Rethinking Election Technology Certification
Edward Perez, Global Director of Technology Development
Contribution by
Gregory Miller, Co-Founder, COO & Principal Election Technology Analyst
When the Help America Vote Act was passed in 2002 and the regulations implementing the U.S. Election Assistance Commission (EAC) and provisions for testing and certification were put in place, little thought was given to the sources and methods of potential “attacks” on the sovereign act of free and fair elections. Indeed, we argue that the focus 15 years ago was primarily on clearly ascertaining and protecting voter intent. At the time, the thinking was that computers can easily and reliably do that. No one was thinking about “digital attack vectors” on what would be the new machinery of election administration and voting. In some ways similar to other historical mindset-changing events (e.g., the Pentagon Papers, Watergate, the 9.11 attacks, etc.), there remained an “age of innocence” …in this case, with regard to the integrity and security of computers in voting.
Of course, that innocence was somewhat ironic. Even in 2005 computer viruses and malware were well-understood threats. Nevertheless, this administrative computing segment, severely lagging behind the majority of Government I.T., has a growing blind spot. Inasmuch as the election of 2000 woke a nation to the vulnerabilities in our processes of voting, the election of 2016 woke a nation to the reality that the very thing intended to lead us away from the problems of the “hanging chad” had brought us to a new reality: the impact of having never applied proper threat models, risk assessments, or security-centric engineering in the design, development, testing, and certification of the machinery upon which now we depend for the defense of our democracy. It is past time to rethink testing and certification. The OSET Institute takes a position on that topic in this Paper led by our Global Director of Technology Development, Eddie Perez.