Testimony to the Connecticut Cybersecurity Task Force – UPDATED

Today was the 2nd and perhaps last meeting of the Connecticut Cybersecurity Task Force, aimed at recommending items for Connecticut’s share of the $5.1 million in new Federal Funding.

I testified in my capacity as Executive Director of the Connecticut Citizen Election Audit. I was the only member of the public providing testimony. In a couple of days I will pass on the video of the event, once it becomes available.  For now:
Here is the Agenda: <read> and my Testimony: <read>

I largely addressed the need for paper ballot security and post-election audits and how some of the new Federal money could be used to enhance them now and in the future.

I think I raised some awareness from my testimony and the questions members asked, yet it seems that the modest items I suggested might be deemed cost prohibitive. I spoke for six minutes and addressed questions for about 10 minutes (the emboldened portion of my written testimony), so the video will be interesting. The recommendations for spending the $5.1 million will apparently closely mimic the items listed near the end of the agenda.

Here is an excerpt of some highlights:

Enhancing post-election audits was explicitly included as an appropriate use of funds in the Federal legislation. Protection of paper ballots is a necessary component of trustworthy post-election audits.  I recommend initial steps that will cost, less than one-half a million dollars and outline a more comprehensive, yet efficient plan for the long run that might best protect Connecticut elections and ultimately our democracy.

Why are post-election audits and paper ballots a critical component of protecting our elections?  “[D}data protection involves prevention, detection, and recovery”.  Cybersecurity and other measures protecting voting equipment and voting systems are primarily prevention measures and to a lesser degree detection measures. No matter how much effort we put into cybersecurity, software testing, and hardware maintenance there will always be a significant level of vulnerability.

Paper ballots, sufficient post-election audits, and recounts provide a primary means of detecting cyber, software, human, and hardware failures. They also provide a means of recovery. They provide for, so called, software independent verification of election results, resulting in justified public confidence. I agree with Secretary Merrill that public confidence is important. I emphasize that the goal should be justified public confidence.

For post-election audits and recounts to be trusted requires strong paper ballot security and a credible chain-of-custody. Audits must also be transparent and publicly verifiable. The independent Citizen Audit reports show our ballot security is woefully inadequate.

Connecticut currently has an insufficient post-election audit. Insufficient because it only audits 5% of polling-place cast, machine counted ballots, exempting all centrally counted absentee ballots, Election Day Registration ballots, and originally hand-counted ballots from the audit. Insufficient because many of the local counting sessions are poorly conducted, with most differences in counts attributed to human counting error and left uninvestigated – a phenomenon that is, as far as I can tell, unique to Connecticut.

Fortunately, there is a straight-forward remedy close at hand. The UConn VoTeR Center in conjunction with the Secretary’s Office have developed an independent, electronic system to rescan and recount the ballots, called the Audit Station.  Unfortunately, the Audit Station has not been used in a way that meets requirements for software independence or that would satisfy most election integrity activists, leading scientists, and security experts.

The good news is that the Audit Station could easily be enhanced to satisfy most experts.My written testimony details Citizen Audit recommendations for ballot security and audits. Once again, I emphasize that audits and protected paper ballots are necessary for detection and recovery from every type of attack, breakdown, and error.

The Registrars of Voters Association asked for money for electronic pollbooks and for GEMS systems to accumulate results from memory cards, presumably somehow replacing or enhancing our new, completely air-gaped Election Night Reporting System.

Without explanation the Registrars linked those systems to improved cybersecurity.

They also asked the State to pay for new computers, newer than the XP systems many registrars use and sometimes share with other town employees.

Those suggestions were apparently ignored.

For the agenda from the 1st meeting and a list of task force members, see this press release: <read>


Days sooner than last time, the video is available: <View>

My testimony starts at about 45 minutes in.

In reviewing the video, I note that Secretary Merrill did express interest in using some of the Federal money for some of our recommendations and considering improving some aspects of the audits.


Leave a Reply

You must be logged in to post a comment.