Local Election Officials Perceptions about Electoral Process Maturity and Voting Guidelines: A Case Study

The Helping America Vote Act (HAVA) of 2002 established electoral process maturity as tenets of a working democracy. HAVA was designed to promote technological innovation and processes to strengthen voter accessibility while streamlining the business process for capturing the intent of the voter. However, a problem at the center of the movement toward technological innovation was the maturity of electoral process maturity. Mature security guidelines are highly controlled and reliable processes designed to help local election officials (LEOs) establish and improve upon the security processes required to prevent tampering and to detect gaps in chain of custody. County recorder and election offices (CREO) throughout the United States have generally found that HAVA is out of date with the modern computing technologies used to support electronic voting, and does not address the risks posed by tampering. Local election officials may have not been trained to recognize attempts at electronic voting machine (EVM) tampering or to detect the introduction of nonvendor-approved devices to EVMs. This qualitative case study assessed the extent of potential deficiencies in security awareness training and explored how to improve electoral process maturity for EVMs utilized in the southwestern US. Six LEOs were recruited according to a set of selection criteria. The interview participants were also asked to participate in a focus group discussion. Qualitative data were analyzed using thematic analysis to identify common themes from the responses of participants. The study identified security awareness and training needs for LEOs that might enable them to detect EVM tampering. Studying how outdated legislative practices may contribute to a diminished condition for the maturity of EVM security, can lead to the creation of better guidelines to detect and mitigate system tampering. As such, the results of this study confirmed that current guidelines do provide direction to LEOs for maintaining adequate physical security for EVMs as well as some support for strengthening system custodial accountability as mandated by HAVA. However, EVM guidelines as currently administered do not completely address known issues associated with the prevention of EVM tampering. More specifically, current guidelines do not incorporate security controls for mitigating attempts against system chassis breaches by an attacker. With these results, it is recommended that more resilient physical security requirements can be used to assess EVM vendor security procedures, in alignment with Payment Card Industry (PCI) Hardware Security Module test procedures (PCI-HSM). The results of this study also identified the benefits of implementing third-party security reviews of vendor security guidelines and training procedures.