
Page 1: Standards in Elections: NIST and the Help America Vote Act Lynne S. Rosenthal National Institute of Standards and Technology lynne.rosenthal@nist.gov

Standards in Elections: NIST and the Help America Vote Act

Lynne S. Rosenthal, National Institute of Standards and Technology

lynne.rosenthal@nist.gov

Page 2

Did your vote count?

2000: Florida hanging chads

2004:
  4,500 votes lost - computer software not updated
  22,000 votes missing - vote tabulator has insufficient storage

2008:
  1,500 'phantom' votes - software reliability problems
  11,627 votes counted late - tabulator memory failure
  590 voters get wrong ballot - software defect
  Massive machine breakdowns - reliability problems
  3 precincts have votes switched - programming defect
  Lack of ink in coded block - ballot unreadable by op-scan

Page 3

Today's presentation

Background
  2002 Help America Vote Act (HAVA)
  NIST and HAVA
What was wrong with the old standard?
Voluntary Voting System Guidelines (VVSG)
  Conformance section
  Requirement structure
  Requirements
VVSG status

Page 4

Background

2000 election generated concerns over voting system integrity, usability, and security

Voting System Standard (VSS) lacked:
  Precision and clarity of requirements
  Requirements for newer technologies
  Logical organization of requirements

2002 Help America Vote Act (HAVA) passed to address these concerns:
  Reform voting process
  Improve voting systems and voter access

Page 5

NIST and HAVA

National Institute of Standards and Technology
  Non-regulatory, part of U.S. Dept. of Commerce
  Promotes U.S. innovation and industrial competitiveness through measurement science, standards, and technology

HAVA gives NIST a key role:
  Provide technical support for development of Voluntary Voting System Guidelines (VVSG)
  Chair VVSG development committee

Page 6

What was wrong with the old standard?

Outdated or lacking requirements for newer voting activities and technologies
  Activation cards, e-pollbooks, accessible devices, electronic ballot markers
  Early voting, provisional voting, vote centers
Inadequate security requirements
  Basically, stated: Thou shalt be secure
No usability requirements
Inadequate accessibility requirements
Inadequate reliability and accuracy requirements
  Why MTBF = 163?
No conformance clause
  Lacks a high level description of what is required to claim conformance

Page 7

Old Voting Standard Requirements

Memory hardware, such as semiconductor devices and magnetic storage media, must be accurate. The design of equipment in all voting systems shall provide for the highest possible levels of protection against mechanical, thermal, and electromagnetic stresses that impact system accuracy.


Page 9

Old Voting Standard Requirements (same text, annotated)

Bad: uses both 'must' and 'shall'
Bad: how is 'accurate' measured?
Bad: what are the 'highest levels'?

Page 10

Old Voting Standard Requirements

To ensure security, all systems shall provide security access controls that limit or detect access to critical system components.

Good: access controls to be provided
Bad: how strong? A 2-digit PIN would conform

In all systems, controls used by the voter or equipment operator shall be conveniently located.

Bad: what is 'convenient'?

Page 11

Goal: Build a new voting standard

One that gets used, used correctly, and implemented in a consistent manner
One that defines:
  What/who needs to implement the standard
  What needs to be implemented (shall, should, may)
  Testable requirements
One that is modular with minimal redundancy
One that is adaptable as things change
One that is technology- and design-independent

Page 12

Voting Standard (VVSG) Improvements

Total reorganization
New conformance section
  Defines what it means for a voting system to conform
Clear, precise, testable requirements
New core, security, accessibility, usability requirements
New measurement requirements: performance benchmarks, accuracy/error rates, reliability
New requirements for technological advances: activation cards, e-pollbooks, electronic ballot markers, accessible devices
New requirements to support all voting activities: early voting, vote centers, provisional voting

Page 13

VVSG: Conformance Section

Audience = manufacturers and testing labs
Defines what is normative vs. informative
Defines normative verbs: SHALL, SHOULD, MAY
Conformance is 100%, no partial conformance
Classes of voting systems
  Categorizes requirements by functionality as they apply to voting systems and devices
Implementation statement by manufacturer
  Indicates requirements that have been implemented (via classes)

Page 14

VVSG: Conformance Classes

Grouped various ways:
  Equipment type: vote capture device, tabulator, DRE, op-scan
  Voting variation: straight-party, N of M, primary, in-person

[Figure: conformance class diagram (voting variations elided). Classes shown: Voting device; Vote-capture device; Tabulator; Paper-based device; Electronic device; Programmed device; EMS; Optical scanner; Central tabulator; Precinct tabulator; EBP; EBM; MMPB; VEBD (VEBD-A, VEBD-V); PCOS; MCOS; ECOS; CCOS; Audit device; Activation device; IVVR vote-capture device; VVPAT; DRE; Acc-VS]
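As an added example of how the class mechanism turns into a conformance decision (this code is not from the presentation or the VVSG), the snippet below models requirements that "apply to" a class, an implementation statement that claims classes, and the all-or-nothing conformance rule. The class hierarchy, the requirement ids and the titles are constructed for illustration; the VVSG's real class tree and numbering are not reproduced.

```python
# Added example, not from the presentation or the VVSG.

# Constructed, illustrative class hierarchy: child -> parent. Only the idea matters here:
# a device class inherits every requirement that applies to one of its ancestors.
PARENT = {
    "Vote-capture device": "Voting device",
    "Tabulator": "Voting device",
    "Electronic device": "Vote-capture device",
    "Paper-based device": "Vote-capture device",
    "DRE": "Electronic device",
    "VVPAT": "DRE",
    "Optical scanner": "Tabulator",
    "Precinct tabulator": "Optical scanner",
    "Central tabulator": "Optical scanner",
}

# Constructed requirements: (placeholder id, applies-to class, title).
# Ids are placeholders, not VVSG section numbers. "N of M" is a voting-variation class.
REQUIREMENTS = [
    ("REQ-1", "Voting device", "Access control mechanisms provided"),
    ("REQ-2", "Vote-capture device", "Distinguishes pre-voting/activated/suspended/post-voting"),
    ("REQ-3", "DRE", "Electronic ballot presentation meets usability benchmarks"),
    ("REQ-4", "VVPAT", "Paper record is voter-verifiable before casting"),
    ("REQ-5", "Tabulator", "Tally accuracy within the benchmark error rate"),
    ("REQ-6", "N of M", "Enforces the per-contest selection limit"),
]


def ancestors(cls):
    """The class itself plus every ancestor; variation classes have no parent."""
    chain = [cls]
    while cls in PARENT:
        cls = PARENT[cls]
        chain.append(cls)
    return chain


def applicable_requirements(implementation_statement):
    """Requirements that apply to a claimed class or to any ancestor of one,
    in the order the requirement list gives them."""
    claimed = set()
    for cls in implementation_statement:
        claimed.update(ancestors(cls))
    return [r for r in REQUIREMENTS if r[1] in claimed]


def conformance_decision(implementation_statement, test_results):
    """Conformance is 100%: every applicable requirement needs a passing test result.
    Returns (conforms, applicable ids that failed or were never tested)."""
    outstanding = [rid for rid, _, _ in applicable_requirements(implementation_statement)
                   if test_results.get(rid) is not True]
    return (not outstanding, outstanding)
```

A requirement that was never exercised by the test lab counts against the device exactly like a failed one; that is what "no partial conformance" means in practice.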


Page 16

VVSG: Requirement Structure

Template (the slide labels its parts normative and informative):

  Id  Requirement Title
  Requirement
  Applies to:
  Test Reference:
  DISCUSSION
  Source:

Indicates a requirement
Id: numbered according to section of VVSG
Req Title: shorthand description
Requirement
Applies to: indicates voting system or device class
Test Ref: type of testing required, VVSG Part 3 testing requirement cited
Discussion: informative supporting info
Source: origin

Page 17

VVSG Requirement

[Figure: an example VVSG requirement shown against the conformance class diagram; the class labels are the same as on page 14.]

Page 18

Voting Standards: old vs. new

Old: Software Standards: Control Constructs

  Operator intervention or logic that evaluates or stores data shall not re-direct program control within a program routine. Program control may be re-directed within a routine by calling subroutines, procedures, and functions, and by interrupt service routines and exception handlers.

New: Core Requirements: Workmanship: Structured Programming

  Separation of code and data: Application logic SHALL NOT compile or interpret configuration data or other input data as a programming language.

Extracted from the Description:

  The requirement in [VSS2002] read "Operator intervention or logic ..." That attempt to define what it means to compile or interpret data as a programming language caused confusion.

  Distinguishing what is a programming language from what is not requires some professional judgment…

  The reasons for this requirement are (1) mingling code and data is bad design, and (2) embedding logic within configuration data is an evasion of the conformity assessment process for application logic.
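To make the new requirement concrete, here is an added example (not code from the presentation or the VVSG) showing a configuration loader that interprets data as a programming language beside a data-only loader that validates the same file against a fixed schema. The JSON layout, the field names and the sample files are constructed.

```python
# Added example, not from the presentation or the VVSG.
import json

# Constructed sample: a ballot-definition style configuration. Contest C2 carries a
# Python expression where a plain integer belongs.
CONSTRUCTED_CONFIG = (
    '{"contests": [{"id": "C1", "max_selections": 1},'
    ' {"id": "C2", "max_selections": "1 if True else 99"}]}'
)
# Constructed sample with data only.
CONSTRUCTED_CLEAN_CONFIG = (
    '{"contests": [{"id": "C1", "max_selections": 1}, {"id": "C2", "max_selections": 2}]}'
)


def load_config_unsafe(text):
    """Anti-pattern the requirement forbids: configuration values are evaluated as code.
    Whatever logic the data file carries now runs as part of the application, outside
    anything the conformity assessment of the application logic examined."""
    cfg = json.loads(text)
    for contest in cfg["contests"]:
        contest["max_selections"] = eval(str(contest["max_selections"]))  # data interpreted as code
    return cfg


def load_config_safe(text):
    """Data-only loader: parse JSON, then validate each field against a fixed schema.
    Values are checked for type and range; nothing from the file is ever executed."""
    cfg = json.loads(text)
    if not isinstance(cfg, dict) or not isinstance(cfg.get("contests"), list):
        raise ValueError("config root must contain a 'contests' list")
    seen = set()
    for contest in cfg["contests"]:
        cid = contest.get("id") if isinstance(contest, dict) else None
        if not isinstance(cid, str) or cid in seen:
            raise ValueError(f"contest id missing, not a string, or duplicated: {cid!r}")
        seen.add(cid)
        n = contest.get("max_selections")
        # type() rather than isinstance(): bool is a subclass of int and must not pass.
        if type(n) is not int or n < 1:
            raise ValueError(f"contest {cid}: max_selections must be a positive integer, got {n!r}")
    return cfg


def safe_loader_rejects(text):
    """True when the data-only loader refuses the input; used to show the contrast."""
    try:
        load_config_safe(text)
    except ValueError:  # JSONDecodeError is a ValueError too
        return True
    return False
```

The unsafe loader happily produces `1` for contest C2 because it ran the embedded expression; the safe loader rejects the file because a string is not a positive integer, which is the whole point: the data format has a schema, not a grammar.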

Page 19

Voting Standards: old vs. new

Old: To ensure security, all systems shall provide security access controls that limit or detect access to critical system components.

New: Access Control Section
  7 General requirements
  5 Identification requirements
  12 Authentication requirements
  6 Authorization requirements

General Security Requirements: Access Control (extracted from General Requirements):

• The voting device SHALL provide access control mechanisms designed to permit authorized access to the voting system and to prevent unauthorized access to the voting system.
• Within the voting system architecture:
  a. the voting device SHALL provide controls that permit or deny access to device's software and files.
  b. the vote-capture device's access control mechanisms shall distinguish at least the following voting states: pre-voting, activated, suspended, and post-voting.
  c. The vote-capture device SHALL allow the administrator group or role to create additional voting states.
  d. The vote capture device SHALL allow the administrator group or role to configure different access control policies available in each voting state.
  e. The voting device's default access control permissions SHALL implement the minimum permissions needed for each role or group.
  f. The voting device SHALL prevent a lower-privilege process from modifying a higher-privilege process.
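As an added example of what requirements (b) through (f) look like once implemented (this is not code from the presentation or the VVSG), the model below keeps a separate permission table per voting state, grants each role only what it needs by default, lets only the administrator add states or change policies, and refuses to let a lower-privilege role touch a higher-privilege role's permissions. Role names, operation names and the policy table are constructed for illustration.

```python
# Added example, not from the presentation or the VVSG.

VOTING_STATES = ("pre-voting", "activated", "suspended", "post-voting")   # requirement (b)

# Role privilege levels (constructed). Requirement (f): a lower-privilege role may never
# modify the permissions of a higher-privilege one.
PRIVILEGE = {"administrator": 3, "poll-worker": 2, "voter": 1}

# Operations that move the device into another voting state.
TRANSITIONS = {"open-polls": "activated", "suspend": "suspended",
               "resume": "activated", "close-polls": "post-voting"}

# Requirement (e): the default policy is the minimum each role needs in each state.
# A voter may only cast a ballot, and only while the device is activated.
DEFAULT_POLICY = {
    "pre-voting":  {"administrator": {"load-ballot-definition", "open-polls", "add-state"},
                    "poll-worker": {"run-diagnostics"}, "voter": set()},
    "activated":   {"administrator": {"suspend"}, "poll-worker": {"suspend"},
                    "voter": {"cast-ballot"}},
    "suspended":   {"administrator": {"resume", "close-polls"}, "poll-worker": {"resume"},
                    "voter": set()},
    "post-voting": {"administrator": {"export-results", "read-audit-log"},
                    "poll-worker": {"read-audit-log"}, "voter": set()},
}


class VotingDevice:
    def __init__(self, policy=None):
        self.state = "pre-voting"
        source = policy if policy is not None else DEFAULT_POLICY
        # Copy the table so reconfiguring one device never changes the shared defaults.
        self.policy = {s: {r: set(ops) for r, ops in roles.items()} for s, roles in source.items()}
        self.audit = []   # every decision, allowed or denied, is recorded

    def is_permitted(self, role, op):
        """Requirements (a) and (d): the policy consulted is the one for the current state."""
        return op in self.policy.get(self.state, {}).get(role, set())

    def perform(self, role, op):
        """Apply the per-state policy; denials are logged rather than silently dropped."""
        if not self.is_permitted(role, op):
            self.audit.append(("DENY", self.state, role, op))
            return False
        self.audit.append(("ALLOW", self.state, role, op))
        if op in TRANSITIONS:
            self.state = TRANSITIONS[op]
        return True

    def add_state(self, role, name, state_policy):
        """Requirement (c): only the administrator may create additional voting states,
        and only where the current state's policy grants 'add-state'."""
        if role != "administrator" or not self.is_permitted(role, "add-state"):
            self.audit.append(("DENY", self.state, role, "add-state:" + name))
            return False
        self.policy[name] = {r: set(ops) for r, ops in state_policy.items()}
        self.audit.append(("ALLOW", self.state, role, "add-state:" + name))
        return True

    def set_permissions(self, role, state, target_role, ops):
        """Requirements (d) and (f): per-state policies are configurable by the administrator,
        and no role may alter the permissions of a role above its own privilege level."""
        if role != "administrator" or PRIVILEGE[role] < PRIVILEGE.get(target_role, 0):
            self.audit.append(("DENY", self.state, role, "set-permissions:" + target_role))
            return False
        self.policy.setdefault(state, {})[target_role] = set(ops)
        self.audit.append(("ALLOW", self.state, role, "set-permissions:" + target_role))
        return True
```

Note that `add-state` is granted only in the pre-voting state, so even the administrator cannot introduce a new state once polls have opened; that is the kind of decision a per-state policy table makes explicit and testable, which the old "shall provide security access controls" wording never did.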

Page 20

Current Status

VVSG undergoing public review and revisions
  http://www.eac.gov/vvsg
VVSG companion document and tutorials
  http://www.votingvideos.nist.gov/TrainingVideos/
Test materials being developed
  http://vote.nist.gov/SystemTesting.htm

Page 21

NIST Voting Site

http://vote.nist.gov
  Overview of NIST voting project
  VVSG versions, presentations, white paper
  VVSG tutorials and overview information
  Test materials and information

Page 22

Lynne Rosenthal, National Institute of Standards and Technology
lynne.rosenthal@nist.gov