were often sponsors of reports); and the authenticity of available copies of the report. We were interested in targeting the more recent literature, but we included earlier reports that were deemed particularly relevant to the objectives of our work.[Footnote 89] To assist in our assessment of the reliability of each report's findings, we also conducted reviews of a report's methodology, including its limitations, data sources