Hart InterCivic Responds to California SOS Top-to-Bottom Review
Jurisdictions in California Run Successful Elections Using Hart InterCivic Election Technology
Hart InterCivic today testified to the California Secretary of State that the Hart Voting System is safe, secure and accurate, in response to her office's findings in a top-to-bottom review of voting systems used in California.
"Election security is about People, Processes, Procedures, Policies, and Technology," said Neil McClure, chief technology officer for Hart InterCivic, a leading national provider of elections systems. "The procedures and processes must be implemented, and followed, along with the system’s technical security features. We continually work to improve security, both through technology and through working with our customers on processes and procedures."
The Secretary of State's Red Team report only examined technology vulnerabilities when given unfettered access in a laboratory setting to all technical documentation and source code information of the voting systems being tested. The report states that the Red Team did not ‘make assumptions about compensating controls or procedural mitigation measures that the vendor, the Secretary of State, or individual counties may have adopted.’
A better approach, said McClure, would be to define a realistic threat that faces all layers of security in an election.
"A threat model is not just about technology but includes other system-relevant elements, such as the operating environment, characteristics of typical users, functional requirements, motivation of attackers, to name a few," McClure said.
In real-world election environments, the Hart Voting System is used successfully by over 300 customers throughout eleven states: California, Colorado, Hawaii, Illinois, Kentucky, Ohio, Pennsylvania, Tennessee, Texas, Virginia and Washington. Two of the nation's largest voting jurisdictions – Harris County, Texas, and Orange County, Calif. – have adopted electronic voting using Hart technology.
"We have found several inconsistencies, alternate conclusions, omissions and errors in the report. It is critical that these items be addressed before any action is taken based on the report," said McClure. "It was disappointing, and a disservice to the public, that none of the well-designed security aspects of the Hart Voting System were acknowledged in the report."
McClure cited an example in the Red Team report that a device can force the system to issue voting access codes, which is analogous to issuing a blank paper ballot. The time and skill needed to attach a device and to overcome physical and procedural security measures would make casting extra electronic ballots much less likely than stealing extra paper ballots. Additionally, the report neglected to state that security features in the Hart Voting System would prevent the extra access codes from activating before printing, which would alert the poll worker to a problem.
In another example, the Red Team did not take into account the fact that the Hart Voting System has three duplicate originals of the Cast Vote Records in three independent storage locations. An attacker would have to attain access to and modify all three original records identically, in addition to the paper VVPAT record, in order for a successful attack to take place.
"This report is an important tool, but must be used responsibly. We look forward to continuing to work with the Red Team to address the unresolved open issues in the report. We are interested in continually improving our system and an excellent source of input is from third-party, independent reviewers," McClure said.
The full text of McClure's testimony is now available.
Hart InterCivic is a leading national technology and services provider for state and local government election, records management, and now GIS-integrated database solutions. Nearly a century ago, Hart InterCivic started as a company focused on printing forms for local governments in Texas. The company has evolved into a leader in software and service solutions for the public sector. Hart's business values are centered on heritage, integrity, reliability and personalized customer service. A recipient of the Samaritan Center Ethics in Business Award, Hart InterCivic is a privately held corporation based in Austin, Texas.