Archive for the ‘Cybersecurity’ Category

VRC to discuss how-to-proceed on HAVA complaint

October 25, 2019

The Iowa Voter Registration Commission (VRC) will take up my HAVA complaint at its 10am meeting next Wednesday. Details of the meeting are at VR Agenda 10-30-2019.pdf

Here are some events that have occurred since I filed the HAVA complaint on 7/17/2019:

7/19/2019 – Iowa Secretary of State’s Office (SoS) confirms to Associated Press that Iowa’s 14-year-old voter registration system (IVoters) will not be upgraded prior to the 2020 Presidential Election.

7/20/2019 – Published “HAVA complaint filed on Iowa Secretary of State” on this blog.

7/22/2019 – SoS responds to Linn County Auditor’s (LCA) public records request (PRR) seeking correspondence on IVoters development from 1/1/2018 to the present by providing one email from 12/26/2017, and nothing for all of 2018 or 2019. SoS indicates all other records are considered confidential (secret) under Iowa law.

7/22/2019 – Published “Feds trust Pate. Why doesn’t he trust us?” on this blog.

7/26/2019 – LCA requests Auditor of State (AoS) investigate SoS’s usage of $1.05M in FY2019 State funds and $4.8M in Federal funds to determine if the funds have been spent on IVoters upgrades, enhancements, replacement, or security; and to determine how those expenditures benefitted taxpayers.

7/31/2019 – Published “I-Voters: Anyone looking for APTs?” on this blog.

8/1/2019 – Emailed SoS asking for the names of the county auditors assigned to the Cybersecurity Working Group touted by Secretary Pate in a 5/4/2018 press release. To date, no response from the SoS.

8/5/2019 – Published “Saying I-Voters is secure isn’t enough” on this blog.

8/9-11/2019 – LCA and Johnson County Auditor attend DEFCON Hacking Conference in Las Vegas. While there, both host a discussion group on Iowa’s voting system with ethical hackers.

8/12/2019 – Des Moines Register publishes story on my HAVA complaint and my concern that IVoters is vulnerable to hackers. SoS calls me “willfully ignorant”.

8/19/2019 – Director of Elections for SoS “accepts” HAVA complaint and notifies VRC (the presiding officer) of the Administrative Rules requirement that a schedule be established to resolve the complaint.

8/23/2019 – Secretary Pate and others attend a statewide county auditors conference in Des Moines. Pate says he came up with the $7M proposal to replace IVoters by “calling around to other states” to see what they spent to replace their voter registration systems. SoS confirms IVoters will not be upgraded prior to 2020 Presidential Election, and further indicates that no RFI (requests for information) or RFP (requests for proposals) have been issued to replace IVoters.

10/3/2019 – LCA sends PRR to SoS requesting a copy of all contracts related to IVoters since its inception through 12/31/2020.

10/18/2019 – Published “Where are your voter records stored?” on this blog.

10/22/2019 – Assistant Attorney General representing SoS indicates SoS is working on my 10/3 PRR, and they may require longer than 20 days to complete it.

10/22/2019 – Published “Iowa’s voter registration system not designed for today’s technological challenges” on this blog.

10/23/2019 – LCA sends PRR to VRC requesting documents related to IVoters status, updates, and revamp; and provides samples of VRC records containing those items.

10/24/2019 – LCA sends request for information to AoS to answer the question: How can a vendor perform work for the SoS and store voter registration records without being paid by the State?

10/30/2019 – VRC holds meeting on HAVA complaint and other topics.

By Joel D. Miller – Linn County Auditor & Commissioner of Elections

 

Iowa’s voter registration system not designed for today’s technological challenges

October 22, 2019

“The system was built in 2005 and was not designed for today’s technological challenges, including cybersecurity.” 

“… technological advancements are needed to ensure the integrity of our election systems.”

“The system simply was not built for our evolving election methods.”

You write that when you ask for $7,350,000 from legislators.

Source:  An executive summary from the Iowa Secretary of State.

“You might have recently read that I-Voters will not be replaced before the 2020 elections. Replacing the system is a multiyear, multimillion-dollar project and remains on-schedule. It is not something that can or should be rushed into blindly.”

You write that when you did not do your job by replacing I-Voters prior to the 2020 Presidential Election.

Source: Iowa Secretary of State Paul Pate in The Gazette on 7/29/2019

Is I-Voters secure?  Maybe we will learn the answer during my upcoming HAVA complaint hearing.  Joel D. Miller – Linn County Auditor & Commissioner of Elections #trustnverifyivoters

Where are your voter records stored?

October 18, 2019

Iowa law says county commissioners of elections are responsible for the maintenance and storage of all voter registration (VR) records and it also prohibits counties from operating VR systems separate from the Iowa Secretary of State’s (SoS) VR system.

So where are your voter records stored?

You may recall that I filed a HAVA complaint on the SoS?

In doing research for the complaint, I reviewed documentation related to the SoS winning a national award for election cybersecurity.  Specifically, I noticed two references to Arikkan, Inc – see pages 3 and 10, respectively:

In 2017, the decision was made to partner with our IVoters vendor, Arikkan, Inc. to move the statewide voter registration system to a new, privately-hosted, Criminal Justice Information Service (CJIS) compliant data center. This move transferred the system to new hardware, which offered many improvements, including next-generation intrusion detection systems. Programming changes were made for more secure access, and stronger defenses were put in place to protect personal identifiable information.

Spring 2017: The Secretary of State and Arikkan, Inc. partner to move the State Voter Registration Database (IVoters) to a new privately-hosted, CIS-compliant data center. This move transfers the system to new hardware, which offers many improvements, including next generation Intrusion Protection Systems. This also eliminates the need to replace the Iowa Secretary of State’s current infrastructure, which would have cost more than $1 million.

IVoters is the name of Iowa’s statewide voter registration system, i.e., the system all county commissioners of election are required to use.  Per the SoS, Arikkan is our IVoters “vendor” and a “partner” of the SoS.  When you search for Arikkan, you will find that it provides hosting services.

When you search the State’s checkbook for a vendor named Arikkan, you will find that the State of Iowa has never written a check to Arikkan; yet, the SoS states that Arikkan is a “partner” and a “vendor”.

I am certain there is an explanation for the preceding, but when you search for Arikkan, Arrikan, or Arrikkan on the SoS’s Business Entities Search, you also come up empty-handed.

On 10/7/2019, the SoS received a public records request from me seeking information on Arikkan, Inc., as well as other vendors related to IVoters.  I have yet to receive a response from the SoS.

So where are your voter records stored?  I do not know; and I have a right to know.  I am the custodian of those records.  –Joel D. Miller – Linn County Auditor & Commissioner of Elections

Additional references to Arikkan by the SoS (updated 10/22/2019):
Primary Election Voters, Eighteen Year Olds at General Election
Secretary of State Annual Report 2015
Secretary of State Presentation, 3/1/2018

Saying I-Voters is secure isn’t enough

August 5, 2019

Reprinted from the print edition of The Gazette 8/4/2019

I am writing in response to Iowa Secretary of State Paul Pate’s July 30 guest column ‘A model for election security.’ And my purpose is to explain I-Voters and why you should be concerned about it.

I-Voters is our statewide voter registration system. It is a computer system maintained and operated by the Secretary of State’s Office. Voter registration records for more than 2 million voters now are stored in I-Voters.

Every county is required to store its voter registration records on IVoters and every county is required to pay the secretary of state an annual fee to maintain I-Voters. Normally, when you pay someone a fee, you are entitled to know what you are getting in return. That is not the case with I-Voters.

I-Voters went into service in Iowa in 2006. Cybersecurity did not become a hot topic until 2016 – 10 years later. Although I-Voters is running on newer hardware than it did in 2006, that just means the old software, including its flaws, is running faster – not more securely. Let me explain one flaw, which others view as a feature.

Imagine you show up to vote on Election Day and your name is not on the election register. You swear you voted at your precinct in the last election. Heck, you swear you voted in this precinct for the past 30 years. Some of the precinct officials know you and cannot explain why you are not listed on the election register. Yes, you still can vote. Unfortunately, you have to go through the Election Day registration process to register before you can vote.

That takes time and requires proof of who you are and where you reside. What if you don’t have time? Or proof? Now multiply this scenario by ten thousand voters across the state.

How could your name disappear from the election register? One feature of I-Voters is that it allows an election employee – an I-Voters user – in one county to pull your voter registration record from the losing county to the gaining county; e.g., when you relocate from Cedar Rapids to Iowa City.

One flaw of I-Voters is that one employee – not two employees – can pull your voter registration record from Cedar Rapids to Iowa City; i.e., from Linn County to Johnson County. What used to be a ‘feature’ before the age of cyberwarfare now is a ‘flaw.’ I do not know how many other flaws I-Voters has, but that is the one that keeps me awake at night.

When you pay someone a fee, you are entitled to know what you are getting in return. Unfortunately, I do not know what Pate is doing with the millions of dollars he has received to upgrade I-Voters. I thought I-Voters would be upgraded before the 2020 presidential election. On July 19, the Associated Press reported it would not be upgraded until after 2020.

I-Voters is the Achilles’ heel of elections in Iowa. Maliciously remove or relocate a thousand voter registration records in the system just before Election Day, and chaos will ensue.

Time is of the essence, Mr. Secretary.

Telling Iowa’s voters, taxpayers, and county auditors that I-Voters is ‘secure’ is not enough. County auditors do not know what is going on with I-Voters, and they are entitled to know.

I request that you hire a third party, independent cybersecurity firm to assess I-Voters and determine if it is ready for the 2020 elections. In addition, let me and my fellow county auditors on your Auditors’ Advisory Panel observe the assessment, see the results, and monitor the fixes. Nothing is more important.

 Joel Miller is Linn County auditor.

A compilation of news stories on election hacking

August 1, 2019

CALIFORNIA

4/9/2019 – LA Times – Hackers attacked California DMV voter registration system marred by bugs, glitches 

FLORIDA

5/14/2019 – Russians hacked voting databases in two Florida counties in 2016, governor says.  Gov. Ron DeSantis isn’t allowed to disclose which counties

5/22/2019 – Mueller report confirms:  FBI believes Russians hacked Florida county’s voter records

6/9/2017 – How hackers targeted the vote in Florida (spear phishing)

5/14/2019 – Russians Hacked Voter Systems in 2 Florida Counties. But Which Ones?

GEORGIA

11/5/2018 – Georgia Secretary of State calls for FBI vote hacking investigation 

8/14/2018 – 6 million Georgia voter’s records exposed: ‘Could have easily been compromised’

ILLINOIS

9/6/2016 – Accessing the Risk, Damage after Illinois voter rolls hacked

6/21/2017 – US Senate Intelligence Committee – Illinois Voter Registration System Database Breach Report

IOWA

7/13/2018 – Mueller indictment: Russian officials scouted Iowa county elections websites

PHILIPPINES

4/12/2016 – Hackers Expose Philippines Voter Database

USA

6/19/2017 – Wired – The Scarily Common Screw-Up That Exposed 198 Million Voter Records

A CONCERN:  Potential hacking via election equipment/system manufacturers and suppliers

9/21/2018 – Hacks, Security Gaps And Oligarchs: The Business of Voting Comes Under Scrutiny  

6/9/2017 – Fox News – Spear phishing via a vendor (duplicate item)

#trustnverifyivoters

I-Voters: Anyone looking for APTs?

July 31, 2019

I-Voters is the name of our statewide voter registration system. It is a computer system maintained and operated by the Iowa Secretary of State’s (SoS) Office. Currently, the voter registration records for over two million voters are stored in I-Voters.

I-Voters went into service in Iowa in 2006 and every county is required to store its voter registration records on I-Voters, and every county is required to pay the SoS an annual fee to maintain I-Voters. Normally, when you pay someone a fee, you are entitled to know what you are getting in return. That is not the case with I-Voters. Iowa’s county auditors are not privy to any inside information on I-Voters or if I-Voters was the target of hackers or if a county election system was a target of hackers.

I reviewed the two SoS-provided lists below and highlighted the items which mention I-Voters or voter registration. I applaud the SoS, the OCIO, and DHS for building a huge firewall around I-Voters, but what about the backdoors built into I-Voters over the last 13 years? What about the flaws in the software code used to create I-Voters? What about advanced persistent threats (APTs)? What about discontented or compromised contractors/employees with access to the code in I-Voters?

Which of the activities below are aimed at identifying the backdoors, detecting inherent flaws in the software application, detecting APTs, and/or vetting the contractors/employees with access to I-Voters? Your comments are welcome! – Joel D. Miller – Linn County Auditor

List of Activities to Occur Before or During the 2018 General Election Cycle according to attached IA Narrative Budget authored by the Legal Counsel for the SoS on 3/23/2018

• Partnership with DHS on the “Last Mile Project,” to provide security posters for each of Iowa’s 99 counties

• DHS assessments, including Risk and Vulnerability, Cyber Resilience Review, External Dependency Management, Infrastructure Survey, and Phishing Campaign

• Joined DHS Information Network

• Perform weekly vulnerability scan

• Upgrades to firewalls protecting internal network

• Joined the Electronic Registration Information Center, Inc. (ERIC) and will be sending out an Unregistered But Eligible (UBE) mailing by October 1, 2018

• Develop and implement county level incident response plans

• 2 tabletop sessions were held in partnership with DHS for County Auditors, elections staff and county IT professionals

• Create and distribute Curbside Voting Signs to counties for use at polling locations

• Requiring “Securing the Human,” an online cybersecurity training program, to county level staff in partnership with the Iowa Office of the Chief Information Officer (OCIO)

• Cybersecurity training opportunities for Secretary of State staff, County Auditors, elections staff, and county IT professionals through conferences at NASED, The Election Center, and The National Election Security Summit

• The Iowa Secretary of State’s Office hosted two Cybersecurity Workshops for County Auditors, elections staff and county IT professionals to promote free services offered by the OCIO, DHS, and other state and federal partners

• Post-election audits will be conducted following the General Election

• Upgrades to Election Night Reporting system, including increased cybersecurity protections such as two-factor authentication

• Hiring an Information Security Officer and Cyber Navigator

• Partnering with OCIO to offer all interested counties malware protection and an intrusion detection system

• Development of training tools for County Auditors, elections staff and precinct election officials

• Development of communications aimed at reassuring the public confidence in the integrity and security of Iowa’s elections

• Development of communications aimed at educating and encouraging voters with disabilities to vote, including veterans with disabilities

• Creation of a Cyber Working Group with local, state and federal partners

The following list of security measures have been implemented to the voter registration system according to a CBS2/Fox28 news story on 7/22/2019:

-Mandatory two-factor authentication for anyone who accesses I-Voters

-Mandatory cybersecurity training for all SOS staff and all elections staff in all 99 counties

-Constant monitoring of voter registration additions and changes, with weekly reports that detect any irregularities (Note: As of 7/31/2019, I have yet to see a weekly report from the SoS)

-Upgraded firewalls and cybersecurity protection

-Upgraded Election Night Reporting system with increased cybersecurity protections

-Required that e-poll books be encrypted

-U.S. Department of Homeland Security (DHS) has conducted several assessments on state and county systems

-DHS runs a weekly vulnerability scan.

-Iowa’s Office of the Chief Information Officer runs a separate weekly scan.

-Placed an Albert Sensor on the state’s voter registration system (I-Voters)

-Housed I-Voters in a secure, off-site location

-Held table top exercises with the Iowa National Guard, state agencies and county auditors

-Hosted several cybersecurity trainings for county auditors and county IT staff

-Partnered with DHS to create a pilot program on a self-assessment cybersecurity tool

-Developed and distributed the first of its kind, personalized cybersecurity posters to every county, a model DHS has replicated in dozens of states

-Developed training tools for county auditors, their staff and precinct election officials related to cybersecurity

-Partnered with the OCIO to have their Security Operations Center monitor networks on Election Day

-Worked with the Iowa Homeland Security and Emergency Management Department to open their Emergency Operations Center that was staffed by multiple state agency representatives to facilitate Election Day communication

-Coordinated with OCIO, Iowa HSEMD, Iowa Public Safety, DHS, FBI, county auditors and IT department to staff the Department of Public Safety’s Fusion Center on Election Day

-Implemented the first statewide post-election audits in Iowa history

#trustnverifyivoters

IA_Narrative_Budget.pdf

Feds trust Pate. Why doesn’t he trust us?

July 22, 2019

In the private sector, when one company wants to share proprietary data or trade secrets with another company, the two companies enter into a non-disclosure agreement, and anyone violating the agreement is subject to legal consequences.

Governments use security classifications and a “need to know” to justify a lack of transparency.

For example, in 2016, Russian bad actors tried to hack into election systems in Iowa. Until about mid-2018, supposedly only two election officials in the State of Iowa were privy to what the Russians tried to do, and which counties they targeted. I still do not know which Iowa counties were targeted and why, and I am none the wiser as to whether I have the same vulnerabilities as those counties.

Today, I received a response to the public records request (FOIA) mentioned in my HAVA complaint. The response was disappointing – see attached. I requested “… all correspondence regarding Ivoters development from January 2018 to the present date.” The response contained one email dated 12/26/2017 with four vague references (see my highlighted text) to I-Voters, and a letter indicating “additional records … are considered confidential under Iowa Code 22.7.”

Unfortunately, State and Federal officials seem to believe that by avoiding transparency, they are keeping our election systems secure. I believe the exact opposite is true, i.e., their lack of transparency is jeopardizing the security of local election systems run by county commissioners of elections and others. Surely, those officials including Iowa Secretary of State Paul Pate, the current President of the National Association of Secretaries of State, can find a way to share information with the local officials who are responsible for administering ALL elections in Iowa. Why can’t Pate give his county auditor and county auditors across the State definitive proof that I-Voters is secure without jeopardizing the security of I-Voters?

Supposedly, Pate is one of the two election officials in the State of Iowa with a Federal security clearance that provides him with information of the vulnerability of election systems. Is that Federal information less secure because Pate knows about it? The Feds trust Pate. Why doesn’t he trust us? Joel D. Miller – Linn County Auditor & Commissioner of Elections.

0316_001.pdf

HAVA complaint filed on Iowa Secretary of State

July 20, 2019

When have you ever paid over $200,000 for something and did not know what you were receiving in return? That is the amount Linn County taxpayers have paid to the Iowa Secretary of State for I-Voters Maintenance Fees since 2010. And my office just received a bill for another $29,000 for the current fiscal year.

The reason for this complaint is simple. I and my fellow Iowa county auditors have been told for years that Iowa’s voter registration system, i.e., I-Voters, is secure. Yet, over the years we have received little factual information that allows us to draw the conclusion that I-Voters is secure.

On February 11, 2015, Secretary of State Paul Pate named me to his Auditors’ Advisory Group, a bi-partisan group of county auditors. I said then, “I appreciate Secretary Pate reaching out to me to gather input regarding elections, I look forward to working with him over the next few years to come up with solutions that make sense for Iowa.” The Advisory Group has not been convened by the Secretary in over two years.

Some of my peers have advised me to not talk about our voter registration system, fearing the public will misinterpret the talk. How can I assure the voters of Linn County that I-Voters and their voter registration records are secure when I do not know what is going on with it?

For example, has I-Voters been subjected to a cyber security vulnerability assessment? Or a penetration test? And were the tests performed by third-party, ethical hackers who are committed to ensuring the system is secure for the next election? And why did the Secretary’s staff cut off Linn County’s access to I-Voters after I announced I was going to conduct a vulnerability assessment on the election systems physically residing in Linn County?

I don’t know what I don’t know. And I am not going to be “high” on something that I have been kept “in the dark on”, i.e., I-Voters.

I am doing everything I can to keep the elections systems that I am responsible for secure from bad actors. I am a former IT director and a technology project manager, and the current commissioner of elections, and I need to hear more from the Secretary than the words “trust me”.

Again, the reason for this complaint is simple. I do not know what is going on with I-Voters and I need to know, and I am entitled to know.

Joel D. Miller
Linn County Auditor & Commissioner of Elections

REFERENCES:

Pate names Miller to Auditors’ Advisory Group https://sos.iowa.gov/news/2015_02_11.html

Iowa will keep voter registration system for 2020 elections https://www.timesunion.com/news/article/Iowa-will-keep-voter-registration-system-for-2020-14108004.php

HAVA Complaint Letter 7.16.19.pdf
HAVA complaint 7.17.19.pdf
Public Information Request 7.1.19.pdf

DEF CON: A confirmation about the state of elections in Iowa

August 13, 2018

At a recent Iowa State Association of County Auditors (ISACA) meeting in Iowa City, I heard officials from the Iowa Secretary of State’s Office (SoS) discounting the value of any news or reports coming out of the Voting Machine Hacking Village at DEF CON® 26.

I went to DEF CON anyway.  I arrived on Thursday, soaked up as much as possible on Friday, and returned home on Saturday.  As the metaphor goes:  It was like trying to drink out of a fire hose.

Contrary to what the SoS said, I found the opposite.  Every person I met seemed interested in elections, interested in the equipment we use, and interested in showing us the vulnerabilities of the equipment we use with an unexpected twist.  That twist:  What can I do to help election officials fix the problems?

Imagine.  A bunch of techies who cared about our democracy and elections; who were asking tough questions; and receiving accurate answers from researchers who had obviously spent plenty of time studying the voting machines, many still in use across the country.  One of the machines used in Iowa, an ES&S DS650 high-speed scanner (Linn County uses the DS850), was being analyzed by a team of twenty-somethings when I left the Village Friday evening.

I was reinvigorated to see so many strangers excited about voting machines.  I have witnessed many public tests of Linn County’s voting machines over the years where no one attended our public tests.  Maybe that will change going forward?

So what was the value of DEF CON to me and the taxpayers of Linn County?

Confirmation.  Confirmation that Iowa’s biggest election vulnerability is the voter registration database, i.e., I-Voters, managed by the SoS, along with the I-Voters clients in each of the State’s 99 counties, and along with the voter registration databases stored on the electronic pollbooks (ePollbooks) in almost every county.

At one point, I came into the Village just as a couple of techs finished up successfully hacking into an ePollbook (not the one used in Linn County) while NHK Japan’s TV cameras were rolling.  NHK  interviewed me earlier in the day for a story they will broadcast before our November 6th election.

While Iowa has Election Day registration (EDR), which would become the backup for any voters deleted from a voter registration database aka the election register on Election Day; the confusion, frustration, and inconvenience of my 90-year-old mother having to re-register to vote on Election Day would undermine trust in our elections.  And for those states without EDR laws, disenfranchisement would occur.

If you read David E. Sanger’s book – The Perfect Weapon (I am reading it now) – combined with the news reports about the Russians scouting some Iowa counties, you would likely conclude that some fourteen-year-old in Prairieburg is not likely to be motivated to hack into I-Voters unless they were getting a million dollars in Bitcoin to do it.  However, Bitcoins leave tracks; whereas, nation-states have the ability to skew tracks.  Maybe we will know who did it; maybe not.  And even if we have conclusive proof, will the suspected nation-state admit it?  Come on Russia; admit it.

No.  If I-Voters is going to be hacked – assuming it has not been hacked already – it will be by a nation-state.  And even if I-Voters has been hacked and Iowa’s State officials know about it, they have likely been forbidden from telling me and my peers for fear of undermining the upcoming election.  I guess they would rather wait until after the election to tell us, when we will already know the answer and be suffering the consequences.  That will be so much better for our democracy.  Not!

Look.  The SoS keeps telling us that the Russians were merely walking around the neighborhood turning the doorknobs, looking for an unlocked home.  But they did not get inside the house.

I contend that their walking around the neighborhood was a distraction.  When what they were really doing was hacking into an I-Voters client sitting in the Podunk (not a real name) County Courthouse via a thumbdrive that one of the employees thought fell out of another employee’s purse because it looked exactly like the one he uses at work.  When that thumbdrive was inserted into a County computer the next day, it gave a nation-state remote access into I-Voters.  And the malware has been there ever since.  Waiting.  Patiently waiting.

If I-Voters has already been hacked, I cannot do anything about it and I will not be told about it.  So I have to do what I can do to remove any weaknesses in Linn County Elections – which my team has been doing since August of 2017.

Every county in Iowa is interconnected to every other county in Iowa via I-Voters as required by HAVA.  While I do not believe Linn County is the weakest link in Iowa’s election infrastructure chain, it does not matter because the weakest link can affect Linn County.  DEFCON confirmed that fact to me, too.

A couple of months ago, I talked to the Linn County Board of Supervisors (BOS) about deploying a tech from Linn County to assist other counties with shoring up their election infrastructure defenses.  The BOS indicated I did not need their permission.  I made the offer to the SoS and Iowa’s Office of the Chief Information Officer (OCIO).  I never received a request from either office.

On July 26th, I asked the OCIO’s representative in front of 50+ county auditors how many of Iowa’s counties were still not being monitored by the OCIO’s Security Operations Center.  He answered, “40”.  That is the same number that he gave me in March 2018 when I asked the same question.

On that same July 26th, before leaving the Auditors’ meeting room, I told the SoS’s Deputy Commissioner of Elections that I truly believe Iowa’s elections infrastructure is vulnerable.  His reply, “I appreciate your passion.”

Is Iowa’s elections infrastructure going to be ready for the November 6th general election?  What is the likelihood it has already been compromised?

To the team who put together the Voting Machine Hacking Village at DEF CON 26.  Thank you!  To those who made elections related presentations at DEF CON 26.  Thank you!  To David E. Sanger for confirming what I have been saying about voter registration databases.  Thank you!  -Joel D. Miller – Linn County Auditor & Commissioner of Elections

Let’s get tough on cybersecurity for elections now

May 7, 2018

I don’t believe in asking for permission when the Iowa Legislature has already given me the power and/or the duty to get the job done.  That’s why I’m questioning why Iowa Secretary of State Paul Pate @IowaSOS is slow to push for cybersecurity relating to Iowa’s elections infrastructure.  Please recall Iowa was targeted, but not hacked in 2016 – close to 2 years ago.

The Iowa Official Register states:  Secretary Pate is the Chief Elections Officer for Iowa.  Secretary Pate is also the chairman of the bipartisan Voters Registration Commission. The commission oversees policies and procedures related to Iowa’s voter registration system.

The 2013-2014 edition of the Register indicates the Secretary of State “… prescribes uniform election practices and procedures.”  This is accomplished via Chapter 721 of the Iowa Administrative Code, which gives the Secretary the authority to mandate requirements or fill in the gaps when the Legislature has not been specific enough to ensure uniformity among, e.g., Iowa’s 99 county commissioners of elections.

In a face-to-face meeting on 5/4/2018, I asked Secretary Pate to mandate two things:

1> Require all counties accessing the statewide voter registration system to meet minimum cybersecurity standards; and

2>  Require all users of the statewide voter registration system to complete Securing the Human training which is offered for free by the State.

It’s not enough for the Secretary and his staff to talk about “best practices” related to elections infrastructure.  It’s time to start mandating minimum requirements for the devices and people accessing Iowa elections infrastructure.

The June primary election is less than 30 days away.  The general election is less than 6 months away.  “Secretary Pate!  Let’s get tough on cybersecurity for elections now!”  – Joel D. Miller – Linn County Auditor

