Election Systems & Software
11208 John Galt - Omaha, NE 68137
P: 402.593.0101 TF: 1.877.377.8683
info@essvote.com

Thursday, April 5, 2018

VIA UPS DELIVERY
The Honorable Ron Wyden
United States Senate
221 Dirksen Senate Office Bldg.
Washington, DC 20510

VIA UPS DELIVERY
The Honorable Ron Wyden
United States Senate
911 NE 11th Ave., Suite 630
Portland, OR 97232

Dear Senator Wyden,

We are in receipt of your March 6, 2018 letter and appreciate your interest in the security of the systems that are central to safeguarding the integrity of our country's elections. It is clear that we share a common belief that it is of paramount importance to our democracy that the nation's elections infrastructure is never compromised.

As you know, the United States Election Assistance Commission (EAC) is charged with overseeing the testing and certification of voting systems in America. Central to that oversight is the development, maintenance and administration of Voluntary Voting System Guidelines (VVSG). All registered voting system manufacturers in the United States that participate in the EAC testing and certification program must design and manufacture their respective systems in accordance with the requirements of the VVSG, as the EAC strictly applies them in its conduct of the testing programs to which ES&S and other election vendors submit end-to-end voting systems for certification and approval. All voting systems submitted to the EAC are independently tested by laboratories that are accredited by the National Institute of Standards and Technology (NIST).

The first testing standards developed and adopted by the EAC were originally named the 2005 VVSG, which is now referred to as VVSG 1.0. These guidelines, as well as subsequent VVSG issued by the EAC, require that the election management system (EMS) workstation located within an election official's facilities be certified in a "hardened" configuration. Simply put, a "hardened"
configuration means that the EMS workstation cannot contain software applications that are not essential to the conduct of an election, nor can the EMS workstation be connected to an outside network, such as the Internet. This hardening requirement prohibits ES&S, or any other manufacturer that participates in the EAC testing and certification program, from installing remote-connection software on any portion of the EMS workstation.

ES&S submits all of its voting systems for federal certification to the testing and certification program administered by the EAC. To be clear, this testing and certification program requires that EMS workstations be hardened, thus prohibiting the inclusion or use of any remote-connection software.

We do find it troubling that despite the hardening requirements imposed by the EAC and followed by ES&S and other voting system manufacturers, your home state of Oregon has chosen not to follow this recommended practice, contrary to the fact that ES&S specifically urged them to do so. Please see the enclosed letter from the Elections Division of the Oregon Secretary of State.

Prior to the inception of the EAC testing and certification program and the subsequent requirement for hardening and at customer's request, ES&S provided pcAnywhere remote connection software on the EMS workstation to a small number of customers between 2000 and 2006. The EAC required that, starting December 13, 2007, voting systems be tested and certified according to the 2005 VVSG (now known as VVSG 1.0). In accordance with that requirement, ES&S discontinued the installation of pcAnywhere software on EMS workstations.

Prior to the inception of the 2005 VVSG, remote connection software was used solely to enable effective and timely customer support and was considered an accepted practice by numerous technology companies, including other voting system manufacturers.
The use of the tool could only occur through approval by the customer, who had to initiate the remote connection and was prescribed only after all other troubleshooting efforts were exhausted.

As technology has evolved, customers have since migrated to VVSG-tested and certified voting systems that require a hardened configuration. We have confirmed that the EMS workstations originally configured with the remote connection software no longer have this application installed.

It is also critical to understand that this remote connection support model was never used, nor was it ever possible to be used, on any voting devices (tabulators and/or ballot marking devices), as voting devices do not contain the required operating system or remote connection software necessary to enable a remote connection. To be clear, ES&S never installed remote connection software on any vote tabulation device it has delivered to a customer, nor has it ever been possible to do so--either before or after creation of the EAC.

As we noted in our October 25, 2017 response to your October 3, 2017 inquiry regarding security practices, we welcome the opportunity to meet with you in person to discuss these important issues. We would also be pleased to welcome you to our offices in Omaha, where you can view first hand our processes and products. We are happy to serve as a valuable resource to you and your fellow members of Congress.

Sincerely,

Tom Burt
President, Election Systems & Software

Enclosures

Maintain Voter Confidence. Enhance the Voting Experience.

OFFICE OF THE SECRETARY OF STATE
ELECTIONS DIVISION
JEANNE P. ATKINS, SECRETARY OF STATE
ROBERT TAYLOR, DEPUTY SECRETARY OF STATE
JIM WILLIAMS, DIRECTOR
255 NE, Suite 501
Salem, Oregon 97310-0722
(503) 985-15111

March 9, 2016

Steve Pearson
Election Systems & Software
11208 John Galt Blvd.
Omaha, NE 68137

Sent via email and USPS

RE: Use of election software on non-hardened computers

To Whom it May Concern:

This letter is to answer concerns about the use of election management software on "non-hardened" computers. Hardened computers are machines that have been stripped of literally everything but the operating system. From what we've been told, ES&S has some concerns about upgrading county customers to newer versions of the Unity software (version 3.4.1.0) unless the software will be installed on a hardened computer.

Federal certification of voting systems (through the Election Assistance Commission) requires the testing to be performed on a hardened computer. That practice makes sense, since it helps ensure that the integrity of the system being tested is not compromised. However, in a live, practical setting of everyday use, we find it acceptable for the software to be run on an un-hardened computer.

The Elections Division of the Oregon Secretary of State approves the use of ES&S software on unhardened computers. This approval applies to Unity software version 3.4.1 as well as Electionware version 5.2.0.0.

Of course, we encourage County Election officials to maintain the security of their election management software by ensuring that their system is not connected to an outside network or the internet.

Please let us know if you have questions or need more information.

Regards,

Jim Williams, Director
Elections Division