Recently there has been a lot of coverage regarding both election system and voting system security. While some of the stories failed to capture the election official perspective many, particularly local stories, did a great job capturing the facts behind the election process. Here are just a few examples:
Michigan Secretary of State Ruth Johnson on the steps Michigan takes to better secure the process.
Mississippi Secretary of State Delbert Hosemann on the steps his state is taking to better secure the process.
Vermont Secretary of State Jim Condos on the threats to and the reality of the process.
Ohio Secretary of State Jon Husted on the steps Ohio takes to secure voter registration databases.
Local Arizona election officials talking about security being a built in part of the ballot counting process.
Florida State Association of Supervisors of Elections on the steps Florida takes to secure the process.
Nebraska Secretary of State John Gale & Iowa Secretary of State Paul Pate discuss the security surrounding the voting systems.
Kansas officials discuss how they are working with their federal partners to ensure the security of voter data.
Connecticut Secretary of State Denise Merrill and local CT officials discuss the security of their process and the probability of an issue.
Colorado election officials discuss the likelihood of a successful attack on their election process and the safeguards that are in place.
Allegheny County, PA officials walk a reporter through their process and the layers of security that are in place.
As you listen and read these articles three themes emerge quickly:
Election officials are aware of the threats, do not take them lightly and are constantly adapting their processes to address new and emerging threats.
Layers of security are built in throughout the process. From chain of custody, to access control, to logging, to auditing election officials work diligently to secure each part of the process.
Threats differ based on the type of system discussed. The risks to the voting systems are not the same as the ones to the voter registration (VR) system. Voting systems are not connected to the internet, are tested at the federal, state and local level (before each election), are monitored throughout the process and in most jurisdictions are audited. The threat to actual votes is less because of these steps and the decentralized nature of the systems.
VR databases because of their network connection require a different set of security steps. Officials monitor logs, have intrusion detection software, take nightly backups so the lists can be restored, and regularly evaluate new cyber threats to ensure the security of the lists.
Voting systems and VR systems are not the same, do not have the same threat profiles and need to be discussed in that way.
Moving forward the EAC is continuing to work with all levels of government to ensure that election officials have the information they need to secure the process moving forward as new risks emerge and election officials adapt.