For almost a decade, Ciber Inc. was one of three Independent Test Authority (ITA) labs that were authorized to hire themselves out to voting machine manufacturers for inspecting and testing their voting machines to federal standards. The testing was a crucial part of the process that led to ultimate qualification of those machines for use by the voters. Ciber, along with SysTest and Wyle Labs, held a very lucrative position in what has become the boondoggle of certifying voting systems. They receive test procedures written by the vendors and a hefty check from those same vendors and, apparently in Ciber's case, they don't do the paperwork or testing required before passing the voting systems on to the voters to use.
The New York Times recently reported that Ciber has been temporarily barred from doing any testing under the Election Assistance Commission's (EAC) interim testing and certification program. This action was taken against Ciber after the EAC found that it was not following its own quality-control procedures and could not document that it was conducting all the required tests.
The Times article also pointed out that Ciber is under fire from analysts hired by New York State over its plans to test new voting machines for the state. This was initially reported last October by Howard Stanislevic for VoteTrustUSA.
In his article Mr. Stanislevic points out:
NYSTEC, a not for profit spin-off from the US Air Force's Research Laboratory at Rome, NY, was hired by the State Board of Elections to conduct an independent review of the voting system test plans issued by one of the three so-called Independent Testing Authorities that test voting systems on behalf of their manufacturers, CIBER, Inc., previously hired by the state.
NYSTEC's report is highly critical of CIBER, stating that the ITA's test plan for the state's new voting systems lacked numerous security and functional testing requirements of the 2006 NY State Election Law, the EAC's 2005 Voluntary Voting System Guidelines Vols. 1 & 2, and NY State's Voting System Standards.
According to the NYSTEC report, some of the items omitted from the ITA's test plans were:
- a requirement for voting systems to not include any device or functionality potentially capable of externally transmitting or receiving data via the Internet, radio waves or other wireless means;
- a requirement for the voting system software not to contain any 'viruses', 'worms', 'time bombs', and 'drop dead' devices that may cause the voting system to cease functioning properly at a future time;
- a requirement for voting systems to provide a means by which ballot definition code may be positively verified to ensure that it corresponds to the format of the ballot face and the election configuration.
Furthermore, CIBER's Security Master Test Plan did not specify any test methods or procedures for the majority of requirements. CIBER has stated that these will be provided in another phase of the project.
On the day of the New York Times article, officials in New York showed they have some integrity (something that appears to be missing from the EAC) by announcing that they may now suspend all state testing of voting systems. The article reporting the announcement relates:
Officials at the federal Election Assistance Commission delayed accrediting Ciber in July, after detecting problems in Ciber's quality-control procedures. The company has long been criticized by voting watchdog groups, but some state elections officials said on Thursday that they only learned of the federal commission's decision after details of it were published Thursday in The New York Times.
"If we had known that, and if we had seen the report from them, we would have known why they were decertified, and maybe we wouldn't have hired them to begin with, or maybe we would have made some remedial changes," said Lee Daghlian, a spokesman for the New York State Board of Elections.
Mr. Daghlian said the board had requested a copy of a report prepared by the federal commission and would review it before making a final decision.
"It may not delay use of the new machines," he said. "If this report comes in and it's something really bad that we didn't know about, we may have to start all over again."
The action, or inaction, by the EAC leaves us with a lot of questions. Why did the EAC not tell us - the voters, the taxpayers, their bosses - that they had questions about one of the labs that certifies voting systems? I think we all would have liked to know about that. Though the document, "Interim Accreditation Program", inconspicuously posted on the EAC's website and dated August 2006, lists only the two ITAs that are presently accredited, Wyle and SysTest Labs, the EAC has done nothing else to inform either state election officials or us - the ones who pay for the accreditation process - of Ciber's failure to comply with the required testing procedures.
The Associated Press quoted EAC Chairwoman Donetta Davidson's response:
Davidson cautioned that federal testing of voting machines by labs like Ciber is just "one of three prongs" since most states and counties also conduct their own tests.
"There are a number of layers of testing," Davidson said. "I think it's very important voters do realize how secure the process is."
Ms. Davidson's comments demonstrate the disregard for facts that seems to be more and more typical of the EAC commissioners. Ms. Davidson came to the EAC from a position as Secretary of State of Colorado. She knows full well that most states rely on the national qualification process as the first and most important step to ensure that the voting systems they purchase are capable of doing the job they were built to do. The federal testing is not "one of three prongs". It is not a co-equal process with state and county testing. It is, instead, the first step required by law in most states. Those states cannot even examine new voting systems until they have assurance from the ITA that the systems meet federal standards. Most of those states do not look at the code. Instead they rely on the ITA process to ensure that source code, firmware, and hardware all meet federal standards.
In a later reported interview with reporters from the Denver Post, Ms. Davidson showed, again, that she is not concerned about the lack of integrity of the companies involved in building, testing, or marketing voting systems. Ms. Davidson contradicts the very actions of her own government agency and repeats excuses given in interviews by Ciber representatives in attempts to defend their actions.
Testers in Ciber's Alabama office didn't adequately document their work, according to officials with the U.S. Election Assistance Commission.
But the same federal officials said Ciber's problems are not about shoddy work but about shifting government standards for voting-machine testing.
"I think they kept good documentation; we're just requiring more," said U.S. Election Assistance Commission chairwoman Donetta Davidson, former Colorado secretary of state.
Meanwhile, EAC Commissioner Gracia Hillman has also joined in the quest to defuse this situation and to cover for Ciber. Part of the ITA accreditation process is an on-site inspection by a representative of the EAC. There are unconfirmed reports that this visit was accomplished last summer and that the resulting report and Ciber's response to that report are what has held up Ciber's accreditation. Yet The Journal News (NY) reports the following:
New York officials said they read in a published report that the Election Assistance Commission has known since last summer that there were inadequacies with the way Ciber Inc. of Greenwood Village, Colo., was performing tests on machines and documenting results.
"At the present time, until we get that report in our hands and have a chance to review it, I can't comment myself that we are fully comfortable that all of those issues have been addressed," said Peter Kosinski, co-executive director of the state Board of Elections.
But Commissioner Gracia Hillman of the Election Assistance Commission said Thursday there is no such report.
No such report? If there is no report on the testing procedures used by Ciber, on what basis did the EAC refuse to accredit them?
And what of the voting systems that Ciber was supposed to test but either failed to properly test or failed to properly document their testing? Is the EAC going to question the certification of those systems? Will those systems be retested by another lab that will do the job they are paid to do? The answer is "No". According to Jeannie Layson, spokeswoman for the EAC, "The EAC cannot decertify a system that was qualified by NASED. To obtain an EAC certification, a manufacturer must submit its system for testing under our program."
Ms. Layson's statement is not backed up by the Help America Vote Act of 2002 (HAVA). Section 202 of HAVA gives the EAC the power to decertify voting systems. And Section 231 tells the EAC that they must have an accreditation and certification program within six months of the establishment of voting systems standards. In the interim period, voting system certification, decertification and recertification can be done by another entity. In this case the National Association of State Elections Directors (NASED) has been doing that job.
And what of NASED and the job they did? A large part of the certification process was done by the NASED Technical Board chaired by Sandy Steinbach of the Iowa Secretary of State's Office with members Steve Freeman, Paul Craft and Brit Williams. (More on this group can be found here, here and here)
Why did this group, whose responsibility it was to review the documents supplied by the ITAs, fail to recognize that Ciber was not following its own quality control program and not documenting all of its tests? Either they ignored the omissions or never looked for them. The omissions seem to have been apparent enough to the New York state analysts and even to the EAC. Why were they not apparent to four people who were appointed to a board whose purpose was to specifically look for those problems?
Even though the information released by the Times is new, questions surrounding Ciber's testing procedures aren't. According to a press release from then-California Secretary of State Bruce McPherson dated 17 February 2006, the state announced that on 20 December 2005 they had requested that a federal ITA do a review of the Diebold voting systems used in the state. This review was a result, in part, of released information that Diebold's software had 'interpreted code' installed. This 'interpreted code' is expressly forbidden by the Voting Systems Standards used for all voting system certification testing. On 23 February 2006, the ITA provided a report that led, in large part, to the recertification, by the state of California, of all Diebold voting systems. The ITA was Ciber.
Ciber has clearly not conducted itself properly in the independent testing of our voting system software. Perhaps they have gotten lax in their procedures because they are paid to do their work by the vendors and the final product eventually goes to the voters who never see the documents from the ITA? Between the ITA and the voters has been a panel that apparently hasn't done due diligence in their work. The vendors don't seem to care as long as their systems are approved for sale and use.
But what of the actions of the EAC? No action is taken by the government without a ream of paper to explain why that action was taken. The EAC's accreditation process includes a visit to the lab and an inspection by an EAC representative. Why is Commissioner Hillman denying that a report from the inspector exists? If no report of the deficiencies existed, how would the EAC know Ciber didn't comply with the accreditation standards? How would Ciber know what procedures they need to correct?
And why is Commissioner Davidson using the same talking point that Ciber is using to spin their failure to qualify? "Shifting government standards for voting-machine testing" simply means that Ciber's testing procedures are inadequate. Wyle and SysTest had no problems qualifying to the new standards. Why has it taken Ciber over six months to do what the other two ITAs were able to do almost immediately? We the people, the voters, the tax-paying public who are paying for all of this deserve to have answers - not half-truth, cover-up, spin, or obfuscation.