Voting ProjectBriefing for William Jeffrey

Director, NIST

September 26, 2005National Institute of Standards and

Technologyhttp://vote.nist.gov

page 2

Briefing Outline History of Voting Standards HAVA TGDC VVSG Implementation Strategy NIST/TGDC Activities Who’s Who VVSG Version 1 Description VVSG Version 2 Work to Date Lab Accreditation Funding Outreach Issues

page 3

History of Voting Standards

1975 NBS/NIST issues report critical of electronic vote tallying

1984 Congress funds FEC to develop national standards

1990 FEC issues Standards NASED to oversee testing

1999 Congress funds FEC to update Standards

2002 FEC issues new Standards – 2002 VSS 2002 HAVA enacted

page 4

Help America Vote Act (HAVA)

Provides for the creation of the Technical Development Guidelines Committee (TGDC)

Mandates that the TGDC provide its first set of recommendations to the EAC not later than 9 months after all of its members have been appointed.

Assigns specific responsibilities to NIST

page 5

NIST Responsibilities Under HAVA

NIST Director Chairs the TGDC Provides technical support (R&D) to the TGDC including

Security of computers Methods to detect and prevent fraud Protection of Voter Privacy Human factors, including assistive technologies for

individuals with disabilities Remote access voting

Laboratory Accreditation NIST submits, to the EAC, a list of proposed

laboratories to be accredited no later than 6 months after adoption of standard

Human Factors Report

page 6

Composition of TGDC 15 Members including the Chairman

An equal number of members from Standards Board Board of Advisors Architectural and Transportation Barrier

Compliance Board (Access Board) ANSI representative IEEE representative 2 representatives of NASED Others with technical and scientific expertise

page 7

TGDC Members Chair:

William JeffreyDirector of the National Institute of Standards and Technology (NIST)

Representing Standards Board: John Gale Nebraska Secretary of State

Alice MillerDirector of Elections-District of Columbia

Representing Board of Advisors:Sharon Turner BuieDirector of Elections-Kansas City

Helen PurcellMaricopa County Recorder

page 8

TGDC Members (Continued)

Representing Access Board:James Elekes

Dr. James (“J.R.”) R. Harding

Representing ANSI:David KarmolVice President, Policy and Government Affairs

Representing IEEE:H. Stephen BergerTEM Consulting, LP- Chair, IEEE SEC 38 (Voting Syst. Stds.)

Representing National Association of State Election Directors (NASED):Dr. Brittain WilliamsRetired professor- Kennesaw StateTucker, GA

Paul CraftFlorida Department of State, Voting Systems  

page 9

TGDC Members (Continued)

Other: Patrick GannonPresident and CEO,OASIS

Whitney QuesenberyPresident-Usability Professionals' Association Dr. Ronald RivestProfessor, MIT-Department of Electrical Engineering and Computer Science

Dr. Daniel Schutzer Vice President & Director of External Standards and Advanced Technology, e-Citi, CitiGroup

page 10

TGDC Method of Operation Plenary Sessions

Formal meetings held periodically to develop resolutions, review work products, discuss, and vote Public invited to attend and provided access via webcast, transcripts published

Subcommittees Comprised of TGCG members and supported by NIST staff Gather and analyze information in support of development of voting system guidelines Conduct bi-weekly teleconferences with occasional face-to-face meetings Public provided access via Internet, transcripts provided

NIST Staff Provide technical expertise and research Develop work products as directed by TGDC resolutions, with guidance from subcommittee Work products are submitted to the entire TGDC for approval

page 11

Voluntary Voting System Guidelines (VVSG)

Implementation Strategy Develop best long-term voting systems guidelines

possible Build on strengths of 2002 VSS Significantly enhance areas needing improvement Redesign and reorganize for clarity and testability

Provide guidance to states in time for 2006 election cycle

Implied need to minimize changes to 2002 VSS while filling in 2002 VSS gaps

Implied need to require only what is possible by 2006 Thus, two guidelines developed:

VVSG Version 1 – augmented 2002 VSS for 2006 VVSG Version 2 – new, redesigned guideline

page 12

NIST/TGDC Activities - 1 Dec 2003 – NIST Symposium

Building Trust and Confidence in Voting Systems July 2004: 1st TGDC meeting

Organizational, divided into 3 subcommittees: Human factors and privacy Core requirements and testing Security and transparency

Sep 2004: information gathering meeting for the TGDC Heard public input from voting officials, vendors

page 13

NIST/TGDC Activities - 2 January 2005: VVSG direction

Discussed, adopted 35 resolutions affecting development of VVSG Version 1 and VVSG Version 2

EAC requests NIST develop VVPAT requirements NIST subsequently prioritized resolutions

March 2005: VVSG Version 1 preliminary drafts Commented on presentations, materials from NIST staff EAC requests additional security material for VVSG Version 1

April 2005: final draft and VVSG Version 1 adoption Commented on final materials from NIST staff NIST directed to make final edits and deliver to EAC

May 9, 2005: VVSG Version 1 delivered to EAC EAC version released June 29, 2005 Public review ends Sept. 30, 2005

page 14

Who’s WhoEAC

Standards Board Advisory Board TGDC

EAC Executive Director

EAC Commissioners: Gracia Hillman, chair Paul DeGregorio, vice-chair Ray Martinez Donetta Davidson – former Colorado Secy of State & TGDC memberEAC Executive Dir.Tom Wilkey - former NY State Election Director, VSS organizer/advocate

Standards Board: 110 members drawn from State and local election officialsAdvisory Board: 37 members drawn from various national associations and government agencies.TGDC (vocal and active members) Whitney Quesenberry - HFP chair, Usability/Accessibility expert, very engaged w/NIST Ron Rivest - STS chair, renowned cryptographer and security expert, very engaged w/NIST Dan Schutzer - CRT chair, VP at CitiGroup Brit Williams - NASED rep, Kennesaw State U., Georgia, performs state voting system certifications, contracted to assist EAC with VVSG public

comments Paul Craft - NASED rep, head of elections for Florida Steve Berger - IEEE rep, chair IEEE Voting System Standard, contract with EAC

National Association of State Election Directors, prior to HAVA had authority on standard, Qualification (Certification) and ITAs

National Association of Secretaries of States

NASED

NASS

page 15

New Material in VVSG Version 1

1. Conformance Clause2. Human Factors3. Security Overview – IDV Systems4. VVPAT5. Wireless6. Software Distribution/Setup Validation7. Glossary8. Error Rates9. Best Practices for Voting Officials

page 16

Conformance Clause VSS-2002 did not include a conformance clause Conformance: the fulfillment by a product,

process, or service of requirements as specified in a standard or specification

The conformance clause of a standard specification is a high-level description of what is required of implementers and developers

Refers to other parts of the standard Specifies minimal requirements for certain functions and

implementation-dependent values Specifies the permissibility of extensions, options, and

alternative approaches and how they are to be handled

page 17

Human Factors The VSS-2002, Volume 1 Section 2.2.7, addressed

Accessibility; Section 3.4.9 addressed Human Engineering—Controls and Displays; Appendix C addressed Usability

VVSG Version 1 replaces these items with a new Section 2.2.7 that addresses Human Factors including accessibility, usability, and limited English proficiency

Privacy Requirements added Incorporates the two NASED Technical Guides

(Guide #1 and Guide #2) VVSG Version 2 will contain performance-based

requirements (specifies how voting systems must perform)

page 18

Security Overview New security Section 6.0, with 4

parts: Overview of Independent Dual

Verification (IDV) voting systems (informative only)

VVPAT Requirements Wireless Requirements Software Distribution/Setup Validation

Requirements

page 19

Independent Dual Verification

IDV systems produce a 2nd record of votes for ballot record integrity and auditability

Current approaches include Split process systems Witness systems – recently marketed Cryptographic-based systems – available

today VVPAT, modified Op Scan – available today

New Appendix D contains in-depth IDV discussion

IDV systems expected to evolve significantly in VVSG Version 2

page 20

VVPAT The VSS-2002 contained no requirements for voter

verified paper audit trails (VVPAT) Vendors, most States in need of consistent,

common guidance TGDC directed by EAC to produce VVPAT guidance

for States requiring VVPAT VVPAT a form of IDV VVSG does not require or endorse VVPAT Methods other than VVPAT can provide ways to

achieve IDV, as explained in Security Overview NIST used CA State, IEEE standards, and enacted

State legislation as initial basis

page 21

Wireless Technology TGDC concluded that use of wireless technology

introduces risk and should be approached with caution

VVSG Version 1 includes new section on wireless that augments the general telecommunications requirements in Volume 1, Section 5

Requires that wireless transmissions be encrypted to protect against a variety of security problems

Requires wireless to be turned on/off under controlled conditions

Requires backup procedures in case wireless fails

page 22

Software Distribution Helps to ensure correct version of

voting software is used Helps to ensure voting software is

set up correctly Uses NIST’s National Software

Reference Library at http://www.nsrl.nist.gov

page 23

Glossary Common terminology forms basis for

understanding requirements and for discussing improvements

This glossary contains terms from the VSS-2002 and additional terms needed to understand voting and related areas, e.g., security, human factors, testing

Terms in glossary include a definition and its source, and an association as to the domain for which the term applies

Also available in a web-based on-line version at http://www.nist.gov/votingglossary.

page 24

Best Practices for Voting Officials

VSS 2002 contained requirements for voting systems and testing entities

Requirements in VVSG Version 1 for wireless, VVPAT, human factors, etc. depend on voting officials developing and carrying out appropriate procedures

VVSG Version 1 contains best practices for voting officials

These are not testable and conformance can not be determined

Best Practices for Voting Officials are also contained in Appendix C of Volume I

page 25

VVSG Version 2 A comprehensive standards guideline, a

complete rewrite of 2002 VSS with updated and expanded material

Will draw from VSS, IEEE P1583, Federal and other standards

Will include material from VVSG Version 1 and other material as directed by TGDC resolutions from Jan ’05

Outreach with other efforts

page 26

VVSG2 Kick-Off Meeting with EAC

Meeting held on July 8 Follow-up meeting with Commissioners on July 26 Agreement that a lot more work needs to be

done Two Year Window for effective date does not

preclude enhancements to existing VVSG NIST/TGDC will deliver replacement “chunks” Candidate “chunks” include VVPAT, IDV, HFP

Final version of next iteration – July, 2007 Internet Voting

page 27

VVSG Version 2 Overview 5 major sections:

An overview for using the VVSG, executive summary, etc.

A terminology standard (NIST glossary) A product standard, containing general and voting-

activity related requirements (e.g., setup, cast, count, …)

A standard on data to be provided by testing authorities or the vendor

A testing standard including all test methods, testing requirements, evaluation guidelines, test cases, etc.

page 28

VVSG Version 2 Current Status

Detailed outline has been developed; NIST and TGDC working to create final version of outline

Timeline for VVSG2 deliverables has been created

Research underway: Meetings with vendors Working with usability and accessibility experts Threat analysis under development Preliminary requirements development

underway

page 29

Lab Accreditation June 23, 2004 FRN – NVLAP announced the

intent to establish a program for laboratories testing voting systems

August 17, 2004 – NVLAP conducted a public workshop

June 17, 2005 FRN – NVLAP announced the availability of application for its Voting Systems Testing accreditation program

June 2005 - A draft of NIST Handbook 1501-22, Voting Systems Testing, was made available to the public

page 30

Funding FY05 Funding - $2.8 million via the EAC and

$500K NIST funds FY06 Funding Request - $6.5 million

Includes comprehensive test suite development FY06 Funding Request constrained to $2.8 million

No test suite development Other items funded proportionately

FY07 Funding Request - $ 5 million Assumes $2.8 million for FY06 Includes test suite development

page 31

Outreach NSF Grant to Johns Hopkins University

To improve the reliability and trustworthiness of voting technology

Parallels many topics in NIST/TGDC plans Voting system architectures built for verifiability IDV and trusted models Defense-in-depth techniques for security

Many opportunities for collaboration or consultation NIST subsequently contacted NSF to initiate collaboration NSF invited NIST to kick-off meeting tentatively Winter,

2005

page 32

Outreach Continued State of MD Independent Verification Study

Studying add-on technologies to existing Diebold DREs Intent is to produce 2nd, verified record NIST may consult with respect to evaluation criteria

Threat Analysis Workshop October 7 at NIST/Gaithersburg To arrive at consensus on plausible threats May involve follow-on workshop or study

GAO Report Public release Fall/2005 Relevant to EAC/TGDC/NIST

page 33

Issues Working Relationship with EAC NIST/TGDC/EAC interrelationship Security/IDV

IDV De-emphasis in EAC version Time to do research Two year window for effective date

for VVSG1