09/06/2017: "Harvard: Washington’s Online Voter System Secure"
A study released today by Harvard University outlines the measures taken by state elections officials to secure online voter registration in Washington. The report examined the online registration systems utilized in 35 states and the District of Columbia.
“I believe it’s healthy to have credible, independent evaluations of our elections systems and processes, and I am very pleased this report confirms that here in Washington state, we have an online voter registration system that is both accessible and secure,” said Secretary of State Kim Wyman, whose office oversees the state’s Elections Division.
Wyman maintains that, in order to encourage and facilitate participation, voter registration systems must be convenient to use. However, those systems must also prevent malicious activity from impacting the outcomes of any election.
“As an example, the report confirms our long-standing practice of maintaining and storing all database access and change logs and reviewing them multiple times daily to identify and investigate any abnormal access patterns,” Wyman continued. “We also log database changes over time to allow for correction and investigation should fraudulent changes occur - and those logs are stored permanently.”
The state’s Elections Division also partners with the Department of Homeland Security and many national elections organizations on best practices and security for processes and systems.
“The release of this report provides another opportunity to educate the public about the security measures we undertake to ensure the safety and integrity of our voters’ information,” Wyman added. “We are constantly striving to increase accessibility and promote participation, but without compromising security, and I am confident that Washington’s election system is safe, secure and accurate.”
The Harvard report suggests a number of measures states could take to improve online voter registration security; however, Washington is already compliant with all of them:
A. Maintain and store website access and change logs.
Washington’s network and website technicians maintain all system event and firewall logs. In addition, the Washington Election Information (WEI) system logs and identifies the date and time any address change was submitted online.
B. Review the change logs to determine unusual activity.
Daily firewall logs are reviewed at least four times a day and weekend logs are reviewed every Monday morning. Daily system event logs are reviewed at least twice a day and weekend logs are reviewed every Monday morning. Transaction totals are reviewed daily to identify any patterns that appear to be abnormal. If any are discovered, they are investigated.
C. Maintain Internet and change logs in case voter complaints about unauthorized online changes to voter registration information need to be investigated.
Voter registration system technicians retain all logs permanently and do not destroy or delete them. Additionally, the state Elections Division maintains a close relationship with DHS, FBI and federal election organizations so that any unauthorized activity can be investigated immediately.
D. Log database changes over time so selected changes can be reversed and attackers may not cover their tracks by reversing changes after an election.
The WEI logs the voter ID, transaction ID, and date/time of submitted address changes so that fraudulent address changes can be identified and reversed.
E. Include fields in the voter records to indicate the date the current address was entered and describe the reason for the change.
The WEI records all logins, address changes and new registrations submitted, and voter registration systems at county elections departments categorize the registration method and source.
F. Mail a postcard to the old and/or new address of any voter whose address was changed online, to notify the voter that a change occurred.
In Washington state, no online changes to a voter’s address are allowed within 29 days of an election. If an online address change occurs prior to that deadline, county elections departments are required to send a postcard to the new address. If that postcard is returned undeliverable, the county elections department will send a confirmation notice to all known addresses of that voter. Additionally, the state sends an e-mail alert to all of the voter’s e-mail addresses on file after an online address change occurs.
G. Allow contested voters the option of a provisional ballot.
Because Washington state is a vote-by-mail state, ballots are mailed to all voters no later than 18 days before Election Day. If a ballot does not arrive - for any reason - a citizen can seek a replacement ballot by mail or in person. Provisional ballots are also available in person at 59 voting centers across the state.
H. Provide public service announcements for voters to check their registered voting information online regularly…and provide a way for voters to report problems.
The Secretary of State’s Office partners with county elections departments to remind voters to verify their registration information leading up to the address change deadline by working with the Washington State Association of Broadcasters to communicate these public service announcements statewide.
Washington state’s Elections Division also goes far beyond the report’s findings by automatically locking out any IP address that attempts to access the voter registration system multiple times within a very short period. Only after the lock-out period is that IP address allowed to access the site again. Additionally, online registrations and address changes are not automatically applied to the database. They first must be reviewed by elections staff.
All elections systems are protected by state-of-the-art Intrusion Prevention Systems and firewalls. The servers are housed in a secure, single-tenant, modern facility with dual redundant alarms, security cameras and FM200 protection. The Quality Assurance system is patched the day after any updates are received from Microsoft. Further, periodic third-party, contracted security audits are performed to test and verify the security and effectiveness of the firewalls, IPS, servers and facility.