Election security vaulted to the top of public officials’ concerns in the U.S. following the attempted intervention by Russian hackers in the 2016 presidential election. The hacking attempt captivated the country and became a political football in Washington D.C. as a major sticking point in partisan rancor between Democrats and Republicans.
Washington state was among 21 states where Russian agents attempted to access voter rolls and other sensitive information. For state officials, the cyberattack served as a valuable stress test on state election systems.
The state has stored election data online since the mid-2000s, which created a valuable baseline for what normal activity looks like. As a result, suspicious IP addresses rang alarm bells in the IT department at the office of the Secretary of State, which oversees the state elections, and the state government contacted the Department of Homeland Security and the FBI. The state knew that tabulation systems were safe from prying eyes as its election architecture ensures that they are air gapped.
This year, the Office of the Secretary of State rolled out VoteWA, the state’s $9.5-million newly modernized voter registration system. The platform has been five years in the making, starting with a tech summit in 2014 where the idea was first hatched.
While VoteWA has faced its share of criticism, such as a month-long offline period while transitioning between databases that left counties backlogged to update new registration and changes of address, the system largely weathered a primary election in August and is primed for November’s general election — a crucial test ahead of next year’s presidential election that is expected to produce record turnout.
GeekWire on Thursday sat down with Kim Wyman, secretary of state of Washington since 2013, to learn more about election cybersecurity. Wyman was in attendance at Cyber Strong: Defending Government’s Digital Frontier, a forum on cybersecurity for local government hosted by Route 50 and Government Executive. The interview has been edited for length and clarity.
GeekWire: Washington has among the strongest transparency laws in the nation, which means a lot of election data is already public, like state residents’ voting history. How does our desire for transparency impact election cybersecurity?
Kim Wyman: Those two things are constantly in conflict. We have to share enough information to instill confidence, but not enough to give the hackers any kind of edge, and where do you find that sweet spot? The challenge of elections is balancing access and security. It’s a difficult pendulum because if you get too far on one axis, security is going to suffer. Conversely, you can make it so secure that people aren’t going to be able to register and vote.
When we first started working with the Department of Homeland Security right after the announcement of the 21 states where election hacking was attempted, for example, we spent months trying to explain to them that we have to inform the public which 21 states [were affected]. We have to come clean.
The hardest transition working with our federal partners is that their world is all about keeping things secret. We had to introduce them to elections, where you have to be very transparent with the public.
Even beyond security, our transparency laws present a challenge. The Trump administration put together a commission on election fraud in 2017. They asked all the states to give their data and they were going to figure out if there had been any instances of non-citizens voting.
Of course, that set off all sorts of political fires. My congressional delegation members and the governor called me saying, “Don’t give the Trump administration the data.” My response was: “I won’t give them private data, but I have to give them the public data.” Actually, anyone can go online and download our data. That was a shock to a lot of those members of Congress and the governor because they didn’t realize it was public information.
GeekWire: In addition to transparency, the Washington legislature strives to make voting accessible to as many eligible voters as possible. Just this year, for example, the state began same-day voter registration. How does your office handle those efforts to increase voter turnout, which like transparency can also make it challenging to secure an election?
Wyman: If you allow people to make changes to their registration up to 8 p.m. on election night in a vote-by-mail environment, that presents a challenge because we start running the ballot print jobs a month before election day. If you change your address even 10 days before election day, you will get a new ballot. How do we make sure that, even though the county sent you two ballots, that only one gets counted? That’s where back-end security has to happen.
With VoteWA, one of the driving forces was that King County couldn’t talk to Thurston County in real time with the old systems. Everything went through our state database, but it was batch processing. Each county did things slightly differently, so we had to standardize in order to create near real-time data. As a result, if you vote in Seattle on election morning, then drive down to Tacoma and register to vote in Pierce County, and you do that all the way down I-5, how do we make sure that you only have one ballot counted even if you were issued multiple ballots?
GeekWire: Did you catch any instance of that type of election fraud this year?
Wyman: We’re still pouring through all the information from the August primary. It used to be the case that you couldn’t change your address after the 28th day before an election and you couldn’t register to vote after eight days before an election. We had these windows of time where you cut off the incoming data and you could process it. Now, all of that goes straight up to election day.
We see more transactions of people changing their address than new registrations. Statewide, we had a few hundred people that actually registered for the first time on election day and a few thousand who updated their address in the days leading up to the election.
Ten percent of our population moves every year, even more so in the 35 and under demographic, because people are really mobile. How do you stay in front of that? You do it with data and that’s why having this interconnected system was so critical. Just because you moved, we’re not going to penalize you for not updating your address.
GeekWire: A month after the primary, what is your assessment of VoteWA’s debut? There were certainly some bumps, like duplicate ballots in King County, and county election offices were vocal about their concerns.
Wyman: This was a good election to dip our toe in the water. I don’t think the counties realized the impact VoteWA was going to have on their operations. We can talk about it, but until they actually have that rubber meets the road election, they didn’t get it.
We spent a lot of time on the front end considering how to standardize our data, even before we got the vendor bid. We had three vendors providing 39 counties with systems. Even though the counties would use the same system, they would use it differently. For example, counties might categorize a rejected ballot different ways. When trying to merge those files, it was a nightmare.
We spent a good year just on data governance and how to migrate all these systems into common data points. Once we merged all the data in June, the counties had to validate their data first before we went live.
Part of the problem with King County was inconsistent data that VoteWA couldn’t process. For example, some apartment had leading zeroes, and some didn’t. That led to apartment numbers being left off of registrations.
Those painstaking elements had to happen — that’s true of any IT project. Unfortunately, we had to do it in the public sphere, instead of just keeping it in the family. None of that could have happened unless we went live, so that was a tough call, but, boy, it was the right one because we worked through it in a painstaking way in public and now the system’s better for it.
GeekWire: Voting by mail is among the most secure methods of voting. Nevertheless, within that system, what would you say is the biggest weak point?
Wyman: The hot topic in 2018 was ballot harvesting. You saw it in North Carolina and California, where you have overzealous candidates or campaigns that go door-to-door and offer to take your ballot to the post office for you, which is fraught with peril.
We haven’t seen that here for a couple of reasons. One, counties have put in drop boxes, so they make it convenient for people to drop their ballots off. And of course you can put it in any post office box and now we have prepaid postage.
GeekWire: Do you have any new tools planned to allow voters to track their ballots once they drop them off?
Wyman: We are continuing to work with the counties on ballot tracking software, like what you have with Amazon or any shipper, where you’ll be able to see where your ballot envelope enters the mail stream, when it got to the county, when the county processes it, and when it was put in to be counted.
GeekWire: Are there other states that are looking to Washington and trying to adapt some of our systems? What kind of information sharing, policy transfer, lesson learned type of stuff is going on?
Wyman: In the next five years, you’re going to see a large number, particularly Western states, move to vote by mail. Utah just joined, California is considering it, and we already have Oregon, Washington, Colorado, and Hawaii.
Our vendor now has a product that I think other states will be picking up. Even the process we’ve been through in building VoteWA is a model for other states. Everyone is in the same boat we were five years ago. We built that system in the mid-2000s with money from the Help America Vote Act. There’s no federal backfill and now they find they need to replace these systems soon. What we found, you can’t secure old technology.
Ironically, Microsoft stopped supporting the platforms that our voter registration system ran on the same day that I testified at a state senate hearing on the VoteWA project back in early July. A legislator asked if I had spoken to Microsoft and whether they would continue to support it. I said, “Yeah, I did, and for half a million dollars a year, they’d be happy to support this whole technology.” But even that’s not going to be the level of service that we have with newer technology.
GeekWire: It can be difficult for government to find the resources for investments against potential threats like cybersecurity versus immediate, recurring needs. How does that dynamic play out in Washington state government and to what extent did 2016 serve as a wake-up call?
Wyman: Back in 2014, the counties didn’t have money to replace the systems they built in the 2000s with the Help America Votes Act money. They’re cash-strapped and their county commissioners didn’t see the value in it. How flush is your county?
King County has a lot of resources. They can keep pouring money into election systems. Asotin County is lucky if they have a single IT person for their whole county.
We’re trying to help them build out their systems with an economy of scale for the whole state, but also looking to the operations. How are you going to pay for ongoing maintenance? How are you going to replace the system in three to five years when the technology gets old? If you don’t start thinking about that piece, you’re going to be exactly where we were in 2014.
It’s hard when you’re competing with other priorities. Do you put a sheriff’s deputy on the road or do you put an IT person in the elections office?
GeekWire: Finally, while vote-by-mail is great, it lacks the satisfaction of getting an “I Voted” sticker at a polling place.
Wyman: That is everybody’s complaint. You can call your county election office or my office and we’ll will mail you one.