[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]


 
         CERTIFICATION AND TESTING OF ELECTRONIC VOTING SYSTEMS 

=======================================================================

                                HEARING

                               before the

                  SUBCOMMITTEE ON INFORMATION POLICY,
                     CENSUS, AND NATIONAL ARCHIVES

                                 of the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 7, 2007

                               __________

                           Serial No. 110-13

                               __________

Printed for the use of the Committee on Oversight and Government Reform


  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html
                     http://www.oversight.house.gov
                                 ----------
                       U.S. GOVERNMENT PRINTING OFFICE 

36-750 PDF                     WASHINGTON : 2007 

For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
Washington, DC 20402-0001 





































             COMMITTEE ON OVERSISGHT AND GOVERNMENT REFORM

                 HENRY A. WAXMAN, California, Chairman
TOM LANTOS, California               TOM DAVIS, Virginia
EDOLPHUS TOWNS, New York             DAN BURTON, Indiana
PAUL E. KANJORSKI, Pennsylvania      CHRISTOPHER SHAYS, Connecticut
CAROLYN B. MALONEY, New York         JOHN M. McHUGH, New York
ELIJAH E. CUMMINGS, Maryland         JOHN L. MICA, Florida
DENNIS J. KUCINICH, Ohio             MARK E. SOUDER, Indiana
DANNY K. DAVIS, Illinois             TODD RUSSELL PLATTS, Pennsylvania
JOHN F. TIERNEY, Massachusetts       CHRIS CANNON, Utah
WM. LACY CLAY, Missouri              JOHN J. DUNCAN, Jr., Tennessee
DIANE E. WATSON, California          MICHAEL R. TURNER, Ohio
STEPHEN F. LYNCH, Massachusetts      DARRELL E. ISSA, California
BRIAN HIGGINS, New York              KENNY MARCHANT, Texas
JOHN A. YARMUTH, Kentucky            LYNN A. WESTMORELAND, Georgia
BRUCE L. BRALEY, Iowa                PATRICK T. McHENRY, North Carolina
ELEANOR HOLMES NORTON, District of   VIRGINIA FOXX, North Carolina
    Columbia                         BRIAN P. BILBRAY, California
BETTY McCOLLUM, Minnesota            BILL SALI, Idaho
JIM COOPER, Tennessee                ------ ------
CHRIS VAN HOLLEN, Maryland
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
JOHN P. SARBANES, Maryland
PETER WELCH, Vermont

                     Phil Schiliro, Chief of Staff
                      Phil Barnett, Staff Director
                       Earley Green, Chief Clerk
                  David Marin, Minority Staff Director

   Subcommittee on Information Policy, Census, and National Archives

                   WM. LACY CLAY, Missouri, Chairman
PAUL E. KANJORSKI, Pennsylvania      MICHAEL R. TURNER, Ohio
CAROLYN B. MALONEY, New York         CHRIS CANNON, Utah
JOHN A. YARMUTH, Kentucky            BILL SALI, Idaho
PAUL W. HODES, New Hampshire
                      Tony Haywood, Staff Director



























                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on May 7, 2007......................................     1
Statement of:
    Davidson, Donetta L., chairman, U.S. Election Assistance 
      Commission; and Mark W. Skall, chief, Software Diagnostics 
      and Conformance Testing Division, National Institute on 
      Standards and Technology...................................    17
        Davidson, Donetta L......................................    17
        Skall, Mark W............................................    34
    Kellner, Douglas A., co-chair, New York State Board of 
      Education; Dr. David Wagner, associate professor, Computer 
      Science Division, University of California, Berkeley; 
      Lawrence Norden, Brennan Center for Justice, New York 
      University School of Law; John Washburn, VOTETRUSTUSA 
      Voting Technology Task Force; and Mac J. Slingerlend, 
      president and CEO, CIBER, Inc., accompanied by John Pope, 
      vice president for contracts...............................    54
        Kellner, Douglas A.......................................    54
        Norden, Lawrence.........................................    78
        Slingerlend, Mac J.......................................   105
        Wagner, Dr. David........................................    64
        Washburn, John...........................................    93
Letters, statements, etc., submitted for the record by:
    Clay, Hon. Wm. Lacy, a Representative in Congress from the 
      State of Missouri, prepared statement of...................     3
    Davidson, Donetta L., chairman, U.S. Election Assistance 
      Commission, prepared statement of..........................    19
    Kellner, Douglas A., co-chair, New York State Board of 
      Education, prepared statement of...........................    57
    Maloney, Hon. Carolyn B., a Representative in Congress from 
      the State of New York:
    Information concerning CIBER.................................   110
    Prepared statement of........................................    15
    Norden, Lawrence, Brennan Center for Justice, New York 
      University School of Law, prepared statement of............    80
    Skall, Mark W., chief, Software Diagnostics and Conformance 
      Testing Division, National Institute on Standards and 
      Technology, prepared statement of..........................    36
    Slingerlend, Mac J., president and CEO, CIBER, Inc., 
      information concerning CIBER...............................   118
    Wagner, Dr. David, associate professor, Computer Science 
      Division, University of California, Berkeley, prepared 
      statement of...............................................    66
    Washburn, John, VOTETRUSTUSA Voting Technology Task Force, 
      prepared statement of......................................    96


         CERTIFICATION AND TESTING OF ELECTRONIC VOTING SYSTEMS

                              ----------                              


                          MONDAY, MAY 7, 2007

                  House of Representatives,
   Subcommittee on Information Policy, Census, and 
                                 National Archives,
              Committee on Oversight and Government Reform,
                                                      New York, NY.
    The subcommittee met, pursuant to notice, at 9:30 a.m., in 
City Council Chambers, New York City Hall, 131 Duane Street, 
New York, NY, Hon. Wm. Lacy Clay (chairman of the subcommittee) 
presiding.
    Present: Representatives Clay and Maloney.
    Staff present: Tony Haywood, staff director/counsel; Adam 
C. Bordes, professional staff member; and Nidia Salazar, staff 
assistant.
    Mr. Clay. The Subcommittee on Information Policy, Census, 
and National Archives of the House Committee on Oversight and 
Government Reform will now come to order.
    Today's hearing will examine issues relating to the 
certification and testing of electronic voting systems under 
the Help America Vote Act of 2002.
    Without objection, the Chair and other Members present will 
have 5 minutes to make opening statements, and without 
objection, Members and witnesses may have 5 legislative days to 
submit a written statement, or extraneous material for the 
record.
    Let me say, first of all, that it is a pleasure to be here 
in the Big Apple to discuss a topic of tremendous importance to 
New Yorkers and the Nation as a whole; the need for effective 
and transparent certifications and testing of electronic voting 
systems. I want to thank my distinguished friend and colleague, 
Congresswoman Carolyn Maloney, for inviting us to New York and 
I want to thank City Council Speaker Christine Quinn for making 
the City Council Chambers available to us. This is a wonderful 
venue for a hearing.
    And this is the subcommittee's second hearing on electronic 
voting systems. During an April 18th hearing in Washington, the 
subcommittee heard testimony concerning widespread 
vulnerabilities in modern electronic voting systems. Those 
weaknesses are a major concern for Congress, State, and local 
entities, that administer the electoral process, and all 
Americans who value their stake in our democracy. Passed on 
response to reports of serious voting irregularities during the 
November 2000 Presidential election, HAVA established the first 
set of uniform minimum standards and requirements for the 
administration of Federal elections.
    The law authorized $3.86 billion in funding. The bulk of 
this funding was provided to enable States to replace punch 
card or mechanical voting equipment, improve their election 
administration capabilities, meet new election requirements and 
improve access for disabled voters.
    Beginning in fiscal year 2003, many States used HAVA funds 
to procure new electronic voting systems. In 2005, the EAC 
approved new voting system standards, the 2005 voluntary voter 
system guideline for States to use as a reference, when 
procuring new machines under HAVA.
    Unfortunately, numerous States have reported problems with 
new voting systems, as well as difficulty ensuring that their 
systems comply with the evolving HAVA standards.
    Voting system problems include software vulnerabilities 
that impair security or reliability, and the inability to 
confirm voter intent in the case of systems that lack an 
independent audit component, such as a verifiable paper trail.
    A change in requirements have left some States out of 
compliance with HAVA standards because their systems were 
designed and procured before current standards took effect.
    In addition, there have been serious problems relating to 
the EAC's accreditation and oversight labs that test and 
certify voting systems for compliance with HAVA.
    In January, for example, the New York State Board of 
Elections suspended CIBER, Inc., a lab that has reportedly 
tested 70 percent of the Nation's voting systems, due to 
ineffective internal controls and CIBER certification 
practices, and lack of transparency in their testing process.
    CIBER also has failed to win accreditation by the EAC. New 
York has decided to postpone the procurement of new voting 
systems until there is a more dependent and transparent 
certification program to identify system vulnerabilities and 
ensure HAVA compliance before systems are marketed to States.
    We rely upon our voting systems to record each and every 
vote accurately. Uniform testing standards and vigorous 
oversight of the certification process for voting systems are 
necessary to ensure that these systems operate reliability and 
securely, and without this we risk eroding the public 
confidence that is necessary for active voter participation and 
a healthy democracy.
    We have invited today's witnesses here to shed light on the 
factors that have impeded the ernest efforts of States like New 
York, to improve accuracy, reliability and security in their 
voting systems, while complying with HAVA requirements.
    I want to thank all of our witnesses for appearing before 
the subcommittee today, particularly those who traveled long 
distances and adjusted their busy schedule to be with us. I 
welcome all of you and look forward to an informative and frank 
discussion of these important issues, and now I would turn to 
my colleague and dear friend, Mrs. Carolyn Maloney. Thank you.
    [The prepared statement of Hon. Wm. Lacy Clay follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mrs. Maloney. Thank you so much, Lacy Clay, for your 
leadership on this and so many other important issues before 
Congress and for traveling all the way, to be here, in New York 
City on this very important issue. Truly nothing is more 
important to our democracy than the accuracy, the reliability, 
the trust that our people have in our voting systems, and the 
fact that they are reliable and dependable and transparent.
    I do want to say that Rush Holt had hoped to be with us, 
but was not able to. He brings his greetings. He says we will 
be marking up his bill that he has worked 8 years on, Intro 
811, tomorrow, in Congress, it will be moving forward with 
tremendous and important funding, $1 billion for new voting 
machines, $100 million for auditing and making sure that the 
voting machines work, and also calls for an independent audit, 
a paper trail. It's very important legislation. I support it.
    I know that Lacy and I have some ideas to make it even 
better. But it is a compromise. I'm thrilled that it's moving 
forward and I thank all of our attendees today.
    It shows that you care about our democracy, and most 
importantly, I thank all of our witnesses for coming and for 
the hard work that they're doing on this subject.
    And I really especially appreciate all the hard work done 
by Mr. Clay and his staff on an issue that is very important to 
me, and I would say to every American, the accuracy and 
security of the Nation's voting systems.
    In recent years, considerable concern has been expressed 
about the security and reliability of the electronic voting 
systems. Reports from governmental agencies, testimony before 
Congress, and academic studies, have indicated serious 
vulnerabilities that call for immediate attention.
    I must add that it is one of the issues that people 
literally walk up to me on the street, at events, at meetings. 
They come up and express their concern over voting machines. 
This is a critical issue to my constituents and I would say to 
every American across this country.
    Penetration testing done by independent computer security 
experts has demonstrated that election results can be altered 
in a manner that cannot be detected by normal election security 
procedures. Independent reviews commissioned by State election 
officials have revealed serious security vulnerabilities in the 
software, architecture of voting systems now in use.
    Typically, when concerns about the security and reliability 
of voting systems are raised, supporters argue that these 
systems have been tested to Federal standards. However, at a 
recent hearing of this subcommittee, the Government 
Accountability Office reported, ``The test performed by 
independent testing authorities, and State and local election 
officials, do not adequately assess electronic voting systems 
security and reliability. These concerns are intensified by a 
lack of transparency in the testing system.''
    The GAO, which is an independent bipartisan governmental 
agency, noted weak and insufficient system testing, source code 
reviews and penetration testing. They pointed out that most of 
the systems that exhibited the weak security controls had been 
nationally certified after testing by an independent testing 
authority.
    Now that is scary. They're saying you cannot trust them and 
they've been certified. Last summer, the EAC undertook a review 
of the laboratories that had been testing under the NASED 
program. The assessment review of one of these labs, CIBER 
concluded, ``CIBER has not shown the resources to provide a 
reliable product.'' The report also noted, ``CIBER reports 
provide limited or no descriptions of the testing performed, so 
a reader or reviewer can tell if all the testing was 
completed.''
    This is very serious. This is one of the things that we 
want to accomplish this hearing, is how we can rectify this.
    Here, in New York, an independent review--and I want to 
applaud the elections board of New York, they went out and got 
an independent review, many States did not, but New York State 
is so concerned about this issue; they got an independent 
reviewer of CIBER's test plans and these revealed that they did 
not document the methodologies, procedures, and processes 
necessary to ensure that all testing is done in a structured 
and repeatable way.
    It is estimated that CIBER has tested the software in more 
than 70 percent of the voting machines used last November. So 
what the GAO and the independent review in New York is telling 
us is that 70 percent of those voting machines that are out 
there being used, really have not been tested adequately and 
have not been certified adequately, and may have serious flaws. 
Estimated, because there is no way to know for sure which lab 
tested which system, and apparently there's also no way of 
knowing, for sure, if any testing was done at all. Trusting the 
word of the ITA or testing labs, election officials across the 
country use taxpayer money to purchase equipment, believing 
that this equipment was in conformance with Federal standards.
    Apparently, we have no way of knowing whether the equipment 
actually does meet Federal standards. CIBER hides behind a 
cloak of confidentiality, and personally, I believe that in 
something as important as the reliability of our voting 
machines, there should be no confidentiality; it should be 
transparent and open to the election officials, and I would say 
the public.
    Because test methods are considered proprietary, the public 
and election officials cannot verify that procedures were done 
properly. When a system fails a test, there is no public 
announcement. Why in the world aren't they telling people, if 
certain systems are failing these tests? We have a right to 
know this.
    Many States went out and bought these machines, thinking 
they were reliable. If they had known that they had failed 
tests, or hadn't even been certified, they would never have 
bought them.
    Further, if the system subsequently passes, there is no way 
to identify what changes the manufacturer made, if any, to 
enable the system to pass. Considering that CIBER certified 70 
percent of the machines that were used last November, we have a 
real dilemma. Do we keep using machines that were certified by 
these testing labs that did not meet the standards for 
accreditation, or do we have to start all over and recertify? 
That is a basic question before this committee today.
    I am very pleased that CIBER will be here today to respond 
to our concerns. The National Testing and Certification Program 
has been vital to the sales and acceptance of voting machines 
in most States. Experience is often the best test and a great 
deal of jurisdictions are finding problems with the machines 
that the testing labs seem to have missed.
    Several States have moved forward quickly to buy touch 
screen voting machines, and they are realizing that the 
machines they bought do not work very well.
    New Mexico, the State of New Mexico decided to switch to 
optical scan style voting, statewide. In 2006, including in 
four counties it spent nearly $4 million for touch screen 
machines. Last month, Maryland switched to optical scan. They 
even took the extraordinary step of having paper ballot votes 
because they didn't trust the machines.
    This month, Florida followed suit, and incidentally, there 
will be hearings in Washington on the contested ``Florida 15'' 
because of the missing votes. New York is looking pretty smart 
these days. We were criticized for not going out there and 
buying those machines. There were court suits against us. But I 
think New York looks pretty smart, because New York focused on 
standards and refused to jump quickly into untested technology. 
Our elected officials may have saved taxpayers a great deal of 
money. We didn't buy machines that we have to change, and the 
New York delegation, led by Congressman Serrano, is working 
very hard to restore the $50 million that was taken away from 
New York State.
    It was part of a bill that was moving forward, that has 
been vetoed; but we believe we will be successful in restoring 
that money.
    We need meaningful testing to make sure equipment meets the 
2005 standards. This hearing provides an opportunity to examine 
the current state of voting systems testing and certification 
in this great Nation. It can also serve as a step toward a more 
transparent and trustworthy process in the future. Unless we 
improve our certification process, we are in danger of losing 
the confidence of American voters.
    And I want to really thank the advocates and citizens that 
turned out today, and many of your constant questions, e-mails, 
phone calls to me, are one of the reasons that I have reached 
out to the chairman of the appropriate committee to hold these 
hearings, and he has done a magnificent job and I am sure he 
will not stop until he is satisfied, that we have safe, 
reliable, transparent voting machines. So I thank everyone, 
especially the chairman.
    [The prepared statement of Hon. Carolyn B. Maloney 
follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Mr. Clay. Thank you so much, Representative Maloney. Let me 
also say that I represent Missouri, which is known as the 
``Show Me State,'' and Representative Maloney has certainly 
laid the marker down for what the intent is of this hearing and 
future hearings on the transparency. So it is time that the 
people that produce election machines, those who monitor, those 
who have the authority over it, show the people of this country 
that it is transparent, show them that their votes will be 
counted accurately.
    And let me say that on our first panel, we will hear from 
the Honorable Donetta Davidson, Chair of the U.S. Election 
Assistance Commission and Mr. Mark W. Skall, chief of the 
Software Diagnostics and Conformance Testing Division within 
the Information Technology Laboratory of the National Institute 
on Standards and Technology.
    And we also have our newest commissioner of the Election 
Assistance Commission, Rosemary Rodriguez. Thank you for being 
here, Ms. Rodriguez. Let me thank all of you for being here 
today before the subcommittee and it is the policy of the 
Committee on Oversight and Government Reform to swear in all 
witnesses before they testify.
    I would like to ask you both to stand and raise your right 
hands.
    [Witnesses sworn.]
    Mr. Clay. Thank you. You may be seated. Let the record 
reflect that the witnesses answered in the affirmative and I 
will ask you both to give a brief summary of your testimony and 
to keep the summary under 5 minutes in duration, and those 
lights in front of you will indicate when you get down to 1 
minute, and then when it turns red, that means your 5 minutes 
is up.
    You complete written statement will be included in the 
hearing record.
    Ms. Davidson, we will begin with you. Please proceed.

  STATEMENTS OF DONETTA L. DAVIDSON, CHAIRMAN, U.S. ELECTION 
   ASSISTANCE COMMISSION; AND MARK W. SKALL, CHIEF, SOFTWARE 
    DIAGNOSTICS AND CONFORMANCE TESTING DIVISION, NATIONAL 
             INSTITUTE ON STANDARDS AND TECHNOLOGY

                STATEMENT OF DONETTA L. DAVIDSON

    Ms. Davidson. Thank you very much, Mr. Chairman. We are 
here to discuss the reliability of voting systems. With the 
committee's permission, I think it's important to talk, just 
for a moment, about how equipment has been tested in the past. 
The National Association of Election Directors [NASED], tested 
voting equipment against the guidelines created by the Federal 
Election Commission. They did this on a volunteer process and 
without any Federal funding.
    The Federal Government, at that time, at 2002 standards by, 
and up to just recently, they did not certify, the Federal 
Government did not certify voting equipment.
    It wasn't until the Help America Vote Act, that even--we 
also know it was HAVA--that put this into place, where we could 
test equipment, and I would like to go further into that with 
questions because my statement won't allow time, but we'll go 
further into it.
    HAVA requires EAC to create voting system guidelines and it 
also accredited the labs which will test voting systems.
    The commission voluntary adopted voting system guidelines 
in December 2005. Our certification program got underway to 
test voting equipment this year. And let me be absolutely 
clear. We did not grandfather any vendors or test labs into the 
process.
    The National Institute of Standards and Technology is EAC's 
valuable partner in both of these areas. NIST evaluates the 
test labs and provides recommendations to the EAC.
    After review, NIST recommends, and we conduct additional 
reviews when the commission makes final decision, before we 
make the final decision. As of today, we have two accredited 
labs. There is nine manufacturers or vendors that have 
registered for our program. Five systems have been submitted 
for certification. Information about these labs and the 
manufacturers are on our Web site at www.eac.gov. EAC will hold 
the vendors and the labs to do their job and make sure they 
take responsibility.
    We do have ability to decertify in both cases. We have set 
up a quality monitoring program and we will work hard with the 
States to investigate on reports and the voting systems 
irregularities and share this information with election 
officials and the public.
    So what does the future hold for voting systems? We are 
working with NIST on the next iteration of guidelines and we 
expect to receive this a little later this year.
    Just like 2005 guidelines, the version will further 
increase security requirements. However, no matter how thorough 
we test voting machinery, people ultimately ensure the voting 
equipment is reliable. People remove the ballots from the 
ballot boxes. People unlock the optical scan machines and 
remove the ballots. And people program all voting equipment.
    To successfully compromise a voting system, any voting 
system on election day, you must have two things--knowledge of 
that system and access to that system.
    Focusing on the security of voting machines in a laboratory 
is not enough. No voting system, ballot box, touch screen or 
optical scan, should be trusted unless officials store them in 
secure locations, prevent tampering, conduct logic and accuracy 
testing as well as all other testing, have well-trained 
workers, in other words, your poll workers, audit the result, 
and let the public observe the process.
    I have spent most of my career in elections, and some 
things never change. Detail matter, whether we are using paper 
ballots, we use touch screen, or we use the DRE, the direct 
record. It is important to remember that the voting equipment 
must work properly as well as to have procedures and make sure 
that the people are well-trained to control the access and 
maintain the equipment properly.
    Thank you. I look forward to your questions.
    [The prepared statement of Ms. Davidson follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Clay. Thank you so much, Ms. Davidson, for your 
testimony.
    Mr. Skall, you may proceed.

                   STATEMENT OF MARK W. SKALL

    Mr. Skall. Thank you. Chairman Clay and members of the 
subcommittee, thank you for the opportunity to testify today. I 
am Mark W. Skall, chief of the Software Diagnostics and 
Conformance Testing Division of NIST, part of the Technology 
Administration of the Department of Commerce. I will discuss 
NIST's role in voluntary voting systems, guidelines and 
testing.
    Some of the major items assigned to NIST by HAVA included 
sharing and providing technical support to the Technical 
Guidelines Development Committee [TGDC], in order to develop 
voluntary voting system guidelines and conducting an evaluation 
of independent non-Federal laboratories, in order to submit to 
the EAC a list of those laboratories that NIST proposes to be 
accredited by the EAC to test voting systems.
    These voluntary voting system guidelines [VVSG], contain 
requirements for vendors when developing voting systems, and 
for laboratories when testing whether the systems meet the 
requirements of the guidelines.
    The TDGC provides technical direction to NIST in the form 
of TDGC resolutions and reviews, and approves research material 
written by NIST researchers. The TDGC ultimately is responsible 
for approving the guidelines and submitting them to the EAC.
    HAVA provided for the creation of the TDGC and mandated 
that the first set of recommendations for voluntary voting 
system guidelines be delivered to the EAC 9 months after the 
final creation of the TDGC.
    To meet this very aggressive schedule, NIST and the TDGC 
conducted workshops, meeting, and numerous teleconferences to 
gather input, pass resolutions and review and approve NIST-
authored material.
    This was done in a fully transparent process, with meetings 
conducted in public and draft materials available over the Web.
    These guidelines built upon the strengths of the previous 
voting system standards, enhanced areas needing improvement, 
and included new material, primarily in usability, 
accessibility and security.
    The resultant document, now known as the VVSG 2005, was 
delivered on schedule to the EAC in May 2005.
    Immediately after completing its work on the VVSG 2005, 
NIST and the TDGC began working on the next iteration of the 
VVSG which is currently planned for delivery to the EAC in July 
2007.
    The new VVSG will be a larger, more comprehensive standard, 
with much more thorough treatment of security areas and 
requirements for equipment reliability. This VVSG will include 
updated requirements for accessibility and requirements for 
usability based on performance benchmarks. It prohibits radio 
frequency wireless communications, which includes the use of 
common wireless local area networks.
    In December 2006, the TDGC approved a resolution to include 
requirements in the VVSG only for those voting systems that are 
software independent. This essentially means that the voting 
system can be audited through the use of voter-verified paper 
records, so that election fraud and errors that would result in 
changes to election outcomes can be reliably detected.
    To encourage innovations in voting systems that could 
produce more usable, accessible and reliable designs, the new 
VVSG will include an innovation class. Some innovations 
resulting from this class could result in secure voting systems 
that do not rely on voter-verified paper records.
    NIST is also developing open, comprehensive test suites, so 
that the requirements in the draft VVSG can be tested uniformly 
and consistently by all of the testing labs.
    NIST has been directed to recommend qualified testing 
laboratories to the EAC for accreditation. In order to 
accomplish this, NIST is utilizing its National Voluntary 
Laboratory Accreditation Program [NVLAP]. Simply stated, NVLAP 
offers an unbiased third party evaluation and formal 
recognition that a laboratory is competent to carry out 
specific tests or calibrations.
    NIST first accredits voting system testing laboratories 
according to NVLAP's criteria and then recommends them to the 
EAC.
    In January 2007, NIST proposed that high Beta Quality 
Assurance and SysTest Labs be accredited by the EAC under the 
provisions of HAVA. Currently, NVLAP is proceeding with the 
evaluation of five other laboratory applicants.
    In conclusion, NIST is pleased to be working on this matter 
of national importance with our EAC and TDGC partners. Thank 
you for the opportunity to testify. I would be happy to answer 
any questions the subcommittee might have.
    [The prepared statement of Mr. Skall follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Clay. Thank you so much, Mr. Skall.
    We will now proceed to the questioning period under the 5-
minute rule, and I will start with Ms. Davidson.
    Ms. Davidson, I am aware of your background in the area of 
systems certification, through your work as Secretary of State 
in Colorado, and through the National Association of State 
Election Directors.
    With this expertise, I am hopeful that you can offer some 
explanation and potential solutions. What activities have the 
Technical Guidelines Development Committee of the EAC, in 
concert with NIST, and the vendor community, undertaken to 
bring uniformity to the accreditation process of certification 
labs?
    Where is the EAC in determining whether to reinstate the 
labs that lost their interim accreditation in 2006?
    Ms. Davidson. Currently, Mr. Chair, we have set up a 
temporary process to get us through the last year's election, 
to make sure that we were able to test just software, not 
systems, because of State laws changing, or maybe a piece of 
equipment failed and needed some software change, and the other 
issue is a name of a ballot came off, or the court case. So 
State law, that type of thing, would cause that. We had three 
that was tested, only three minor changes. In that process, we 
said that underneath what the--and we did this at a public 
meeting in August 2005, where our Standards Board and our 
Advisory Boards were there, and we went through the process of 
saying this is what we will do if we cannot get laboratories 
that have been recommended by NIST/NVLAP process.
    Because of their thorough process, we were told that it was 
going to take over a year to get them through the process. It 
is a very thorough process, to get it really worked through. So 
in January, we allowed the three labs that NSLAP had actually 
accredited as independent test labs, and we allowed them to 
qualify, you know, to actually register to go through the steps 
and the procedures.
    In that, two labs were named, in October, and they 
testified in a public meeting that we had. So there was a 
public meeting with the two labs that had met that criteria, it 
was SysTest and it was Wyle.
    At that time, CIBER had applied, they also applied, but 
they had not met all of the requirements that we felt they 
should. We went through the same process that was set up by 
NVLAP with NIST, and really tried to make sure that the labs 
would meet the needs that we needed. And this was only to 2002 
requirements, not to 2005.
    We weren't checking voting systems, only the software in 
that time. So we are still in the process with CIBER. If they 
meet that, you know, that interim process. But at this time, if 
they do not meet that, and we expect to have that, you know, 
information before too long, then they'll continue going 
through the NVLAP process and trying to meet their letter from 
Dr. Jeffries to us from the NIST Foundation, to come to us and 
recommend that they would be accredited. They are one of the 
five labs that have registered, that has not gone through the 
full process with NVLAP at this time.
    Does that answer your question thoroughly enough?
    Mr. Clay. Well, wait a minute now. Are you comfortable with 
the other two labs that have gained certification? Are you 
confident that they are doing what is necessary to check these 
systems throughout the country?
    Ms. Davidson. The two labs that have the accreditation, now 
the full accreditation, because we received a letter in January 
from NIST, recommending that we accreditate SysTest, which was 
one of those labs, and the other one is iBeta, and those labs 
have gone through the whole process, through NIST, and with 
that process I think Congress was very wise in putting NIST in 
control of that, because they go through that process with all 
different kinds of labs. They are really very qualified to do 
that.
    So in moving forward, yes, I feel that our labs will be 
able to test to the standards that have been developed, and 
they currently--because we did not grandfather anything in--
they can test to 2002 or 2005.
    The equipment that is out there right now have the 
recommendation from the NASED association, which was a 
volunteer association, no Federal money. So the two labs that 
are there now, yes, I feel that they definitely can.
    And one of the things that we do is any time we set new 
standards, NVLAP will go back out to make sure that they meet 
that, and in our requirements, we also put that we can go into 
the labs at any time and verify the process they are using, to 
make sure that they are doing the job correctly.
    Mr. Clay. Thank you for such a thorough answer. Let me ask 
one more and then I will turn it over to Representative 
Maloney.
    What is the commission doing about the system flaws that 
were reported during the 2006 election cycle? In particular, 
what will it do with reports of significant flaws or failures 
in systems certified under NASED for 2007 and 2008 election 
cycle? Will the commission decertify NASED systems, if 
warranted?
    Ms. Davidson. In our process, they have to go through our 
process for us to be able to decertify. But one of the things 
that we are doing is if there is something that has come in for 
certification, as we said, we have five different systems that 
is in now, if that is one of them that had issues, we have sent 
that manufacturer a letter, asking them if they are addressing 
that in the new process that they have gone through with the 
test labs.
    So that the laboratories will be aware of it, and any time 
we get anything from the States, if the system is going through 
it we make the laboratories aware of what the issues are.
    So we are definitely making sure that if they are going 
through our process, we feel that we have authority at that 
time.
    Mr. Clay. So you all actually report to the certification 
board, to NIST, if there are flaws or problems, and they are 
brought to your attention?
    Ms. Davidson. We will certify to the laboratories themself, 
if we are aware of any problem, so that they can check, too, 
what the problems--whether it is a State or whether it is an 
issue that has been, you know, really gone through a process 
some other way, we will definitely notify the labs of the 
issues.
    Mr. Clay. Thank you for that response.
    Representative Maloney, please proceed.
    Mrs. Maloney. Thank you.
    I would like to start with Mr. Skall, and if you would like 
to also answer, Ms. Davidson, and thank you very much. for 
being here, for all your hard work, both of you.
    Considering that CIBER certified 70 percent of the machines 
in use last November, and that now they have been suspended for 
inadequate certification and testing, we have a huge challenge 
in front of us. Do we keep using machines that were certified 
by the ITA, or testing labs that did not meet the standards for 
accreditation? Or do we have to start over and recertify? What 
are we going to do with those 70 percent that--Mr. Skall?
    Mr. Skall. Thank you. Now of course at NIST, we are a 
technical agency and don't make policy decisions like that. I 
guess we are very lucky not to be in that situation. But I will 
give you my perspective from a technical analysis.
    Mrs. Maloney. Yes.
    Mr. Skall. Making sure that voting systems work correctly 
is a very complex process. It starts with a standard. You can 
only test for the most part. You can do some testing outside of 
the standard. You could look through the source code and find 
security glitches.
    But the vast array of detailed testing is what we call 
functional testing, and it starts with having a comprehensive 
well-specified standard. So in my opinion, until you actually 
have really precise, detailed standards in place, which have 
tremendously precise and accurate requirements for security and 
accessibility, it is very difficult to get systems tested 
thoroughly. So the first step is to have the standards in 
place.
    Mrs. Maloney. Do we have those standards in place now?
    Mr. Skall. We have one standard in place, the 2005 
standard. We are about to deliver to the EAC the much more 
comprehensive standard. We are planning to deliver that to the 
EAC in July 2007.
    Mrs. Maloney. So you are going to come out with it. See, 
what happens, though--and I just have to jump ahead--you keep 
improving the standards, and then, if the States go out and buy 
these machines, then they have to totally change them to the 
new standard. So that is a problem for States, and so could you 
address that.
    Mr. Skall. Yes; absolutely.
    HAVA mandated that we produce the first set of voluntary 
voting system guidelines in 9 months. By definition, that meant 
we can only do an incremental update to the existing standards.
    We knew, right away, that we needed a more comprehensive 
standard. The one in 2007 is the comprehensive standard. I 
don't have any plans, and I do not believe the EAC does, to 
change that standard for a long, long time. This will be the 
standard in place for many, many years.
    It won't be a moving target. It is the one that is going to 
have all the requirements that we and the TDGC felt were 
necessary.
    Mrs. Maloney. And that will be in place. And where 
specifically does it change from the 2005 standard?
    Mr. Skall. Oh, it is much more comprehensive in the areas 
of security, access, control, cryptographic requirements, what 
I mentioned before, software independence, which allows for the 
voter to verify his or her vote. This concept of an innovation 
class, which is going to allow, hopefully in the future, for 
automated solutions to voter verification, much more detailed 
requirements in usability for performance benchmarks, to allow 
much more innovative designs to meet the performance 
benchmarks, reliability, accuracy, tremendously--much more 
comprehensive.
    Mrs. Maloney. Sounds great. But based on your statement, 
then, we haven't really scientifically certified these 70 
percent of machines that are being used.
    So I guess the question goes to the policymaker. Ms. 
Davidson, are we going to keep using machines that were 
certified by the ITA, that did not meet the standards for 
accreditation, or do we have to start all over?
    Ms. Davidson. We felt like we had to start over.
    Mrs. Maloney. So you're starting all over to recertify 
them.
    Ms. Davidson. In January, we asked all the vendors, they 
had letters to all of them, asking them to come back in and be 
retested, because as you have stated, most of the States are 
using equipment that is 2002, meets those guidelines and not 
the 2005, because of the deadline that was set in HAVA.
    So many of the States have purchased that equipment and we 
feel that it does need to be retested, and if they want our 
seal--it is a volunteer program--but if the States want the 
seal, where then we can go back and decertify if there is 
issues, we have asked for that equipment to come in.
    We have five that has already got their equipment in, we 
expect many more, we expect another lab, within just a short 
time, from NVLAP. They are also through. So we are moving 
forward. We feel it has to go through the process that we have 
set up.
    Mrs. Maloney. OK. Is there any reason--again I'll start 
with Mr. Skall--why the testing process and test reports should 
be done in secret? Why shouldn't the public be able to verify 
that testing was done properly?
    And we have some of these vendors saying everything we do 
has to be in secret. Well, how in the world do you certify that 
they're doing it properly? So my question is, is there any 
reason why the testing process and test reports should be done 
in secret?
    Mr. Skall. Again, let me give the technical answer to that. 
Right now, the problem, in my opinion, from a technical 
standpoint is there is no uniform set of tests with all the 
labs, publicly available uniform set of tests. Labs develop 
their own tests, they're proprietary, whether they should be 
proprietary or not I guess is a legal and policy question, but 
what we're doing at NIST is developing, starting in fiscal year 
2007, a comprehensive set of test suites that all the labs can 
use. They will be publicly available, there will be tremendous 
transparency, and once this test suite is done----
    Mrs. Maloney. OK. Let's go to another point. Why should the 
labs be doing the testing? That's like the fox in the chicken 
house. I mean, why should the manufacturers be doing this 
testing? They have been certifying--or it is changing now, 
money is going to go to EAC and then go to the labs----
    Mr. Skall. Yes. So you are getting into the question of 
whether, in fact, the vendor should pay the test labs to do 
testing. Again, it's--would you like to----
    Mrs. Maloney. So do you see any reason, once we come out 
with a uniform set of tests, that this testing should be done 
in secret? Is there any reason why----
    Mr. Skall. Oh, no, it should not be done in secret, and, in 
fact, there will not be initial proprietary test suites, 
because we will develop them, they will be in the public 
domain, they will be completely open for everyone to see.
    Mrs. Maloney. That is great news. That is great news. Ms. 
Davidson, would you like to respond?
    Ms. Davidson. The one thing I believe I would like to add 
is we do support, that Congress gives us authority to collect 
the money, and then whether it is by lot, or whatever the case 
may be, we set up a procedure and it is an open procedure. We 
have hearings on issues that we bring into procedures.
    So there would be a process set up where we would collect 
the money and then the lab would be selected for that 
manufacturer or vendor.
    So we see that would improve it, because it is a conflict, 
and there is a lot of the public that is very concerned about 
it as well as us.
    Mrs. Maloney. I ask the chairman, may I have an additional 
2 minutes to ask a question.
    Mr. Clay. Please proceed.
    Mrs. Maloney. OK. I would like to ask Commissioner 
Davidson, and Mr. Skall, if you would like to comment, in 
Section 202 of HAVA, Congress tasked the EAC with serving as a 
clearinghouse of information on the experiences of State and 
local governments in implementing the guidelines and in 
operating voter systems, in general.
    And when a security vulnerability or a system flaw is 
revealed, or when your assessor determined that the main 
testing lab is not testing adequately, why hasn't the EAC made 
every effort to share this information with election officials 
and the public, restoring the trust of the American voter 
should not be a public relations effort. The trust of the 
American public must be earned through transparency and 
accountability, and if you are--you're tasked to be a 
clearinghouse, but I have heard concerns that this type of 
information, when it comes in, does not get sent out to the 
election officials and to the public.
    Ms. Davidson. Currently, the EAC is reviewing how we can 
move forward, because, you know, when we get things from third 
parties, if it is not coming from the State, how do we make 
sure that it's reliable information and correct information? 
And that is one of the things we feel is a responsibility of 
the EAC, that is, make sure that it is correct.
    We thought about setting up a review panel. We have given 
consideration, you know, how do we, you know, actually walk 
through this process? Because it will happen in the future.
    Mrs. Maloney. But Commissioner, if a report comes in from a 
State election official, I mean, that is a pretty serious 
thing, and the question is why are you not sharing that with 
other State election officials? Maybe they would not have 
bought some of these faulty machines, if they knew some of the 
problems that were coming in from other States.
    We want to get good machines out there and a good system 
out there. So if information's coming into the clearinghouse, I 
would say it is true, you have to verify that it is true. But 
if it is coming in from a State election official, from a 
Secretary of State or whatever, this is a very serious piece of 
information and what I am being told is that you are not 
sharing it with other States, the election officials or the 
public.
    Ms. Davidson. We have taken the position, now that we have 
started certifying, yes, that type of information will be 
shared, and because I mean, we have just now----
    Mrs. Maloney. Now you will be sharing it. OK.
    Ms. Davidson. That is right. That is correct. If it comes 
from a Secretary of State, and if it comes from a county 
official, we feel like we have to, beyond the ground and see if 
that--what was the issue with that? Because many times, whether 
it was a poll worker, whether it was actually somebody that did 
the setup of the election--you know, we have to make sure 
whether it is a machine problem, what, but report whatever that 
issue might be.
    Mrs. Maloney. And last, Commissioner, was there any 
communication between the White House and the EAC concerning 
the release of the voter fraud, voter intimidation report, or 
any of the other reports that have been submitted to the EAC?
    Ms. Davidson. Because of everything that was brought up in 
that, and, you know, it is such a hotly contested issue, we 
have asked our Inspector General to do a full audit of our 
process and of those reports, and to give a report and we would 
be more than happy to give you that once that is done. We also 
will be changing----
    Mrs. Maloney. When do you expect that to be done?
    Ms. Davidson. You know, they haven't given us a timetable 
but I would say, hopefully, it's done within a month.
    Mrs. Maloney. Within a month. But the question, was there 
any communication between the White House and the EAC? That is 
a simple question.
    Ms. Davidson. Yes. Not that I know of, but, you know, I 
know that they have kind--they have put a gag order on us 
talking to anybody else within our own office. So for me to ask 
somebody, I--you know, they are going through all of our e-
mails, they are going through all the records, paper records, 
everything, to see if there was any communication with--whether 
it was a Congress Member or whether it was the White House.
    Mrs. Maloney. Do you know of any communication with DOG, 
the FEC or the RNC?
    Ms. Davidson. I am not aware of any.
    Mrs. Maloney. Thank you.
    Mr. Clay. Thank you, Representative.
    Mrs. Maloney. By the way, Mr. Skall, would you like to 
comment on the clearinghouse question of information? This is a 
concern that many State governments have brought to Mr. Clay 
and myself, that they want this information coming out from the 
clearinghouse, that they were tasked by HAVA.
    Could you comment on that aspect.
    Mr. Skall. You know, again, as sort of the technical arm of 
developing the standards and tests, it's just not an area we 
have much expertise in.
    Mrs. Maloney. All right. Thank you very much for your 
testimony and thank you for your work.
    Mr. Clay. Thank you.
    Mrs. Maloney. Both of you. Thank you.
    Mr. Clay. Mr. Skall, let me ask you, are there time limits 
for labs to address problems found during the pre-assessment, 
assessment or monitoring phases of accreditation? What steps 
does NIST take if these time limits are not met?
    Mr. Skall. No; there are no time limits. The way NVLAP 
works is the NVLAP accreditation very much depends on the 
readiness of the labs. Some labs are further along, some labs 
are not very far along, and it takes them a lot of time to do 
remedial type actions to get up to speed, and NVLAP will not 
issue an accreditation until we are 100 percent confident that 
the lab can perform its services.
    So in the procedures there is no time limit, that we ask 
the labs to move faster, because we want them to do it 
correctly.
    Mr. Clay. Thank you.
    Ms. Davidson, can you explain the rationale by the EAC to 
exempt off-the-shelf products from the VVSG guidelines for 
testing of certification purposes, since so much of the 
software and components used in voting systems are COTS 
products. Isn't there an effective way to evaluate these 
products?
    Ms. Davidson. You know, I think that the technical portion 
of your question Mr. Skall should answer. Really----
    Mr. Clay. I'll go back to him and let me hear what the 
rationale is from EAC.
    Ms. Davidson. All right. We actually are doing exactly what 
the standards are saying, the voluntary voting system 
standards, that we don't take a position because we feel that 
is an independent body, the Technical Guidelines Committee 
setting up what the guidelines should be in those arenas, and 
we have not taken a position on that ourselves as an EAC.
    Mr. Clay. OK. Mr. Skall, is there an effective way to 
evaluate these products?
    Mr. Skall. Yes. The COTS, commonly called COTS, commercial 
off-the-shelf systems, has had an exemption, a limited 
exemption throughout the history of voting standards. The 
reason for this exemption--and the exemption has to do--it is 
not a total exemption, they are tested, but some aspects of the 
source code are not tested mainly because we can't acquire 
them.
    Typically Microsoft, for instance, and other large 
commercial off-the-shelf vendors are not going to give their 
source code. That's a tremendous proprietary interest to them 
and they will not give out and make public their source code. 
So there are limitations in what we can acquire.
    We, in the VVSG 2007, are really tightening this loophole. 
We are looking much more closely at which types of systems get 
exemptions and we are limiting the type of exemptions. So we 
are going to test these systems as much as possible within the 
confines of the amount of source code we can get.
    Mr. Clay. Thank you for that. I would like to hear some of 
your thoughts on the new VVSG guidelines that are scheduled to 
go into effect at the end of this year.
    I think we all agree that a good certification process is 
meaningless, if the standards being used are incomplete.
    What is the status of development for the 2007 Voluntary 
Voting System Guidelines? And are there any major topics, 
originally planned for this edition, that will be deferred to a 
later version of the guidelines?
    Mr. Skall. Yes. Let me first say, I agree 100 percent. We 
look at the viability of software and hardware as sort of a 
three-legged stool. You have the standards, you have the tests, 
and then you have the implementation, in this case the voting 
system, and if one of those legs falls over, the whole system 
falls over.
    So you need a good standard, you need good tests, and then 
you need a good implementation based on that.
    The VVSG 2007, as I mentioned before, is very 
comprehensive. We are on schedule to complete it. There is 
nothing that I know of, that will not be in the VVSG 2007, that 
we want to be there. So it will be a complete standard. Now we 
may discover in the future, there are more minor things, and 
those can be added by probably maintenance to the standard.
    But there are no major areas or functionality I know of, 
that will be missing.
    Mr. Clay. Ms. Davidson, would you like to comment.
    Ms. Davidson. Yes, sir. I certainly would. I appreciate 
that. Once they are delivered, by law, to the EAC, we have to 
publish that in a public register, at least for 90 days. The 
last one, we got 6,500 comments that had to be vetted. From the 
time it was delivered to the EAC to the time that it was 
adopted, that was July, I believe, or it was delivered in May 
2000, it took until the middle of December to get that actually 
vetted, and we feel this process will take longer.
    We feel we need to have some open meetings. We are not sure 
what it is going to take the manufacturers in building this new 
equipment. This, as Mr. Skall has discussed, is very complex, 
and adds a lot of details to the voting equipment. It is the 
future of voting systems.
    How long will it take to develop that? Also we need to know 
from the State officials and county officials in a hearing, 
what kind of timeframe are we looking at, that you would be 
replacing equipment? And how long do we need to consider our 
2005, like you said, you can't constantly require States to 
purchase new equipment.
    We need to get information from them. This needs to be a 
very public process. We need to hear from the advocacy 
community. So as we move forward in this process, we expect it 
to take some time because it has to be vetted, the public has 
to have their right to input in public meetings, and here in 
public meetings, and being able to send in their comments to 
the EAC.
    So we will work with NIST, as we did last time, once these 
comments come in, to make sure that the best produce comes out, 
because we want the very same thing that you want. We want 
reliability. We want our elections to be a success in the 
future.
    Mr. Clay. Thank you for that response.
    Ms. Davidson, since New York failed to procure new systems 
by 2006, it is my understanding that they will lose 
approximately $50 million in HAVA funds.
    Due to the circumstances facing New York, will the EAC be 
offering the State a waiver to use the funds, once their 
technical concerns are satisfied? And if not, why not?
    Also, can you tell us if there are other States that might 
not have spent their HAVA funds due to concerns over the 
accreditation and certification processes.
    Ms. Davidson. You know, we follow the law. Right now, the 
law says they have to return the money but we are aware that 
there is a bill, as mentioned by the Congresswoman, that they 
would be able to keep that money and obviously, with that going 
through the process, we would not be moving forward with that.
    I kind of feel like the Congresswoman. I think that is 
going to be a process that gives us ability in the law, that 
says that States that did not spend their money can retain it. 
I think it's until 2008, is what is in the bill currently. But 
we will follow the law.
    The law is what is there but, obviously, we try to make 
ourselves always aware of new legislation.
    Mr. Clay. So right now, the commission couldn't 
administratively give the waiver to the State of New York or--
--
    Ms. Davidson. We cannot give the waiver but, obviously, we 
know that there is a process moving forward, so we have not 
sent out any letters.
    Mr. Clay. Are there any other States that are also kind of 
caught in limbo as far as the certification process?
    Ms. Davidson. As far as other States, they are not caught 
in limbo. They have bought equipment, but maybe one county 
didn't, like in Pennsylvania, I believe there is one county, 
one individual county, so they were going to have to return 
back a very small amount.
    There is other States, Arkansas, that has to return a very 
small amount. But New York is the big area, that they didn't 
move forward and buy equipment, and so it was because of other 
issues, that some of the others didn't purchase equipment.
    Mr. Clay. In New York's case, they didn't move forward 
because they were cautious, because they wanted to make sure 
they got this done correctly, I mean, and I'm sure we will make 
the case for this State in Congress. But I mean, you do 
understand that they moved very cautiously, which I can 
appreciate it. I think others can too.
    Ms. Davidson. We definitely understand their position. We 
asked for reports from States, like the law asks us to, and we 
have a full list, if you want that, of States, what kind of 
funds they still have out there, because it does affect more 
than one State, when you're passing that legislation.
    Mr. Clay. Sure. We would love to see the list and if you 
could provide to the subcommittee.
    Ms. Davidson. OK.
    Representative Maloney, any other questions for this panel?
    Mrs. Maloney. Very briefly. I just wanted to comment on 
your statement, Commissioner Davidson, that ultimately it is a 
human hand and human accountability. I looked at one machine 
that Smartmatic manufactured under the Sequoia name, and they 
literally had a yellow button on the back of the machine where 
you could change the vote. It was unbelievable.
    So when I inquired, what do you do to make sure that 
someone's not changing the vote on the back of the machine? and 
the answer was, well, we will have people watching to make sure 
that no one is changing the vote on the back of the machine.
    So I feel that we should not have machines like Sequoia's 
yellow button you can change, but that there still has to be a 
human element, and I hope Mr. Skall's guidelines will help 
remove the need for that. I have been in some New York 
elections where absolutely every voting machine has had a 
citizen-watcher to make sure that everything is done properly.
    But back to your statement that everything should be 
public. When a system fails a test, there is no public 
announcement. Wouldn't that be helpful for the public and for 
Mr. Skall, and others, to know that this system has failed? And 
then, ultimately, when you test, you are testing to standards. 
What about the hackers? It is the hackers that are getting into 
these machines.
    There are reports in the paper that one from Princeton 
hacked in, and you're not really testing to prevent the hackers 
from getting in there and doing their thing.
    Your response?
    Ms. Davidson. Well, currently, the only ones that we are 
aware of, that has been hacked into, has been at Princeton in a 
lab, and not in a polling location. We are not aware of any 
equipment being hacked into on election day.
    Mrs. Maloney. But that is the point. You are not aware of 
anyone hacking in. It doesn't mean that someone hasn't hacked 
in, and the testing doesn't really prevent hacking or look at 
the hacking approach. It looks at the standards and tests the 
standards as opposed to how a hacker goes in and sees what's 
missing and how to get in there.
    I mean, since we haven't tested against hackers, we don't 
really know whether they have gotten in on election day or any 
other time.
    Ms. Davidson. And I think that is the reason why NIST and 
the TDGC has definitely put a lot of area into security and 
going into cryptographics as Mr. Skall mentioned.
    That is why the new guidelines has really gone into that 
area. But, you know, I think you're going to get a far more 
detailed answer from Mr. Skall than from myself, if you would 
like.
    Mrs. Maloney. But on a policy statement, when a system 
fails a test I'm told there is no public announcement. Maybe 
that is the type of thing that should go into the 
clearinghouse, so that election officials across the country 
will know what systems are failing and why, and be on the alert 
for it.
    So my question is when a system fails a test, there is no 
public announcement. Why not? Why aren't we putting that in the 
clearinghouse and getting it out to election officials?
    Ms. Davidson. As I stated before, that will be a process 
that we are looking at, is how do we get it out, how do we make 
sure it's reliable. As you said, if it comes from a State or 
election official, it needs to be out there.
    And we will also, it has been our policy to, we do a 
newsletter, and the newsletter also goes to our oversight 
committees on the Hill, and we try to make that available not 
only to election officials in the Nation but our oversight. I 
believe that NIST is on. We add anybody that would like to be 
put on to our list for our newsletter.
    Mrs. Maloney. Thank you.
    Mr. Skall, on the hacking question, how do we know they 
haven't hacked in on election day, if we're not testing 
antihacking----
    Mr. Skall. OK. Let me answer that in a couple of ways. We 
are testing security requirements. So the standard itself, the 
new standard will have something called requirements for open-
ended vulnerability testing.
    This is precisely to check, to see whether, in fact, 
hackers have hacked in. Now it is well beyond the state-of-the-
art to prove and to be certain that someone hasn't hacked in, 
just like it is beyond the state-of-the-art to prove the 
software works correctly. You can't prove it. You can only get 
an indication of reliability and of security.
    So we will have more comprehensive tests. There are some 
tests now, the examination of source codes, for that very 
reason. We will have more tests, more requirements.
    Can we be sure someone has not hacked in? No. Will we have 
a better feel, a better confidence that they haven't? Yes.
    So we're at the point where we can be more comprehensive 
but we can never be sure, and we never will be able to.
    Mrs. Maloney. My time is up. I want to thank both of you. I 
would also like to comment that Congress is very concerned 
about moving forward with helping overseas residents vote, and 
helping our men and women in the military vote, and that is 
something that we'll possibly be looking at at a later time, 
because as we go into more of a global economy, many of our 
Americans are living overseas and they report they are having 
difficulty voting. So that is another concern.
    Anyway, thank you very much for coming and thank you for 
all your hard work.
    Mr. Skall. Thank you.
    Ms. Davidson. Thank you.
    Mr. Clay. Thank you, Representative Maloney, and that will 
conclude the testimony for panel one.
    Thank you, Ms. Davidson, and thank you, Mr. Skall, for your 
testimony and you may be excused.
    I would like to now invite our second panel of witnesses to 
come forward and then we will take a recess. Voting systems 
from a variety of important perspectives.
    Mr. Douglas Kellner, co-chair of the New York State Board 
of Elections, an attorney at the law firm of Kellner Herlihy, 
Getty and Friedman. Welcome.
    Mr. David Wagner, professor of computer science at the 
University of California at Berkeley. Thank you for making the 
trip, sir.
    Mr. Lawrence Norden of the Brennan Center for Justice at 
New York University School of Law. Thank you for being here.
    And Mr. John Washburn, software quality consultant and 
member of the VoteTrustUSA Voting Technology Task Force.
    And Mr. Mac J. Slingerlend, president and CEO of CIBER, 
Inc., located in Denver, CO.
    Gentlemen, welcome to all of you. In addition, I understand 
that Mr. Slingerlend is accompanied by CIBER, Inc.'s vice 
president for contracts, Mr. John Pope, and thank you for being 
here.
    It is the policy of the Committee on Oversight and 
Government Reform to swear in all witnesses before they 
testify. At this time I would like to ask all of the witnesses 
to stand and raise your right hands. Mr. Pope, you intend to 
speak on the record. I would like you to join the invited 
witnesses in being sworn.
    [Witnesses sworn.]
    Mr. Clay. Thank you, and let the record reflect that all of 
the witnesses answered in the affirmative. I will now ask all 
of you to give an oral summary of your testimony and to keep 
the summary under 5 minutes in duration.
    Your complete written testimony will be included in the 
hearing record, and Mr. Kellner, we will begin with you.

  STATEMENTS OF DOUGLAS A. KELLNER, CO-CHAIR, NEW YORK STATE 
  BOARD OF EDUCATION; DR. DAVID WAGNER, ASSOCIATE PROFESSOR, 
COMPUTER SCIENCE DIVISION, UNIVERSITY OF CALIFORNIA, BERKELEY; 
     LAWRENCE NORDEN, BRENNAN CENTER FOR JUSTICE, NEW YORK 
 UNIVERSITY SCHOOL OF LAW; JOHN WASHBURN, VOTETRUSTUSA VOTING 
 TECHNOLOGY TASK FORCE; AND MAC J. SLINGERLEND, PRESIDENT AND 
CEO, CIBER, INC., ACCOMPANIED BY JOHN POPE, VICE PRESIDENT FOR 
                           CONTRACTS

                STATEMENT OF DOUGLAS A. KELLNER

    Mr. Kellner. Thank you, Congressman. I thank you for 
calling us to testify today. I have read some of the statements 
that you have made at prior hearings, and I am grateful, 
because I believe that you do understand, very well, the issues 
that we need to address in order to assure that we have 
uniform, accurate, transparent, and verifiable elections. And I 
also thank Congress Member Maloney who has also worked so hard 
on this issue, and for her contribution on this, particularly 
in shedding light on Sequoia Pacific earlier this year and the 
fine work that she has been doing.
    I believe that since it is clear to me that you understand 
the fundamentals, I will skip that part of my testimony and go 
directly to what we have done in New York.
    The key thing is that we can have all these fine principles 
about how elections should be done, and I endorse the 
principles involved in the Voter Confidence and Increased 
Accessibility Act of 2007, H.R. 811, which is sponsored by 
Congressman Holt, because those are important principles to 
assure that we have verifiable and transparent elections.
    But I add the caveat, that we have to pay careful attention 
to the timetable for implementation of any new law, that good 
intentions alone do not make wise legislation. That the timing 
for implementation of new voting systems and HAVA was 
fundamentally flawed by putting the cart before the horse. We 
required States to replace their punch card and lever voting 
machines before setting the standards for new voting systems.
    And as we have heard the testimony from NIST, and from the 
EAC, that none of the systems that are in use today have been 
certified to the 2005 standards that have been set by the 
Election Assistance Commission, let alone the 2007 standards 
which are still in development.
    And what New York has found is that the system for 
certifying under the 2002 standards, which were very weak and 
very summary, itself was flawed, and that there is good reason 
to question all of the 2002 certifications that were made by 
NASED.
    And specifically, what have we found on this? Well, I 
pointed out that in the process of New York adopting its own 
independent testing process, that we learned that ES&S, which 
is one of the major suppliers of election systems throughout 
the country, came to New York and said we want a waiver from 
the 2005 standards with respect to source code, and the reason 
you should give us that waiver is that there was no change in 
that particular requirement from the 2002 standards and we got 
certification from NASED under those standards. So why should 
you make us comply now?
    Well, that raised questions in my mind, and I went and 
inquired, well, how is it that they didn't comply with the 2002 
standard and still got certification?
    The answer is nobody knows. That in asking the NASED 
officials who were in charge of the certification process, they 
said, well, we got a report from CIBER that recommended 
certification, and there was nothing in that report that 
indicated that they were not in compliance with all of the 
applicable standards.
    And then we go back and, in fact, the States that purchased 
this equipment were relying on the NASED certification, that 
relied on CIBER, and CIBER never reported the fact that they 
had not even tested for that particular requirement with 
respect to the source code.
    So that is one piece of evidence questioning the 2002 
certification standards.
    The second thing is that we had these reports that Congress 
Member Maloney referred to before, where computer scientists at 
Princeton showed how they could hack into the Diebold optical 
scanning system. Computer scientists at the University of 
Connecticut did it from a different approach and also showed 
the vulnerability of the system.
    The Maryland election authorities had commissioned a study 
also, that showed the security vulnerabilities. And these 
reports show that, again, that Diebold scanning system was 
certified to the 2002 standards, even though none of the 
security requirements in the 2002 standards had been tested, 
again by CIBER, that did the independent testing report that 
was given to NASED, and NASED certified that Diebold scanning 
system as well as other Diebold--the Diebold DREs share the 
same types of flaws, as pointed out in these studies, and they 
were certified to those 2002 standards which themselves were 
inadequate, even though there was no testing for those 
particular requirements under those standards.
    Now as Commissioner Davidson has indicated, the EAC does 
not decertify equipment that was certified by the National 
Association of State Election Directors. They only decertify 
equipment that they themselves have certified.
    So the bottom line is, is that most of the equipment that 
is in use in this country now, has never been properly 
certified, and the certification process that is in place now, 
to the 2002 standards, is meaningless.
    Now at this time, not a single voting system has been 
certified to the 2005 standards and there is only one system, 
at least according to the EAC Web site, that has even applied 
for certification to the 2005 standards. The other five 
applications are all to the old 2002 standards.
    So we really do have a crisis, in the sense that the voting 
equipment that is in use now does not meet current standards, 
and if Congress is going to require States to upgrade their 
voting equipment, and I certainly support that process, and I 
support what Congressman Holt is trying to do in H.R. 811, we 
have to first make sure, that before we spend all this money, 
we're spending it for equipment that needs proper standards, 
and that is what I would urge you to do.
    In my written testimony, I have enumerated how the New York 
law actually incorporates a lot of these principles that 
Congressman Holt has in his bill. That New York already 
requires every voting system to produce a voter verifiable 
paper audit trail.
    New York requires that there be an audit of the paper trail 
of at least 3 percent of the voting machines in each county, 
and authorizes the escalation of the audit to a greater number 
of machines where errors or the closeness of the results 
warrant.
    New York already prohibits any device or functionality 
potentially capable of externally transmitting or receiving 
data via the Internet or radio waves, and New York requires 
that the manufacturer or vendor of each voting machine escrow a 
complete copy of all programming, source coding and software. 
New York is one of only two States that now has that 
requirement, and North Carolina, the other State, is not 
enforcing its requirement.
    So New York will actually be the first to effectively 
require at least the escrow of source coding.
    New York has also adopted a number of other reforms in the 
regulations that it has adopted, including being the only State 
so far to require compliance with the 2005 voter system 
guidelines.
    New York requires every vendor to disclose all political 
contributions. New York requires and provides for public access 
to observe usability testing of the systems, and--OK.
    Mr. Clay. Mr. Kellner, we will let you summarize.
    Mr. Kellner. All right. I will wrap up, Congressman. So the 
bottom line is that to emphasize that there is no voting system 
on the market today that complies with the current Federal 
standards, and that you can't on the adequacy of the old 
certification, and that Congress should keep that in mind as it 
requires jurisdictions to upgrade their voting equipment.
    [The prepared statement of Mr. Kellner follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Clay. Thank you so much, Mr. Kellner. I would like to 
remind the witnesses, let's attempt to keep it at the 5-minute 
rule. Thank you.
    Dr. Wagner, please.

                 STATEMENT OF DR. DAVID WAGNER

    Dr. Wagner. Chairman Clay, Representative Maloney, thank 
you for the opportunity to testify today.
    In my research into electronic voting, I have come to the 
conclusion that the Federal certification process is not 
getting the job done. The testing labs, as we have already 
heard today, are failing to weed out insecure and unreliable 
voting systems.
    The testing labs have approved systems that have lost 
thousands of votes, they have approved systems that are 
unreliable, they have approved systems with serious security 
vulnerabilities.
    For instance, in the past few years, independent security 
researchers have discovered security vulnerabilities in voting 
systems that are used throughout the country, vulnerabilities 
that were not detected by State and Federal certification 
processes.
    In my own research, I too have found serious problems in 
federally certified voting system, systems that remain 
certified and in use today.
    The bottom line is election officials rely upon the Federal 
certification process to ensure quality; but the process has 
failed them.
    Part of the problem is that the testing labs are not doing 
as good a job as they could. But part of the problem is more 
fundamental. Paperless voting machines are incredibly hard to 
certify. When we use paperless voting machines, a single flaw 
in the software potentially caused undetectable errors in 
election outcome, and that places an impossible burden on 
vendors in testing labs because it requires perfection.
    A single overlooked defect can be enough to render the 
whole system insecure, unreliable or inaccurate, and experience 
has proven that it is easy for even the most capable experts to 
overlook flaws and defects in software.
    Given the complexity of modern election technology, it is 
unreasonable to expect perfection from vendors or testing labs.
    If the voting system is completely reliant upon software 
failures and security flaws are inevitable. Therefore, one of 
the best ways to solve this problem may be to reduce our 
reliance upon software.
    Our election system must be software independent. It must 
not rely upon the correct functioning of software. The good 
news is that there are solutions to these problems. The most 
effective solution today is to adopt voter-verified paper 
records and perform routine audits of those records.
    These audits provide a way to independently check whether 
the software has counted the votes correctly. This would reduce 
our reliance upon the software and, in my opinion, it would 
make the shortcomings of the certification process less 
critical.
    Audits are not perfect. Because they can detect problems 
after the fact but cannot prevent them, we will need a 
certification process that is capable of weeding out 
problematic voting system.
    In my testimony, I discuss a number of steps we could take 
to improve the certification process, including eliminating 
conflicts of interest, increasing transparency and embracing 
open-ended vulnerability testing.
    In particular, I would like to draw your attention to a 
conflict of interest in the testing process. Today, vendors 
choose and pay the testing labs, and this creates a perverse 
incentive for the labs to place the vendors' interests above 
the public interest.
    One potential solution would be for Congress to act to give 
the EAC the authority it would need to collect fees from 
vendors, so that EAC can choose and hire testing labs itself.
    As I mentioned, the good news is that solutions are 
available; however, the bad news is that only a minority of 
States have adopted these solutions. My understanding is that 
27 States use voter-verified paper records throughout the 
State, but only 13 of them audit those records.
    Adopting voter-verified paper records in routine audits, 
more widely, would reduce the pressure on our certification 
process and would provide greater transparency and confidence 
for voters. I believe it is the single most effective thing we 
could do to improve the reliability and security and 
trustworthiness of e-voting. Thank you.
    [The prepared statement of Dr. Wagner follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Clay. Thank you so much, Doctor.
    Mr. Norden, please proceed.

                  STATEMENT OF LAWRENCE NORDEN

    Mr. Norden. Thank you, Chairman Clay, and Congresswoman 
Maloney, for holding this hearing on what is certainly an 
extremely important topic.
    For 18 months, I chaired the Brennan Center's Task Force on 
Voting System Security, and that was a task force made up of 
the leading computer scientists and security professionals in 
both the private and public sector in the United States.
    It included David Wagner as well as scientists from NIST, 
the former chief security officer from Microsoft, and the 
former cyber security czar for President George W. Bush.
    What the task force found is no longer, I think, a matter 
of debate among security experts that have looked at these 
voting machines, and that is that they have serious security 
and reliability vulnerabilities.
    As David Wagner mentioned, the good news is that there is 
substantial agreement among these experts, about what we can do 
to address these vulnerabilities, and among the most important 
things we can do is to ensure that we have an independent 
voter-verified record such as a paper ballot or paper trail, 
and that after the polls have closed, we use those paper 
records to check the electronic tallies.
    These steps are certainly important, given the problems 
that we are aware of with the machines today and their 
certification. But I would echo what David Wagner said, and say 
that these steps are important, no matter how well we do the 
certification process or accredit labs.
    That is not to say that certification of accreditation 
isn't extremely important. We want to catch flaws before the 
elections, before the systems are certified, obviously, and to 
maximize the chance that we catch those flaws, we have to fix 
what is a broken certification and accreditation process.
    That process, I should say, is in transition right now, as 
we have heard today, and I think there is good reason to 
believe that it is being substantially improved. Still, there 
are certain things that need to be done. I detail a number of 
them in my written testimony. I am just going to talk about a 
few in the remaining time that I have.
    I would say one of the most important things we can do is 
something that Congresswoman Maloney touched upon and David 
Wagner touched upon, and that is to eliminate the process where 
vendors choose and pay the labs that judge and certify them. 
For obvious reasons, this is a conflict of interest and creates 
perverse incentives for vendors to certify machines where they 
are relying on--excuse me--for testing authorities to certify 
machines. They are relying on those same vendors for future 
business.
    I should add that Congressman Holt's bill, H.R. 811, does 
end this system along the lines of what David Wagner suggested. 
The second thing we can do is add an important step to testing 
machines, and this has also come up a little bit in some of the 
testimony we have heard today.
    Right now, what we do is we test to guidelines. We test 
under normal conditions to satisfy a check list. This is 
certainly important to do but good security testing, as 
Congresswoman Maloney touched upon, will try to ensure that a 
system does not fail when it is attacked or misused.
    There are a couple of things we can do. One of the things 
that we can do is what Mr. Skall suggested, which is to have 
independent security experts perform open-ended research and 
search for vulnerabilities on these machines to exploit.
    This is how many of the most serious flaws in voting 
machines have been discovered. Unfortunately, because it wasn't 
part of a certification process, this isn't something we 
discovered until after the machines were in use.
    Something else we can do is require vendors to demonstrate 
how they will defeat a standard set of threats that could be 
developed by an organization list like NIST.
    We should also make sure that the process for certifying 
machines, for evaluating machines, excuse me, does not end with 
certification.
    The EAC is now accepting anomaly reports from election 
officials and that is a good step. Unfortunately, it is not 
accepting such reports from voters, from technical experts that 
are performing field studies on these systems.
    And I would say that is a problem, for a number of reasons, 
not least of which is that voters themselves, and technical 
experts, are often going to be in a better position than 
election officials to know if the machines aren't working when 
they are voting on them.
    We should use their reports to investigate machines, to 
amend guidelines and to require machine changes, where 
necessary.
    Finally, one thing I would urge Congress is to make sure 
that we fund the EAC and the certification process adequately.
    The EAC is charged with some of the most important 
administrative tasks in Federal elections. If we are going to 
keep them in charge of those tasks, it is important that we 
give them enough funds and enough employees to do them.
    In 2006, the EAC had a budget of just $15 million and less 
than 30 employees, and that is simply not enough, given the 
responsibilities that they have.
    Thank you.
    [Note.--The Brennan Center Task Force on Voting System 
Security publication entitled, ``The Machinery of Democracy: 
Protecting Elections in an Electronic World,'' may be found in 
subcommittee files.]
    [The prepared statement of Mr. Norden follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Clay. Thank you so much, Mr. Norden.
    Mr. Washburn, please proceed.

                   STATEMENT OF JOHN WASHBURN

    Mr. Washburn. Thank you, Chairman Clay, and Mrs. Maloney, 
Congresswoman Maloney, for having this hearing and for giving 
me this opportunity to present testimony to you on testing and 
certification of voting systems.
    I have worked in the field of software quality assurance 
since 1994, and for the 10-years prior to that, I was a 
commercial programmer developing commercial software.
    It is important to consider both past testing done under 
NASED and the present testing process of the EAC, for two 
reasons. First, as has been mentioned, all the equipment 
currently in use has been tested under the former NASED 
process, and most of this equipment will be used again in the 
subsequent years, in this year, and 2008.
    Second, the new EAC program has made some steps toward 
greater transparency and oversight. It retains some of the 
systemic flaws of the NASED program. The NASED and EAC testing 
and certification framework suffer from three systematic flaws.
    Both systems are opaque to most primary stakeholders in the 
election process. These stakeholders are State election 
officials, local election officials, candidates for public 
office, and most importantly, the voters themselves, and due to 
the lack of transparency and accountability, neither system 
adequately assures the public that rigorous, thorough and 
effective testing has actually been done, and neither system 
permits or encourages the reporting of system defects, nor do 
they include a responsive corrective action plan.
    Under the NASED system, the entire process was a private 
sector transaction between the manufacturer and the testing 
laboratory, shielded from public oversight by vigorously 
enforced nondisclosure agreements.
    The reports of test results as well as documentation of the 
testing undertaken to confirm a voting system's compliance with 
standards are considered the property of the manufacturer of 
that system. It is extremely rare for citizens to gain access 
to these reports.
    For jurisdictions without their own State level testing 
programs, all that is available is a list of systems which have 
been granted a certification number, and the assurance that 
NASED has ruled that the certified system is in conformance 
with the standards.
    Without test plans, and results of the test executions, 
there is no evidence, there is just an appeal to authority, and 
with the reports from the New York Board of Elections and the 
nonconformances revealed in penetration analysis and academic 
reviews, this authority has been called into question.
    Over the last several years, numerous security and design 
effects have been uncovered, and each of these discoveries has 
left unanswered the simple question: How did these noncompliant 
systems ever get certified?
    For example, use of a programming technique called 
interpreted code, is prohibited by both the 1990 and 2002 
standards, yet is in use by the Diebold systems.
    The vote tabulation software found in ES&S equipment varies 
from machine to machine and from election to election and from 
jurisdiction to jurisdiction.
    For each election, a new and unique version of the vote 
tabulation software is created. If the software changes from 
election to election and jurisdiction to jurisdiction, how can 
there be any version that is the certified version? The central 
election management system for Sequoia, which accumulates vote 
totals on election night, includes both source code and the 
compiler for that source code.
    The source code and compiler combination make it easy to 
change the operation of this software ``on the fly,'' and in 
the field. This is a violation of both the 2002 and 2005 
standards.
    These examples of nonconformance, though, went undetected 
for multiple rounds of testing over several years. So it is not 
just a one-time miss here.
    The profound and real world consequences of not following 
these standards, even as weak as they are, is found at the hour 
hour and 9 minute mark of the documentation, Hacking Democracy, 
which I have included with my testimony. In this realistic 
simulation of an election, the outcome of the mock election was 
altered in spite of the election official following all of the 
correct administrative procedures.
    This manipulation was only possible because that system did 
not follow the standards. The NASED testing framework provided 
no mechanism to report problems and no way to receive 
suggestions for improvement. The EAC has created a new--for 
example, I think some of the Sequoia systems don't have 
sufficient accessibility for the ADA. That is my opinion; but 
who am I going to tell that to?
    The EAC has created a new program called the Quality 
Monitoring Program. The Quality Monitoring Program, though, 
limits itself to fielded systems. As Commissioner Davidson had 
pointed out, a fielded system is defined as a system which is 
certified by the EAC and used in a Federal election.
    Since the EAC has not yet certified any systems, there are 
no fielded systems. The Quality Monitoring Program also records 
only anomalies, but the definition of anomaly in this section 
is exceptionally narrow and permits the dismissal of any report 
on the basis the report is due to administrative error or a 
procedural defect.
    So, for example, a programming error in Pottawattamie 
County, IA, caused the election system to incorrectly tally the 
results of the June 6, 2006 primary election. This error, 
though, does not meet the EAC's definition of an anomaly, 
because the preelection testing done by the county auditor was 
insufficient and thus is a procedural deficiency.
    The failure of the system to not correctly tally votes is 
not considered an anomaly by this definition, and further, only 
credible reports will be published and distributed to other 
election officials. Information in a credible report must first 
meet this narrow definition of anomaly, second, must only come 
from an election official, and third, the events included in 
the report have to have occurred during an election.
    If an election official discovers a defect in a voting 
system during preelection testing, or during other testing, or 
were to undertake an independent review, the results would not 
be shared with other election officials.
    The Quality Monitoring Program fails to meet the mandate 
laid upon the EAC in section 202, to be a clearinghouse of 
information on all voting systems, not just those systems which 
meet the limited definitions of fielded, anomaly and credible 
reports.
    There is not much time before the 2008 Presidential 
election, and because of the short time, the EAC should use its 
authority already granted to the commission under section 242, 
to set up a second parallel testing framework. A suggestion for 
that is in my written testimony.
    So, in conclusion, the NASED testing framework is opaque to 
every stakeholder in the elections, except, it seems, the 
election manufacturers. It gives the illusion of rigorous 
testing without the substance and resists reports of problems 
and resists suggestions for improvement.
    The new EAC testing framework has these same deep flaws. In 
the meantime, an alternate framework needs to be created, which 
is more nimble, more effective and more efficient than either 
the NASED or EAC framework.
    I would like to add as a software test professional, the 
activities over the last several years do offend me, that they 
have been allowed to be called software testing.
    [Note.--The U.S. Election Assistance Commission publication 
entitled, ``Testing and Certification Program Manual,'' may be 
found in subcommittee files.]
    [The prepared statement of Mr. Washburn follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Clay. Thank you.

                STATEMENT OF MAC J. SLINGERLEND

    Mr. Slingerlend. I will loan a couple of my minutes to a 
couple colleagues that used a couple extra minutes, so we can 
stay on track here. We realize that we didn't predeliver a 
standard written statement, and thank you, Mr. Chairman and 
Mrs. Maloney, for having us here today.
    This was not to offend or otherwise indicate a lack of 
cooperation on CIBER's part. A letter by the committee was sent 
to us 10 days ago, faxed last Saturday, handed to me last 
Monday afternoon, but for me, last week was a board of 
directors meeting and a shareholders meeting, so as soon as 
those were over, I began to work on this activity.
    That said, I contacted Tony Haywood and discussed today's 
hearing, changed my schedule and that of John Pope, who is the 
left of me. I spent the weekend preparing and getting further 
updated on what has been going on in this activity of our 
company, so I could be here.
    Ladies and gentlemen, we have nothing to hide. We are a 33-
year-old New York Stock Exchange billion dollar IT services 
company with 8,000 people in 18 countries and a 96 percent 
customer satisfaction rating.
    The business we are here to discuss represents about one-
quarter of 1 percent of what we do. That said, we take all of 
our business seriously. I am, and have been, at least generally 
familiar with the questions asked of us in the chairman's 
letter to be here today. I cannot say I know every detail of 
any one project but I have prepared and believe I can speak 
with you today about the matters you are asking.
    With respect to the New York Board of Elections, and Mr. 
Kellner, in particular, and I have read his criticisms, in 
part, of us, or one of our counsel, we have nothing except good 
things to say about the State of New York's activity with 
respect to electronic voting.
    They have taken their responsibility seriously. They picked 
a good company to do the work for them and they have been 
victims, I believe as have we, with circumstances primarily 
beyond our control since some time, in particular, in 2006.
    We have done good work for them and it is currently on 
hold. In our opinion, we should either finish the work or 
perhaps be paid and asked to go away, but in any case, we are 
happy to do either, as directed.
    With respect to the EAC, this is a more complicated 
situation. The EAC, like we, and our customer, have been caught 
in the middle of changing responsibilities, changing 
technology, changing test procedures, likely a lack of 
sufficient funding for the EAC, and changing testers.
    Specifically, we have dealt with moving targets, slow turn-
around times on assessments, and a general lack of sufficient 
direct EAC resources, such that they have to rely on others, 
and then part-time others, nondirect, and inexperienced 
auditing, in part, to help them with their systems and their 
accreditation.
    In conclusion, some of the tabloids have been accurate; 
some not. I think some of the statements Mrs. Maloney made this 
morning weren't exactly--I would say accurate, from the 
standpoint that you were led in the wrong direction, not that I 
would criticize anything you had to say, but relying on some 
statements that weren't accurate. Therefore, your questions 
came from that standpoint.
    It appears that there are multiple agendas that our 
customer, the New York State Board of Elections, and we, are 
affected by, and perhaps this meeting this morning will push 
these to resolution.
    Thank you for having us here today.
    Mr. Clay. Thank you so much, Mr. Slingerlend, and Mr. Pope, 
for being here. We appreciate your accommodating the committee. 
Let me go to the 5-minute questioning now and I will start with 
Mr. Kellner, and let me first thank the entire panel of 
witnesses for the expert testimony that you have just provided.
    Mr. Kellner, in light of CIBER's inability to earn interim 
accreditation from the EAC last year, what are the major issues 
New York is currently facing in using the nationally accredited 
Voting System Test Labs for the upcoming election cycle?
    What are the timelines that are necessary to adequately 
address the EAC's accreditation process in order to ensure a 
smooth election cycle for 2008?
    Mr. Kellner. Congressman, the New York State Board of 
Elections has issued a RFP to accredited laboratories and the 
deadline for response to that is next week or so, and we will 
be very shortly then evaluating our options on restarting the 
testing process as soon as possible.
    We would hope that within the next couple of months, we 
would be able to restart the testing process.
    Now hopefully, the vendors have used this time delay of the 
testing process to get their equipment up to snuff, so that 
when the testing process resumes, the equipment will pass, and 
if that happens, then we expect that we would be able to 
certify to the county boards of elections acceptable voting 
systems by this December, and that would be in sufficient time 
for them to acquire new voting systems for the 2008 primary in 
September and the general election in November 2008.
    Mr. Clay. Pardon my ignorance. Is New York involved in a 
February 5, 2008----
    Mr. Kellner. That is correct, Congressman.
    Mr. Clay. OK. So they will not be ready for----
    Mr. Kellner. That is correct; not for February.
    Mr. Clay. OK. One topic that I believe does not get enough 
attention in the larger debate over system integrity and 
security is the topic of information sharing about system 
flaws.
    As the national clearinghouse for election information, 
what role should the EAC play in developing stronger mechanisms 
for sharing information among election officials about system 
flaws that are identified by officials or industry 
stakeholders?
    And anyone on the panel can attempt to answer that.
    To followup, should the EAC work together and disseminate 
information about flaws not found through its prescribed 
national certification processing, including NASED 
qualification for upcoming elections?
    Yes, Mr. Washburn. You may start.
    Mr. Washburn. My customary experience with software 
testing, when you are reporting and recording defects, is to 
record everything and then categorize later. That is why I am 
particularly disturbed with the gatekeeping functions on the 
definition of anomaly.
    So I guess my opinion would be is that the EAC should take 
a report of everything, from everyone, and vet those out, and 
then categorize them as credible, not credible, after the fact, 
because many times, it's in the pattern of the minutia, in the 
pattern of the many reports, that you actually see something--
ah, there is a recurring issue here in some administrative--you 
know, even though it may be an administrative error, it is one 
that everyone's having.
    So the general custom in software testing is to record 
everything immediately and then categorize, prioritize and 
essentially cite its significance later.
    Mr. Clay. Do you think the response time is quick enough? 
Is it timely, to flaws and problems?
    Mr. Washburn. We are under a very short timeframe for the 
2008 election cycle. I am not sure, even if they started 
setting up a very high end, you know, defect reporting system 
like ClearCase, you know, tomorrow, I doubt that the 
responses--it would be better, but I don't know if it would be 
enough to correct the systems. But it would at least allow the 
local election officials to know what problems to watch for and 
perhaps adopt local procedures to help avoid them and mitigate 
them.
    Mr. Clay. Anyone else? Mr. Norden.
    Mr. Norden. Chairman Clay, I just wanted to add a couple of 
things. Certainly, there should be some process for all 
systems, including NASED-certified systems, to get reports from 
election officials, and I would add, as I said before, also 
from voters who are voting on these machines and are actually 
using them on election day, about things that go wrong with the 
system.
    Another thing I would add is that as I understand it right 
now, if election officials file a report with the EAC and that 
report is deemed credible, there is no way for the election 
official to have that complaint made anonymous, and that seems 
to me to be a problem, for a couple of reasons.
    No. 1, the election official that may be filing the 
complaint is often the one who bought the system. So they might 
have an incentive for not wanting that to be attributed to 
them. They are also reliant on the vendors for technical 
assistance in the future, and we have instances in the past, 
where there has been retribution against election officials for 
making complaints, or showing the vulnerabilities in voting 
systems.
    So I would say three critical things would be providing 
some way for there to be anonymous publication of these 
complaints from election officials, if they requested, include 
voters in the complaints that are taken, and make sure that 
there is a clearinghouse for all systems, not just the ones 
that have been, or are going to be certified in the near 
future.
    Mr. Clay. That is a great point. In Congress, we also deal 
with that same issue when it comes to HAVA, from the original 
authors who don't want any alteration of HAVA, but we know it 
is much overdue and needed.
    Let me ask Dr. Wagner, many people compare computerized 
voting machines to bank ATM machines. They argue that these 
bank machines are perfectly safe and accepted by the public.
    Therefore, we should have the same confidence in 
computerized voting machines. Are these voting machines 
constructed with the same security as bank machines and is the 
physical security of voting machines the same? What are the 
differences in the security and reliability standards and would 
using such security standards enable us to better test and 
evaluate e-voting systems?
    Dr. Wagner. Thank you. First, I would say that our voting 
systems are not up to the standards in the financial system 
that we are using to protect our bank ATMs.
    Second, I would say that the voting problem is a much more 
challenging problem than the problem of securing bank ATMS 
because of the secret ballot. If we didn't have a secret 
ballot, we may be able to apply some of the techniques from the 
financial world, which include associating names, multiple 
paper trails, and auditing those, cross-checking them.
    But because of the requirement for a secret ballot, we are 
much more constrained in the voting world by what kinds of 
audit logs we can keep, so it is much more challenging to 
provide the necessary level of security in the voting world.
    Mr. Clay. Thank you so much for that response.
    Representative Maloney, your turn.
    Mrs. Maloney. Thank you, and I really thank all of the 
panelists. I particularly would like to thank Mr. Kellner and 
Mr. Norden who are from the district and communities that I 
have had the honor to represent, and they have been 
longstanding advocates for voter reform, machine reform, 
honesty in voting, and I congratulate all of your efforts.
    I congratulate all of your efforts. I am just more familiar 
with theirs since they are from my city.
    Mr. Slingerlend, I understand that you have already 
responded to many of the concerns raised in the initial EAC 
assessment review from last July. However, the EAC review and 
the NYSDEC review commissioned by the New York Board of 
Elections, described the state of your testing methods and 
procedures that prevailed during the period in which you were 
testing most of the voting system software in use across the 
country. These independent reviews suggest that CIBER is unable 
to adequately document the testing undertaken to establish the 
conformance of voting systems to Federal standards.
    Are you able to document the test plans, methods and 
results of testing performed under the NASED/ITA program?
    Mr. Slingerlend. Thank you. I think the answer to that 
question is yes. If I may, in kind of a broader sense, say how 
we got to where we were, and my comment on, by the way, one of 
your earlier comments that we have certified machines, we have 
never certified machines, and unfortunately for Commissioner 
Clay, it says regained accreditation from the EAC, well, we 
have never had accreditation from the EAC so we don't regain 
that either.
    But in some respects, we have been involved in this 
business for a decade. We have been involved in the business 
under the NASEd leadership and it was completely voluntary 
because I think the Federal Government just did not adequately 
approach this subject, historically, and consequently the 
States found it necessary to take it on themselves, although 
there were a few Federal standards that they were identified 
with.
    I have talked to myself, if you will, about this, over the 
weekend, saying that, you know, we were lulled to sleep by the 
process, which wasn't our fault. The fact that we slept 
probably was our fault. I think the individual, in particular, 
that was leading this effort for us, was like a cook that 
doesn't have recipes. He knew the systems very well. He knew 
the vendors very well. He knew everything very well. He behaved 
in pretty much the same manner for the last 5 or 10 years, as 
far as how he was testing machines, and going through his 
procedures.
    But the documentations of his efforts were not what you or 
I would call ``buttoned up,'' to a standard that would be 
acceptable, and when the EAC came around last summer with 
respect to testing to a standard, it was a new standard, hadn't 
been used previously, which was OK. I would say that we weren't 
documenting things, that we were physically doing. Nobody has 
ever questioned the quality of our work, or the fact that we 
have tested things, or attested to things accurately.
    The documentation to that, of that fact, though, is not as 
good as it should have been. We spent the summer, probably 
early fall, after we were told about this, getting things, if 
you will, buttoned up, perhaps not completely but substantially 
better. The EAC came back--and I am feeling like I am running 
out on my answer but there is a timeline here. The EAC came 
back in early December and asked to review what progress we had 
made, and said you guys have made tremendous progress, but now 
we also need you to meet the 2005 standards. So the people that 
were certified by the EAC, last summer, weren't asked to meet 
the 2005 standards, and we have buttoned ourselves up for 2002. 
We were then told we had to be--2005. Then it was February 
before we get another response. We turned back in a--and asked 
by EAC to respond by March 5th. We further responded on 
February 26th, which is--you can, you know, take the months 
now, but it is 2\1/2\ months, or whatever that might be. We 
still have not heard back, the status of that submission.
    So, you know, we feel for the State of New York. You might 
even say we feel for ourselves. But I do believe at this point, 
we are fully capable of meeting the 2002 standards as the other 
currently accredited companies are doing, or have been 
accredited to.
    Mrs. Maloney. OK. I would like to submit a formal request 
on behalf of the subcommittee for documentation related to the 
testing by the CIBER of NASED-qualified systems, and it is a 
documentation request for each of the systems listed before. If 
you would produce the following set of records.
    Mr. Clay. Without objection.
    Mrs. Maloney. I would like to submit it to you, and to the 
record. Thank you.
    [The information referred to follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mrs. Maloney. Mr. Slingerlend, is there any reason why the 
testing process and test reports should be done in secret?
    Mr. Slingerlend. I have listened to some of the comments 
about the--I will probably say no to the question, with the 
exception of that it is a very iterative process, and one can 
draw conclusions. It is a little bit like Donetta Davidson was 
saying earlier, that you are not always sure the information 
that you are getting is accurate, so you are not quite sure you 
want to publish it, until you have the ability, yourself, to 
verify whether it is accurate.
    And for Mr. Washburn and I--and he and I obviously don't 
know each other--but I am sure that he has been through lots of 
testings of software, over time, just based on his testimony, 
and it is an iterative process.
    What we have found, and what has been explained to me about 
what we have done with the vendors in the past, they may give 
us something, we say, well, that doesn't meet Federal 
guidelines. And so you go back and forth, and back and forth. 
You may do it 50 times.
    I don't know that it is healthy, or wise, or necessary, to 
indicate the status, sort of an iterative process between a 
vendor and a testing lab, whether it is NIST, whether it is 
ourselves, etc. And by the way, we have no problem with the 
concept that any vendor money would go to NIST or EAC, and then 
they would select people to do testing. That means nothing to 
us.
    Mrs. Maloney. But once you have tested and sent the results 
to EAC, why shouldn't the public be able to verify that the 
testing, see what the testing was, to see if it was done 
properly or not? Why keep that secret? When you are in a ``give 
and take,'' I can understand. But once you have made a decision 
and relayed it to EAC, why not have that open to the public, as 
the prior two panelists said, should be open to the public?
    Mr. Slingerlend. I think that sounds fine with us. I mean, 
I think from our standpoint, we have never certified any 
machine works. We have attested to the fact that it has met 
Federal guidelines. The fact that we say something meets 
Federal guidelines, we have no problem with that information 
being public, ourselves.
    Mrs. Maloney. OK. Did CIBER serve as the independent 
testing authority for the ES&S Unity System that was certified 
by the National Association of State Election Directors in 2003 
and 2004?
    Mr. Pope. Yes, ma'am. I believe that is correct.
    Mrs. Maloney. OK. Did CIBER do a review, at that time, to 
determine if the source code used in the ES&S Unity System 
complied with the 2002 voting system standards?
    Mr. Pope. I am not the technical expert on that. We would 
have to ask our technical folks about that.
    Mrs. Maloney. But you were reviewing and testing to see if 
they met 2002 standards; right?
    Mr. Pope. Yes.
    Mrs. Maloney. But you can't say whether or not you tested 
to see whether they met 2002 voting system standards?
    Mr. Pope. I believe that is a correct statement but I would 
like to have the chance to verify that.
    Mrs. Maloney. Well, could you verify and get back to the 
committee on whether or not you tested to see if they met the 
2002 standards?
    Mr. Pope. Yes, ma'am.
    Mrs. Maloney. Now you testified that you believe they did 
since it was certified in 2003 and 2004. So my question is 
really, how does CIBER explain the ES&S request to the New York 
State Board of Elections for a waiver of these standards? So 
when they came to New York, they asked for a waiver of the 2002 
voting system standards.
    Mr. Pope. That issue is between ES&S and the State of New 
York, not between us and ES&S.
    Mrs. Maloney. Well, were there other standards in the 2002 
voting system standards, that CIBER did not test? We are 
talking about testing--70 percent of the voting machines out 
there now were tested by CIBER. Now, because of the GAO report, 
and it is not my words, I was quoting from the GAO report, the 
GAO report said that they were not done properly. We just 
heard, from the prior two panelists from the Election 
Commission, that they are not going to have to recertify all of 
those voting machines to the standards.
    So I want to know, are there standards in the 2002 voting 
system standards that CIBER did not test?
    Now you testified earlier that you are working now to get 
up to the 2005 standards. But were there some standards that 
you eliminated, or did not test in the 2002 voting system 
standards?
    Mr. Slingerlend. Ma'am, I don't think we have ever--first 
of all, I do believe we tested everything with respect to 2002. 
Nobody has ever indicated that we haven't tested everything 
with 2002. The issue has been with the documentation with 
respect to the testing, not the fact that testing wasn't done, 
or that the systems didn't work to Federal standards.
    Mrs. Maloney. OK. Then if I could have an additional minute 
for one question, Mr. Chairman.
    Mr. Clay. Please proceed.
    Mrs. Maloney. What individual, or individuals, are 
responsible for carrying out and supervising the testing of 
voting systems at CIBER?
    Mr. Slingerlend. Historically, that responsibility has 
fallen, in Huntsville, AL, under a name, Sean Southworth.
    Mrs. Maloney. Prior to serving in this capacity, what were 
Mr. Southworth's qualifications and how was he chosen for this 
role?
    Mr. Slingerlend. Ma'am, I can't tell you that. I can tell 
you that he has been doing it for approximately 10 years. We 
made an acquisition in October 2001, and this was a small 
portion of that company, and it was an ongoing activity of that 
company. It wasn't the target of the acquisition but was an 
ongoing activity of the company at the time. They had been 
doing it for several years, are very familiar with NASED, the 
people involved in NASED, and continue to do the work they had 
been doing prior to the acquisition, after the acquisition.
    Mrs. Maloney. Could you please provide the subcommittee 
with Mr. Southworth's biography, resume, documents attesting to 
his qualifications to perform voting system testing.
    Mr. Slingerlend. Sure.
    Mr. Clay. Thank you very much, Representative.
    Mr. Slingerlend, first, could you please characterize for 
us the meaning of the term ``confidential, competition 
sensitive.'' Does this mean these documents have trade secrets 
or proprietary information? Why was there not adequate 
justification made to the board for these designations?
    Mr. Slingerlend. My understanding, in part, with respect to 
the software work that we perform, we believe that the way we 
perform the work we were doing was unique to ourselves and 
consequently, you would tend as a business competing with other 
business and having competitors and testing, that you don't 
like to release those testing procedures to other companies, in 
particular.
    I think the whole activity that--now that EAC is here, now 
that NIST is here, I think that whole program can change. I 
don't have any particular reason, other than just we didn't 
find it necessary to disclosure how, if you will, Sean 
Southworth was doing his work to our competitors.
    Mr. Clay. Now according to the New York State Board of 
Elections, CIBER had been submitting reports to the board, that 
were paid for with New York State funds, but were somehow 
restricted from public disclosure.
    It seems to me as though CIBER was looking to prevent 
public scrutiny of its work.
    Mr. Slingerlend. Yes. I don't think there is any intent to 
that. I do believe that Mr. Kellner talked to one of our 
attorneys, but Mr. Kellner, I did not verify that. I am happy, 
if you want to comment on this, and I believe that the 
discussion between Mr. Kellner and our attorney was such, that 
we removed the confidential labeling of the documents and they 
were made public. If that is not the case--I don't know that is 
not the case.
    Mr. Clay. OK. Well, we will let Mr. Kellner respond. Go 
ahead.
    Mr. Kellner. Mr. Chairman, I think the problem is that the 
habit of CIBER was to keep everything secret and confidential, 
and New York's process has been to keep everything open to the 
public, and CIBER really wasn't prepared to deal with that, and 
I was not satisfied with the way my requests were handled in 
terms of telling them, look, you have marked all this stuff 
confidential, I want to release it.
    And we had a report that had been very carefully negotiated 
between New York's independent technical experts, the New York 
State Technical Enterprise Corp., and CIBER, on the extent of 
the COTS exemptions for source code testing, and CIBER insisted 
that agreement that they had be marked confidential, and then 
the lawyer at CIBER, when I protested this, rewrote the report, 
not the experts but the lawyer rewrote the report, and then 
said, here you can release this version that I've cleaned up.
    And I really thought that was an inappropriate way to deal 
with an expert report, and of course the New York State board 
then, following the complicated legal procedures in our State 
law, disclosed the report, but only after we went through the 
formal procedures to determine that CIBER had no right to claim 
confidentiality for the agreed report.
    Mr. Clay. Thank you. Thank you for that response.
    Mr. Washburn, any commentary or thoughts about the 
testimony?
    Mr. Washburn. It is my amateur legal opinion, but I don't 
think trade secrets apply in voting systems for the test 
procedures, because that is the evidence that it does conform. 
You are talking about public moneys spent for the, you know, 
spent by public officials to administer public elections, for 
candidates to public office. What part of that is private?
    And so I don't think half of the trade secret definition is 
met, because part of trade secret is subject to reasonable 
efforts to keep secret, and it is unreasonable to keep secrets 
here.
    Mr. Clay. Thank you for that response.
    Mr. Slingerlend, I picked up on something that you said, 
that I am really concerned about, when you say that there were 
first 2002 standards and now there are 2005 standards, like 
this, and it seems to me like there is a moving ball or a 
moving target that the industry has to keep up with.
    But what I find to be so disconcerting is that, you know, 
we are talking about the public's voting rights, the integrity 
of elections, making sure that we get it right once, the first 
time, making sure that people's votes are accurately tallied, 
that they are actually counted.
    I mean, is this a process that we will never be able to 
satisfy? Or can we get this right?
    Mr. Slingerlend. Sir, I believe it certainly can be done. 
If I took off my CIBER hat for a second and I just put on my 
American hat----
    Mr. Clay. Put on your American cap.
    Mr. Slingerlend. I do think that when you look back, then, 
how this was done over time--and you should give credit to Ms. 
Davidson and the other people of NASED, that took their time, 
unpaid, etc., to work on having these machines certified to 
some level of Federal standard over the last decade, I think 
this has just been, you know, the minister's kids without 
shoes. You know, it is just basically a system that has been 
neglected, in an official sense, as it should have been done, 
over time.
    I don't know that the two thousand and--you know, we were 
certified as the 1997 standards, the 2002 standards were better 
but certainly not adequate, we are sitting here today being 
told the 2005 standards are better, but by July 2007 there is 
even going to be better ones.
    And when we were asked, which we had never been asked to 
behave in a certain manner, as I said we were kind of lulled to 
sleep, not our fault, but the fact we slept is--when we were 
asked last July to go through a testing process that our guys 
hadn't done before, weren't behaving in a manner that they 
would qualify for ``our fault,'' but doesn't necessarily mean 
that they hadn't been, you know, basically steered in that 
direction.
    When we came back for retesting, it was yet a different set 
of rules, after submitting first answers, and then there is a 
different set of rules, and now it has been from February 26th 
to May 6th or 7th, and we haven't heard about our last response 
because EAC really hasn't had the funding, the full-time 
auditors, NIST isn't quite on the ground--and that is not 
trying to criticize NIST.
    I think you have an evolving process here that is going to 
be much better, very quickly. But it has been not a great 
process over the last couple of years or the last few to 
several years.
    Mr. Clay. Thank you for that response.
    Mr. Washburn, can you identify specific examples of e-
voting systems that had previously been certified by the former 
NASED program, even though they were not compliant with the 
appropriate standards. If so, can you offer examples of the 
types of problems with each system, and are any of these 
systems still being used by local election boards?
    Mr. Washburn. Well, all through the ones I gave, I cited in 
my oral statement, and also my written statement, are currently 
in use. So the use of interpreted code is prohibited by section 
5.3 of the 1990 standards, it is prohibited by section 4.2.2 of 
the 2002 standards, and there were, I believe, 11 systems that 
have that property, that were tested over the course of about 4 
years. I could get you the actual numbers, if you would like, 
of the systems involved.
    Similarly, because of an open records request in 
California, it was discovered that one of the members of the 
technical subcommittee of the NASED voting systems board, 
stated that the ES&S scanners have a unique executable for 
every election, and there is no single version of the firmware. 
It changes from election to election, to election to election, 
because it incorporates the election information as a 
commingled integral part. You cannot separate the ballot 
definition from the scanner firmware. So it is always 
different.
    And similarly, the Sequoia system, Win EDS, which is in use 
by a number of systems still in use, has source code in the 
form of Transact SQL, as well as the compiler for it which is 
Enterprise Manager.
    And what this means is that you can alter the behavior of 
the stored procedures, triggers--I am probably getting a little 
technical here--but what the Win EDS system does is it just 
calls it by name. So whatever SQL is behind that name, that is 
what gets executed at that moment in time, and it may not be 
the same stuff that was delivered, it may not be the same SQL 
that was certified, and it may not be the same stuff that you 
audit, the day after.
    So those are currently in use.
    Mr. Clay. Mr. Norden, what systems send out alarms for you?
    Mr. Norden. I think Mr. Washburn did a pretty good job 
there.
    Mr. Clay. Got everything that you were concerned with?
    Mr. Norden. Yes.
    Mr. Clay. And how about you, Doctor?
    Dr. Wagner. Well, I am a technologist, and I consider the 
question of what meets the certification standards a policy 
question. But I believe there is room for serious concern about 
a number of the systems from three of the four major vendors 
out there. The Princeton vulnerability testing has demonstrated 
serious security problems in machines from one vendor, which I 
think there is a credible argument, violates the standards.
    The problem that we face today is that there has been no 
process and no attempt to investigate these claims. This has 
been a bit of a political ``hot potato'' that no one wants to 
touch, because if we were to--if there were to be a finding 
that these systems did not comply with the standards, local 
election officials would be in a major bind.
    So for that reason, the EAC has been reluctant to 
investigate these claims about--they perhaps reasonably have 
said NASED certified these systems, let NASED deal with its 
mess. NASED has been silent on this issue.
    So we haven't come to terms. There has been no serious 
attempt to grapple with these allegations.
    Mr. Clay. Thank you so much for that response.
    Representative Maloney, do you have any questions?
    Mrs. Maloney. That is truly horrifying, that there has not 
been any serious attempt to grapple with this, and everyone's 
hiding behind the fact that NASED certified it.
    So I would like to ask Mr. Slingerlend, since he is 
involved in testing, is it fair to say that having 
certification from the National Association of State Election 
Directors does not necessarily mean that the voting equipment 
complies with each and every one of the voting standards?
    Maybe let me back up a little bit. Did CIBER test the 
Diebold AccuVote TS optical scan terminals that were the 
subject of the reports by computer scientists at Princeton and 
the University of Connecticut that Dr. Wagner mentioned? Did 
CIBER test them?
    Mr. Slingerlend. Do you know? I don't know.
    Mr. Pope. We have tested Diebold systems but I'm not 
particular about the one that you mention.
    Mrs. Maloney. Well, the Diebold system is the one that 
Princeton and Connecticut hacked into.
    Mr. Slingerlend. As Mr. Washburn said, is it the one that 
was tested, the one that was delivered, the one that was 
implemented, or as other people were saying, we have--they have 
been a client from time to time. That specific item, we would 
have to check into, ma'am.
    Mrs. Maloney. Well, maybe you could check into it and get 
back to the committee.
    Mr. Slingerlend. Let me just make sure that I get the right 
question, so I get them the right answer.
    [The information referred to follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mrs. Maloney. And isn't it true, that those reports showed 
security vulnerabilities that were not tested in the 
certification process, obviously, in the Connecticut and 
Princeton tests?
    Mr. Slingerlend. Can I address what you are--the general 
topic of what you are saying right now. I believe with 100 
percent, you know, certainty--and again I guess put the word 
``believe'' there--but I believe we have done a fine and good 
job of testing the software in machines, not the hardware of 
machines, cause we have never been said to be testing the 
hardware of the machine. But the software of the machines to 
meet the 2002 standards that are out there.
    That does not mean to say that the 2002 standards were as 
great as they should have been, or that they weren't changed in 
2005, and it sounds like they are changing again in 2007. But I 
do believe that if we were asked to certify something, or 
attest to something, as to how it worked to 2002 standards, we 
did our job properly.
    Those standards may not have been sufficient and that may 
be exactly your point.
    Mrs. Maloney. Prior to the time that you were suspended 
from further testing in New York State, did any of the voting 
systems submitted pass each of the tests that were given? Did 
any of the voting systems pass prior?
    Mr. Pope. With regard to the State of New York, all the 
systems that we have tested are still in an incomplete state.
    Mrs. Maloney. All right. Let me go back to the question 
that, really, the point that Dr. Wagner raised, and just go 
down the panel, starting with Mr. Kellner, and let everybody 
answer.
    Is it fair to say that having certification from the 
National Association of State Election Directors does not 
necessarily mean that the voting equipment complies with each 
and every one of the voting standards?
    Can you replay to that, Mr. Kellner.
    Mr. Kellner. I think that is completely true. I think that 
everyone has to follow California's lead, and California's 
Secretary of State has announced that she is going to retest 
every single piece of voting equipment, and it is based on the 
bankruptcy of the 2002 standards testing that was done under 
NASED supervision, that NASED certification is meaningless.
    Mrs. Maloney. That is a powerful statement.
    Dr. Wagner.
    Dr. Wagner. Representative Maloney, I think it is indeed 
fair to say. I would concur with your assessment.
    Mrs. Maloney. That NASED certification is meaningless. OK. 
Mr. Norden.
    Mr. Norden. Yes, I would agree with that, and I would add a 
couple of things. That is one reason why having software 
independent records and audits is so critical.
    And in addition, something that Mr. Kellner mentioned I 
think bears some further explanation. I am troubled by the fact 
that this system has been so--on top of everything else, and 
certainly, the security of our elections is the most important 
thing.
    But on top of everything else, it has been an incredibly 
inefficient system, and we have States like New York and States 
like California not trusting Federal certification and having 
to run very expensive tests on their own. This is expensive to, 
obviously, the people of the State of New York, to the people 
of California, it is expensive to the vendors.
    And what I would like to see is that, at some point, when 
we get these standards right on the Federal level, that this 
isn't just voluntary, that it is a mandatory thing that all of 
the States comply with, and that we can actually trust the 
certification process, so we don't have to go through what we 
have gone through in New York, so that we don't have to do the 
kind of additional testing that we do in California, unless 
there are very specific reasons for doing so.
    Mr. Washburn. I too would agree that a certification number 
has no connection at all to whether that system complied or 
doesn't comply with the standards, and echoing Mr. Norden's 
point on the testing, the proposal I was talking about, that is 
in my written testimony, would propose that a consortium of 
States buy a pool of election equipment exactly as bought by 
election officials, and essentially allow anyone who would like 
to do a test on it, in a manner similar to, with access similar 
to what an election official has, the stipulation being is it 
has to be videotaped and audio recorded for everything you do, 
so there is no dispute what they did, what they didn't do, what 
the findings were, good, bad or ugly, whatever the result is.
    And then that information could be made public and help 
election officials evaluate changes in the local security 
procedures.
    Mrs. Maloney. That is a very strong statement, if I 
understand what you said. You said no certification system up 
to this point can verify that the voting machines are meeting 
the required standards of 2002, not to mention 2005, that they 
are now required to meet.
    Mr. Washburn. Well, I haven't looked at all of them. I 
looked at most of those that are sold in the State of 
Wisconsin. But I find problems with all of--I can find a 
section of the standards that the system does not meet for 
every one of those in Wisconsin.
    Mrs. Maloney. And Mr. Slingerlend, do you agree with the 
comments or Mr. Kellner, Dr. Wagner, Mr. Norden and Mr. 
Washburn, that the certification from the National Association 
of State Election Directors is not a certification you can rely 
on? Is it fair to say you are saying it is not workable, it is 
not doing the job?
    Mr. Slingerlend. If you knew me better, you would probably 
know I disagree with most anybody. But I would go back to what 
these gentlemen were saying, and your question earlier was are 
they meaningless, and I think I would say these are good people 
doing unpaid work, not sufficiently funded or done by the 
Federal Government, doing the best they could.
    I would say it wasn't sufficiently meaningful, but I'm not 
going to say it was meaningless.
    Mrs. Maloney. But back to Dr. Wagner's statement, you were 
saying that the EAC would not go back and look at these systems 
because they were certified by the National Association of 
State Election Directors. Is that what you said?
    Dr. Wagner. I can't speak for the EAC of course, but my 
understanding is that the position the EAC has taken is that 
they will not go back to investigate these allegations and 
systems that were certified by NASED, that they are developing 
a new process. If manufacturers choose to submit their systems 
to the EAC's new process, then the EAC will investigate 
reports, may consider decertification, if that is warranted. 
They have developed a new process with these safeguards but 
those safeguards don't apply to the old NASED process.
    Mrs. Maloney. That is very discouraging. I would like, Mr. 
Kellner, just go down the line, for each of you to comment on 
what you have examined in voting systems that were certified, 
and do you think they are fine? Can we trust them? What are 
your statements? I will just get you on the record.
    Mr. Kellner. I certainly subscribe to the view that Debra 
Bowen in California has adopted, which is that we need to have 
recertification of every voting system that is in use in this 
country, and that is a responsibility Congress should give the 
EAC, and I would add that we shouldn't be spending a lot of new 
money to buy voting equipment until that process has been 
completed.
    Dr. Wagner. It is a difficult question with a complex 
answer. I would say despite the flaws and the deficiencies in 
the certification process, I believe that many of the systems 
out there, for instance, the systems that provide a voter-
verified paper record, if they are used appropriately, can 
provide a good basis for trust in our elections.
    However, I have serious concerns about the use of paperless 
e-voting systems.
    Mr. Norden. I would echo exactly what David Wagner just 
said. If we are going to continue using these systems, and I 
think to a certain extent there is no choice, that for the next 
few elections we have to, we need to ensure that we have paper 
records and that we are using those paper records to check the 
electronic tallies that we get at the end of election day.
    Mr. Washburn. I once knew a whitewater outfitter who used 
to say there comes a point in the river where there is no way 
out but through, and I think we are at that point with the 
current crop of systems. There is no way it is going to be 
fixed in time.
    But that said, as Mr. Wagner said, certain systems are less 
vulnerable than others, and specifically what you want is a 
system that provides an objective record, that the voter has 
made, that might possibly contradict what the electronics are 
telling you. Systems that don't have that are inherently more 
vulnerable.
    Mr. Slingerlend. I think paper systems are great for Third 
World countries. I like your comment about if you can't find a 
way I will go through it. I think we are on the cusp, with EAC 
and NIST, to making progress in an area that was never 
sufficiently addressed before, and you should press on.
    I mean, I think that this country should press on with 
electronic voting system, and you have smart people that care, 
that are in charge of this activity now. Go with it. That would 
be my recommendation.
    Mrs. Maloney. Thank you.
    Mr. Clay. Thank you, Mrs. Maloney.
    Let me thank all of the panel for their testimony today, 
and thank our gracious host, again, Representative Maloney, for 
inviting us here today. I think that the hearing brought out 
the fact that we must be able to verify the reliability and 
security of our Nation's voting machinery.
    The EAC, the States, and local election authorities, must 
work hand in hand to ensure that our elections are conducted in 
a manner that gives our citizens the utmost confidence in the 
election process.
    Vendors of election machines should not be paying labs, and 
all machines must have a verifiable paper trail.
    H.R. 811, introduced by Representative Holt of New Jersey, 
would apparently give us that extra protection, and Congress 
needs to move on it.
    The certification process must be transparent, and sunshine 
must be allowed to expose the process. We must get the voting 
procedure correct the first time in New York and across this 
Nation, and I will yield to my friend for closing remarks.
    Mrs. Maloney. I want to thank all of the panelists for 
coming, and my colleague and good friend, Mr. Clay, for having 
this Federal hearing. It is obviously a critical issue. What is 
more important than the security of our voting machines? And it 
is a part of our democracy, it is a top priority and one that 
we will continue to pursue as a Congress and as a committee.
    I am delighted that tomorrow, Congress Holt's bill, on 
which he has worked for 8 years, will be marked up in committee 
and I hope it will move to the floor and be passed. It will 
strengthen it and address many of the issues that you brought 
up today. The need for a verifiable paper trail to check the 
electronic voting. The need for checking conflicts of interest, 
that the payment by vendors will go to the EAC who will then 
select the testing labs to find out how accurate they are.
    It provides funding for purchasing these machines, and for 
audits. It is very important to have an independent audit, to 
see if they are working properly.
    All of you have helped move this country forward to a 
safer, more reliable voting system, and I thank all of you for 
your tremendous contributions to it. Nothing is more upsetting 
than hearing questions about more people voting than were 
registered and more people voting than signed up to vote on the 
machine, and all types of really questionable items, that 
really, you expect to be happening in Third World countries, 
not in the great democracy of the United States.
    So we need to correct it, we need to all continue with 
oversight, and to continue with our eye on making sure that 
these elections are as safe as they possibly can be, and I want 
to thank all of you for your research, your time, for being 
here today, and for your continued commitment for safe and 
reliable voting machines and election system in the United 
States. And all the advocates.
    Mr. Clay. Thank you so much, Representative, and at this 
time we will excuse the panel, gavel the committee to a close, 
and hold an impromptu press conference with Representative 
Maloney and myself for members of the press.
    Without objection, the hearing is adjourned.
    [Whereupon, at 11:30 a.m., the subcommittee was adjourned.]
    [Additional information submitted for the hearing record 
follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                                 
