On Wednesday September 19th, 2012, at the Union League Club in Chicago, Defend the Vote, an Illinois-based nonprofit organization whose mission is to empower citizens to protect the integrity of elections, held a news conference to announce a project with Argonne National Laboratory to evaluate the election security of Chicago and Suburban Cook Country's elections systems through a vulnerability assessment. This project is generously funded by Jack Roeser, Chairman and founder of Otto Engineering and Publisher of Champion News.
Speaking at the press conference was Jack Roeser, Dr Johnston, Ph.D., CPP, and Manager of the Vulnerability Assessment Team (VAT) at Argonne National Laboratory, Republican Cook County Chairman, Aaron Del Mar, and Defend the Vote Director, Sharon Meroni.
In some instances, in Illinois, gaining access to voting equipment and the software that runs it, requires the participation of the political parties. At the press conference, Republican Cook County Chairman Aaron Del Mar pledged his full support of this project. In addition he announced that the Cook County GOP is working on election security by assuring that Republican election judges are placed throughout the City of Chicago and Cook County.
Details of the vulnerability assessment project were discussed at the press conference. The assessment is set to begin immediately. Defend the Vote has contacted Dominion Voting, but they have not returned our calls. We will follow-up with further information later today.
What is a vulnerability assessment?
The procedure for reviewing an election jurisdiction’s security and offering suggestions for ways to improve it is as follows. This is similar to the procedures that the Argonne Vulnerability Assessment Team (VAT) uses for vulnerability assessment on other types of (non-election) security programs.
1. The VAT obtains 2 functioning, randomly chosen voting machines from the election jurisdiction (not directly from the vendor or manufacturer) that were scheduled to be used in the next election. Ideally, these should already be programmed for a small, mock election. Alternately, they can be programmed for the upcoming election. These will be studied and returned undamaged. Copies of user and programming manuals, and other materials from the vendor or manufacturer should be provided to the VAT.
Note that the VAT has previously analyzed and demonstrated simple non-cyber attacks for earlier, related models but needs to identify any changes to the voting machine design that are relevant for security and the voting machine's use protocol.
While the VAT will look briefly at cyber security issues, most of the focus on the voting machines will be on the electronic and mechanical design in order to identify simple physical/electronic attacks, as well as to determine countermeasures and optimal use and security protocols (including lock and seal use). Significant design improvements to the voting machines are unlikely in time for the next election, so the VAT will emphasize ways to use the existing voting machines in a relatively secure manner (though design changes will still be suggested).
2. The VAT meets with the manufacturer (assuming manufacturer willingness) to obtain verbal and written information about the voting machine design, security, operation, and recommended use protocols.
3. The VAT meets with mid- to high-level election officials to learn about the election jurisdiction’s strategies and procedures for elections, training, and security. Ideally, the VAT can obtain copies (to be returned) of any written (or video) guidelines, instructions, and training materials for poll workers and election jurisdiction employees/contractors. Samples/examples of locks, seals, ballot containers, voter lists and registries, polling place paperwork, and other election materials, supplies, and forms should be provided to the VAT.
4. The VAT tours the facilities, warehouses, and offices of the election jurisdiction, and possibly tours a typical polling location.
5. The VAT meets with relevant hands-on election technicians, workers, clerks, and also with personnel who transport the voting machines to discuss procedures, training, technical issues, and security culture. This includes some private, one-on-one interviews.
6. The VAT briefly interviews a few experienced poll workers for the election jurisdiction and a few relatively inexperienced poll workers.
7. After completing its analysis, the VAT meets with the officials from the election jurisdiction (and possibly the voting machine manufacturer) to discuss the VAT’s preliminary findings, suggestions, and recommendations, and to obtain feedback from the election officials and from the sponsor of the vulnerability assessment.
8. The VAT submits a final report to the sponsor of the vulnerability assessment. This report discusses the VAT’s findings, suggestions, and recommendations modified accordingly from what was learned in step 7.