Toward Clarifying Election Systems Standards
About This Paper

From the Introduction:

One goal of this work is to answer the question: if systems that meet the standards can be induced to provide inaccurate or unreliable results in an election, is the problem that the standards are not adequate or is the problem that the testing is inadequate? If the standards are inadequate, or the testers fail to test the systems adequately, the problems that we see now will continue.

A complementary goal of this paper is to show how threat modeling can lead to clearer standards and help structure the testing and review of an automated election system. The lack of a detailed threat model leads to an inability to determine if the required security mechanisms provide adequate protection against attempts to compromise the electronic voting systems—or, indeed, what “compromise” means. The current certification process—involving the standards, vendors, and ITA—does not include threat modeling or threat identification. It is not immediately apparent how these processes from commercial software development can be integrated into the certification process.
Kim Alexander proposed the question (although she doesn’t remember, so don’t blame her). We tried to give an answer here, and wound up submitting it as comments for the proposed 2006 EAC/FEC voting standards.