New Pilot Project RABET-V Tests Security of Election Technology
Securing the nation’s elections goes beyond the voting machines that are used to cast and tally ballots on Election Day. Electronic poll books, election night reporting systems, electronic ballot delivery, and other non-voting election technology systems also need to be secured. The Center for Internet Security (CIS) is piloting a new process called RABET-V for verifying the security of this non-voting election technology.
Closing the Gaps in Securing Non-Voting Technology
The Help America Vote Act (HAVA) defines voting systems and establishes a means for testing them. Non-voting election technology (i.e., all the other election technology) doesn’t currently have an equivalent means for testing. Non-voting election technology, such as electronic poll books and election night reporting sites, are often internet-connected and trusted to provide important election administration services.
CIS recognized the criticality of these technologies to the security of elections and worked with a community of election stakeholders to release a guide for Security Best Practices for Non-Voting Election Technology in October 2019. Shortly thereafter, CIS convened a group of election officials, election technology providers, and other industry stakeholders to discuss how to verify the security of non-voting election technology. This new process for testing election technology is based on modern software development and testing practices.
The first public details of this process were released in late January 2020 in our National Association of Secretaries of State (NASS) Winter Conference white paper entitled How to Improve Election Technology Verification.
There can be numerous challenges with verifying non-voting technology. The primary challenge is conducting a verification process which supports rapid product changes, such as the ones required to keep internet-connected technology constantly patched, while continuing to provide assurances of security, reliability, and usability. To address this challenge, the RABET-V process takes a risk-based approach to verify product revisions, where the risk estimate is based heavily on the product architecture and the provider’s software development processes.
Better system architectures and more mature internal software development processes yield lower risk estimates and more time- and cost-efficient verification cycles. This creates incentives for sound architecture and development practices early on. RABET-V is also designed to take advantage of modern software development, testing, and deployment practices and tools. By deploying a risk-based process and leveraging modern practices and tools, RABET-V can provide high confidence, flexible, rapid, and cost-effective process for verifying non-voting election systems.
RABET-V Pilot Program and Steering Committee
CIS is partnering with its U.S. Federal, State, and industry partners to conduct a RABET-V Pilot Program in 2020 to evaluate and refine the RABET-V process and address open questions from both technical and non-technical perspectives. This effort will be guided by a Steering Committee comprised of election officials, election technology providers, and other election infrastructure stakeholders.
RABET-V Public Project Repository
There are many details of RABET-V still to be developed, reviewed, and evaluated. CIS has set up a public GitHub repository to manage this and engage the broader community for help. To follow along with the pilot project or to contribute to its development, check out the RABET-V Pilot Program GitHub Repository.
Additional information about RABET-V can be found in the white paper How to Improve Election Technology Verification:
- Background information
- Benefits of this approach
- Process and testing rules
- Activity descriptions
- Pilot program and open questions
Get your copy today!