1. The Threat Trees and Threat Matrices in the report do not have a label identifying which voting system it is referring to when continued on subsequent pages.  For example, see pp. 8-13.  Even a simple designation of “DRE” contained on the headings of these pages would have been more helpful.  However, note that the Threat Tree Graphics do have a label in blue print centered at the bottom of the page (for example, see p. 14-33).  Due to the large volume of pages, it gets a little confusing when reviewing the report as to which system is being referred to.  Just a suggestion. 
2. Suggest that the term “ malware ” be defined in the glossary.  It is used 228 times in this report, and a clear definition may be appreciated. 
3. I agree with the point made by the Voting Systems Standards Committee relating to a concern that the report doesn’t factor in the reality that all elections are not equal relating to risk. 
4. I wholeheartedly agree with the VSS Committee’s suggestion for a testing the TIRA tool early in the assessment process.

Before the EAC adopts this product, it should review very carefully what the intended use is.  I have operated under the direction that this is an tool to be used during the voting system certification process by testing authorities or EAC.  I would not like to see EAC consider this as a tool for election officials or the public.  The assumptions are for the most part subjective which will essentially influence the answers provided.

• In the internet voting section, the recommended controls for "inject malware" are "(1) Chain of custody (2) Two person integrity (3) High Assurance Software (4) Rigorous testing."  There is no definition of "high assurance software" anywhere, nor is there any example of high assurance software.  The authors need to explain why they think that high assurance software can protect against malware and if any federally certified (qualified) voting system uses high assurance software.  (As has already been observed, even the term "malware" needs to be defined).
  
• Other terms that appear in the "recommended controls" are "effective auditing", "strong network security", and "strong legal deterrence."  Please provide rigorous definitions, together with examples, for each of these terms.  Does effective auditing of a voting system occur anywhere in the U.S.?  If so, where?  Why is the auditing effective? 
• The "recommended controls" for protecting against the threat that an insider could manipulate an election are "establish a chain of custody on Voting Machines, including access control and personnel security, audit and accountability, media protection policies, and physical and environmental protection; establish system and services acquisition controls."  What does "audit and accountability" mean?  What needs to be audited, and by whom?  Who should be accountable to whom?  What are "service acquisition controls"?

I do not know if it is possible to think of every possible method of subverting a process, but this document is trying to do so.  I think that it would be useful for election officials to question their own system, or for attackers who are not experts with the equipment to develop a successful method of attack.  How will this document be used?  When election officials detail their security procedures on line, they usually do so in a secured setting.  I agree with the committee's recommendation to examine the costs and to have local election officials use the document before it is implemented. 

The TIRA should only be utilized by the EAC and their certified testing labs in the process of testing systems.  This tool has great potential for abuse beyond that scope of use.

The report has not included email and fax voting as specific types worthy of their own examination.  This is especially relevant, because a number of states have passed or are considering legislation that would allow voted ballots to be returned via email or fax.  In fact, some policy makers are even under the false impression that email voting does not involve the internet!

The omission could be at least partially rectified by modifying the definition of internet voting.  From the Glossary:

    InternetVoting
    A VotingSystem that utilizes the Internet to deliver a VotableBallot to a RemoteVoter who completes the VoteCapture process and Commits their Votes by returning the CommittedBallot via the Internet.


As written, this definition could be construed to mean that a ballot received via mail but returned via fax or as an email attachment would NOT be an InternetVoting ballot.  Further, it is not clear whether this would encompass even a ballot transmitted via the Internet and printed, completed off line, but then scanned and returned as an email attachment or fax. If you read it that the RemoteVoter "completes the VoteCapture process... via the Internet" then it would NOT include those ballots. If you read it that they "complete the VoteCapture process" any old way, and merely "return the CommittedBallot" via the Internet as an example of Internet voting, then both are incorporated...

Therefore, either the definition is insufficient, or the threat matrix is insufficient.

This is especially important because the introductory language about Vote By Mail is notably harsh, and a recommended mitigation for some of the threats is "dual submit electronically"... If we're going to stipulate, as the Threat Trees document does, that

    [Vote By Mail] delivery of both blank and marked ballots is both uncontrollable and unpredictable. This places a rigid time constraint on VBM voters and many VBM ballots are disallowed in every VBM election due to timing challenges. The time challenges are even more difficult for mobile, military voters whose mail delivery may be delayed well beyond voters with stable residence addresses...

and that one mitigation is to submit ballots electronically.  We also have to examine whether the delivery of blank and marked ballots electronically is uncontrollable and unpredictable. 

In addition, there is another mitigation that needs to be considered, namely the hybrid system that allows ballots to be requested and received via the internet, printed out and marked by the voter, and then mailed back using Fed Ex or some other mail service.

We know that emails and faxes can be easily forged.  Therefore, for any system that sends voted ballots either over the internet (including via email) or via fax, the report needs to examine how to protect against insider forging of ballots. 

The threat trees and threat matrices could be useful to assist the EAC and state election officials in the certification of voting systems.  State election officials could also utilize the trees and matrices to aide in the development of security protocols for local election jurisdictions to follow with respect to voting systems.  We have commented before that threats to voting systems should not be considered in a vacuum.  Rather, the entire election process must be taken into consideration in order to identify risks.  Comprehensive trees and matrices of this nature provide the type of information which can be used to enhance the processes and procedures at the local level.  While the information itself is indeed useful, the means by which an election official accesses the information should be made more manageable.  In its current form, the document is extremely lengthy and complex.  Some consideration should be given as to how to an election official could easily access specific pieces of information without having to parse through a cumbersome document.  The easier it is to access the information, the more likely that an election official will be able to effectively use it.  Some caution, however, should be exercised as to what extent this information is made available to the public at large to limit exposure to vulnerabilities.            

1.  The report needs to include an acknowledgment that an important (and currently lacking) measure of attack likelihood is the number of individuals who would be needed for each attack.  This is especially relevant in trying to determine the impacts of proposed defenses.

2.  The relevance of local laws needs to be stressed.  Furthermore, the study should state clearly and up front that transparency, not secrecy, is generally the most powerful force for enhanced election integrity that is available.

3.  The report needs to emphasize the critical role for election integrity that is played by election observers.  In almost all states, the right to election observation is enshrined in law; the move to electronic voting must not cripple the observation rights that American citizens have fought so hard to obtain.

4.  There are portions in the report that seem to imply that knowledge of how a system works is a threat.  For example, item 1.1 of the DRE threat matrix is "gather needed technical knowledge."  Yet, any voting system that can be compromised by simply knowing some of the technical details as to how it works is fundamentally insecure.  Security by obscurity is a very weak foundation on which to build our voting system.  A related point is that item 1.1.2.1.1 "infiltrate as insider" is listed under "gather knowledge."  The insider risk is not that a malevolent individual will gather knowledge, but rather that the person will take advantage of the insider position to manipulate the election results.  This needs to be clarified and cleaned up.

• The DRE Threat Tree 2-11 DRE Subvert Voting Process, contains node 3.2.7 – allow rotation of pollworker roles. This node states that in order to subvert the voting process an individual could target polling places and allow the rotation of poll workers through different poll site roles (JBC clerk, roster clerk, greeter, etc.). At the Orange County Registrar of Voters we encourage poll workers to try their hands at different positions on Election Day, if time permits. This provides them with opportunities to learn a variety of tasks and makes for a better-rounded poll worker population. We are concerned that the inclusion of this node is contrary to our practice (and possibly other election officials), and do not want to appear vulnerable to attacks or liable. We recommend this node be re-worded or removed from the threat tree.

• The instructions on navigating this document were clear and helpful, and in spite of the technical nature of the document we were able to understand the various threat trees and accompanying language.

• The preferred format of threat trees is the Threat Tree - Graphical. The Threat Tree – Outline was not clear or understandable, and the Threat Matrix was also difficult to follow. The descriptive information contained in the Threat Matrix was helpful though, and an ideal format would be some sort of computerized layout that would allow you to click on or roll over a particular node and see the descriptive information.

• If this document were to be provided to election officials for any purpose, it would need to be re-worded and re-formatted to be suitable to the audience. In its current form the document is fairly impractical, both in length and in technical language.

• On a less technical level, we are concerned about sharing this information with the public. While a person who wants to hack into a voting system could probably find a way to do so on their own, we are not sure it is in the best interest of election security to provide detailed diagrams outlining all the possible ways that an election can be tampered with.

The document we have been asked review reflects a great deal of work on the part of preparers.  Threats to any system require a number of considerations such as analysis of the system to determine its vulnerabilities, consideration of the vulnerabilities, and analysis of what steps can reduce risk to a reasonable level.

Because elections are conflict driven, they are the most challenging of social services that government provides to its citizens.  In fact, at the end of an election day, by necessity someone is not going to be happy with the outcome. The best opportunity for progress is when deliberations about election policy can be discussed in an objective manner.

Study of elections, voter engagement, and voting systems should be ongoing.  My thanks to everyone who worked on the report it is more difficult to work on this topic because there are no parallels to draw from that closely mimic the end-to-end public election environment. There is an excellent report done by the Brennan Center on voting technology and threats, which might be of interest to committee members. See http://brennan.3cdn.net/52dbde32526fdc06db_4sm6b3kip.pdf

The following are my comments and recommendations regarding the report.

The phrase “canonical election fraud issues, such as ballot stuffing.” I assume this is ballot box stuffing.

Recommendation: Change “canonical” to “historic” care should be taken to avoid terms or phrases strongly associated with faith or religious institutions. I would also add mail ballot fraud, which is problematic and incidents are readily available from recent election history.[1]  Election administrators on the committee should speak to this particular vulnerability and public elections. To my knowledge, the disappearance or misplacement voted ballots are the issue most referenced in the last couple of decades. Election workers driving home with ballots and not to the election counting station, or ballots left in the polling location after closing.  These situations should be investigated and appropriately addressed.

For more on voting system attack based on voting machine locks see Ed Felten’s work on locks used to secure voting machines.[2]  He found that a popular model of hotel-mini-bar key would open the locks used on a model of voting machine.  For this reason, it may not be necessary to obtain access to the key or the machine to prepare an attack of this type.

Remove attack 2.2.1.1.3.2, which references a VVPAT DRE system.  The definition of DRE excludes VVPAT see page 7

The DRE section graphic representation on page 28, is duplicated on page 29.

Treatment of the topic of DRE and Precinct Optical Scan include “subvert voting process” attacks, which are not attacks on the voting technology.  I would suggest removing these sections.  If it is included, the topic of voter registration system should be a separate section, because any exploit would be generic to any of the voting systems reviewed in the report.

The “attack team” scenario really could benefit from a likelihood evaluation, and caution should be made regarding the use of  terms associate with Get Out the Vote efforts within this attack description.  For example, “Block Captains” are generic for organizing neighborhoods for registration and voting efforts during elections.  The work of these volunteers or political season part time employees is important and should not be confused with criminal behavior regarding federal and state election laws. As with any crime, which this would be under existing federal and state laws the more people involved the harder it is for it to remain undetected. It is just not a practical use of funds, if someone is going through this much trouble, they might as well do a legal Get Out the Vote effort, for less money and no illegality involved. Remember that poll workers, election judges, law enforcement, city and county employees are in the general population of people where this would be occurring, which make up the population of people they will be trying to avoid when this type of scheme is deployed. If this section remains, I recommend that “Captain” become “Leader.” It might be worth the input of election protection experts to offer more insight into this particular issue.

If voter registration will be covered exploits based on fictions people registering or voter impersonation is an interesting topic, but real world examples that stand up to investigation are hard to identify. Also, see report done by ACM on Statewide Centralized Voter Registration Systems.[3]

We hear a lot about it just before elections and not much after Election Day.  It’s the kind of crime that would raise the possibility of being caught with a non-existent chance of affecting the outcome of an election. The issue of multiple registrations by the same person, in massive voter registration efforts—high interest elections, etc, which do not translate into attempts to vote multiple times.[4] The problems may have more to do with the uncertainty of the voter registration process than an attempting to vote more than once in an election. The resources and effort put into trying to stop something that is not a measurable threat seems wasteful.

Security is about risk minimization.  If voter impersonation or identity theft is a problem, what is the system impact from known cases, which would rationalize effort to prevent this instance?  Remember that changes in voter registration rules can directly reduce the participation of legitimate voters. I would very much like to learn about documented cases of voter identity theft of any type so if you have them send them to me.

The most basic attack on a voting machine would be physical such as defacing a voting touch screen using quick drying acrylic paint or to damage the vote recording and/or storage device.

The most basic issues with new voting systems are more likely to be the mistakes that happen, which might result in problematic election outcomes or allow infiltration by those with criminal intent.

The attack tree for DRE and Optical Scan Precinct Count outlined gaining access while the machine was in transit, which is valid.  I would also suggest that access to the machines while in storage is also a risk, which may be more/or less difficult to do without detection regardless of the method and means of storage security.

Recommendation: Include a description of storage location threats to voting machines, components or supplies.

Recommendation: The value of persons with divergent political interests in participating in the election process is of great value to cutting down on insider abuse or misuse of their access to voting systems.

Comment: The more election officials are in control of election technology as well as the process, the better will their ability to secure the systems.  Many jurisdictions are using outsourcing to provide critical support for election technology.  How this issue will be resolved in the context of security can only be answered by provide dedicated resources to acquire and retain election staff with the skills and knowledge to manage elections from end-to-end.

Optical Scan Precinct Count and DREA systems can offer another layer auditable events (artifacts) for election activity.  The larger issue is finding a way to make sure that auditing is in play at each step of the process while not compromising voter privacy.[5]  There have been discussions about Software Independence, which provide an avenue to innovation classes of voting systems.  Often discussions were about paper as opposed to paperless systems, when the real issue is making sure that the components of the vote collection, retention, reporting, and tabulation process did not require trust of any single components software.   It would be good to know when and how general principles about the independence of voting system components can be used to assist election officials with their tasks.

As for attacks based on what can be determined about a polling location. It is important to understand that secrecy and election results are not going to win over support for the election process. Further, there is too much information from secondary sources on voters and voting profiles based on demographic information for obscurity to get any measurable security for voting locations.[6]  Transparency is a very important principle to election integrity and it can be useful in public election auditing. See, Takoma Park Maryland, a recent effort to allow voters to participate in the election audit.[7]

Audio interfaces are of great importance to voter privacy and voting independence.  The authors of the report do an excellent job on including these attacks in the scenarios offered. We should be sure that the audio and disability access interfaces work as intended and are free of defect or manipulation. Pre-testing of ballot styles and user interfaces should be routine.  Making sure that the instructions for casting ballots are correct and effective for the ballot style provided at polling location might be a good addition to the steps taken to guard against voting technology attacks. Cryptic-knock and other attacks that attempt to determine if a machine is in test mode or not are of importance. 

Excellent point on the election auditing and the auditing process as it relates to real world financial auditing being addressed in the report.  The creativity of financial criminals to find ways to avoid detection by auditors is a real problem.  The point on compromising auditors is very valid and should be a reminder that elections will require the same level of commitment as financial auditing practices to develop “Generally Accepted Election Auditing Procedures.”[8]

Vote By Mail attack scenarios have one large hurdle remote voting.  There is no way to make this free from a number of the most problematic vulnerabilities for voters such as the potential for the loss of their secret ballot.  Remote voting also introduced more practical scenarios for voter identity theft and “voter fraud” if this issue is included as previously discussed.  Targeting voters who can request absentee ballots, assisting voters with voting ballots, collecting voted ballots, returning or mailing voted ballots.

The issue of mailbox attack specifically around public elections is interesting.  I would like to learn more about examples of this happening.  I do recall issues of people requesting absentee ballots that never came, if there are cases where mailboxes were accessed or used in some way that would be helpful to know.

Recommendation: The 1.1.2.1 Edit Marked Ballots in Post Office seems questionable. I would strongly recommend speaking with someone with the postal customer service office on how feasible this attack might be.  Most postal operations are automated, staff is very tight and the locations are under surveillance by postal authorities.  Postal inspectors are pretty aggressive about security of the mail, but it does not mean that incidents are not possible, but I would be interested to know what precautions if any they take regarding the mail and election season. Lost mail is an issue and the cost to local jurisdictions in resending ballots or absentee ballot request are real.  The degree that this issue may be mitigated would be of benefit to election administration.

Scenarios related to paying voters via the Internet or attacks against voters with Internet ads might be more in line with scams that exploit voters not comprehending that elections are a public service provided at no charge to them.  There was an instance in 2008, where an online service sold voter registrations to individuals. Some of these scams can be run from anywhere on the planet. The best way to reduce their effect is through voter education.

Internet voting presents a challenge to security for the same reasons vote by mail does.

Recommendation:  Include descriptions for technical failures, errors in operation, compromise of voters, voter fraud, disruption of operation. Major Internet companies with billions of dollars in resources find it difficult to protect their networks.  A recent example is China’s reported attack on Gmail’s servers to gain access to records on Gmail users.[9]

In conclusion the challenge with elections are there are no do over’s that will rival the actual election event.  This has been a very thought provoking exercise and I thank you for the opportunity to participate in the discussion and I look forward to our working together on the committee.

[1] http://novbm.wordpress.com/2008/03/05/absentee-ballot-fraud-hits-texas-grannyfarming-a-longterm-problem/

[2] http://www.freedom-to-tinker.com/blog/felten/hotel-minibar-keys-open-diebold-voting-machines

 
[3] http://usacm.acm.org/usacm/VRD/

[4] http://epic.org/epic/lillie_coney.html/lillie_coney.pdf

[5] http://www.juangilbert.com/

[6] http://votingintegrity.org/pdf/edeceptive_report.pdf

[7] http://scantegrity.org/takoma/checkcodes

[8] http://epic.org/audit.pdf

[9] http://www.nytimes.com/2010/02/05/science/05google.html