Summary

Since the 2000 national elections, concerns have been raised by various groups regarding the election process, including voting technologies. Beginning in 2001, GAO published a series of reports examining virtually every aspect of the elections process. GAO's complement of reports was used by Congress in framing the Help America Vote Act of 2002, which, among other things, provided for replacement of older voting equipment with more modern electronic voting systems and established the Election Assistance Commission (EAC) to lead the nation's election reform efforts. GAO's later reports have raised concerns about the security and reliability of these electronic voting systems, examined the EAC's efforts to address these concerns, and surveyed state and local officials about practices used during the 2004 election, as well as plans for their systems for the 2006 election. Using its published work on electronic voting systems, GAO was asked to testify on (1) the contextual role and characteristics of electronic voting systems, (2) the range of security and reliability concerns that have been reported about these systems, (3) the experiences and management practices of states and local jurisdictions regarding these systems, and (4) the longstanding and emerging challenges facing all levels of government in using these systems.

Voting systems are one facet of a multifaceted, year-round elections process that involves the interplay of people, processes, and technology, and includes all levels of government. How well these systems play their role in an election depends in large part on how well they are managed throughout their life cycles, which begins with defining system standards; includes system design, development, and testing; and concludes with system operations. Important attributes of the systems' performance are security, reliability, ease of use, and cost effectiveness. A range of groups knowledgeable about elections or voting systems have expressed concerns about the security and reliability of electronic voting systems; these concerns can be associated with stages in the system life cycle. Examples of concerns include vague or incomplete voting system standards, system design flaws, poorly developed security controls, incorrect system configurations, inadequate testing, and poor overall security management. For the 2004 national elections, states' and local governments' responses to our surveys showed that they did not always ensure that important life cycle and security management practices were employed for their respective electronic voting systems. In particular, responses indicated that the most current standards were not always adopted and applied, security management practices and controls were employed to varying degrees, and certain types of system testing were not commonly performed. Moreover, jurisdictions' responses showed that they did not consistently monitor the performance of their systems. In GAO's view, the challenges faced in acquiring and operating electronic voting systems are not unlike those faced by any technology user--adoption and application of well-defined system standards; effective integration of the technology with the people who operate it and the processes that govern the operation; rigorous and disciplined performance of system security and testing activities; reliable measurement of system performance; and the analytical basis for making informed, economically justified decisions about voting system investment options. These challenges are complicated by other conditions such as the distribution of responsibilities among various organizations and funding opportunities and constraints. Given the diffused and decentralized allocation of voting system roles and responsibilities across all levels of government, addressing these challenges will require the combined efforts of all levels of government, under the leadership of the EAC. To assist the EAC in executing its leadership role, GAO has previously made recommendations to the commission aimed at better planning its ongoing and future activities relative to, for example, system standards and information sharing. While the EAC agreed with the recommendations, it stated that its ability to effectively execute its role is constrained by a lack of adequate resources.