Re: U.S. Bars Ciber Lab From Testing ElectronicVoting - New York Times

From: Alan Dechert <dechert_at_gmail_dot_com>
Date: Thu Jan 04 2007 - 14:51:17 CST

----- Original Message -----

> To me the importnt comments in the article were Shamos's where he said
> about half the errors he found in his tests should have been trapped back
> at the ITA. And Avi Ruben's comments that the ITA ought to include a
> component of hacker-style hardening testing.
> In any case, I think this is an entre for several actions
> 1) it shows the continued need for EAC oversight. There had been talk of
> disbanding it without replacement.
> 2) It shows the possible rationale for (Open) source respositories as
> proposed by the OVC.
> 3) It shows the strength of the Open source approach in general.
I agree. We also need to find out about the bill mentioned in the article.

> And the laboratories will still be paid by the voting machine
> companies, though a bill now in Congress could change that
> to government financing.
My idea of government funding would be to have NIST and the GAO to join OVC.
Their 6-figure membership fees could help underwrite testing under the "open
test" model.

Alan D.

p.s., capturing text of article for the record

January 4, 2007
U.S. Bars Lab From Testing Electronic Voting
A laboratory that has tested most of the nation's electronic voting systems
has been temporarily barred from approving new machines after federal
officials found that it was not following its quality-control procedures and
could not document that it was conducting all the required tests.

The company, Ciber Inc. of Greenwood Village, Colo., has also come under
fire from analysts hired by New York State over its plans to test new voting
machines for the state. New York could eventually spend $200 million to
replace its aging lever devices.

Experts on voting systems say the Ciber problems underscore longstanding
worries about lax inspections in the secretive world of voting-machine
testing. The action by the federal Election Assistance Commission seems
certain to fan growing concerns about the reliability and security of the

The commission acted last summer, but the problem was not disclosed then.
Officials at the commission and Ciber confirmed the action in recent

Ciber, the largest tester of the nation's voting machine software, says it
is fixing its problems and expects to gain certification soon.

Experts say the deficiencies of the laboratory suggest that crucial features
like the vote-counting software and security against hacking may not have
been thoroughly tested on many machines now in use.

"What's scary is that we've been using systems in elections that Ciber had
certified, and this calls into question those systems that they tested,"
said Aviel D. Rubin, a computer science professor at Johns Hopkins.

Professor Rubin said that although some software bugs had shown up quickly,
in other instances "you might have to use the systems for a while before
something happens."

Officials at the commission and other election experts said it was essential
for a laboratory to follow its quality-control procedures and document all
its testing processes to instill confidence in the results.

Commission officials said that they were evaluating the overall diligence of
the laboratory and that they did not try to determine whether its weaknesses
had contributed to problems with specific machines.

Computer scientists have shown that some electronic machines now in use are
vulnerable to hacking. Some scientists caution that even a simple software
error could affect thousands of votes.

In various places, elections have been complicated by machines that did not
start, flipped votes from one candidate to another or had trouble tallying
the votes.

Until recently, the laboratories that test voting software and hardware have
operated without federal scrutiny. Even though Washington and the states
have spent billions to install the new technologies, the machine
manufacturers have always paid for the tests that assess how well they work,
and little has been disclosed about any flaws that were discovered.

As soon as federal officials began a new oversight program in July, they
detected the problems with Ciber. The commission held up its application for
interim accreditation, thus barring Ciber from approving new voting systems
in most states.

Ciber, a large information technology company, also has a $3 million
contract to help New York test proposed systems from six manufacturers.
Nystec, a consulting firm in Rome, N.Y., that the state hired, filed a
report in late September criticizing Ciber for creating a plan to test the
software security that "did not specify any test methods or procedures for
the majority of the requirements." The report said the plan did not detail
how Ciber would look for bugs in the computer code or check hacking

A spokeswoman for Ciber, Diane C. Stoner, said that the company believed
that it had addressed all the problems and that it expected to receive its
initial federal accreditation this month. Federal officials said they were
evaluating the changes the company had made.

Ms. Stoner said in a statement that although the Election Assistance
Commission had found deficiencies, they "were not because Ciber provided
incomplete, inaccurate or flawed testing, but because we did not document to
the E.A.C.'s liking all of the testing that we were performing."

She added that the test plan cited in New York was just a draft and that
Ciber had been working with Nystec to ensure additional security testing.

The co-chairman of the New York State Board of Elections, Douglas A.
Kellner, said Ciber had tightened its testing. But Mr. Kellner said
yesterday that Nystec and Ciber continued to haggle over the scope of the
security testing.

New York is one of the last states to upgrade its machines, and it also has
created some of the strictest standards for them. Mr. Kellner said only two
of the six bidders, Diebold Election Systems and Liberty Election Systems,
seemed close to meeting all the requirements.

Besides Ciber, two other companies, SysTest Labs of Denver and Wyle
Laboratories, in El Segundo, Calif., test electronic voting machines. Ciber,
which has been testing the machines since 1997, checks just software. Wyle
examines hardware, and SysTest can look at both.

The chairman of the Election Assistance Commission, Paul S. DeGregorio, said
SysTest and Wyle received interim accreditations last summer. Mr. DeGregorio
said two other laboratories had also applied to enter the field.

Congress required greater federal oversight when it passed the Help America
Vote Act of 2002. Since then, the government also put up more than $3
billion to help states and localities buy electronic machines, to avoid a
repeat of the hanging punch-card chads that caused such confusion in the
2000 presidential election.

The commission was never given a substantial budget, and it did not finish
creating the oversight program until last month. Until then, the
laboratories had been at the heart of the system to evaluate voting
machines, a system that seemed oddly cobbled together.

While the federal government created standards for the machines, most of the
states enacted laws to make them binding. The states also monitored the
testing, and much of that work was left to a handful of current and former
state election officials who volunteered their time.

As a result, voting rights advocates and other critics have long been
concerned about potential conflicts of interest, because the manufacturers
hire the laboratories and largely try to ensure confidentiality.

Michael I. Shamos, a computer scientist who examines voting machines for
Pennsylvania, said about half had significant defects that the laboratories
should have caught.

Besides certifying the laboratories, the Election Assistance Commission will
have three staff members and eight part-time technicians to approve test
plans for each system and check the results. The manufacturers will be
required to report mechanical breakdowns and botched tallies, and Mr.
DeGregorio said those reports would be on the agency's Web site.

Dr. Shamos said, "This is not the sea change that was needed."

He said he was disappointed that the commission had hired some of the same
people involved in the states' monitoring program and that it never
announced it had found problems with Ciber operations.

Dr. Rubin of Johns Hopkins said the laboratories should be required to hire
teams of hackers to ferret out software vulnerabilities.

And the laboratories will still be paid by the voting machine companies,
though a bill now in Congress could change that to government financing.

A recent appearance in Sarasota, Fla., by the SysTest Labs president, Brian
T. Phillips, also raised eyebrows. After a Congressional election in the
Sarasota area ended in a recount last month, the victorious Republican
candidate hired Mr. Phillips as a consultant to monitor the state's
examination of whether there had been a malfunction in the voting machines.

Several critics questioned whether Mr. Phillips should have taken such work,
either because of its partisan nature or because it represented such a
public defense of the industry.

Mr. Phillips said he did not see any conflict because his laboratory had not
tested the software used in Sarasota. And the project does not appear to
have violated the ethics rules of the election commission.

Ian Urbina contributed reporting.

OVC-discuss mailing list
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Tue Jan 1 14:12:44 2008

This archive was generated by hypermail 2.1.8 : Tue Jan 01 2008 - 14:12:51 CST