GAO questions progress on e-voting standards
Questions about security, accuracy likely to continue into the '06 elections
News Story by Grant Gross IDG News 24 October 2005
OCTOBER 24, 2005 (IDG NEWS SERVICE) - Questions about the security and accuracy of electronic voting systems are likely to continue into the 2006 national elections, because the U.S. government has not yet completed work on electronic voting guidelines, according to a new government report.
With lingering concerns about the security of e-voting systems, the U.S. Election Assistance Commission (EAC) needs to define security policies and set up a machine-certification program to help state and local election officials use e-voting equipment, according to a report issued Friday by the U.S. Government Accountability Office (GAO).
"Until these efforts are completed, there is a risk that many state and local jurisdictions will rely on voting systems that were not developed, acquired, tested, operated or managed in accordance with rigorous security and reliability standards potentially affecting the reliability of future elections and voter confidence in the accuracy of the vote count," the GAO report said.
The EAC, established with the Help America Vote Act passed by Congress in 2002, is working on several initiatives to help state and local governments improve their management of e-voting systems, the GAO said. The EAC is working on security and reliability standards and on programs to certify voting machines and accredit independent laboratories to test e-voting systems, the GAO said. But those efforts aren't finished and are "unlikely to have a significant effect in the 2006 federal election cycle," the report said.
The EAC "significantly expanded" the security system of proposed voluntary voting system guidelines, the EAC said in response to the GAO report. Those guidelines include a requirement that e-voting machine vendors submit software to the National Software Reference Library, a software repository with which voting officials could examine software for exploits.
"GAO asserted that electronic voting systems must be secure and reliable, and EAC agrees," the EAC statement said. "Security has always been a top priority at EAC, and we have already made significant progress on GAO's recommendations."
The EAC and the National Institute of Standards and Technology (NIST) are developing a vulnerability analysis of e-voting systems, the statement said.
The EAC also questioned the GAO's reference to security and reliability questions about e-voting systems. The GAO report talks about security and reliability problems experienced, but it "does not provide a context of the pervasiveness or relative obscurity of these issues," the EAC wrote in a letter signed by EAC Chairwoman Gracia Hillman and Vice Chairman Paul DeGregorio.
The GAO report relies on documents produced by other people, but the agency didn't substantiate those reports of security and reliability problems, the EAC added.
The EAC is just one participant in an effort to ensure safe and reliable elections, added Hillman and DeGregorio. "It is the voting system vendors that must design and configure their systems to meet [federal] guidelines and the state and local election officials that must adopt these guidelines and restrict their purchases of voting systems to those that conform to the guidelines," the EAC letter said.
The Information Technology Association of America (ITAA), a trade group representing some e-voting machine vendors, said state election officials started late on working through e-voting machine concerns because of delays in Congress to set up the EAC and a NIST e-voting working group and because of congressional delays in funding. The EAC and NIST have "put forth a steady stream of best-practices guidance," but Congress gave the EAC no regulatory authority to make states comply with its guidelines, said Bob Cohen, the ITAA's executive vice president.
"The picture is vastly improved from that of two or three years ago due to the fine work done by EAC, NIST and state and local governments," Cohen said. "The states are working as fast as they can against deadlines coming up in early 2006 and most are making solid progress towards those deadlines."
The CalTech/MIT Voting Technology Project reported the November 2004 elections were the most accurate ever, Cohen said. "We believe that the proof is in the pudding."
Members of Congress who had requested the report had mixed reactions to it. Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, laid some of the responsibility on state election officials and praised the EAC for pushing states to improve voting systems.
"It is certainly disappointing that, despite the recommendations from federal organizations and nongovernmental groups, many states still have not made progress to make sure their electronic voting systems are safe from fraud and can be relied on to accurately count votes," Davis said in a statement. "America's voting system must be made to be world-class, everywhere in the country, as soon as possible."
Democrats, however, called for congressional action, with Michigan Rep. John Conyers Jr. saying Congress needs to require that e-voting machines include a voter-verified paper audit trail. Some groups questioning the security of e-voting machines have called for a paper printout with which voters could double-check their votes.
"I am shocked at the extent and nature of problems GAO has identified in our electronic voting systems, and I fear that this may just be the tip of the iceberg," Conyers said in a statement. "It is totally unacceptable that in 21st century America we would allow faulty machines and systems to rob citizens of their voting rights."