Hart’s Statement in Response to April 4, 2018 News Story by McClatchy DC
“14 states’ voting machines are highly vulnerable. How’d that happen?”
Hart InterCivic, Inc. is committed to election integrity and is proud of the role we play in the election technology space. We integrate security into everything we do, into all the products we build and into how we share best practices with customers. We are actively engaged in multiple industry-wide efforts to help improve election security.
The U.S. Election Assistance Commission (EAC) oversees the definition of federal voting system certification requirements. The EAC also oversees the thorough, independent testing process which determines whether a voting system meets those requirements, including those standards designed to ensure the system accurately records and tabulates votes. In addition to the federal certification process, most states maintain their own separate certification and testing procedures. Hart’s Verity® Voting system has passed multiple federal and many state certifications and has never failed.
Verity represents the very latest, most modern and secure voting system available today. It is the only all-new system that has been designed from scratch to ensure ease of use, reliability, flexibility and security. Hart is completely agnostic about the voting method a particular jurisdiction chooses. Our goal is to listen to and understand our customers’ needs and work diligently to provide solutions that work for them. Verity supports all types of voting from in-person polling places to convenience voting (e.g. early voting and vote centers) to by-mail voting. Verity supports all the voting methods used by our customers, including electronic, paper-based and hybrid solutions.
While technology, like Verity, is a critical part of election security, it is not the only requirement. True election security requires strong technology used by thoroughly trained election officials and staff, adhering to mandated processes by using well documented and scalable procedures. In other words, Security = People + Procedures + Technology. Hart works closely with our customers to ensure they are fully trained on the technology and to facilitate best practices and procedures around secure election operations (e.g. chain of custody, numbered and logged security seals, thorough User Acceptance Testing, thorough Logic and Accuracy Testing for every single election, post-election reconciliation and audits). Ultimately, it’s up to the jurisdiction to ensure all these pieces come together in a way that delivers secure, transparent elections and voter confidence.
Consistent with Hart’s commitment to accuracy and transparency, we want to address several of the errors and omissions in the article referenced above. While none of these reporting gaps impact Hart directly, and it is not our objective to be argumentative or combative, we believe it is important for election officials and the voting public to have a complete and accurate viewpoint on these very important topics. To that end, we offer the following constructive comments on various portions of the story:
1) The story includes quotes from a Hart customer in Texas regarding their recent purchase of a new voting system.
- The federal and Texas state rules which govern voting system requirements, testing and certification do not prohibit the use of touch-screen voting systems.
- The EAC, which oversees the federal certification requirements, as well as the testing and certification processes, is made up of a bipartisan group of commissioners.
- The system purchased in San Jacinto County, Texas has undergone rigorous testing and examination at both the federal and state levels. The federal certification process is an open inspection process, whereby Hart provides all source code for every component of the voting system, and it undergoes careful review by test laboratories that must be accredited by both the EAC and the National Institute of Standards and Technology’s (NIST) National Voluntary Laboratory Accreditation Program (NVLAP). The EAC and the voting system test lab also have full access to a detailed Technical Data Package (TDP) describing the architecture and technical details of the entire voting system. There is nothing secretive about this process, and it includes common sense protections by the EAC and state authorities to prevent the release of sensitive information that could impact the integrity of the vote.
- The EAC federal certification body publishes detailed information about certified voting systems and systems under test. Those documents are publicly available, at https://www.eac.gov/voting-equipment/system-certification-process-s/
- The State of Texas Secretary of State publishes public, detailed information about certified voting systems. Those documents are publicly available, at https://www.sos.state.tx.us/elections/laws/votingsystems.shtml
2) The story says, “Cyber experts, including a team from the nation’s premier technology standards-setting lab, have warned since 2006 that hackers can plant vote-altering malware in electronic machines and some now say the cyberattacks could occur at plants where the machines are made…But an obscure federal agency charged with issuing election guidelines for state and local officials rejected the experts’ finding in 2007, and 11 years went by before it recently took steps to reverse itself.” This account of federal oversight and the experts that have been relied upon is inaccurate and misleading:
- As part of EAC certification, systems go through the “trusted build process,” performed by accredited Voting System Testing Laboratories (VSTLs). During this process, secure workstation and device images are produced and securely stored with the EAC. Each set is uniquely tagged with a secure hash of the certified software components and is stored securely with the EAC. At any time, any jurisdiction can verify that the software they are running locally is consistent with the official source code on file with the EAC to ensure that the deployed configuration matches the system configuration certified by the EAC.
- The EAC is not “obscure.” It was created as a central part of the Help America Vote Act, which was a high-profile, national response to the 2000 federal presidential election.
- The EAC did not “reject” any specific findings, and the “experts” cited in this article are completely unnamed.
- The EAC relies on the expertise of a cross-functional body of experts that operate in association with the National Institute of Standards and Technology, and more specifically, the EAC’s Technical Guidelines Development Committee (TGDC).
- The TGDC is also not “obscure;” all its findings and work product are publicly available.
- Detailed information about the TGDC is available at https://www.eac.gov/about/technical-guidelines-development-committee/
- When new systems are purchased, the jurisdiction goes through a thorough User Acceptance Testing (UAT) protocol to ensure that all software installed on the new system matches the software version that has been certified by federal and/or state authorities, and the UAT ensures that the system performs as expected. User Acceptance Testing is administered by the receiving jurisdiction, and vendors serve only as a resource to answer questions or address any issues. Jurisdictions will not accept and use a new voting system until they are satisfied that it has passed all UAT requirements.
- Separate from and in addition to UAT, before each and every election, jurisdictions put their voting system through public Logic and Accuracy Testing (LAT) to ensure the system is capturing and tabulating votes accurately. Vendors are not involved in any way with LAT. Once the systems pass the LAT, they are physically secured by the jurisdiction until they are to be used.
- At any time, any jurisdiction can verify that the software they are running locally is consistent with the official source code on file with the EAC to ensure the deployed configuration matches the certified configuration.
- While there are many security features built in to the voting system (significant detail below), every jurisdiction is responsible for ensuring that no unauthorized access to the software or devices occurs before, during or after an election. Physical security measures and thorough procedures in accordance with best practices are essential (e.g. personnel security policies, strong chain of custody, numbered and logged security seals, post-election reconciliation and audits, to name just a few).
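An added illustration of the hash comparison described in the bullets above (not Hart's or the EAC's tooling): it checks an installed file tree against a reference manifest of SHA-256 digests and reports modified, missing and unexpected files. The manifest format, file names and sample data are assumptions constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path, PurePosixPath


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse '<sha256 hex>  <relative path>' lines (assumed, sha256sum-like format)."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<digest> <path>'")
        digest, rel = parts[0].lower(), PurePosixPath(parts[1].strip())
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: not a SHA-256 hex digest")
        # A reference entry must never point outside the tree being verified.
        if rel.is_absolute() or ".." in rel.parts:
            raise ValueError(f"line {lineno}: path escapes the install root")
        key = rel.as_posix()
        if entries.get(key, digest) != digest:
            raise ValueError(f"line {lineno}: conflicting digests for {key}")
        entries[key] = digest
    return entries


def verify_tree(root, manifest):
    """Compare every file under root with the manifest, in both directions."""
    root = Path(root)
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in sorted(manifest.items()):
        if rel not in on_disk:
            report["missing"].append(rel)
        elif sha256_file(root / rel) != expected:
            report["modified"].append(rel)
    # Files absent from the reference set matter as much as changed ones.
    report["unexpected"] = sorted(on_disk - set(manifest))
    report["ok"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report


def demo():
    """Constructed sample: build a reference tree, then introduce three kinds of drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # hypothetical file names and contents
            "bin/tabulator.bin": b"certified build 1.0",
            "conf/device.cfg": b"mode=kiosk\n",
            "lib/crypto.so": b"module",
        }
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        manifest = parse_manifest(
            "\n".join(f"{sha256_file(root / rel)}  {rel}" for rel in files))
        clean = verify_tree(root, manifest)
        (root / "bin/tabulator.bin").write_bytes(b"certified build 1.0 ")  # one byte added
        (root / "lib/crypto.so").unlink()                                  # file removed
        (root / "bin/helper.exe").write_bytes(b"not in the certified set") # file added
        drifted = verify_tree(root, manifest)
    return clean, drifted


if __name__ == "__main__":
    for label, result in zip(("clean", "drifted"), demo()):
        print(label, result)
```

A comparison like this is only as trustworthy as the environment that computes the digests and the channel that delivered the reference manifest, so it is normally run from independent, known-good media rather than from the system being checked.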
3) The story says, referring to certification testing, “Such assurances offer little consolation, because such “certification” tests cannot trace malware that deletes itself after tampering with vote totals, and because the vendors’ computer coding is proprietary and unavailable for public examination, said James Scott, a cyber security whiz who is advising U.S. intelligence agencies and Congress about voting security…” This reflects a lack of understanding of how the federal certification process works.
- As part of EAC certification, systems go through the “trusted build process,” performed by accredited Voting System Testing Laboratories (VSTLs). During this process, secure workstation and device images are produced and securely stored with the EAC. Each set is uniquely tagged with a secure hash of the certified software components and is stored securely with the EAC.
- At any time, any jurisdiction can verify that the software they are running locally is consistent with the official source code on file with the EAC to ensure the deployed configuration matches the certified configuration.
- The federal VVSG standards also have rigorous requirements for audit logging capabilities in all voting systems, which produces a transparent record of all activity in the system. VVSG requirements for logging require voting systems to track, store and report each and every action associated with tasks such as creating an election/ballot, programming devices, reading captured vote data, adjudication of voter intent, tabulation of results, and reporting of results. Verity has extensive logging capabilities that exceed VVSG requirements. Verity’s plain language logs and reporting provide complete transparency and are protected from tampering through encrypted digital signatures. Logging cannot be disabled through any means.
- When new systems are purchased, the jurisdiction goes through a thorough User Acceptance Testing (UAT) protocol to ensure that all software installed on the new system matches the software version that has been certified by federal and/or state authorities, and the UAT ensures that the system performs as expected. User Acceptance Testing is administered by the receiving jurisdiction, and vendors serve only as a resource to answer questions or address any issues. Jurisdictions will not accept and use a new voting system until they are satisfied that it has passed all UAT requirements.
- Separate from and in addition to UAT, before each and every election, jurisdictions put their voting system through public Logic and Accuracy Testing (LAT) to ensure the system is capturing and tabulating votes accurately. Vendors are not involved in any way with LAT. Once the systems pass the LAT, they are physically secured by the jurisdiction until they are to be used.
4) The story continues to quote Mr. Scott, “…the next foreign attack on U.S. voting machinery will likely be initially directed at an equipment vendor’s server before migrating to county systems and voting sites…He said the malware can poison vendors’ update servers with a “decimalization feature” — a program to manipulate the vote outcome as desired…Then you add a second layer to the exploit that geo-targets that malware to hit swing regions of swing states…It embeds in the touch-screens and carries through to the central (vote-counting) tabulator at the state level before destroying itself upon final tabulation…” This quote reveals a serious lack of understanding about how modern, air-gapped election infrastructure works.
- An “air gap” is a security measure employed on one or more computers to ensure that secure components are physically isolated from unsecured networks (hence the name, to signify the lack of connection). Hart voting systems in use by jurisdictions across the country are not connected to the internet, not connected to the Hart network, and not connected to other I/T systems within the jurisdiction. They are like an island surrounded by walled fortifications, and they require an authorized and authenticated election staff member to physically access them to control all aspects of the system.
- Hart voting systems that are owned and used by jurisdictions across the country are not updated by a central server pushing out updated code. There is no central server and there are no pushed updates. There is no connection between Hart’s infrastructure and our customers’ voting systems. We cannot access them remotely and we cannot update them remotely.
- For Hart customers, system updates include air-gapped delivery of the new federal and state certified software directly to the workstations and devices within a specific jurisdiction.
- Hart is not aware of any “…central (vote-counting) tabulator at the state level…” in any state. Typically, all tabulation is completed at a local jurisdiction level and results are reported to the state.
5) The story continues, “While Homeland Security officials have alerted the vendors about such a threat, Scott said, he’s seen little effort by the manufacturers to build a defense.” Again, this is either intentionally misleading or reflective of very little effort at research.
- Hart InterCivic has made a huge investment in the research and development of the nation’s only all-new voting system platform – Verity – and it has been certified by federal and state authorities multiple times since its introduction in 2015.
- The Verity Voting system embodies best practices for security, accuracy, and reliability – for every component and for all data – at every step of the election workflow.
- From the outset, security has been a core design goal for Verity. Indeed, this is one of the greatest benefits of Verity’s status as a uniquely modern voting system; throughout the design, development and testing process for this all-new system, unlike older, first-generation voting technology, Hart has been able to leverage the most up-to-date technologies and best practices for security.
- Verity employs a “defense-in-depth” strategy, whereby security architecture and code are reused by all applications, whether on the desktop or on voting devices. In this manner, Verity security covers physical, electronic, software and policies for Verity customers, across the system.
- Throughout the system, the code implements controls for:
  - Authorization
  - Authentication
  - Auditing
  - Non-repudiation
  - Validation
  - Tamper resistance/evidence
- Select examples of security features of Verity software:
  - Systems running Verity software are not connected to the internet (air gap).
  - Verity software cannot be remotely accessed by Hart or anyone else.
  - Systems running Verity software operate in “kiosk” mode, which means the user can only access those functions required by the software. This prevents user access to the operating system and prevents installation of any unauthorized programs or files onto the system. The system is “locked down” to prevent intentional or accidental misuse by the operator.
  - Application whitelisting prevents unauthorized executable code from being executed in the voting system.
  - The Verity system includes two-factor authentication to secure access to critical functions throughout the election.
  - All election-related data is secured with NIST/VVSG-compliant cryptography.
  - Throughout all phases of operation, all Verity system components maintain complete audit logs. Every Verity application thoroughly logs all user authorization/authentication, data entry, user interaction, vote adjudication and system events.
  - Election managers can print or export audit logs from each application, using easy-to-use report filtering to access the precise information to be audited.
- Select examples of security features of Verity devices:
  - Verity devices utilize specific physical features to prevent physical tampering. Access controls include:
    - Keyed locks;
    - Tamper-evident seals;
    - Port protection – all ports on Verity voting devices are physically shaped in non-standard ways and accommodate only Hart-proprietary cables and devices to prevent unauthorized users from inserting standard, commercial-off-the-shelf cables;
    - Non-standard electrical wiring in strategic areas;
    - External cards, drives or other devices can NOT be inserted by voters into any Hart voting device, nor can executable code be hidden and run from voting system media cards.
  - Strong chain of custody processes within jurisdictions prevent data manipulation as data is being transferred from the voting devices to a central count facility.
  - Multiple redundant data backups ensure any attempts at manipulation are detected.
  - Cast vote record data is protected through encrypted digital signatures using NIST-compliant FIPS 140-2 cryptographic modules.
- Hart is actively engaged in conversations and activities related to election security. We are plugged in to the broad community of stakeholders, actively participating in knowledge sharing, best practice sharing, and discussions on the latest security technology and procedures. Some examples include:
  - Department of Homeland Security – Hart is a founding member of the new DHS Sector Coordinating Council (SCC) composed of industry representatives to act as a voice on election cybersecurity and to coordinate with the sister organization, the DHS Government Coordinating Council (GCC). Together, these two groups partner in identifying potential security risks and implementing the measures to eliminate those risks.
  - Election Assistance Commission (EAC) – Hart meets regularly with the EAC and actively participates in their industry-wide initiatives.
  - National Academies of Science, Engineering, and Medicine (NASEM) – We were one of only two manufacturers to appear at the meeting of the NASEM Committee on Science, Technology and Law on the Future of Voting (Denver, Dec 8, 2017).
  - Election Center – A member of Hart’s leadership team serves on the Security Committee. We participate in national conversations about cybersecurity at conferences sponsored by The Election Center (Joint Election Officials Liaison Committee), which include a diverse array of election stakeholders (state and county officials; election administrators; technology and security experts).
  - National Association of Secretaries of State (NASS) – Hart regularly exhibits at NASS events, engages in conferences, attends substantive sessions on election topics including security and produces a bi-annual white paper submission.
  - National Association of State Election Directors (NASED) – Hart regularly exhibits at NASED events and participates in conference sessions that cover election security and related topics.
6) The story says, “[some] counties use [touchscreens] as accessible voting machines for the handicapped to mark their ballots.”
- The 2002 Help America Vote Act (HAVA) includes specific provisions to support the needs of voters with disabilities, including accessibility, privacy, usability and security. These provisions cover both voting system functionality and administration of elections by local jurisdiction officials. Hart’s Verity voting system meets or exceeds all HAVA requirements for voters with disabilities and Hart ensures our customers are trained in proper deployment of the system to meet voter needs.
- While it is accurate that some accessible voting devices include a touch screen, it is an error to equate “touchscreens” with devices used by voters with disabilities. Not all voters with disabilities use touchscreens; many voters use audio-tactile interfaces (ATIs). Many accessible voting devices with touchscreens are used to mark a paper ballot that is printed out and do not record the vote on the touchscreen marking device.
- Regarding terminology when referring to disabled voters, Hart encourages the McClatchy team to review this excellent resource on appropriate terminology: http://nda.ie/Publications/Attitudes/Appropriate-Terms-to-Use-about-Disability/
7) The story says, “On March 21, U.S. Homeland Security Secretary Kirsten Nielsen ended years of federal equivocation about paperless touch-screen machines.”
- There has been no “federal equivocation” about touch-screen machines; on the contrary, they have been repeatedly accepted for use and regulated for decades.
- Functional standards for electronic voting devices, without prohibitions on the use of Direct Record Electronic systems (DREs), include:
  - Federal Election Commission (FEC) Voting System Standards of 1990;
  - FEC Voting System Standards of 2002 (VSS 2002);
  - The federal Voluntary Voting System Guidelines (VVSG) v. 1.0 (2005);
  - The VVSG v. 1.1 (2015);
- In addition, the EAC has recently accepted the TGDC’s recommendation of VVSG 2.0 Guidelines, and although those Guidelines have not yet been formally adopted, they also include standards for both paper-based and electronic devices.
8) The story states, “In December 2006, a team of as many as 20 computer experts at the National Institute of Standards and Technology reported, after exhaustive testing, that they could find no way to verify the accuracy of votes cast on paperless touch-screens…In a recommendation to the Election Assistance Commission…NIST’s team wrote that the machines’ vulnerability ‘is one of the main reasons behind continued questions about voting system security and diminished public confidence in elections.’ By then, however, most of the federal grant money had been spent, much of it on tens of thousands of touch-screens.” This is not an accurate representation of what NIST actually said.
- On the heels of misleading efforts by some media sources to misconstrue what NIST said, NIST issued this statement in 2006:
  - “Recent news accounts discussing the vulnerabilities of electronic voting systems contained in the report titled Requiring Software Independence in VVSG 2007: STS Recommendations for the TGDC,” said NIST on its Voting Technology page, “have raised the question of whether the report’s recommendations represent the official position of NIST. This draft report was prepared by staff at the National Institute of Standards and Technology (NIST) at the request of the Technical Guidelines Development Committee (TGDC) to serve as a point of discussion at its Dec. 4-5, 2006, meeting. Prepared in conjunction with the Security and Transparency Subcommittee (STS) of the TGDC, the report is a discussion draft and does not represent a consensus view or recommendation from either NIST or the TGDC.” [emphasis added]
  - Source: http://www.govtech.com/security/NIST-Clarifies-Import-of-Voting-Machine.html
9) Incredibly, the story continues, “In 2007, rather than addressing NIST’s recommendation, the Election Assistance Commission shelved it.”
- As pointed out already, the NIST comment in question was simply a discussion point and not a recommendation. Because of prior misleading reporting, NIST had to issue a specific statement pointing that out.
- Actual 2007 NIST recommendations are available to anyone who searches for them here: https://www.nist.gov/document-7110
- Note that the document above is stored on a NIST website and contains the recommended standards for all types of voting devices.
10) The story goes on to quote an unnamed government official, “It was knowingly wrong for Congress to appropriate funds for new systems before better standards could be written and reckless on the part of the EAC to then vote down NIST’s update to the standards.” Once again, this is misleading and incorrect.
- New standards were written and adopted in conjunction with the Help America Vote Act’s appropriation of federal funds. Those standards were the VVSG 1.0 (2005) guidelines.
- Around 35 states found them sufficiently valuable and rigorous to make compliance with VVSG a pre-requisite for state certification examinations.
- As explained already, the EAC did not “vote down” NIST’s “update to the standards”.
11) The story quotes Susan Greenhalgh, policy director for the National Election Defense Coalition who called it, “…’scandalous’ that EAC ignored NIST’s warnings all those years.” This statement does not reflect the reality of how the EAC and NIST continue to collaborate closely.
- NIST continues to work regularly and closely with the EAC’s Technical Guidelines Development Committee, and indeed, both NIST and the EAC recently celebrated the EAC’s acceptance of the TGDC’s recommendation for VVSG 2.0 Principles and Guidelines: https://www.eac.gov/news/2017/05/01/eac-standards-board-unanimously-approves-the-17-core-voting-system-principles/
- Mary Brady, Voting Program Manager at NIST, provides regular updates on the cooperative work being done between the EAC and NIST. An example is here: (note that Slide 4 is titled “Together…Making it Happen” and refers to the partnership between several groups, including NIST and EAC).