Is New York ready for an Election Cyber-Attack? Are the State’s Voting Systems Vulnerable to Hacking?
The New York State Assembly’s Election Law Committee heard Testimony from State and Local Election Board Officials and Cybersecurity Experts on the Systems in place to Protect the State’s Election Processes from the Types of Coordinated Cyberattacks that were carried out by Russian Actors who sought to Influence the 2016 Presidential Election.
The Hearing was prompted by Developments in September, when the Department of Homeland Security informed Officials from 21 States that their Election Systems, including their Registration Databases, were Targets of the Coordinated Russian Hacking effort that also attacked the Democratic National Committee and Members of Hillary Clinton’s Campaign last year. Although New York was not among them, the News raised Concerns among State Officials that similar Incursions could be levelled against New York Election Infrastructure.
With the Local Elections of this year over and a State-Level Election Cycle coming up in 2018, when all of the State Legislature and the Four Statewide Positions will be on the Ballot, Assembly Members spent Four Hours seeking Clarity on how Election Data is Managed, Results are Counted and Recounted, and how the State Works with Federal and Local Authorities to Detect and Prevent Cyber Attacks like the ones seen last year. “These attacks were not aberrations, they were not isolated incidents and only the most naïve and or the most corrupt would believe that they will not continue into the future,” said Assembly Member Charles Lavine, a Democrat from Nassau County and Chair of the Committee, in his Opening Remarks.
Officials from the New York State Board of Elections seemed to put Fears at rest almost immediately, even as they Acknowledged that certain Changes are Required and that Existing Regulations need to be Implemented more Stringently. “New York actually has one of the most secure systems in the country,” said Douglas Kellner, Co-Chair of the State Board of Elections (BOE). He noted that the Help America Vote Act (HAVA) passed by the United States Congress in 2002, which Enacted Reforms to Voting Systems and provided Federal Funds for New Voting Equipment, did not first establish Standards for that Equipment. New York was one of the last States to comply, but in doing so years later implemented it Correctly, he said, “in a manner that provides voters with secure and verifiable elections.”
The State has Strict Laws requiring Certification and Testing of both Election Software and Hardware, Kellner said, as well as Independent outside Reviews of Software. Wireless Connections and Networking Capabilities are Prohibited in Voting Equipment and even the Computers Used to Program Ballot Scanners must be Standalone Devices without Internet Connectivity. “That isolation of the system used to set up the voting machines is something relatively unique to New York and it substantially reduces the possibility for the introduction of malware into our voting machines,” Kellner said.
The State also Prohibits County Boards of Elections from Contracting with Outside Vendors to Program Voting Machines, which Kellner did Concede could be Cumbersome for Smaller County Boards with Limited Staff.
Finally, the State Requires an Audit of 3% of the Voting Machines used in each County after every Election. The Audit Requirements were a particular Focus of the Hearing, with Good Government Advocates and Cybersecurity Experts Advocating for a New, more Efficient method, called Risk-Limiting Audits, Developed in recent years. Risk-Limiting Audits Randomly choose which Ballots to Audit for Comparison with the Paper Record, and Determine the Statistical Level at which one can be Confident that Election Results are Correct. It results in a Changing Standard for the Number of Ballots that have to be Audited, depending on the Closeness of Election Results. The Closer the Race, the more Ballots would be Examined, for instance. Kellner generally Endorsed the Idea and Recommended that the Committee explore Legislation to Enact the Improved system.
Kellner did have his own Points to make during his Testimony, noting that the Law dealing with extremely Close Contests is “flawed” since Escalating from a 3% Audit to a Full Audit requires Consensus from Election Commissioners representing opposing Political Parties, which is not easy to come by. As an aside, Kellner, a Democrat, noted that New York would not be able to Implement Online Voting any time soon since “the best technical minds around the world have not solved the problem of maintaining the secret ballot while at the same time ensuring that the ballot is cast and counted in the manner intended by the voter.”
Robert Brehm, Co-Executive Director of the State BOE, said though the Board is Unaware if New York was Directly Targeted during the 2016 Election, Hackers consistently attempt Intrusions into their Systems and none have Significantly affected Election Administration. The BOE takes a Three-Pronged approach to Cyber-Preparedness, he said, which involves Developing a Comprehensive Risk Assessment Strategy, a Strategy for County Cyber-Readiness, and bolstering Plans to respond to Individual Incidents of Cyber-Intrusion. Brehm said State Officials cooperate with a Slew of Federal Authorities and are striving to Ensure that the Information shared between them is also given to County Election Boards, which lack a Strong Cybersecurity Apparatus and are more Vulnerable.
The Assembly Members present for the Hearing at 250 Broadway in Manhattan, Seven Democrats and two Republicans, had a Broad Range of Inquiries. They asked about the Board’s Experiences with Cyber Attacks in the past, conclusions on Trusted Vendors who can work with County Boards, and the Mechanisms for keeping the Legislative and Executive Branches of Government in the loop. They asked about recommendations on Electronic Poll Books, BOE’s Kellner said they had yet to thoroughly examine the Proposal, though Legislation to Implement E-Poll Books has appeared close to Passage in the Legislature, Plans to Update Equipment, and Cyber-Readiness Training for County BOE Staff.
The problem with E-Book centers around the need to be connected to BOE's system if you want the opportunity to catch Voters'
voting more then once or voting at the Polls and then voiding their Absentee Ballot.
At the County Level, Brehm conceded, “there’s much more work that’s needed to be done....The voting machines are isolated and very much the voter registration systems are not. They’re part of county infrastructure.” The BOE has full Authority, he said, “to promulgate regulations that we are considering with regards to improving our security posture and requirements at the county level, but implementing them is going to be very difficult.”
Assembly Member Robert Carroll of Brooklyn raised the Prospect of Hackers attempting to Purge Voters from the Rolls, asking the BOE Officials how they Monitor County BOE Rolls. Brehm insisted the Board Conducts Real-Time Monitoring of Voter Rolls and is working on Updating its System. Carroll also mentioned the Infamous Purge of nearly 120,000 Voters in Brooklyn ahead of the 2016 Presidential Primary, which Brehm said was Due to a Procedure being Inaccurately followed rather than a Failure in the System. He later emphasized the need for greater Resources for County Boards, and said the BOE would make a more substantial Funding Request in the Upcoming State Budget Session.
Michael Ryan, Executive Director of the New York City BOE, also insisted during his Testimony that “money is always a critical thing,” although he did praise the Cooperative Attitude of the State BOE and Federal Officials. Ryan said there were initial Missteps in Communication with Federal Authorities following the 2016 Election Cyberattack but the City was prepared for the eventuality. “The good thing is it was the type of circumstances that were built into the protections that were already in place,” he said. He insisted that the Board had Administered the 2016 and 2017 Elections “without an issue of consequence,” but would need to be more Vigilant for next year, when there will be Congressional, State Legislative, and Statewide Elections in New York. “We’re in pretty good shape...but we’re only in good shape until October of 2018,” he said. “So we really need to take a look at that critically and say, ‘how are we going to plan this out?’” There were numerous Recommendations made to the Assembly Committee, some of which involved Administrative solutions while yet others require Legislative Fixes.
Dustin Czarny, Commissioner from the Onondaga County BOE said the current Voting and Election System leaves little time to Identify and Remedy issues with Ballots. He encouraged the Assembly Members to pursue Electoral Reforms such as Early Voting and No-Excuse Absentee Voting. The Two are among a slate of Election Reforms that have Stalled in the Republican-controlled State Senate, with minimal Objection from Democratic Governor Andrew Cuomo or the Democratic-led Assembly.
Susan Lerner, Executive Director of Common Cause New York, a Good Government group, and Susan Greenhalgh, Vice President of Programs at Verified Voting, a Nonprofit focused on Voting System Technology, both argued for Risk-Limiting Audits of Voting Machines.
Lerner pointed out that the current Election Auditing Method looks at the Process rather than Results, by testing Vote Totals from Machines instead of directly Examining Ballots. She insisted that the State must constantly Inspect Paper Ballots for Accuracy, must never allow Online Voting, and must do away with the current System of Election Audits. “A flat three percent audit really, we feel, doesn’t hit the mark,” she said, agreeing to help Legislators and Election Administrators in crafting Legislation on Risk-Limiting Audits.
“We have to look at ways to protect [the election system] as a national security asset,” Greenhalgh said, “and this is something that’s being run at county levels by people who are not in the federal national security space typically.” Greenhalgh said the focus in Computer Security was increasingly on “resilience,” allowing a system to function even after it has been Hacked. “If we’re looking at resilience in election systems, we want a system that would ensure that voters can vote,” she said, “that their votes get counted correctly...and that the proper outcome is realized.” She also supported the continued use of Paper Ballots as the simplest means of maintaining Physical Records, and reiterated the need for Risk-Limited Audits. “There is a limit to what our security practices, as good as they are in New York, can do,” she said.
NYC Wins When Everyone Can Vote! Michael H. Drucker