The Dirty Little Secrets of Voting System Testing Labs
Avi Rubin
Before election officials can purchase voting systems, those systems need to be certified by a federally accredited lab called an Independent Testing Authority (ITA). There are three such labs in the US: Ciber, Wyle Labs, and Systest. These labs are tasked with testing any proposed voting systems against federal standards, in this case, the 2002 federal standards, soon to be replaced by the 2005 Voluntary Voting System Guidelines (VVSG). You would think that these labs would be very interested in attending a summit such as this, and in fact, they were all invited. Only Systest showed up.
There were several overriding themes that emerged at the voting systems testing summit. Perhaps the most prevalent one was that the ITAs consistently decline to appear at these meetings. Why? Well, the main reason is that they are fraught with conflict of interest and incompetence. In fact, had they shown up, they would have been raked over the coals by some of the voting system examiners that attended the summit. For instance, an examiner from Pennsylvania wanted to know how come so many systems that passed the ITA testing still had serious security and even operational flaws. The Systest representative, who had the misfortune of representing his entire industry alone, replied that they were only required to test against the standard. When pressed about whether or not the ITAs would fail a system if a serious flaw was found, the reply was that a memo would be written, but that the system would still pass. I couldn't believe it. The company that was tasked with certifying machines for elections in the United States would still pass them, even if a serious flaw was found, as long as the machine did not violate any aspects of the standard. Unbelievable.
Now, let me talk a bit about the conflict of interest. As a friend of mine put it, the ITAs are not independent and they have no authority. So Independent Testing Authority is a misnomer. Thankfully, NIST is going to change the name next year. Here's where it gets bad. The ITAs are hired by and paid by -- the vendors. That is, when a vendor has a voting machine that they want certified, they find an ITA who is willing to certify the voting machine. Any memos about flaws that are discovered remain confidential. There is no requirement to disclose any problems that are found with the machines. In fact, the entire ITA report is considered proprietary information of the voting machine vendor. After all, they paid for it. This provides an incentive for ITAs to certify machines, to satisfy their clients.
Two years ago, my research team got our hands on the code that runs inside of Diebold's Accuvote machines. We performed a source code analysis and reported all kinds of serious security problems (see It was incredible to me that such machines were actually deployed and used in elections. Equally confounding was that a national testing lab, in this case Wyle Labs, actually certified this machine. Either they did not know the first thing about cryptography and security, or they did not look at the source code. In fact, according to the 2002 standards, they were not required to examine the code.