Clinic Researchers File Comment on Risk Asssessment with EAC
Clinic researchers have filed a comment with the U.S. Election Assistance Commission (EAC), asking the EAC to revise a proposed statement of work (SOW) concerning voting system risk assessment.
According to the SOW, the EAC will use the results of the risk assessment to create security requirements in the next version of the voluntary voting system guidelines (VVSG), which many states adopt as standards for their voting systems.
The comment (written by research fellow Aaron Burstein, School of Information PhD candidate Joseph Lorenzo Hall, clinical professor and Samuelson Clinic director Deirdre Mulligan, and UC Berkeley computer science professor David Wagner) points out that a structured risk assessment for voting systems is badly needed; but the proposed SOW sets unrealistic goals.
Specifically, the SOW would require quantitative risk assessments for a variety of abstract voting system models. Given how little is known about voting system threats, the expectation of fully quantitative and meaningful risk models is premature.
The comment suggests that a better focus for this effort is to identify, as fully as possible, the threats to voting systems; to assess what it would take for an attack to succeed or an accident to go undetected; and to devise ways to prevent these events or mitigate harm should they occur.
Other changes suggested in the comment include:
* Subjecting the identification of threats to full public review;
* Making any risk assessment tools (including software and documentation)freely available to the public;
* Specifying models and tools that are appropriate for particular audiences; and
* Ensuring that the contractor selected to perform the assessment is free from conflicts of interest.