Response From Sequoia Voting Systems to the California Secretary of State's Office on the Top-to-Bottom Review of Voting Systems

Business Wire, July 30, 2007

Public Hearing

SACRAMENTO, Calif. -- This document is Sequoia Voting Systems' initial response to the California Secretary of State's office on the Red Team Penetration Testing and Accessibility portions, issued July 26th, of the Secretary's "Top-to-Bottom Review" of Sequoia's voting equipment currently used in 21 of California's 58 counties.

Nothing in life happens in isolation. As we have stated many times, as have our nation's election officials, elections are a complex system made up of not only election equipment, but the people and the processes surrounding that equipment. California's Top-to-Bottom Review was not conducted in a true election environment or in accordance with ISO 15804, Common Criteria for Information Technology Security Evaluation and/or ISO/IEC 17799:2005. This was not a security risk evaluation but an unrealistic worst case scenario evaluation limited to malicious tests, studies and analysis performed in a laboratory environment by computer security experts with unfettered access to the machines and software over several weeks. This is not a real-world scenario and does not reflect the diligence, hard work and dedication to the stewardship of our nation's democracy that our customers - and all election officials - carry out every day in their very important jobs of conducting elections in California and throughout the United States.

As stated by our company many times in the past, with a Voter Verifiable Paper Audit Trail (VVPAT) that was pioneered by Sequoia in actual elections in 2004 and post-election checks that are already established by law and regulation, none of these attacks described in the Red Team report are capable of success. All would be prevented or detected through use of the VVPAT and legally sufficient audits.

Red Team penetration testing is a well-known technique in the security industry. It is normally performed in a manner by which the system, in its native operation mode, is subjected to attacks from the Red Team, which is given various levels of knowledge regarding the system based on what the team is expected to emulate - insider threats, outsider threats, or ad hoc (a less defined test plan that can cross both insider and outsider threat boundaries).

In this case, the stated objective was to emulate both insider and outsider threats. However, the test plan actually employed suffers from misapplication of this methodology:

The Red Team had no corresponding Blue Team (friendly to the system under study) to emulate traditional and current election security practices. In short, the Red Team was able to, using a financial institution as an example, take away the locked front door of the bank branch, remove the security guard, remove the bank tellers, remove the panic alarm that notifies law enforcement, and have only slightly limited resources (particularly time and knowledge) to pick the lock on the bank vault. Such a scenario is implausible. Furthermore, the equipment tested was not taken through the prescribed pre-election logic and accuracy testing and preparation, which would have included the addition of tamper evident seals. These seals, for example, would have precluded many of the attacks on the system.

The methodology used implies that election authority "insiders" have unlimited access to equipment, with no surveillance of their activities through automated methods. This is untrue. Election jurisdictions have several methods of insider deterrence and apprehension. These include cameras in the elections warehouse and computer rooms, audit logging on election database servers and workstations, and laws that make tampering with election equipment a felony at both state and national levels.

In summary, a more effective test would have been for the Red Team to have attacked a simulated target jurisdiction. Said jurisdiction would have prepared the equipment in keeping with traditional, current, and legally mandated equipment and procedural safeguards. The results of this test would have pointed out true weaknesses in election process security and provided real data from which governments could have improved their security profile. As it stands today, all that has been proven is that any computerized system, removed from its environment and placed, in this case almost literally, out in the street or into a laboratory for anyone to tamper with, can be successfully attacked. The data is thus unfortunately muddled by the inappropriate test methods, forcing governments to separate the wheat from the chaff of its ramifications for secure elections.

Sequoia will address each and every attack scenario in the Red Team report, its implications and mitigations as well as the points in the Accessibility Report.

In this presentation today, I will go through many of these points with you at a high-level summary and give some examples in the interest of our allotted time to present here today. We will share more information this week in response to both of these reports.

As for the Accessibility report, Sequoia's equipment complies with all requirements of the current 2002 VVSG as well as all California state requirements. Sequoia has worked with both national and local accessibility groups to design our voting system and we continue to do so in an effort to make all of our voting equipment as accessible as possible and continually improve our products as advances are made in technology to better assist persons with disabilities.


Content provided in partnership with Thompson Gale