July 17, 2006
CC: "Sherri Hadskey", "Chrissie Weatherford", "Renee Free", "Al Ater"
Dear Mr. Ward:
The Brennan Center Task Force Report you asked about focuses on the threat of hacking, which is not a concern with regard to our Sequoia AVC Advantage and AVC Edge voting machines as our approach to ensuring the security of the machines and related systems contains many levels of security, both physically and procedurally, but most importantly, they are stand alone systems and we do not use the public internet, nor any wireless or infrared components to operate our systems.
It is important to remember that election security is about more than just the voting equipment. Election security takes into account the people and processes that surround the voting technology. There are many levels of security in our state. There is physical security of all of our election machines and parts, such as cartridges and their storage before, during and after elections. We also use numbered security seals for all machine cartridges, which cannot be removed from the machines without evidence. We perform a full inspection and test on each machine before each election and print an audit report trail showing our pre-election test, zero proof sheet, any error messages, results, and ballot image reports.
We also provide physical security for our central network system with very limited access and evidence of access. We have a custom electronic interface with our clerks of court to receive election results, which do not involve the public internet. We test this system prior to every election.
We have established procedural securities for the security of our computer hardware and the operating system and application security for our software. For example, we have a policy on access to the system with user login permissions that is monitored, and therefore, can detect unauthorized access. We also required the escrowing of the voting system source code to be held in our state. Our voting technology provider, Sequoia Voting Systems, has also voluntarily placed the hash code for their voting system software in escrow at the National Software Reference Library (NSRL). Sequoia's products have been through and passed federal and state testing, including a line by line review of their voting system source code by the federal independent testing authorities.
Finally, we have checks and balances that act as prevention for a security breach and provide evidence if there were to be any attempts. For example, software cannot be accessed by a Sequoia representative alone, nor a secretary of state employee alone and every action is recorded in our system security log, showing the person and action. We have precinct by precinct returns and we know on each machine how many people voted in a particular election and we also have a precinct register where the voter signs in, which will match the public counter on the machine, and if it does not, then that is evidence of some sort of problem, which is usually commissioner error and not a security breach. We have a parish board of election supervisors in every parish, made up of 5 election officials (clerk of court, registrar of voters, governor appointee, republican pec chairman and democratic pec chairman) who oversee all election activities for each election. This parish board acts as a check and balance, not only for the security of our system, but especially for the security of our election results.
I hope that this answers all of your questions and provides sufficient information for your article. We appreciate the opportunity to fully explain our security measures, as each state is different and unique in its approach to securing not only their machines, but also their results and transmission of their results. If you have any other questions, please do not hesitate to contact me.
(Ed Ward) My response follows:
Dear Angie Laplace,
Thank you for your response. Relevant portions will be included in my article (far to long for the article and contain already stated information). Do your/our machines differ from all the other Sequoia machines specifically evaluated in the Brennan Study? Despite recommendations of gov and private experts, the election board still does not feel they need to be implemented? The Brennan study is in conflict with your assessment of your/our machines and necessary security measures that need to be implemented. Also, you state 'do not use public internet', so apparently there is 'transmission' of results. Is this correct? And adds possible security breeches for any and all transmission equipment. Since there is no hookup for the machines to transmit, the cartridges are removed and then transmitted? Is this correct? Also note, in Curtis's testimony reference to a central transmission process.
For your convenience, relevant sections are below (infrared section is apparently NA and does not need address, unless in during transmission there is any infrared access). Also note the sworn statements of Mr. Curtis who wrote an undetectable election fix for the state of Florida.
The Task Force surveyed hundreds of election officials around the country; categorized over 120 security threats; and evaluated countermeasures for repelling attacks. The study examined each of the three most commonly purchased electronic voting systems: electronic machines ("DREs") with - and without - a voter verified paper trail, and precinct-counted optical scan systems ("PCOS"). The report, The Machinery of Democracy: Protecting Elections in an Electronic World/programs/downloads/SecurityFull7-3Reduced.pdf, is the first-ever systematic analysis of security vulnerabilities in each of these systems. The report's findings include:
All of the most commonly purchased electronic voting systems have significant security and reliability vulnerabilities. All three systems are equally vulnerable to an attack involving the insertion of corrupt software or other software attack programs designed to take over a voting machine.
Automatic audits, done randomly and transparently, are necessary if paper records are to enhance security. The report called into question basic assumptions of many election officials by finding that the systems in 14 states using voter-verified paper records but doing so without requiring automatic audits are of "questionable security value."
Wireless components on voting machines are particularly vulnerable to attack. The report finds that machines with wireless components could be attacked by "virtually any member of the public with some knowledge of software and a simple device with wireless capabilities, such as a PDA."
The vast majority of states have not implemented election procedures or countermeasures to detect a software attack even though the most troubling vulnerabilities of each system can be substantially remedied.
Among the countermeasures advocated by the Task Force are routine audits comparing voter verified paper trails to the electronic record; and bans on wireless components in voting machines. Currently only New York and Minnesota ban wireless components on all machines; California bans wireless components only on DRE machines. The Task Force also advocated the use of "parallel testing": random, Election Day testing of machines under real world conditions. Parallel testing holds its greatest value for detecting software attacks in jurisdictions with paperless electronic machines, since, with those systems, meaningful audits are not an option.
Watch computer programmer Clinton Curtis testify under oath that in October of 2000 he wrote a prototype election fixing program for then speaker of the house of Florida and present FL congressman Tom Feeney that was virtually undetectable and even worked on optical scan machines.
Again, thank you for your responses, pertinent information will be included in the article. Any further responses prior to the publishing date will be treated the same.
Ed Ward, MD
Per phone conversation with Angie soon after my response: I met a single mindedness and fervor that would have made a Jehovah's Witness recruiter proud. Indeed after 15 minutes, 3 attempts to get off the phone, and a request for email correspondence. The cell phone cut off with her still chanting the safety of LA elections. Angie Laplace stated it was her opinion everything is perfectly safe with LA elections. I responded that was most definitely not the opinion of: The Brennan Study, The Common Cause study, VoteTrust USA org., True Vote MD org., Black Box Voting org., The Brad Blog (with possibly the largest compilation of voting security information anywhere, except maybe the NSA and their information is classified), Distinguished Professor Michael Shamos (who testified before congress regarding election security), all independent voting security orgs and experts that are truly interested in verified accurate election results, and certainly not my opinion after correspondence with the Elections Division.
Prior to the publishing of this article there has been no email correspondence regarding this last set of questions.
Until Brennan Study recommendations are enforced, this reporter will no longer be participating in what he considers the charade of voting in elections
Ed Ward, MD