Election Security 1 - PowerPoint Presentation

Election Security 1 Tyler Johnson, INSVRS Business Analyst, GCR Seth Cooper, INSVRS Program Manager, Baker Tilly Thomas White, INSVRS Project Manager, Baker Tilly

What is the threat?Any actor can be located in any geographical area and can tamper with voter registration, access voting machines, manipulate storage and transmission of results, and influence election outcomes.Actors are becoming more sophisticated using targeted phishing attacks, pretending to be a trusted user or company. IP Spoofing is a technique used to gain unauthorized access, whereby an attacker illicitly impersonates another machine by manipulating IP packets.Security improvements to election technology infrastructure can make it harder for a cybersecurity threat to occur :Physical Security StandardsIP Address WhitelistingUser Account AuditsToken Authentication Two Factor Code Validation Overview 2

Voting EquipmentCertified by the bi-partisan Indiana Election CommissionSystems must comply with one of these federal standards:2002 Voting System Standards VVSG 1 (Voluntary Voting Systems Guidelines)VVSG 1.1 (Voluntary Voting Systems Guidelines)To learn more about the VVSG, go to www.eac.govVoting System Technical Oversight Program (VSTOP) team at Ball State: Reviews certification and engineering change order requestsWorks with a Voting Systems Testing Lab (VSTL) to audit system to ensure compliance with federal & state standards Physical Security Standards 3 IC 3-11-15-13.3

Voting EquipmentVoting systems must be sealed after public test of voting equipmentSystems must be delivered to polling locations no later than 6PM the day before the electionBest practices: Record seal numbers and provide to poll workers to check against in the morning If broken or numbers don’t match, poll workers should call county election officials immediatelyAfter polls close, equipment is secured Physical Security Standards4 IC 3-11-13-6 ( OpScan ) | IC 3-11-13-26 ( OpScan ) | IC 3-11-14-14 (DRE) | IC 3-11-14.5-7 (DRE) | IC 3-11-13-36 ( OpScan ) | IC 3-11-14-30 (DRE)

ePollbooksMust be programmed to require dual log-in by poll workersMay not be connected to a voting systemMay work with a voting system, howeverData must be secured & placed on a dedicated private server Physical Security Standards 5 IC 3-11-8-10.3

Election MaterialsBefore Election Day:Ballots & provisional ballots must be sealed & ONLY opened on Election DayAll other materials may be sealed at the county’s discretionInspector picks up materials on the Saturday or Sunday before the election After polls close:Voted ballots must be sealed by precinctAbsentees, spoiled ballot, and other bags to store election materials may be sealedInspector and the judge of the opposite political party are to return materials to county election board Materials are secured under bi-partisan lock & keyPhysical Security Standards 6 IC 3-11-3-12 | IC 3-11-3-10 | IC 3-11-3-11 | IC 3-12-3-2 | IC 3-12-2-8 | IC 3-12-2-9 | IC 3-12-2-11

Absentee BallotsUntil Election Day, must be stored under bi-partisan lock and keyEach appointed CEB member has control over own keyOn Election Day:Precinct Count Ballots are delivered by bi-partisan teams Ballots must be delivered in secure, stout bagsReceipt is completed by Inspector & given to bi-partisan teamCentral Count w. Paper Poll BooksAbsentee voter lists are delivered by couriers (may be one courier at CEB’s discretion) Poll workers sign affidavit that ABS list was received and processed for couriers to return to central sitePhysical Security Standards 7 IC 3-11-10-12 | IC 3-11-10-12.5 | IC 3-11-10-13 | IC 3-11.5-4-8 | IC 3-11.5-4-9 | IC 3-11.5-4-22

CEB can unanimously agree to adopt an election security protocol to secure the county’s voting systems and ePollbooksMust include an audit trail to detect unauthorized access to the voting systems and ePollbooksIf a county does NOT adopt a security protocol, then additional requirements to seal voting equipment must be followed during specific portions of the election calendar See IC 3-11-15-46 for detailsPhysical Security Standards 8 IC 3-11-15-46

By January 31 of each year, the County Election Board must certify its inventory of voting systems and ePollbooks to the Secretary of StateUse form IEC-22Work with VSTOP to update voting system inventory in its online databaseContact VSTOP ( vstop@bsu.edu) for information on how to access this database to review and update your county’s informationVoting Systems Inventory 9

When a county wishes to dispose of a voting system unit or ePollbook, the CEB must first file a plan with the Election DivisionPlan must state:Serial number of each unit to be disposed of by the countyMethod to be used for disposal of the equipment, including sale, transfer or destruction of the equipment That the disposal will occur in compliance with federal and state laws requiring the retention of election materials until the expiration of the period specific by those lawsIf IED approves the proposed plan, IED shall notify the CEB and VSTOP, then CEB may dispose of equipment Voting System Disposal 10 IC 3-11-15-59

Internet Protocol (IP) is the method or protocol by which data is sent from one computer to another on the Internet. Each computer (known as a host) on the Internet has at least one IP address that uniquely identifies it from all other computers on the Internet.In order for each county to access SVRS, each County must provide an IP address or IP address range from their county office (IP addresses that do not reside at a county office are not eligible for approval of SVRS access).Because counties may have to provide IP address ranges it is strongly recommended that county officials connect with their IT department or IT support for assistance. If they are not available, officials should contact the Quest Help Desk. An audit of the approved list of IP addresses will be conducted annually in the month of June.By providing these annual updates we ensure that only authorized users can navigate to the SVRS application. IP Address Whitelisting 11

County Administrators have the functionality to setup additional county users and their associated security roles in SVRS, change the security level for a user that has changed roles, de-activate users who no longer need access to INSVRS, and provide temporary workers usernames and passwords to access INSVRSWhen adding a new user or updating an existing user, the county administrator must include the user’s DOB, determine the user’s status as a County Admin, Non-County Admin, or Temporary user, and enable or disable Token Authentication and/or After Hours Validation INSVRS User Account Access 12

County Administrators should carefully evaluate users and their security roles before granting an individual access to the system. County Administrators must also immediately deactivate any user no longer with the county, including temporary staff that may only work defined periods throughout the year. The SVRS User Account Report in the INSVRS Reports Library (Reports > Reports Library > Statewide) can be run to assist with this procedure. INSVRS User Account Access 13

Each user is assigned an individual, unique username and password. These passwords require a minimum of 15 characters and must include a minimum of one (1) character for each of the following scenarios:Uppercase alpha characterLowercase alpha character Numeric digitsNon-alphabetic characters (! # $)County users are required to change their INSVRS passwords at least once every 90 days and cannot reuse their last two passwords.Under no circumstances should county users share passwords OR user IDs. INSVRS User Account Access 14

In order to ensure that SVRS remains as secure as possible, the Election Division, Baker Tilly, and Quest will conduct audits of SVRS User Accounts. In 2018 a user account audit was conducted to search for SVRS user accounts utilizing duplicate email addresses, @yahoo.com email addresses, accounts without expiration dates or expiration dates that fell outside of the accepted timeframe (7/1/2019). The Core Team worked with counties to make required updates to these SVRS User AccountsNew SVRS business rules were subsequently implemented that prevent SVRS user accounts from being created with the above criteria. For more information on INSVRS User Account Access and User Account Audits please review the User Access and Security in SVRS Standard Operating Procedure on the County Portal. User Account Audits 15

Tokens are devices that help authenticate users by transmitting a code in the background. When a token is used, in conjunction with a username and password, the user meets the multifactor authentication requirements for “something you know” and “something you have.” 71 counties are currently utilizing tokens when accessing SVRSThe token requires the use of Firefox or Chrome.Each token device will be mapped to an individual username in SVRS. When token participants log in, they will be prompted to connect their USB token and press the button to login. Token Authentication 16

Counties will be required to properly secure tokens because they are the property of the state. The preferred hierarchy for County Election Officials to execute secure token storage is as follows: Safe or lockboxLocked desk drawer Locked / secure officeToken Authentication 17

Token Authentication18

The system will validate that the response received from the token device is correct and will not require users to enter a pin.After the user has successfully authenticated to SVRS with their user name, password, and token, the token may be disconnected without affecting the current session. Users will be required to re-authenticate at the next login. Token Authentication 19

This security measure incorporates an additional layer of security during predefined timeframes, which are at a higher risk for cyberattacks. An “after hours” code validation method requires the entry of a code sent via text or email based on the user’s requested method when the system is accessed during the defined timeframe. The system uses a default time throughout the year and counties are also able to change these timeframes during an election cycle After Hours Code Validation 20

After Hours Code Validation21

After Hours Code Validation22

After Hours Code Validation 23

Q&A? 24