Risk assessment planned for voting systems
Election Assistance Commission assessment to create benchmark for new voluntary guidelines
- By William Jackson
- Aug 19, 2008
The Election Assistance Commission plans to perform a formal risk assessment of voting systems that would help identify an acceptable level of risk for all types of systems used in federal elections.
The acceptable level of risk and the appropriate security controls would be included in the next version of the Voluntary Voting System Guidelines published by the EAC.
The commission noted in a solicitation for the assessment that 'a substantial amount of risk assessment work has been done for voting systems,' but that 'at present there is no federal analysis for the security threats to voting systems and the potential resulting harms.' This project would remedy that situation.
The project will apply principles laid out in the Federal Information Security Management Act and will use the procedures and guidelines for FISMA compliance created by the National Institute of Standards and Technology. FISMA requires that government information systems have a level of security appropriate for the risks they face and the seriousness of consequences if data is compromised. These requirements apply only to federal IT systems, not to the state and local governments that administer elections.
But, 'these concerns are not unique to federal systems,' EAC said. 'They apply equally to other computer-based systems supporting sensitive processes such as voting.'
EAC released a request for proposals
for a contractor to conduct a 'scientifically founded voting system risk assessment.' Proposals are due by 3 p.m. on Sept. 5.
EAC was created by the Help America Vote Act in the wake of the disputed presidential election of 2000. Problems with balloting in that election have led many states to move to new types of voting systems, including computer-based Direct Recording Electronic (DRE) systems. But since their adoption, questions have been raised about the relative security and reliability of DRE and more traditional systems.
Because elections are administered by state and local jurisdictions, EAC does not have authority over them. But the commission does produce a set of voluntary guidelines for certifying voting systems that are used by many states. The commission's Technical Guidelines Development Committee last year recommended new security requirements in the next voluntary guidelines.
Implementing the suggestions requires EAC to determine 'how to specify a sufficient level of security protection without requiring disproportionate tradeoffs against other desirable attributes, such as ease of use, efficiency of operation and reasonable cost,' EAC said. Without a formal risk assessment, 'there is an insufficient basis for determining what constitutes an acceptable level of risk.'
The commission is looking for multidisciplinary team to do the work, including academic researchers as well as security and software engineers and security professionals, and personnel with hands-on experience in election administration.
The work will be broken into three phase. The first would produce reference models for election processes to define the operational context in which voting systems are used, and for models for each generic type of technology, such as paper ballot, optical scan, DRE, telephone, etc. The second phase would analyze risks associated with each technology and perform assessments of potential harm from these risks. The third phase would identify an acceptable level of impact for voting systems. EAC is beginning with a working hypothesis that a 'moderate' level of impact, as defined in NIST Special Publication 800-53, would provide an acceptable level of protection. The risk assessment would evaluate that hypothesis.
The assessment would apply to all forms of voting systems.
'The intention of this analysis is not to rate one technology as better or worse than another or to identify the 'best' system, but rather to identify the security requirements necessary for all types of systems to achieve a specified level of confidentiality, integrity and availability,' the solicitation said. 'Theoretically, with the appropriate mix of technical and procedural safeguards, every technology solution can provide and acceptable level of security. But achieving the appropriate mix for some technologies may be technically more difficult and/or expensive and/or entail undesirable trade-offs against other important design considerations such as usability.'