Posts Tagged ‘Synergy Data’

Answer to motion to dismiss HAVA complaint

November 27, 2019

Today (11/27/2019), I filed my answers to the arguments made by the Iowa Secretary of State (SoS) in his motion to dismiss my HAVA complaint.  As the banner on my home page indicates, I wear many hats.  I am the author of the answers, but I am not a lawyer.  My brief is functional, but it is not lawyerly.  It is 128 pages long and includes 18 exhibits.

To save you from having to scroll through 128 pages, I embedded the links to my online sources into the exhibit numbers.  If you want to see an exhibit that does not have a link, please reach out to me via the contact form.

Next steps.  The SoS has until 12/5/2019 to respond to these answers and the resistance I filed on 11/26/2019.  Unless the SoS and I decide to settle before 12/9/2019, the Voter Registration Commission, in its role as the Presiding Officer, will hold a hearing at 10am on 12/9/2019 in the SoS conference room on the 1st Floor of the Lucas State Office Building on the Capitol Complex.  The hearing will be open to the public.

In the meantime, feel free to use the contact form to reach me.  Happy Thanksgiving!  Joel D. Miller – Linn County Auditor

 

Resistance to motion to dismiss HAVA complaint

November 26, 2019

On 8/12/2019, I filed a HAVA complaint on the Iowa Secretary of State.

Today, 11/26/2019, I filed part one of my Resistance to the Secretary of State’s Motion to Dismiss my HAVA complaint.

Tomorrow, 11/27/2019, I will file part two of my resistance, i.e., an additional complementary, stand-alone document containing detailed answers to the Arguments in the Motion to Dismiss.

If you are a legal geek, you may find today’s filing interesting.  If you are an elections or cybersecurity geek, then save your reading for tomorrow.  Joel D. Miller – Linn County Auditor

Secretary Pate files motion to dismiss HAVA complaint

November 13, 2019

As expected, the assistant attorney general representing the Office of Iowa Secretary of State Paul D. Pate filed a motion to dismiss my HAVA complaint. Assuming my complaint is not resolved in the next few days, I will be filing a response to the motion to dismiss, which I will post on this blog. Joel D. Miller – Linn County Auditor & Commissioner of Elections

 

VRC to discuss how-to-proceed on HAVA complaint

October 25, 2019

The Iowa Voter Registration Commission (VRC) will take up my HAVA complaint at its 10am meeting next Wednesday. Details of the meeting are at VR Agenda 10-30-2019.pdf

Here are some events that have occurred since I filed the HAVA complaint on 7/17/2019:

7/19/2019 – Iowa Secretary of State’s Office (SoS) confirms to Associated Press that Iowa’s 14-year-old voter registration system (IVoters) will not be upgraded prior to the 2020 Presidential Election.

7/20/2019 – Published “HAVA complaint filed on Iowa Secretary of State” on this blog.

7/22/2019 – SoS responds to Linn County Auditor’s (LCA) public records request (PRR) seeking correspondence on IVoters development from 1/1/2018 to the present by providing one email from 12/26/2017, and nothing for all of 2018 or 2019. SoS indicates all other records are considered confidential (secret) under Iowa law.

7/22/2019 – Published “Feds trust Pate. Why doesn’t he trust us?” on this blog.

7/26/2019 – LCA requests Auditor of State (AoS) investigate SoS’s usage of $1.05M in FY2019 State funds and $4.8M in Federal funds to determine if the funds have been spent on IVoters upgrades, enhancements, replacement, or security; and to determine how those expenditures benefitted taxpayers.

7/31/2019 – Published “I-Voters: Anyone looking for APTs?” on this blog.

8/1/2019 – Emailed SoS asking for the names of the county auditors assigned to the Cybersecurity Working Group touted by Secretary Pate in a 5/4/2018 press release. To date, no response from the SoS.

8/5/2019 – Published “Saying I-Voters is secure isn’t enough” on this blog.

8/9-11/2019 – LCA and Johnson County Auditor attend DEFCON Hacking Conference in Las Vegas. While there, both host a discussion group on Iowa’s voting system with ethical hackers.

8/12/2019 – Des Moines Register publishes story on my HAVA complaint and my concern that IVoters is vulnerable to hackers. SoS calls me “willfully ignorant”.

8/19/2019 – Director of Elections for SoS “accepts” HAVA complaint and notifies VRC (the presiding officer) of the Administrative Rules requirement that a schedule be established to resolve the complaint.

8/23/2019 – Secretary Pate and others attend a statewide county auditors conference in Des Moines. Pate says he came up with the $7M proposal to replace IVoters by “calling around to other states” to see what they spent to replace their voter registration systems. SoS confirms IVoters will not be upgraded prior to 2020 Presidential Election, and further indicates that no RFI (requests for information) or RFP (requests for proposals) have been issued to replace IVoters.

10/3/2019 – LCA sends PRR to SoS requesting a copy of all contracts related to IVoters since its inception through 12/31/2020.

10/18/2019 – Published “Where are your voter records stored?” on this blog.

10/22/2019 – Assistant Attorney General representing SoS indicates SoS is working on my 10/3 PRR, and they may require longer than 20 days to complete it.

10/22/2019 – Published “Iowa’s voter registration system not designed for today’s technological challenges” on this blog.

10/23/2019 – LCA sends PRR to VRC requesting documents related to IVoters status, updates, and revamp; and provides samples of VRC records containing those items.

10/24/2019 – LCA sends request for information to AoS to answer the question: How can a vendor perform work for the SoS and store voter registration records without being paid by the State?

10/30/2019 – VRC holds meeting on HAVA complaint and other topics.

By Joel D. Miller – Linn County Auditor & Commissioner of Elections

 

Iowa’s voter registration system not designed for today’s technological challenges

October 22, 2019

“The system was built in 2005 and was not designed for today’s technological challenges, including cybersecurity.” 

“… technological advancements are needed to ensure the integrity of our election systems.”

“The system simply was not built for our evolving election methods.”

You write that when you ask for $7,350,000 from legislators.

Source:  An executive summary from the Iowa Secretary of State.

“You might have recently read that I-Voters will not be replaced before the 2020 elections. Replacing the system is a multiyear, multimillion-dollar project and remains on-schedule. It is not something that can or should be rushed into blindly.”

You write that when you did not do your job by replacing I-Voters prior to the 2020 Presidential Election.

Source: Iowa Secretary of State Paul Pate in The Gazette on 7/29/2019

Is I-Voters secure?  Maybe we will learn the answer during my upcoming HAVA complaint hearing.  Joel D. Miller – Linn County Auditor & Commissioner of Elections #trustnverifyivoters

Where are your voter records stored?

October 18, 2019

Iowa law says county commissioners of elections are responsible for the maintenance and storage of all voter registration (VR) records and it also prohibits counties from operating VR systems separate from the Iowa Secretary of State’s (SoS) VR system.

So where are your voter records stored?

You may recall that I filed a HAVA complaint on the SoS?

In doing research for the complaint, I reviewed documentation related to the SoS winning a national award for election cybersecurity.  Specifically, I noticed two references to Arikkan, Inc – see pages 3 and 10, respectively:

In 2017, the decision was made to partner with our IVoters vendor, Arikkan, Inc. to move the statewide voter registration system to a new, privately-hosted, Criminal Justice Information Service (CJIS) compliant data center. This move transferred the system to new hardware, which offered many improvements, including next-generation intrusion detection systems. Programming changes were made for more secure access, and stronger defenses were put in place to protect personal identifiable information.
Spring 2017: The Secretary of State and Arikkan, Inc. partner to move the State Voter Registration Database (IVoters) to a new privately-hosted, CIS-compliant data center. This move transfers the system to new hardware, which offers many improvements, including next generation Intrusion Protection Systems. This also eliminates the need to replace the Iowa Secretary of State’s current infrastructure, which would have cost more than $1 million.

IVoters is the name of Iowa’s statewide voter registration system, i.e., the system all county commissioners of election are required to use.  Per the SoS, Arikkan is our IVoters “vendor” and a “partner” of the SoS.  When you search for Arikkan, you will find that it provides hosting services.

When you search the State’s checkbook for a vendor named Arikkan, you will find that the State of Iowa has never written a check to Arikkan; yet, the SoS states that Arikkan is a “partner” and a “vendor”.

I am certain there is an explanation for the preceding, but when you search for Arikkan, Arrikan, or Arrikkan on the SoS’s Business Entities Search, you also come up empty handed.

On 10/7/2019, the SoS received a public records request from me seeking information on Arikkan, Inc., as well as, other vendors related to IVoters.  I have yet to receive a response from the SoS.

So where are your voter records stored?  I do not know; and I have a right to know.  I am the custodian of those records.  –Joel D. Miller – Linn County Auditor & Commissioner of Elections

Additional references to Arikkan by the SoS (updated 10/22/2019):
Primary Election Voters, Eighteen Year Olds at General Election
Secretary of State Annual Report 2015
Secretary of State Presentation, 3/1/2018

Saying I-Voters is secure isn’t enough

August 5, 2019

Reprinted from the print edition of The Gazette 8/4/2019

I am writing in response to Iowa Secretary of State Paul Pate’s July 30 guest column ‘A model for election security.’ And my purpose is to explain I-Voters and why you should be concerned about it.

I-Voters is our statewide voter registration system. It is a computer system maintained and operated by the Secretary of State’s Office. Voter registration records for more than 2 million voters now are stored in I-Voters.

Every county is required to store its voter registration records on IVoters and every county is required to pay the secretary of state an annual fee to maintain I-Voters. Normally, when you pay someone a fee, you are entitled to know what you are getting in return. That is not the case with I-Voters.

I-Voters went into service in Iowa in 2006. Cybersecurity did not become a hot topic until 2016 – 10 years later. Although I-Voters is running on newer hardware than it did in 2006, that just means the old software, including its flaws, is running faster – not more securely. Let me explain one flaw, which others view as a feature.

Imagine you show up to vote on Election Day and your name is not on the election register. You swear you voted at your precinct in the last election. Heck, you swear you voted in this precinct for the past 30 years. Some of the precinct officials know you and cannot explain why you are not listed on the election register. Yes, you still can vote. Unfortunately, you have to go through the Election Day registration process to register before you can vote.

That takes time and requires proof of who you are and where you reside. What if you don’t have time? Or proof? Now multiply this scenario by ten thousand voters across the state.

How could your name disappear from the election register? One feature of I-Voters is that it allows an election employee – an I-Voters user – in one county to pull your voter registration record from the losing county to the gaining county; e.g., when you relocate from Cedar Rapids to Iowa City.

One flaw of I-Voters is that one employee – not two employees – can pull your voter registration record from Cedar Rapids to Iowa City; i.e., from Linn County to Johnson County. What used to be a ‘feature’ before the age of cyberwarfare now is a ‘flaw.’ I do not know how many other flaws I-Voters has, but that is the one that keeps me awake at night.

When you pay someone a fee, you are entitled to know what you are getting in return. Unfortunately, I do not know what Pate is doing with the millions of dollars he has received to upgrade I-Voters. I thought I-Voters would be upgraded before the 2020 presidential election. On July 19, the Associated Press reported it would not be upgraded until after 2020.

I-Voters is the Achilles’ heel of elections in Iowa. Maliciously remove or relocate a thousand voter registration records in the system just before Election Day, and chaos will ensue.

Time is of the essence, Mr. Secretary.

Telling Iowa’s voters, taxpayers, and county auditors that I-Voters is ‘secure’ is not enough. County auditors do not know what is going on with I-Voters, and they are entitled to know.

I request that you hire a third party, independent cybersecurity firm to assess I-Voters and determine if it is ready for the 2020 elections. In addition, let me and my fellow county auditors on your Auditors’ Advisory Panel observe the assessment, see the results, and monitor the fixes. Nothing is more important.

 Joel Miller is Linn County auditor.

A compilation of news stories on election hacking

August 1, 2019

CALIFORNIA

4/9/2019 – LA Times – Hackers attacked California DMV voter registration system marred by bugs, glitches 

FLORIDA

5/14/2019 – Russians hacked voting databases in two Florida counties in 2016, governor says.  Gov. Ron DeSantis isn’t allowed to disclose which counties

5/22/2019 – Mueller report confirms:  FBI believes Russians hacked Florida county’s voter records

6/9/2017 – How hackers targeted the vote in Florida (spearfishing)

5/14/2019 – Russians Hacked Voter Systems in 2 Florida Counties. But Which Ones?

GEORGIA

11/5/2018 – Georgia Secretary of State calls for FBI vote hacking investigation 

8/14/2018 – 6 million Georgia voter’s records exposed: ‘Could have easily been compromised’

ILLINOIS

9/6/2016 –  – Accessing the Risk, Damage after Illinois voter rolls hacked

6/21/2017 – US Senate Intelligence Committee – Illinois Voter Registration System Database Breach Report

IOWA

7/13/2018 – Mueller indictment: Russian officials scouted Iowa county elections websites

PHILIPPINES

4/12/2016 – Hackers Expose Philippines Voter Database

USA

6/19/2017 – Wired – The Scarily Common Screw-Up That Exposed 198 Million Voter Records

A CONCERN:  Potential hacking via election equipment/system manufacturers and suppliers

9/21/2018 – Hacks, Security Gaps And Oligarchs: The Business of Voting Comes Under Scrutiny  

6/9/2017 – Fox News – Spearfishing via a vendor (duplicate item)

#trustnverifyivoters

I-Voters: Anyone looking for APTs?

July 31, 2019

I-Voters is the name of our statewide voter registration system. It is a computer system maintained and operated by the Iowa Secretary of State’s (SoS) Office. Currently, the voter registration records for over two million voters are stored in I-Voters.

I-Voters went into service in Iowa in 2006 and every county is required to store its voter registration records on I-Voters, and every county is required to pay the SoS an annual fee to maintain I-Voters. Normally, when you pay someone a fee, you are entitled to know what you are getting in return. That is not the case with I-Voters. Iowa’s county auditors are not privy to any inside information on I-Voters or if I-Voters was the target of hackers or if a county election system was a target of hackers.

I reviewed the two SoS provided lists below and highlighted the items which mention I-Voters or voter registration. I applaud the SoS, the OCIO, and DHS for building a huge firewall around I-Voters, but what about the backdoors built-in the I-Voters over the last 13 years? What about the flaws in the software code used to create I-Voters? What about advanced persistent threats (APTs)? What about discontent or compromised contractors/employees with access to the code in I-Voters?

Which of the activities below are aimed at identifying the backdoors, detecting inherent flaws in the software application, detecting APTs, and/or vetting the contractors/employees with access to I-Voters? Your comments are welcome! – Joel D. Miller – Linn County Auditor

List of Activities to Occur Before or During the 2018 General Election Cycle according to attached IA Narrative Budget authored by the Legal Counsel for the SoS on 3/23/2018

• Partnership with DHS on the “Last Mile Project,” to provide security posters for each of Iowa’s 99 counties

• DHS assessments, including Risk and Vulnerability, Cyber Resilience Review, External Dependency Management, Infrastructure Survey, and Phishing Campaign

• Joined DHS Information Network

• Preform weekly vulnerability scan

• Upgrades to firewalls protecting internal network

• Joined the Electronic Registration Information Center, Inc. (ERIC) and will be sending out an Unregistered But Eligible (UBE) mailing by October 1, 2018

• Develop and implement county level incident response plans

• 2 table tops session were held in partnership with DHS for County Auditors, elections staff and county IT professionals

• Create and distribute Curbside Voting Signs to counties for use at polling locations

• Requiring “Securing the Human,” an online cybersecurity training program, to county level staff in partnership with the Iowa Office of the Chief Information Officer (OCIO)

• Cybersecurity training opportunities for Secretary of State staff, County Auditors, elections staff, and county IT professionals through conferences at NASED, The Election Center, and The National Election Security Summit

• The Iowa Secretary of State’s Office hosted two Cybersecurity Workshops for County Auditors, elections staff and county IT professionals to promote free services offered by the OCIO, DHS, and other state and federal partners

• Post-election audits will be conducted following the General Election

• Upgrades to Election Night Reporting system, including increased cybersecurity protections such as two-factor authentication

• Hiring an Information Security Officer and Cyber Navigator

• Partnering with OCIO to offer all interested counties malware protection and an intrusion detection system

• Development of training tools for County Auditors, elections staff and precinct election officials

• Development of communications aimed at reassuring the public confidence in the integrity and security of Iowa’s elections

• Development of communications aimed at educating and encouraging voters with disabilities to vote, including veterans with disabilities

• Creation of a Cyber Working Group with local, state and federal partners

The following list of security measures have been implemented to the voter registration system according to a CBS2/Fox28 news story on 7/22/2019:

-Mandatory two-factor authentication for anyone who accesses I-Voters

-Mandatory cybersecurity training for all SOS staff and all elections staff in all 99 counties

-Constant monitoring of voter registration additions and changes, with weekly reports that detect any irregularities (Note: As of 7/31/2019, I have yet to see a weekly report from the SoS)

-Upgraded firewalls and cybersecurity protection

-Upgraded Election Night Reporting system with increased cybersecurity protections

-Required that e-poll books be encrypted

-U.S. Department of Homeland Security (DHS) has conducted several assessments on state and county systems

-DHS runs a weekly vulnerability scan.

-Iowa’s Office of the Chief Information Officer runs a separate weekly scan.

-Placed an Albert Sensor on the state’s voter registration system (I-Voters)

-Housed I-Voters in a secure, off-site location

-Held table top exercises with the Iowa National Guard, state agencies and county auditors

-Hosted several cybersecurity trainings for county auditors and county IT staff

-Partnered with DHS to create a pilot program on a self-assessment cybersecurity tool

-Developed and distributed the first of its kind, personalized cybersecurity posters to every county, a model DHS has replicated in dozens of states

-Developed training tools for county auditors, their staff and precinct election officials related to cybersecurity

-Partnered with the OCIO to have their Security Operations Center monitor networks on Election Day

-Worked with the Iowa Homeland Security and Emergency Management Department to opened their Emergency Operations Center that was staffed by multiple state agency representatives to facilitate Election Day communication

-Coordinated with OCIO, Iowa HSEMD, Iowa Public Safety, DHS, FBI, county auditors and IT department to staff the Department of Public Safety’s Fusion Center on Election Day

-Implemented the first statewide post-election audits in Iowa history

#trustnverifyivoters

IA_Narrative_Budget.pdf

Feds trust Pate. Why doesn’t he trust us?

July 22, 2019

In the private sector, when one company wants to share proprietary data or trade secrets with another company, the two companies enter into a non-disclosure agreement and anyone violating the agreement is subject to legal consequences if they violate the agreement.

Governments use security classifications and a “need to know” to justify a lack of transparency.

For example, in 2016, Russian bad actors tried to hack into election systems in Iowa. Until about mid-2018, only, supposedly two election officials in the State of Iowa were privy to what the Russians tried to do, and which counties they targeted. I still do not know which Iowa counties were targeted and why, and I am non-the-wiser as to whether I have the same vulnerabilities as those counties.

Today, I received a response to the public records request (FOIA) mentioned in my HAVA complaint. The response was disappointing – see attached. I requested “… all correspondence regarding Ivoters development from January 2018 to the present date.” The response contained one email dated 12/26/2017 with four vague references (see my highlighted text) to I-Voters, and a letter indicating “additional records … are considered confidential under Iowa Code 22.7.”

Unfortunately, State and Federal officials seem to believe that by avoiding transparency, they are keeping our election systems secure. I believe the exact opposite is true, i.e., their lack of transparency is jeopardizing the security of local election systems run by county commissioners of elections and others. Surely, those officials including Iowa Secretary of State Paul Pate, the current President of the National Association of Secretaries of State, can find a way to share information with the local officials who are responsible for administering ALL elections in Iowa. Why can’t Pate give his county auditor and county auditors across the State definitive proof that I-Voters is secure without jeopardizing the security of I-Voters?

Supposedly, Pate is one of the two election officials in the State of Iowa with a Federal security clearance that provides him with information of the vulnerability of election systems. Is that Federal information less secure because Pate knows about it? The Feds trust Pate. Why doesn’t he trust us? Joel D. Miller – Linn County Auditor & Commissioner of Elections.

0316_001.pdf


%d bloggers like this: