US Election Assistance Commission - Voluntary Voting System Guidelines Vote
Name :   Stanley A. Klein
Organization :   N/A
Post Date :   9/30/2005

General Comments
Comment :  VOTING MACHINE INSECURITY
Above and beyond the basic unreliability of voting machines and the likelihood of undetectable,
unrecoverable modification or loss of votes, there is the issue of malicious tampering with voting
machines and vote tabulation.
Lack of Mandatory Vulnerability Testing Negates Provisions
The draft VVSG continues numerous requirements from the FEC standards and provides
additional requirements for security. However, all of the security requirements of the VVSG are
nothing but untested and unenforced platitudes about security. This includes those added to
address the serious problem of wireless use in voting systems and those that provide detailed
requirements purporting to ensure that the distributed and installed software in the voting
machine is the same as the software certified.
In particular, none of the security requirements in the draft VVSG is tested seriously enough to
ensure that their implementation cannot be defeated or bypassed. To properly test for security
there are two key activities that security standards have identified: (1) a systematic search for
vulnerabilities with mandatory correction of each vulnerability, and (2) mandatory penetration
testing by a team of at least specified size and qualifications for at least a specified duration. In
the Department of Defense Trusted Computer System Evaluation Criteria, the almost 30-year-old
“Orange Book”, the more serious B and A divisions of evaluation require penetration testing
of 2 to 6 months in duration.
By contrast in the VVSG, Volume II, Section 6.4 makes the penetration testing “discretionary”,
which means it will likely not happen. This effectively neutralizes and negates all the
requirements of Volume I Sections 2.2.1, 2.2.4 (c through j), 2.2.5, 2.6, 6.2, 6.3, 6.4, 6.5, 6.6, and
6.7. Unless these requirements are seriously and intensively tested, they are nothing but window
dressing.