"[The] release of information provides voters with a check list of problems found and a road map for corrections," Blackwell said. "In order to maintain strong public confidence in our elections systems, voters must be assured that the security risks uncovered in our reviews have been addressed and resolved," Blackwell said.
Blackwell will seek an extension of federally mandated Help America Vote Act (HAVA) deadlines in order to provide system manufacturers time to correct deficiencies.
"I will not place these voting devices before Ohio's voters until identified risks are corrected and system security is bolstered," Blackwell said. "Fortunately, all of the documented risks will be expeditiously corrected by each of our voting machine manufacturers. When Ohioans begin casting ballots on these electronic devices they will do so with the knowledge that the integrity of their voting system has been maintained."
Compuware Corporation conducted a thorough technical analysis of each of the four electronic voting device vendors' software and hardware. The review included an examination of the computer source code, and scrutiny of the potential for penetration and points of failure specific to each voting machine. Compuware examined the Diebold Election Systems AccuVote-TS, the Election Systems and Software (ES&S) iVotronic, the Hart InterCivic eSlate 3000 and the Sequoia Voting Systems AVC Edge.
In its review, Compuware identified a total of 57 potential security risks within the software and hardware tested. The risks were sorted into high, medium and low categories. Diebold Election Systems had five high potential risk areas, two medium and eight low potential risk areas. ES&S had one high potential risk area, three medium and 13 low potential risk areas. Hart InterCivic had four high potential risk areas, one medium and five low potential risk areas. Sequoia Election Systems had three high potential risk areas, five medium and seven low potential risk areas.
InfoSENTRY conducted on-site vendor inspections and interviews to assess voting system vendors' security plans, procedures and processes. The review included all information systems security procedures utilized by voting system vendors. InfoSENTRY also assessed Ohio administrative security procedures and made recommendations for improvement.
As a result of InfoSENTRY's review, the secretary of state will seek additional security and quality assurances with documentation from voting machine vendors. Also, the agency will ask vendors to implement industry standard security and quality practices and procedures. While citing procedural and administrative issues, InfoSENTRY advises that the identified risks are manageable and can be addressed in time to accommodate the secretary of state's new deployment timetable.
Originally setting March 2004 for implementation in select counties, Blackwell has now identified the August 2004 special elections as the first scheduled use of new systems. County boards of elections have until January 15 to select preferred voting systems. The secretary of state's election reform staff, working with boards of elections, will develop a new deployment schedule.
Vendors are currently in the process of making the necessary software, hardware and operational security improvements. When complete, each vendor and their voting devices must undergo additional verification testing by Compuware and InfoSENTRY and in some instances seek federal and state re-certification. Counties currently using electronic voting systems will be provided with mitigating strategies to bolster security and reduce risks.
