Original SAIC Report

(Redactions are crossed through by unknown party and Additions are underlined by unknown party)

The federal Help America Vote Act requires that each state have a voting system meeting federal requirements by January 2006, including a Direct Recording Electronic (DRE) or other accessible voting unit in each precinct for voters with disabilities. Chapter 564 of the Laws of Maryland (2001) requires a uniform statewide voting system for polling places and a uniform system for absentee voting by 2006, for all jurisdictions in Maryland.

To meet these requirements the State Board of Elections (SBE) selected the Diebold AccuVote-Touch Screen for polling pIace voting and the Diebold AccuVote Optical Scan for absentee voting. The agency entered into a contract for the Phase I implementation covering four counties on December 12,2001, and the system was used in those counties for the 2002 elections. SBE signed a contract modification on July 19,2003 to provide for additional equipment and services for 19 jurisdictions (Phase II), to be used b e m g with the March 2004 primary election. The remaining jurisdiction, Baltimore City, is scheduled to implement the system for the 2006 elections.

In a report dated July 23,2003 entitled "Analysis of an Electronic Voting System," (the Rubin report) computer scientists from Johns Hopkins University and Rice University stated results of their analysis of source code for a Diebold touch screen voting system. The report described potential security issues and vulnerabilities of source code found on a Diebold web site and suggested that the security of the system could be compromised easily. The report indicated that administrative controls and procedures for use of the voting system were not analyzed, and based observations on the assumption that the voting devices operate on the Internet.

In response both SBE and Diebold affirmed stated that the devices do not operate on the Internet, and that the State's procedural controls reduce or eliminate many, if not all, of the vulnerabilities identified in the report. Nonetheless, the Rubin report, representing observations of computer security experts, prompted strong public interest in verifying security of the voting system.

On August 5,2003, Governor Robert L. Ehrlich, Jr., directed the Department of Budget and Management to carry out an independent security review of the voting system to determine security risks, and corrective actions required to ensure the integrity of the voting process. Science Applications InternationaI Corporation (SAIC), an independent consulting firm internationdly respected in the fieId of technology security, performed the analysis and has delivered its security analysis report.
The SAIC security analysis reviewed compliance with a total of 329 requirements for voting system security, including management, operational and technical controls.The analysis included testing of a complete AccuVote-TS system, software analysis, interviews of elections professionals, and reviews of administrative procedures and controls for election processing security.

A total of 329 requirements were reviewed and the following: results were found: A total of  217 requirements (66%) were found to be met with existing procedures and technical features. Fourty six 46 requirements (14%) were deemed not applicable to this specific system. Sixty six 66 requirements (20%) were found to need further action, of which 26 (8%) were judged to be high risk factors.

SAIC found few risks represented by the Diebold equipment. The most significant vulnerability, use of hard-coded passwords, has been reported by Diebold to have been corrected and submitted for federal certification. SAIC further recommended encryption of certain data in storage and in transmission, and 100% verification of data transmitted. The analysis noted that risk of compromise via the Internet is minimized eliminated by the fact that the system is not connected to the Internet.

Risks identified were predominantly associated with a wide variety of absent administrative controls for voting system security. Among management andoperational controls, SAIC found risks in the controls on access to servers, administration of passwords, use of system audit logs, intrusion detection, and level of security training for elections personnel. SAIC concluded that with the management and operational procedures currently in use, the risk of system compromise is high.

SAIC indicated however that these vulnerabilities can be mitigated, if not eliminated, by adequate security planning and administration. SBE has prepared an Action Plan in which the agency proposes to develop and carry out immediately series of upgrades in its security procedures to meet these requirements. These include the following types of actions:

SBE will create and implement a formal Information System Security Plan (ISSP);
SBE wilI implement a formal Information System Security Training Program;
SBE wilI develop a plan for alI local jurisdictions to implement policies and procedures uniformly;
SBE wiIl verify that no voting system server is attached to a network accessible externally.

The administrative changes are proposed to be completed in phases: Phase I by September 22, 2003; Phase II by January 31, 2004; and Phase III by March 311, 2004.
 
The Board of Elections believes that:

1. Management and operational requirements can and will be met to fully assure
the integrity of the voting process for all voters, including those with disabilities.

2. The Diebold AccuVote-TS system selected by the Board is capable of meeting the
security requirements with minor changes and proper controls.

In considering appropriate plans, the Department of Budget and Management and SBE evaluated two main options: Continue the existing project and Diebold contract, or discontinue the contract and use an alternative voting system. Since few significant vulnerabilities were found with the Diebold equipment, which in addition meets the requirements of federal and State elections law, and since procurement of an alternative system would likely result in major costs and disruption to the election preparations in the State, continuing the present contract is recommended, subject to successful mitigation of risks identified by SAIC.

SBE proposes keeping to the original schedule of statewide implementation of the voting system by March 2004. Doing so would prevent overlap of that project with the voter registration system project, also required by 2006. An aggressive schedule is required to completed tasks including the intensive security program by March 2004. Implementation of some counties by the November 2004 general election in lieu of the  primary remains a possible alternative if needed. In that case, advance plans must be made with the counties to retain previously acquired equipment until the actual conversion.

SBE projects a need for three additional personnel to manage the security plan. SAIC recommended establishing one SBE System Security Officer position. Two additional State contractual positions are proposed, one to develop procedures and coordinate actions with local Boards of Election, and one to manage the voter outreach and training. SBE has received federal funds under the Help America Vote Act of 2002(HAVA) to implement election reform, for which the Assistant Attorney General for SBE has provided an opinion that the personnel costs will be an acceptable use of funds. The Department of Management and Budget concurs in the retention of a Systems Security Officer and the voting system vendor and contract, and recommends immediate implementation by the State Board of Elections of all security upgrades required to ensure absolute reliability and integrity of Maryland's voting process.


James C. DiPaula, Secretary