'CIBER Has Absolutely No Idea What It's Talking About'
Testing Secrecy Has Allowed CIBER to Profit From Sloppy Work
By Michael Richardson on 2/1/2007, 1:57pm PT  

Guest Blogged By Michael Richardson

CIBER, Inc., the nation’s largest so-called “independent test authority” (ITA) of electronic voting machines, is at the center of a growing scandal about lax testing of voting equipment. The recent release of a long-kept secret assessment of the company by the Election Assistance Commission (EAC) detailing a shocking record of sloppy, incomplete or non-existent testing by CIBER led the test lab’s CEO, Mac Slingerlend, to call the report “old news” in an interview with the Rocky Mountain News.

While CIBER’s shortcomings may be “old news” to Slingerlend, unaware election officials around the nation are angered at not being informed by the EAC prior to the November 2006 elections about voting machine models “tested” by CIBER in use by 68.5% of the registered voters in the country.

Last year the EAC took over testing responsibilities for electronic voting machines from the National Association of State Election Directors (NASED) and refused to grant CIBER interim accreditation because of numerous deficiencies at the test lab located in Huntsville, Alabama.

Slingerlend and CIBER founder Bobby Stevenson both took advantage of the “old news” to unload thousands of shares of stock between the non-accreditation and its public disclosure by the New York Times in January. Stevenson sold $1.6 million worth of CIBER stock during the half-year of silence by the EAC about the non-accreditation. Slingerlend sold 7,500 shares in August 2006, two weeks into the EAC blackout after CIBER lost its authorization to test voting machines. In December, Slingerlend unloaded another 10,000 shares fetching him a total of $116,569 before the secret report became public information.

Although CIBER’s failures are news to the public and many election officials around the nation, they are indeed “old news” to those in the know. CIBER’s chief voting machine technician is Shawn Southworth and he has been doing questionable work for years.

In 2002, Georgia’s 22,000 Diebold touch-screen voting machines all had to be “patched” in the weeks before the November election following CIBER testing of the software used to operate the machines. Although Southworth had certified the machines as good to go, they froze up instead. Kara Sinkule of the Georgia Secretary of State’s office would later explain: “The patch repaired a communication issue between the TS units operating software (WIN CE 3.0) and the voting software. From time to time communication between these two elements would be interrupted and a screen freeze would occur on the voting unit. The patch ensured the two elements remained in constant communication, thus eliminating screen freezes during voting.”

In 2003, Ohio Secretary of State Ken Blackwell had independent studies conducted of the state’s ITA certified voting machines. Compuware Corporation reviewed both software and hardware of the state’s four voting machine vendors, after CIBER had approved vendor software, and discovered 57 security risks in the four systems including high risk flaws.

BlackBoxVoting.org was able to obtain copies of CIBER’s test reports to NASED from 2003 for Diebold and VoteHere voting machines, which admit, “Penetration Analysis not reviewed by software ITA.” Despite the blatant admission of security non-testing of the software, the machines were certified for use by voters. Of course, the CIBER report was marked “Proprietary” and not released to the general public in a timely manner.

In 2005, a computer-savvy voter, John Washburn, studied the Wisconsin voting machine certification process and presented his findings to the Wisconsin State Board of Elections. Washburn found, “Neither Ciber nor Wyle [another ITA] provided in any of the reports the system identification….This means it is impossible to tell which system the reports apply to.”

Further, “The Ciber report was so short and incomplete it is impossible to tell what if any testing was done or more importantly how such testing was done. The NASED number, N-1-06-22-22-001, for the systems was issued on June 27, 2005 but the ITA reports were not completed until August 4, 2005. This means the NASED number was issued before the NASED Voting Systems Board had received the test results.”

“In conclusion, the failure of the NASED ITA system in general and the particular failures of Ciber Labs (in all of its prior incarnations) to perform adequate testing of voting machines is a problem stretching back for more than a decade. This means that voting systems have been approved by “ITA” labs and state election officials have relied upon those approvals. Because of this elections have been held using voting equipment which has never been adequately tested.”

In 2006, Colorado’s use of CIBER testing reports drew fire from Dan Wallach of Rice University who conducted a review of Colorado’s electronic voting machines as an expert witness in litigation over use of the machines. Wallach found, “The Ciber report contains absolutely no evidence that they performed a meaningful security analysis of the Hart InterCivic system.”

In discussing CIBER’s test report of ES&S voting machines Wallach cites a CIBER claim that has been redacted from the public record by the Colorado Attorney General, “This statement [redacted] is entirely false!...A statement like Ciber’s directly indicates that Ciber has absolutely no idea what it’s talking about.”

Stay tuned...