Source Code Review & Examination
and Security Review

of the
ExpressVote Electronic Voting System

NCSBE IS CONSIDERING RESTRICTIVE RULES THAT WOULD EFFECTIVELY LIMIT EXPERTS FROM PERFORMING A SOURCE CODE REVIEW & EXAMINATION OF VOTING SYSTEMS USED IN NORTH CAROLINA

According to “Freedom to Tinker", in an article by Andrew Appel, it appears that ES&S has allowed undergraduate students access to pen test their electronic voting system AND disclose the vulnerabilities that they’ve found.

Poster showing vulnerabilities the undergraduate students found

SO, WHY IS NCSBE TRYING TO LIMIT PROFESSIONAL, EXPERIENCED ELECTION SYSTEM EXPERTS FROM TESTING AND DISCLOSING VULNERABILITIES?

That is a great question for our NC Board of Elections Director, Chair and Members.
karen.bell@ncsbe.gov, damon.circosta.board@ncsbe.gov, stella.anderson.board@ncsbe.gov, jeff.carmon.board@ncsbe.gov, four.eggers.board@ncsbe.gov, tommy.tucker.board@ncsbe.gov

READ THE RESTRICTIVE PROPOSED RULES AND NON-DISCLOSURE AGREEMENT
THAT NCSBE IS TRYING TO GET APPROVED


 

WHY DOES THIS MATTER?

Although the CISA advisory is for Dominion systems, which are not used in NC, Hart InterCivic and ES&S systems are used. This CISA advisory came about because Alex Halderman was given access to examine and test the Dominion system. His findings were sealed by a judge, and this advisory is what CISA has released to the public regarding the system.

The rules that NCSBE is trying to put in place would prevent experts from examining/testing the system and source code. If vulnerabilities are found, the experts would be forbidden to ever release the information. They would even be prevented from ever discussing or writing about “features” of the system.

 

Link to Press Release from LPNC

“Software is hard to get right. Programmers often get too focused on the details of what they are doing,” Dr. Buell noted. “One way to ensure that things have not been overlooked is to have a source code review by other experts to ensure that the code does exactly — and only — what it is supposed to do.”

 

Link to Press Release from NCSBE

“These rules are an important step forward in ensuring transparency in our elections, while also protecting sensitive information as necessary to keep our elections secure,” - Karen Brinson Bell, Executive Director of the NC State Board of Elections

 

The PUBLIC COMMENT PERIOD is closed, but there will be another opportunity to send in your thoughts and opinions if/when these proposed rules go to the Rules Committee. TENC will send a notification when the next round of comments should be submitted. Make sure to sign up below.

link to comments received through NCSBE public comment portal

link to comments received via email with attachments included

 


Online: Rulemaking Public Comment Portal

Email: rulemaking.sboe@ncsbe.gov, damon.circosta.board@ncsbe.gov, stella.anderson.board@ncsbe.gov, jeff.carmon.board@ncsbe.gov, four.eggers.board@ncsbe.gov, tommy.tucker.board@ncsbe.gov

Mail: Attn: Rulemaking Coordinator, 6400 Mail Service Center, Raleigh, NC 27603-1362


VIRTUAL PUBLIC HEARING occurred on April 27, 2022 at 10am
3 min public comment was allowed
Location:
Webex, or by telephone dial-in (415) 655-0003; access code 2438 018 7935
Recording of Virtual Public Hearing - Paul Cox, attorney for the SBE, led the hearing - 5 public commenters

Spreadsheet listing specific objections & rationale
with detailed information breaking down each proposed rule

Sample Public Comment Letter - copy, paste and send.

PUBLIC COMMENT: Feel free to copy and paste any of this sample letter into your email to the SBE
The last paragraph is what experts who have experience with election system software, code reviews, and code examinations are asking for.

 

50 Counties will be using the ES&S ExpressVote System for the 2022 Primary Election

NC Counties Source Code Review ExpressVote

Election Systems & Software (ES&S) Electronic Voting System 5.2.4.0

GREEN = Most vote via hand-marked paper ballot & ExpressVote available (ADA)
GREY = Most vote via hand-marked paper ballot & AutoMark available (ADA)
YELLOW = ALL in-person voters MUST fill out their ballot via ExpressVote barcode ballot marking device. Voters in these counties are denied a hand-marked paper ballot if voting in-person.


WHAT DO EXPERTS THINK ABOUT THE PROPOSED RULES?

The general consensus is that some rules are too restrictive to allow for a meaningful review, many go beyond the authority of NCSBE, and the non-disclosure agreement leaves no way for any vulnerabilities to be addressed and corrected.

Specific comments regarding the proposed rules:

  1. The EAC testing program for VVSG 1.0 does not require a detailed source code review, so it is even more important that the SBE draft rules that do not prevent a full source code review from being done.

  2. NCSBE is overstepping its authority by limiting the test to M-F 9-5pm, especially when the law already limits the number of designees to three.
    Let’s crunch those numbers: 3 experts x 2 weeks x 40 hours/week = 240 hours total for a full source code review! The Everest Report took 9 weeks and 20 security researchers at three institutions to study the software systems and identify and confirm security issues. So, for 9 weeks x 40 hours/week x 20 people = 7200 hours.

  3. The review would need to take place near where the designees reside. A source code review of this magnitude could take several months, especially because the General Statutes limit the number of reviewers to three.

  4. The restrictions would make this a “static code analysis” rather than a “source code review”. A source code review and security examination requires that dynamic testing be done on the system. Designees must be able to set up a test bench or mock election using all components (software and hardware) of the system under review.

  5. Restricting the tools that the reviewers can use will hinder the ability of the experts to perform a full source code review. Experts must also have the ability to add tools at any point throughout the source code review, since they will likely only know what tools are required as the review progresses.

  6. Preventing access to the internet on a separate computer that is air-gapped from the election system is an unnecessary and unreasonable restraint. (ex. The code may consist of more than 8 different programming languages and the reviewers may not be familiar with all of them and would need to conduct some research).

  7. The type of background check and time the SBE has to perform that background check must be defined in these rules. (ex. A DoE security clearance takes about 6 - 18 months and costs $18K).

  8. The Executive Director is given “discretion” to deny authorization based on “convictions” that indicate “the person is unsuitable to review and examine” the information. The language is vague, subjective, and ripe for abuse.

  9. Any material that the vendor deems to be proprietary must be marked as “proprietary”. No material that the vendor has marked as “proprietary”, but that can be found elsewhere through legitimate means, should be covered by any constraints.

  10. A “vulnerability disclosure policy” should be added rather than a “zero non-disclosure agreement” — this allows researchers to bring potential issues to the vendor and gives the vendor time to correct any issues with the system prior to releasing information about vulnerabilities to the public.

  11. ES&S’s own “Vulnerability Disclosure Policy”, found online 04-29-2022, is to “Keep the details of any discovered vulnerabilities confidential until either they are fixed or at least 90 days have passed.” Hart InterCivic’s “Vulnerability Disclosure Policy” sets this time to 120 days (found online May 5, 2022). This is a reasonable amount of time so that source code reviews in NC do not lead to scenarios like the one Alex Halderman is in, with the judge sealing his report and not even allowing the Secretary of State of GA to see the vulnerabilities of the system in use in GA. Halderman case

  12. According to the NC Elections Systems Certification Program, “Section 3.3.4 Voting System Vendors: Vendor Must Bear Costs Vendors shall bear all costs associated with necessary certifications, reviews, and reports required under this Program, including for all VSTL and third-party review.” There is no other mention of costs or who pays for them in NCGS or NCAC.


BACKGROUND
In 2005, the NC General Assembly unanimously passed the 'Confidence in Elections Act', which sought to improve election security and public confidence. One of the provisions now codified in law is that any State party chair (of an officially recognized party in NC) can request to conduct, or designate up to 3 experts to conduct, an independent source code review and examination of any electronic voting system that has been certified in NC. On December 21, 2022 the Chairperson of the Libertarian Party of North Carolina (LPNC) sent the state a formal request to conduct the review and examination.

Because this is the first request since the law was enacted, the State Board of Elections needed to draft rules regarding access to voting systems in escrow. They have also drafted proposed rules regarding non-disclosure of the findings.

Right now, these are proposed rules so there is time for the public to weigh in during the public comment period April 1 - May 31, 2022 and during a virtual public hearing on April 27, 2022 at 10am. Link to video of public hearing.



PROPOSED RULES

OBJECTIONS TO PROPOSED RULES

OBJECTIONS TO PROPOSED RULES REGARDING ACCESS TO ESCROW MATERIALS
Link to detailed objections to proposed Rule 08 NCAC 04 .0308

NCSBE’s PROPOSED RULES TO ACCESS ESCROW MATERIALS
Rule 08 NCAC 04 .0308

OBJECTIONS TO PROPOSED RULES REGARDING NON-DISCLOSURE OF ESCROW MATERIALS
Link to detailed objections to proposed Rule 08 NCAC 04 .0309

NCSBE’s PROPOSED RULES REGARDING NON-DISCLOSURE OF ESCROW MATERIALS
Rule 08 NCAC 04 .0309


Letter from 8 experts to NCSBE re: lack of source code review for Administrative Approval of ES&S EVS 5.2.4.0

…for the three systems certified on August 23, 2019, the State may have failed to conduct the essential security testing and source code review as part of its certification process. For example, the functional test report delivered by Pro V+V for the ES&S EVS 5.2.2.0 system does not constitute a source code review, nor does it address cybersecurity issues the law specifies. It is our understanding that all recently certified systems had similar Pro V+V reports, but no security or source code review.

The General Assembly’s statutory mandate to require an independent review of the voting system source code is a sound practice that more states should employ, following North Carolina’s lead. The EAC testing program for VVSG 1.0, under which the recently certified systems were apparently certified, does not require a detailed source code review management, technology infrastructure and security controls, security organization and governance, and operational effectiveness, as applicable to that voting system.” nor does it emphasize security in the manner in which North Carolina law wisely contemplates.”


Historical examples of Source Code Reviews of Electronic Voting Systems

Everest Report: 2007
This report details the findings of one part of the Ohio Secretary of State’s EVEREST: Evaluation and Validation of Election-Related Equipment, Standards and Testing initiative. The goal of this review was to assess the security of electronic voting systems used in Ohio, and to identify any procedures that may eliminate or mitigate discovered issues. The review teams were provided the source-code (computer instructions), software, and election equipment for the majority of systems used in Ohio. During the 9 week review, 20 security researchers at three institutions studied the software and systems and identified and confirmed security issues. The evaluated systems included those designed and developed by Election Systems and Software (ES&S), Hart InterCivic (Hart) and Premier Election Solutions (Premier, formerly Diebold).

Top to Bottom Review: 2007
Source Code Review of the Diebold Voting System
This report was prepared by the University of California, Berkeley under contract to the California Secretary of State as part of a “Top-to-Bottom” review of electronic voting systems certified for use in the State of California. Six researchers participated in the review.

Software Review and Security Analysis of the ES&S iVotronic 8.0.1.2 Voting Machine Firmware: 2007

Security Analysis of the Diebold AccuBasic Interpreter (not full source code review)
https://www.sos.texas.gov/elections/forms/security_diebold_accubasic.pdf

Voatz Security Assessment Volume I of II: Technical Findings: 2020
“Tusk Philanthropies and Voatz engaged Trail of Bits to review the security of the Voatz mobile voting platform. Trail of Bits conducted this assessment over the course of twelve (12) person-weeks with five (5) engineers working from commit hash 3443f4a of the Voatz Core Server repository, commit hash 07d1adb of the Voatz Android Client, commit hash d8436c1 of the Voatz iOS client, and commit hash 69d7a8b of the Voatz Administrative Web Interface... The assessment resulted in forty-eight (48) findings, of which a third are high severity, another quarter medium severity, and the remainder a combination of low, undetermined, and informational severity.”

Voatz Security Assessment Volume II of II: Threat Modeling Findings: 2020
“Trail of Bits undertook a threat model of the Voatz system to help Voatz understand wider design concerns within the system… The assessment included 20 identified components across five trust zones, and resulted in a total of 31 findings, ranging in severity from High to Informational. The client identified several policy and control frameworks that were in use. Listed frameworks include NIST 800-53 (“Security and Privacy Controls for Federal Information Systems and Organizations”), ISO 27001 (“Information technology—Security Techniques - Information Security Management Systems—Requirements”), and the NIST Cybersecurity Framework (CSF). This document mainly uses NIST 800-53 controls, with the addition of two control families. Sections of this document that deviate from NIST 800-53 are marked, and controls from other policy frameworks, specifically ISO 27001:2013, are noted.”


RULEMAKING PROCESS
Once proposed rules are posted in the NC Register, a 60 day public comment period begins. The Agency is required to hold a public hearing no earlier than 15 days after posting the rules. Comments from the hearing will be transcribed and given to the NC Board of Elections along with any written comments received. Once the 60 day period is complete, the Board may take the comments into account and amend the proposed rules before voting to submit them to the Rules Review Commission.

An agency may not adopt a rule that differs substantially from the proposed form published as part of the public notice until the adopted version has been published in the North Carolina Register for an additional 60 day comment period.

When final action is taken, the adopting agency must file the rule with the Rules Review Commission (RRC) within 30 days of the adoption. After approval by RRC, the adopted rule becomes effective on the first day of the month following the month the rule is approved by the Commission, unless the Commission receives 10 or more written objections to the rule. If the Commission receives objections from 10 or more persons clearly requesting review by the legislature, the rule is sent to the General Assembly. The meeting of the RRC following the closing of the May 31, 2022 public comment period is scheduled for June 19, 2022.


LEGAL INFORMATION

NC General Statutes: Chapter 163
searchable link: https://www.ncleg.gov/Laws/

NC Administrative Code

NCSBE Voting System Certification Program

§ 163-165.7. Voting systems: powers and duties of State Board.
(a) “... Among other requirements as set by the State Board of Elections, the certification requirements shall require at least all of the following elements:”

(6) With respect to all voting systems using electronic means, that the vendor provide access to all of any information required to be placed in escrow by a vendor pursuant to G.S. 163-165.9A for review and examination by the State Board of Elections; the Department of Information Technology; the State chairs of each political party recognized under G.S. 163-96; the purchasing county; and designees as provided in subdivision (9) of subsection (f) of this section.

(f) Subject to the provisions of this Chapter, the State Board of Elections shall prescribe rules for the adoption, handling, operation, and honest use of certified voting systems, including all of the following:

(9) Notwithstanding G.S. 132-1.2, procedures for the review and examination of any information placed in escrow by a vendor pursuant to G.S. 163-165.9A by only the following persons: 

    c. The State chairs of each political party recognized under G.S. 163-96.

“Each person listed in sub-subdivisions a. through d. of this subdivision may designate up to three persons as that person's agents to review and examine the information… For purposes of this review and examination, any designees under this subdivision and the State party chairs shall be treated as public officials under G.S. 132-2.”

§ 163-165.9A. Voting systems: requirements for voting systems vendors; penalties.

(a) Duties of Vendor. - Every vendor that has a contract to provide a voting system in North Carolina shall do all of the following:

(1) The vendor shall place in escrow with an independent escrow agent approved by the State Board of Elections all software that is relevant to functionality, setup, configuration, and operation of the voting system, including, but not limited to, a complete copy of the source and executable code, build scripts, object libraries, application program interfaces, and complete documentation of all aspects of the system including, but not limited to, compiling instructions, design documentation, technical documentation, user documentation, hardware and software specifications, drawings, records, and data… those items shall be subject to the provisions of this section. The documentation shall include a list of programmers responsible for creating the software and a sworn affidavit that the source code includes all relevant program statements in low-level and high-level languages.

(c) Definitions. - For the purposes of this section, the term "voting system" shall include an electronic poll book or a ballot duplication system. (2005-323, s. 2(a); 2017-6, s. 3; 2018-13, s. 3.7(b); 2018-146, s. 3.1(a), (b).)