Office of the Kansas Secretary of State

Voting System Security Policy

March, 2004

 

Introduction:

 

Security of any computer-based system requires a combination of three factors. First, the computer must provide audit data that is sufficient to track the sequence of events that occur on the system and, to the extent possible, identify the person(s) that initiated the events. Next, there must be well defined and strictly enforced policies and procedures that control who can access the system, the circumstances under which they can access the system, and the functions that they are allowed to perform on the system. Finally, there must be physical security in place such as fences, doors and locks that control and limit access to the equipment. It is recommended that each county adopt the following policy and its six components, but each may have different procedures for adhering to the policy. Kansas counties currently use DRE, optical scan and paper ballots to conduct elections, and each requires different procedures to implement the security policy.

 

Overview of Voting Systems:

 

Direct Recording Electronic (DRE):  A standard personal computer running an executable software module is used to define the election, enter the candidates and questions, and format the ballots for the voting devices. This computer also accumulates the votes after the polls close and prints various reports and audits. Three Kansas counties currently use DRE systems, and a fourth uses a combination of DRE and optical scan.

 

Optical Scan:  A paper ballot is used to cast a vote and is then fed through a scanner. The device reads the voter’s marks on the ballot, and tabulates number of votes cast for each candidate or question. Eighty-one Kansas counties currently use optical scan systems.

 

Paper Ballot:  Votes are recorded on paper ballots and counted by hand. Twenty-one Kansas counties currently use paper ballots.

 

Six Components of Voting System Security:

 

1.      Access to the System: 

 

ú         Stand-alone system

ú         No network connection

ú         No modem

ú         Only operating system and voting software loaded

ú         Controlled access with authorized users

 

The computer-based voting system should not be connected to any network and it should not have a modem. If it does have a modem, it shouldn’t be connected to the Internet. The computer should have only the operating system and voting software loaded. Additional applications could jeopardize system security.

 

If the computer has no outside connections, it can only be accessed by county election staff or other authorized persons.  Any such system should also have password requirements. There should be strict procedures that control who has access to the election system, when they can access the system, what components they can access, and what functions they are allowed to perform.

 

The computer portion of the election system contains features that facilitate overall security of the election system. Primary among these features is a comprehensive set of audit data. For transactions that occur on the system, a record is made of the nature of the transaction, the time of the transaction, and the person that initiated the transaction. This record is written to an audit log to allow the sequence of events surrounding the incident to be reconstructed.

 

A security program, similar to a virus detector program, should be run against the operating system and the election tabulation software before beginning the definition of an election to verify that the code has not been altered. This program should be repeated after the close of the election to verify that the code did not change during the election.

 

Permanent storage of media containing certified application programs should be within a secure, fireproof location such as a safe. Additional backup copies of application programs and media containing election data should be created and stored securely off site.

 

2.      Transmitting Data: 

 

ú         No data transmission by modem – from polling place to election office or from election office to state

 

It is important that results from elections not be sent from polling places to election offices via modem, network, phone line, cable, or any other electronic form of file transmission. The same applies when sending results from the county election office to the Secretary of State’s office. Results should be sent by fax, phone or by inputting the results in the SOS database directly using an IP address and/or using the state’s secure Public Key Infrastructure (PKI) system.

 

3.      Testing Voting Equipment: 

 

ú         Public test 5 days prior to election

ú         Test before public test

ú         Test after canvass

ú         Print zero totals

ú         End of day totals

 

Voting equipment should be tested when it is first received from the vendor. Tests should cover all functions that will be necessary to conduct an election. Prior to use in an election, each voting machine should undergo system diagnostics to ensure proper operation of certified components. A checklist confirms the outcome of acceptability. Any component failure should be logged and repairs to equipment performed as soon as practical.

 

4.      Polling Place Security: 

 

ú         Hardware security

ú         Software security

ú         Poll worker procedures

 

There are many polling places in Kansas that simply do not provide an ideal physical security environment. For instance, church lobbies, school gymnasiums and other places may not always be locked or secured. The county election officer should, to the extent possible, designate polling sites that afford the necessary security features and should maximize the use of whatever security features exist.

 

The memory cards in each touch screen voting station should be stored within a locked compartment. The supervising judge should be the only person with a key to this compartment. The memory cards and/or ballots from each voting location are transported from the voting location to the county elections office by a sworn election official or a sworn law enforcement officer.

 

The area of the voting location that contains the voting stations is secure. A voter is not allowed to enter this area until a voting station is available for his or her use. No person other than a voter, a person assisting a voter, or a poll worker may enter this area.

 

Voting machine protective counters should be observed and recorded with a date of record. Voting machines and ballot boxes should be sealed before delivery to polling place locations. Seals should be tamperproof and serialized with numbers. Logging of machine serial number, seal number and designated voting location is an essential part of the audit trail.

 

Equipment Delivery:  Voting equipment delivery to polling place locations should be conducted with the same degree of control as applied to storage. A delivery person or company should continue the audit trail for the election officer. Documentation and daily reporting are essential.

·         The delivery person or company, or in some cases the supervising judge, should provide documentation containing voting machine numbers, seal numbers and identification for each voting location where equipment has been delivered.

·         A list of persons involved in equipment delivery should be maintained by the county election officer.

·         Voting machines should remain locked and stored in a secure location. Multiple voting machines should be secured together by a keyed or combination lock and a single cable or chain. Additional supplies delivered with machines should be secured with the same cable or chain.

·         Polling places should be in locked buildings or locations that are capable of monitoring secure storage of voting equipment.

 

Election Worker Security Awareness and Requirements:  All election judges are responsible for maintaining the security of the polling place, the integrity of the vote and the protection of voting equipment and supplies. Judges must be vigilant throughout election day and be aware of who is in the polling room. Frequent monitoring of voting machines and securing voting supplies ensures that any malicious attempt to compromise the accurate gathering and reporting of the vote is unsuccessful. The following steps should be taken to ensure that the voting equipment and the voting process are secure at all times in every precinct:

 

Supervising Judges:

• Inspect voting machines for physical damage while setting up or closing units and record on maintenance log. Examples: damaged or broken lid hinges, cracked cases, and damage to equipment inside case.
• Control and secure keys to all voting machines.
• Assure that the election media slot (memory cartridge slot area) on every voting machine is locked.
• Report any suspicious activity in or around voting machines to the county election officer and call 911 if immediate help is required.

 

5.      Equipment Storage: 

 

ú         Election computers should be kept in locked offices.

ú         Physical security during non-election times

ú         Protective seals

ú         Limited access

 

The first line of defense in any system is physical security. When not in use, all election equipment should be stored in a locked room. Access to the room should be limited to election officials and authorized county officials or technicians. A paper activity log should be maintained to record date, time, staff person, and reason for entering the secured computer room. A video camera is recommended to be installed in the locked office to monitor activity. All voting machine keys, voter cards, and storage media should be secured in a controlled access room. Staff should maintain a detailed inventory control of these supplies.

 

6.      Voting Equipment Certification Process:           

 

Kansas participates in the Federal Election Commission (FEC) voluntary voting systems standards program. This program defines three levels of testing that voting equipment must pass before it can be used: national qualifications testing, state certification, and local acceptance testing.

National independent testing authorities (ITAs) selected and monitored by the National Association of State Election Directors (NASED) Voting System Board administer the qualifications tests. After ITA certification, any change to either the operating system or the election system requires retesting. A complete description of the qualification tests can be found in the FEC voting system standards section at http://www.fec.gov.

 

After the system has successfully completed qualification testing it is brought to the state for certification testing. Certification testing is conducted by the Secretary of State’s office using the following procedure:

 

ú         The manufacturer or vendor sends a request for certification in writing to the Secretary of State, accompanied by a $500 fee.

ú         The Secretary of State requires that the equipment be certified by an independent testing authority (ITA). A copy of the ITA’s report must be submitted. 

ú         The Secretary of State reviews the equipment to ensure that it meets standards established by the Federal Election Commission and the requirements of Kansas law.

ú         The Secretary of State conducts a public meeting in Topeka at which the manufacturer or vendor displays the equipment and members of the Secretary’s staff and other interested persons test the equipment.

ú         The Secretary of State may hire a private expert to review the equipment at the manufacturer’s expense.

ú         The Secretary of State contacts other jurisdictions in the United States that have certified and used the equipment to inquire about their experiences. 

ú         The Secretary of State may grant temporary conditional approval for the equipment to be used in a Kansas jurisdiction before granting final certification.

ú         If the above conditions are met, the Secretary of State makes the final decision whether to grant certification and informs the manufacturer and vendor of the decision in writing.

 

The final level of tests, acceptance tests, is conducted in the county offices after the voting system has been delivered and installed. The purpose of these tests is to verify that the system as delivered and installed in the county is complete, is working properly, and is identical to the system that was previously qualified by the ITA and certified by the state. 

 

The Help America Vote Act has given the National Institute of Standards and Technology (NIST) a key role in helping to realize nationwide improvements in voting systems by January 2006. NIST’s Information Technology Laboratory (ITL) is coordinating the agency’s HAVA efforts through its expertise in areas such as computer security and usability. NIST supports the Election Assistance Commission (EAC) as chair of the Technical Guidelines Development Committee (TGDC). The TGDC makes recommendations to the EAC on voluntary standards and guidelines related to voting machines. As of this writing, NIST has not adopted guidelines or standards.

 

Conclusion

Adoption of this voting system security policy will increase the overall security of each county’s system as well as the security of the electoral process across the state. Further, it will enhance preparation for the deployment of HAVA-compliant voting equipment in the next several years.