Secretary Merrill met with Homeland Security on Thursday:
Merrill Statement on Meeting with DHS Officials Regarding Election Cybersecurity
We applaud this step in the right direction. Last year as leader of the National Association of Secretaries of State, Merrill opposed the designation of elections as critical infrastructure, taking the lead in expressing concern about a Federal take-over of elections. We were critical of that stand then and remain so.
In our opinion this is just a step. There are several aspects to election security/integrity that should be addressed. This step may assist in those that are under direct control of the State, yet less so those under local control. It’s not an issue of a State take-over of local elections, but the impossibility of every town in the State doing what even the NSA has failed at – protecting their most sensitive systems from attack. Yet, like the NSA, the State is capable of doing ever better.
- We need to protect our Centralized Voter Registration System (CVRS) from corruption and denial of service attacks on election day.
- We need to protect the CVRS from incremental loss or corruption of data over time. That means independently logging every add, change, and delete of the file, and balancing and auditing those changes against the database regularly, and especially in the days and weeks before an election.
- We need to make sure that, if we use electronic pollbooks, there is a usable paper pollbook in every polling place and a copy of that in the Registrars’ Offices during every election. We want to avoid the disaster that occurred in an NC county in the last election.
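The logging, balancing and auditing described in the second item above, shown as an added example (not from the original post or any state system): it replays an independent change log over a baseline snapshot and reconciles the result with the live database. The record layout, the `audit_registry` function and the sample data are assumptions constructed for illustration.

```python
from collections import Counter

def audit_registry(baseline, change_log, current):
    """Replay an independent change log over a baseline snapshot, then
    balance and audit the result against the live database.
    baseline/current: {voter_id: record}; change_log: [(op, voter_id, record)].
    """
    expected = dict(baseline)
    ops, findings = Counter(), []
    for seq, (op, vid, rec) in enumerate(change_log, 1):
        ops[op] += 1
        if op == "add" and vid not in expected:
            expected[vid] = rec
        elif op == "change" and vid in expected:
            expected[vid] = rec
        elif op == "delete" and vid in expected:
            del expected[vid]
        else:  # the log itself is inconsistent; flag it for review
            findings.append((vid, f"log entry {seq}: invalid {op}"))
    # Balancing: baseline + adds - deletes must equal the live record count.
    should_be = len(baseline) + ops["add"] - ops["delete"]
    balance = {"expected": should_be, "actual": len(current),
               "in_balance": should_be == len(current)}
    # Record-level audit: counts can balance while records are wrong.
    for vid in sorted(expected.keys() | current.keys()):
        if vid not in current:
            findings.append((vid, "missing from database, no logged delete"))
        elif vid not in expected:
            findings.append((vid, "in database, no logged add"))
        elif expected[vid] != current[vid]:
            findings.append((vid, "differs from logged state"))
    return balance, findings

# Constructed sample data (not real registration records).
BASELINE = {"V1": {"name": "A. Adams", "status": "active"},
            "V2": {"name": "B. Brown", "status": "active"},
            "V3": {"name": "C. Clark", "status": "active"}}
CHANGE_LOG = [("add", "V4", {"name": "D. Diaz", "status": "active"}),
              ("change", "V2", {"name": "B. Brown", "status": "inactive"}),
              ("delete", "V3", None)]
# Live database: V1 altered, V4 gone, V5 inserted, none of it logged.
CURRENT = {"V1": {"name": "A. Adams", "status": "inactive"},
           "V2": {"name": "B. Brown", "status": "inactive"},
           "V5": {"name": "E. Evans", "status": "active"}}

if __name__ == "__main__":
    balance, findings = audit_registry(BASELINE, CHANGE_LOG, CURRENT)
    print(balance)
    for vid, problem in findings:
        print(vid, problem)
```

In the sample the record counts balance even though three records are wrong, which is why the count check alone is not a sufficient audit.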
Cybersecurity from “outside interference or manipulation” is insufficient. We must prevent insider attacks. We must be able to recover from “interference and manipulation”, since complete prevention is not possible. As we have said before, database and election integrity depends on Prevention, Detection, and Recovery.
- We have paper ballots everywhere in Connecticut. Yet, they need to be protected better. In the majority of Connecticut municipalities they can be accessed by either Registrar for hours, undetected. In many, they can be accessed by any official in the Registrars’ Offices, sometimes by other officials. Without paper that we can trust there can be no detection or recovery from insider attack.
- We need to have sufficient audits of results we can trust, from the accurate counting/adjudication of paper ballots to the totals reported by the State. Where necessary, those audits should end in full recounts to determine and certify the correct winners.
- We also need process audits to verify various aspects of the election process: comparing checkoffs to ballots counted; verifying ballot security; verifying the integrity of checkoffs to actual legal voters; the integrity of the absentee ballot process, from application integrity, mail delivery, signature verification, counting, etc.













