Legislature(2017 - 2018)BARNES 124

05/10/2018 09:00 AM STATE AFFAIRS

Note: the audio and video recordings are distinct records and are obtained from different sources. As such there may be key differences between the two. The audio recordings are captured by our records offices as the official record of the meeting and will have more accurate timestamps. Use the icons to switch between them.

Download Mp3. <- Right click and save file as

Audio Topic
09:06:02 AM Start
09:06:22 AM Presentation: Election Security: State Policies
10:23:10 AM Adjourn
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
+ Presentation: Election Security by TELECONFERENCED
- Wendy Underhill, National Conference of State
- Maurice Turner, Center for Democracy &
- Danielle Root, Center for American Progress
- Josie Bahnke, AK Div. of Elections
                    ALASKA STATE LEGISLATURE                                                                                  
             HOUSE STATE AFFAIRS STANDING COMMITTEE                                                                           
                          May 10, 2018                                                                                          
                           9:06 a.m.                                                                                            
MEMBERS PRESENT                                                                                                               
Representative Jonathan Kreiss-Tomkins, Chair                                                                                   
Representative Gabrielle LeDoux, Vice Chair                                                                                     
Representative Chris Tuck                                                                                                       
Representative Adam Wool                                                                                                        
Representative Chris Birch                                                                                                      
Representative Gary Knopp                                                                                                       
Representative Andy Josephson (alternate)                                                                                       
MEMBERS ABSENT                                                                                                                
Representative DeLena Johnson                                                                                                   
Representative Chuck Kopp (alternate)                                                                                           
COMMITTEE CALENDAR                                                                                                            
PRESENTATION: ELECTION SECURITY: STATE POLICIES                                                                                 
     - HEARD                                                                                                                    
PREVIOUS COMMITTEE ACTION                                                                                                     
No previous action to record                                                                                                    
WITNESS REGISTER                                                                                                              
WENDY UNDERHILL, Director                                                                                                       
Redistricting and Elections                                                                                                     
National Conference of State Legislatures (NCSL)                                                                                
Denver, Colorado                                                                                                                
POSITION STATEMENT:  Presented a PowerPoint on Election                                                                       
Security: State Policies.                                                                                                       
MAURICE TURNER, Senior Technologist                                                                                             
Center for Democracy and Technology                                                                                             
Washington, D.C.                                                                                                                
POSITION STATEMENT:  Presented a PowerPoint on Cyber Security.                                                                
DANIELLE ROOT, Voting Rights Manager                                                                                            
Center for American Progress (CAP)                                                                                              
Washington, D.C.                                                                                                                
POSITION STATEMENT:  Provided a presentation on cyberattacks.                                                                 
JOSIE BAHNKE, Director                                                                                                          
Central Office                                                                                                                  
Division of Elections                                                                                                           
Office of the Lieutenant Governor                                                                                               
Juneau, Alaska                                                                                                                  
POSITION STATEMENT:   Answered questions during  the presentation                                                             
on Election Security.                                                                                                           
PHILLIP MALANDER, Systems Administrator                                                                                         
Central Office                                                                                                                  
Division of Elections                                                                                                           
Office of the Lieutenant Governor                                                                                               
Juneau, Alaska                                                                                                                  
POSITION STATEMENT:   Answered questions during  the Presentation                                                             
on Election Security.                                                                                                           
ACTION NARRATIVE                                                                                                              
9:06:02 AM                                                                                                                    
CHAIR  JONATHAN KREISS-TOMKINS  called  the  House State  Affairs                                                             
Standing   Committee    meeting   to    order   at    9:06   a.m.                                                               
Representatives  Kreiss-Tomkins,  Josephson  (alternate),  Knopp,                                                               
and Birch  were present  at the call  to order.   Representatives                                                               
Wool, Knopp, and LeDoux arrived as the meeting was in progress.                                                                 
^PRESENTATION: ELECTION SECURITY: STATE POLICIES                                                                                
        PRESENTATION: ELECTION SECURITY: STATE POLICIES                                                                     
9:06:22 AM                                                                                                                    
CHAIR KREISS-TOMKINS  announced that  the only order  of business                                                               
would be a Presentation: Election Security:  State Policies.                                                                    
9:07:42 AM                                                                                                                    
WENDY UNDERHILL, Director,  Redistricting and Elections, National                                                               
Conference of  State Legislatures  (NCSL), began a  PowerPoint on                                                               
Election Security.   She stated that election security  was a key                                                               
issue in all states, not just  in Alaska.  The NCSL redistricting                                                               
and elections  team has spent most  of its time in  the past year                                                               
working on election security, she said.                                                                                         
9:08:15 AM                                                                                                                    
MS.  UNDERHILL turned  to slide  2, titled  "What Does  NCSL Do?"                                                               
She stated  the NCSL  is a  non-partisan organization  that works                                                               
for legislators and  staff throughout the nation.   The NCSL does                                                               
not  make recommendations  on  policy  issues since  legislatures                                                               
make   those  decisions;   however,  the   organization  provides                                                               
research on a number of topics, including election security.                                                                    
9:09:19 AM                                                                                                                    
MS. UNDERHILL referred to slide 3,  titled "The Plan for the Next                                                               
15  Minutes."   She  said  she  would  provide a  quick  national                                                               
overview  on threats  to election  security, including  where the                                                               
threats  have shown  up  or  might show  up  and, in  particular,                                                               
pointing  out  policy  choices  that  the  state  might  like  to                                                               
consider.  She  acknowledged that although she is  not a security                                                               
expert,  Maurice Turner  who is  an expert  would testify  later.                                                               
Election security was not a new  issue even though it may seem as                                                               
though it  is new, she said.   She stated that  election security                                                               
was  relative, such  as whether  the system  is more  secure than                                                               
prior systems.                                                                                                                  
9:10:30 AM                                                                                                                    
MS. UNDERHILL referred to slide  4, which provided a flowchart of                                                               
statewide voter  registration databases.  She  directed attention                                                               
to the bottom  of the slide, showing that  registrations can come                                                               
to the state via several mechanisms, including self, third-                                                                     
party,  online, and  DMV [Department/Division  of Motor  Vehicle]                                                               
registrations.  Some states are  currently automating their voter                                                               
registration processes, including Alaska,  since it has automated                                                               
its system  via the permanent fund  dividend application process.                                                               
The  next most  common source  of voter  registration was  via an                                                               
online registration system, using paper  forms that are mailed in                                                               
by voters.   Voter registration  drives and local  election voter                                                               
registration provide  other means  to register voters  in person,                                                               
she said.                                                                                                                       
MS.   UNDERHILL  reported   that  statewide   voter  registration                                                               
databases  are updated  on an  ongoing basis  by state  and local                                                               
officials, depending  on the  state.   The databases  are checked                                                               
against other sources  of data within the state or  by using out-                                                               
of-state resources.   She said that the  registration process was                                                               
separated from  the voting process  so any "messing  around" with                                                               
registration  does  not  interfere   with  vote  counting.    She                                                               
cautioned  that  if "bad  actors"  did  gain  access to  a  voter                                                               
registration system it could cause  havoc.  For example, it would                                                               
be possible for people to  change or remove individual records or                                                               
even to  delete a whole  database, which could disrupt  an entire                                                               
election.  Voters tend not  to make any distinction between voter                                                               
registration and elections,  so any tampering would  be viewed as                                                               
tampering with elections.                                                                                                       
9:12:42 AM                                                                                                                    
MS. UNDERHILL  referred to slide  5, titled  "Voter Registration:                                                               
Policy   Options."     She  said   some   states  have   same-day                                                               
registration, such that a person  could appear at a polling place                                                               
on  Election Day  and register  to vote.   She  acknowledged that                                                               
this policy  has been  adopted because  people are  interested in                                                               
increased  voter turnout;  however,  this option  does provide  a                                                               
failsafe  for  any registration.    She  stated that  maintaining                                                               
voter lists  translates to  good elections.   Data is  checked by                                                               
using  in state  and  out-of-state sources,  noting  Alaska is  a                                                               
member of the Electronic  Registration Information Center (ERIC),                                                               
which  is  a  national  cooperative   where  states  share  data.                                                               
Electronic poll books are in  use in some jurisdictions; however,                                                               
she  cautioned  that  if  the  poll book  is  electronic,  it  is                                                               
important to have  a backup on paper or on  a stand-alone laptop.                                                               
Therefore,  any  intrusion on  Election  Day  would not  have  an                                                               
impact through an electronic poll book, she said.                                                                               
9:14:21 AM                                                                                                                    
CHAIR KREISS-TOMKINS asked  for an explanation of  poll books and                                                               
the significance of electronic poll books.                                                                                      
MS.  UNDERHILL explained  poll  books.   Throughout  the last  80                                                               
years,  jurisdictions have  printed  out  all registered  voters,                                                               
creating a paper poll book.   These poll books are distributed to                                                               
the  polling place  at the  precinct  level and  voters sign  the                                                               
register after providing poll workers  with identification.  That                                                               
data  can be  in paper  or it  can also  be on  a computer  as an                                                               
electronic register, which  often is used as a means  to speed up                                                               
checking in  voters at polling  places where lines are  an issue.                                                               
The electronic poll  books can be a direct line  to the statewide                                                               
registration database or the poll book  can be kept on a separate                                                               
laptop  and   uploaded  to   the  statewide   voter  registration                                                               
9:15:50 AM                                                                                                                    
MS. UNDERHILL  continued to  review slide  5, stating  that voter                                                               
registration systems can be reviewed  for security and Mr. Turner                                                               
would discuss this  in more detail.  The state  or local election                                                               
officials can  also perform certain  security reviews  in advance                                                               
of the  election.  The  federal government has released  an extra                                                               
$300 million to states and  she assumed that Alaska's share would                                                               
likely be  $3 million, which  can be used for  election security.                                                               
Some  states  are  using  this  funding  to  update  their  voter                                                               
registration databases, she said.                                                                                               
9:16:50 AM                                                                                                                    
REPRESENTATIVE BIRCH  referred to the recent  Anchorage municipal                                                               
"vote  by  mail"  election.    He  indicated  a  lot  of  expired                                                               
information  occurred  during the  election  process.   He  asked                                                               
whether she had  any recommendations or innovative  ways to clean                                                               
up  voter  registration  lists,  for  example,  to  update  voter                                                               
registration when people move.                                                                                                  
MS. UNDERHILL  responded that as  states consider "vote  by mail"                                                               
elections they  all have  that same  question.   She acknowledged                                                               
that having "clean voter lists"  for mail elections was important                                                               
since states do not want to  mail twice as many ballots as actual                                                               
voters.    She emphasized  how  important  it  is to  check  data                                                               
throughout  the  year,  for example,  states  can  compare  vital                                                               
records to their election database  to identify death records and                                                               
update  their voter  databases.    The DMV  can  also notify  the                                                               
Division of Elections  of any address changes.  In  turn, the DMV                                                               
could mail  out a  postcard to  verify the  address change.   She                                                               
acknowledged  that it  takes a  lot  of proactive  work prior  to                                                               
Election Day to keep voter  databases updated.  She reported that                                                               
Colorado has  one-fiftieth of the  number of  provisional ballots                                                               
being used  due to  "clean voter"  lists and  the state  is quite                                                               
proud of its database.                                                                                                          
9:19:34 AM                                                                                                                    
REPRESENTATIVE LEDOUX asked whether  any "red" states have solely                                                               
vote-by-mail elections or if it was primarily "blue" states.                                                                    
MS. UNDERHILL  responded that three states  have all vote-by-mail                                                               
elections,  including  Washington,  Oregon, and  Colorado.    She                                                               
stated that Colorado, where she  lives, was considered a "purple"                                                               
state since  one body  is held  by Republicans  and the  other by                                                               
Democrats.  She  said that Washington State has  had all vote-by-                                                               
mail elections for  some time, although she was unsure  if it was                                                               
a  "blue"  state  at  the  time  it  shifted  to  a  vote-by-mail                                                               
election. Utah has nearly all  "vote by mail" elections, although                                                               
its counties  are allowed to  make the decision;  she anticipated                                                               
that  Utah would  be  an all  "vote by  mail"  election in  2018.                                                               
States  considering  moving  to  all  "vote  by  mail"  elections                                                               
include Hawaii  and California, both "blue"  states, and Montana,                                                               
a "red" state.                                                                                                                  
CHAIR  KREISS-TOMKINS asked  for  clarification  on reasons  that                                                               
western states are considering "vote  by mail" but eastern states                                                               
have not done so.                                                                                                               
MS.  UNDERHILL responded  that she  was unsure;  however, it  was                                                               
mostly  likely cultural,  although size  may be  a consideration.                                                               
Newer states  tend to have more  of an appetite for  change.  She                                                               
also  noted  that legislators  from  eastern  states have  raised                                                               
issues  about   concern  that  ballots   might  be   stolen  from                                                               
9:23:42 AM                                                                                                                    
MS. UNDERHILL added that some  legislators from Indiana, which is                                                               
a "red"  state, have  also expressed interest  in "vote  by mail"                                                               
elections.  However, Indiana has not taken any action, she said.                                                                
MS. UNDERHILL referred  to slide 6, titled "Voting  Itself."  She                                                               
explained  voting options,  including absentee  and mail  voting,                                                               
which  are  considered  similar;  in-person  voting  consists  of                                                               
polling  place  voting and  early  in-person  voting at  a  local                                                               
election  office,  and  electronically-transmitted  ballots  have                                                               
been considered to be  online voting.  Electronically-transmitted                                                               
ballots  have  triggered   the  most  security-related  concerns;                                                               
however,   all  states   are  required   to   send  ballots   out                                                               
electronically to  some citizens, primarily to  overseas military                                                               
voters,  so   outbound  blank  ballots  via   the  Internet  were                                                               
considered normal.                                                                                                              
MS.  UNDERHILL reported  that nearly  two-thirds of  states allow                                                               
voters to return their ballots in some electronic form via an e-                                                                
mail  attachment or  a  web  portal, she  said.    Both of  those                                                               
options  cause  concern  by cyber-security  people  since  e-mail                                                               
attachments could  be hacked and  changed, she said.   The portal                                                               
not only  allows the votes to  come in but could  become a target                                                               
of  an  attack.    She  pointed out  that  tradeoffs  exist,  for                                                               
example, in  terms of  all mail elections  the tradeoff  might be                                                               
that Native  Americans may not  have access to  private mailboxes                                                               
or  people in  rural areas  may also  have spotty  delivery.   In                                                               
terms  of electronic  transmission,  overseas voters  may not  be                                                               
able to return a ballot by any other means, she said.                                                                           
9:26:40 AM                                                                                                                    
REPRESENTATIVE TUCK asked how in-person  voting is different from                                                               
vote centers.                                                                                                                   
MS.  UNDERHILL answered  that in  traditional in-person  voting a                                                               
person  must   show  up   at  his/her   own  precinct,   but  for                                                               
jurisdictions with  a vote  center model,  everyone in  a county,                                                               
borough, or jurisdiction  can vote at any vote  center and obtain                                                               
an accurate ballot.  She  described this as being more convenient                                                               
for people  because they can vote  on their way to  the office or                                                               
school.   It saves the  state money because fewer  facilities are                                                               
involved  and lessens  the need  for poll  workers, which  can be                                                               
challenging for some jurisdictions, she said.                                                                                   
9:28:10 AM                                                                                                                    
MS. UNDERHILL  referred to slide  7, titled "Voting  Itself: Pre-                                                               
Election  Policy  Choices."   She  said  that  training  includes                                                               
training  for  election  officials,  but it  could  be  for  poll                                                               
workers.   She  recalled one  study showed  the number  of states                                                               
requiring  training has  increased and  they offer  voluntary new                                                               
training.  The training might  include cyber-security training or                                                               
how to perform chain-of-custody using  bipartisan teams or how to                                                               
perform physical  security for  the equipment,  including cameras                                                               
or locks.   Most states  do perform accuracy testing  just before                                                               
an election by running a test  stack of ballots marked for George                                                               
Washington  and Abe  Lincoln.   The  election  division knows  in                                                               
advance  what  the count  should  read,  the machine  counts  the                                                               
ballots, and the  comparison shows the count.   She remarked that                                                               
it is nice to invite the public  in to observe the count and that                                                               
helps to  build the culture of  transparency.  The right  time to                                                               
do contingency  planning is prior to  a problem, in case  a cyber                                                               
disaster  or natural  disaster occurs.   States  can also  review                                                               
their  recertification  requirements,  for example,  some  states                                                               
require  paper ballots,  or no  Internet  connectivity for  voter                                                               
equipment,  and  others  remove   obsolete  references  to  lever                                                               
machines or for certain font size for ballots.                                                                                  
9:30:41 AM                                                                                                                    
MS. UNDERHILL  referred to slide  8, titled "Election Day."   She                                                               
stated   that  prohibiting   Internet  connectivity   for  voting                                                               
equipment is  the most  important aspect.   She said  some states                                                               
might be concerned about crime.                                                                                                 
MS. UNDERHILL referred  to slide 9, titled  "Post Election Policy                                                               
Choices."  She highlighted post-election  audits, which provide a                                                               
means  to confirm  that the  tabulating  equipment counted  votes                                                               
accurately.   She said Alaska does  have a law relating  to post-                                                               
election audits.   All  states require a  paper ballot  or record                                                               
for audits.                                                                                                                     
MS. UNDERHILL  referred to slide  10, titled  "Voting Technology"                                                               
that  showed images  of  some of  the  current voting  technology                                                               
being used.                                                                                                                     
MS.  UNDERHILL  turned to  slide  11,  titled "Voting  equipment:                                                               
Policy  Choices."     She   mentioned  paper   ballots;  however,                                                               
sometimes  voting  machines  provide  a  record  of  the  winning                                                               
candidates, but not  all of the candidates, with a  barcode or QR                                                               
code [Quick  response code] at the  top.  She suggested  this was                                                               
something to  discuss with  cyber security  personnel.   She said                                                               
that people with  disabilities have a right to  vote securely and                                                               
privately and  it is important to  have systems that can  be used                                                               
at home, even if it is a paper ballot.                                                                                          
9:32:50 AM                                                                                                                    
MS.  UNDERHILL referred  to slide  12, which  showed a  flowchart                                                               
diagram.  She offered to  briefly cover results reporting, noting                                                               
that the  results are unofficial  results and although it  is not                                                               
good  if someone  tampers with  results as  they are  transferred                                                               
from  the local  office to  the state  and to  a public  display,                                                               
however, it will not change the outcome of an election.                                                                         
9:33:10 AM                                                                                                                    
MS. UNDERHILL  referred to slide  13, titled  "Disinformation and                                                               
Other Campaign Shenanigans."  She  reported that several days ago                                                               
the US Senate Intelligence Committee  referred back to all of the                                                               
activities in  2016 as an  effort to undermine confidence  in the                                                               
voting process.   She remarked  that the committee stated  it had                                                               
not seen any evidence that  vote tallies were manipulated or that                                                               
voter registration information was deleted or modified.                                                                         
9:33:50 AM                                                                                                                    
MS. UNDERHILL referred  to slide 14, titled  "Resources," and she                                                               
offered  to  send those  to  the  committee.   She  provided  her                                                               
contact       information,       including      her       e-mail:                                                               
9:34:20 AM                                                                                                                    
CHAIR  KREISS-TOMKINS turned  to  the next  speaker, Mr.  Turner,                                                               
center for Democracy & Technology.                                                                                              
MAURICE  TURNER, Senior  Technologist, Center  for Democracy  and                                                               
Technology,  expressed his  goal to  cover threats  to the  voter                                                               
registration  systems, voting,  and reporting  results.   When it                                                               
comes  to  threats  to  voter registration  the  article  in  the                                                               
Anchorage Daily News [not identified]  shows what can happen when                                                               
an attacker  probes a  network and finds  a vulnerability.   When                                                               
talking about threats  to voter registration, it  relates to what                                                               
it  means  to  have  an  unauthorized  actor  go  in  and  change                                                               
information in the voter registration database.                                                                                 
MR. TURNER  described this  can happen  when the  person accesses                                                               
the  local  information  technology (IT)  infrastructure  or  any                                                               
cloud-based  infrastructure that  the state  or [boroughs]  might                                                               
contract  out.    One  way   hackers  operate  would  be  through                                                               
"fishing," which is where an  individual with access, perhaps the                                                               
local  IT administrator  or  election  official, with  legitimate                                                               
access  to the  database  (DB) receives  an  e-mail, which  looks                                                               
legitimate but  is an  attempt to get  the username  and password                                                               
for the person and subsequently  impersonate them.  That would be                                                               
the likely way a person would gain access, he said.                                                                             
9:36:34 AM                                                                                                                    
MR.  TURNER   highlighted  another   way  the  database   can  be                                                               
disrupted,  which  is  by targeting  the  IT  infrastructure  and                                                               
bringing down  the infrastructure, so local  jurisdictions do not                                                               
have  access to  the  state or  cloud-based  infrastructure.   He                                                               
stated that  local election officials  are typically  pretty good                                                               
with contingency  planning, especially given the  fact that paper                                                               
was  the  only way  to  conduct  elections.   The  paper  records                                                               
provide a backup, he said.                                                                                                      
9:37:27 AM                                                                                                                    
REPRESENTATIVE BIRCH  stated that  the frontend of  the worldwide                                                               
web is  what people  see, but the  backend maintains  and manages                                                               
the records.   He asked  Mr. Turner whether  he could speak  to a                                                               
secure database and the webpages and how they are separate.                                                                     
MR.  TURNER said  the best  practice would  be to  make sure  the                                                               
frontend and  backend systems are  disconnected, and the  data is                                                               
only transferred on a periodic basis,  whether it would be at the                                                               
end of  the day or  periodically throughout  the day.   He agreed                                                               
having the  two connected  directly and  continuously would  be a                                                               
bad idea since any user would  have the ability to read and write                                                               
to the database on the backend.                                                                                                 
9:39:25 AM                                                                                                                    
MR. TURNER directed attention to  "Threats to the Voting Itself."                                                               
When  it comes  to voting  there  are typically  three areas  for                                                               
effective    security   procedures,    including   administrative                                                               
controls,  such  as staff  trained  on  policies and  procedures;                                                               
technical  controls,  such  as  the best  IT  systems;  and  also                                                               
physical  controls, including  cameras throughout  the facilities                                                               
and  the  strongest  locks  one  can buy.    However,  these  are                                                               
meaningless  if  the  organization   does  not  have  appropriate                                                               
administrative  goals   in  place   to  properly   implement  the                                                               
technical and physical controls.  The  goal is to be certain that                                                               
there are  no gaps in  any of the  controls.  All  three controls                                                               
need to be  in place in order to have  an effective security plan                                                               
when it comes to the voting itself.                                                                                             
9:40:28 AM                                                                                                                    
MR. TURNER  related the security  gaps, noting the  importance of                                                               
having a paper trail with  some measure of accountability for the                                                               
vote  record that  can be  audited.   The  trend has  been to  go                                                               
towards the best  practice of a risk-limiting audit.   He offered                                                               
to  cover that  at  a future  hearing since  it  is definitely  a                                                               
separate body of work.  He  emphasized the need for a paper trail                                                               
because  without one  it is  not  possible to  have an  effective                                                               
audit.   He stated that  accessibility features are  protected by                                                               
federal law, which  are typically not part of  the design process                                                               
when  the  voting  systems are  being  developed;  however,  they                                                               
should be  since it can cause  gaps.  He acknowledged  that often                                                               
these features  may be added  on at the end  of the process.   He                                                               
mentioned  malware,  which  is   malicious  code  that  could  be                                                               
introduced  into   a  voting  system  through   a  wired  network                                                               
connection or through a wireless  networking connection.  Malware                                                               
could  cause significant  disruption such  that voters  could not                                                               
cast their  ballots, or  the voting  record could  potentially be                                                               
9:42:17 AM                                                                                                                    
MR.  TURNER  related that  last  year  at the  largest  "hacking"                                                               
convention in  Las Vegas,  CDC participated  in a  voting machine                                                               
hacking village,  in which every  single voting machine  that was                                                               
available were  subject to  having vulnerabilities  exploited and                                                               
successfully  hacked.   The  first machine  had  a Wi-Fi  network                                                               
built into  it, so  it broadcast  its own  network.   This voting                                                               
machine was hacked from two rooms away within ten minutes.                                                                      
9:43:02 AM                                                                                                                    
CHAIR  KREISS-TOMKINS  asked  whether  the  demonstration  voting                                                               
machines that were  hacked were the same type  of voting machines                                                               
that Alaska uses.                                                                                                               
MR. TURNER  answered that not  every type of voting  machine used                                                               
throughout  the  country  was   represented  at  the  conference.                                                               
However, every onsite model was successfully hacked, he said.                                                                   
9:43:39 AM                                                                                                                    
MR. TURNER provided another example  of how malware can disrupt a                                                               
large IT  infrastructure.  The  City of Atlanta recently  was hit                                                               
with  ransomware,  a  dreaded  type of  malware  installed  by  a                                                               
malicious actor on a system and  it spreads as quickly and as far                                                               
as possible.   The user sees  a pop-up screen that  demands money                                                               
be sent to a particular address  because the user's data has been                                                               
encrypted or  locked up and cannot  be accessed.  The  ransom was                                                               
less  than $50,000;  however,  the  city was  unable  to pay  it.                                                               
Atlanta ultimately  spent over  $2 million  in data  recovery and                                                               
remediation.   Malware can be very  small, but it can  spread and                                                               
have a massive impact.                                                                                                          
9:44:51 AM                                                                                                                    
MR. TURNER  said the last security  gap when it comes  to threats                                                               
to   the   voting   process  itself   is   "information   silos."                                                               
Information  silos  happens  when   information  stays  within  a                                                               
particular department  or organization.  The  FBI [Federal Bureau                                                               
of Investigation], DHS [Department  of Homeland Security], state,                                                               
county,  and city  officials have  recognized the  importance and                                                               
benefits of sharing information  through all levels of government                                                               
and across to  different jurisdictions to make  sure if something                                                               
bad happens  in one jurisdiction  it can be prevented  in others.                                                               
He emphasized that DHS was doing  a much better job, working with                                                               
states and elected  officials to make sure  information is shared                                                               
as broadly as possible.                                                                                                         
9:46:12 AM                                                                                                                    
CHAIR  KREISS-TOMKINS asked  Mr. Turner  to identify  the biggest                                                               
single vulnerability  in Alaska's voting and  election system and                                                               
his foremost  recommendation for  improvement to the  security of                                                               
Alaska's election system.                                                                                                       
MR.  TURNER said  he was  very impressed  with Alaska's  election                                                               
system.   He stated that  the CAP [Center for  American Progress]                                                               
score was a  "B".  He suggested that  additional consideration be                                                               
given to make  sure that only the appropriate  people have access                                                               
to systems,  such that two-factor  authentication be used  at the                                                               
local  level.   The  two-factor authentication  ensures that  the                                                               
local  election officials  are  protecting  their own  legitimate                                                               
access to the election and voting systems.                                                                                      
9:47:32 AM                                                                                                                    
REPRESENTATIVE   BIRCH  stated   that   Alaska's  machines   were                                                               
purchased in  1998, so even though  it is old it  produces a hard                                                               
copy  record.   He did  not  believe there  was any  intersection                                                               
between the  voting machine and  the Internet.  He  asked whether                                                               
newer technology  could be used, for  example, optically scanning                                                               
the ballot and reporting the numbers, but retaining the ballot.                                                                 
MR. TURNER  answered that  if the machines  were produced  in the                                                               
late 1990s  that they  would not  have any  network connectivity.                                                               
Typically, newer machines will be "off  the shelf" so it would be                                                               
incumbent upon  the purchasing department  to thoroughly  vet and                                                               
thoroughly test any  new machines.  Whether the  testing would be                                                               
done by  state staff or  contractors, it  is important to  have a                                                               
level of  assurance that the  new machine  can be tested  to make                                                               
sure that the  machines do not have any functions  or features it                                                               
does not  want.  For  example, the state  may decide to  not have                                                               
network  connectivity;   however,  the  machine  may   have  that                                                               
functionality.   If the  only control  over network  access being                                                               
turned on  or off was by  software that would provide  a point of                                                               
access for  a malicious actor to  gain access to the  machine and                                                               
turn  on   network  connectivity.    He   emphasized  that  fully                                                               
informing a procurement  process was crucial so  that the options                                                               
and specifications are known.                                                                                                   
9:50:39 AM                                                                                                                    
REPRESENTATIVE BIRCH  asked whether Mr.  Turner had any  sense of                                                               
the number  of voting jurisdictions  in which a hard  copy ballot                                                               
is retained in addition to an optically-scanned image.                                                                          
MR. TURNER  said he did not  know but he offered  to research and                                                               
provide it to the committee.                                                                                                    
9:51:26 AM                                                                                                                    
MR. TURNER turned to the "Intelligence  Report."  The goal of the                                                               
Russian influence campaign  was really to sow  doubt by spreading                                                               
misinformation.   One of the ways  to combat this activity  is to                                                               
ensure  that  only  dedicated  devices   are  used  for  election                                                               
process, including  the "public-facing front end"  whether it was                                                               
dedicated USB  flash drives that would  only be used one  time in                                                               
one way to ensure against  compromising the information contained                                                               
on the drive.                                                                                                                   
9:52:18 AM                                                                                                                    
MR.  TURNER   highlighted  the  threats  to   reporting  results,                                                               
including  misinformation, such  as reporting  unofficial results                                                               
most likely  through social  media.  Secondly,  we are  likely to                                                               
see  denial of  service attacks  [DDoS or  distributed denial  of                                                               
service], which is  when hundreds or thousands  of machines focus                                                               
their  requests  on  one  website,  for  example,  the  State  of                                                               
Alaska's reporting  website, to  prevent legitimate  traffic from                                                               
getting through so  it appears that the server  is taken offline.                                                               
He  said some  services like  Cloudflare's (indisc.)  or Google's                                                               
"Project Shield"  that can  help protect  against these  types of                                                               
automated DDOS attacks, but the real  goal is to make sure that a                                                               
plan  to get  unofficial reports  out if  service attacks  occur.                                                               
The  plan if  a service  attack occurred  or some  other type  of                                                               
misinformation  happened   could  include  social   media,  press                                                               
releases, traditional means, television or radio.                                                                               
9:54:50 AM                                                                                                                    
REPRESENTATIVE  KREISS-TOMKINS  turned  to  the  next  presenter,                                                               
Danielle Root, Center  for American Progress (CAP),  and said Ms.                                                               
root  would  discuss  Alaska's  CAP report  card,  which  was  on                                                               
members' desks.                                                                                                                 
9:55:22 AM                                                                                                                    
DANIELLE  ROOT,  Voting  Rights   Manager,  Center  for  American                                                               
Progress (CAP),  stated that in  2016, primarily  Russian hackers                                                               
took  unprecedented steps  to infiltrate  and disrupt  [federal],                                                               
state and local election systems.   National security experts and                                                               
state election  officials do  not know the  full extent  to which                                                               
hackers breached election infrastructure.   So far there has been                                                               
no evidence  that election outcomes were  manipulated or altered;                                                               
however,  it  is  known  that hackers  attempted  to  breach  the                                                               
election infrastructure of at least  20 states, including Alaska.                                                               
For  example,  Russian  operatives  reportedly  trolled  Alaska's                                                               
election-related databases  in the weeks  leading up to  the 2016                                                               
elections.      The   infamous   hacker,   CyberZeist,   obtained                                                               
unauthorized  access to  Alaska's  election  website on  Election                                                               
Day,  but  did  not  succeed   because  built-in  cyber  defenses                                                               
prevented  the  hacker  from altering  data  or  causing  service                                                               
disruptions.     She  cautioned  that  hackers   are  using  more                                                               
sophisticated techniques and may try  again.  Americans have been                                                               
warned  that attacks  on election  infrastructure  have and  will                                                               
continue  in  future  elections,   including  the  upcoming  2018                                                               
midterm elections.   Unfortunately,  security experts  and policy                                                               
makers agree  that state and  local elections continue to  be ill                                                               
equipped   to  withstand   attacks  from   hackers  and   foreign                                                               
adversaries such as Russia.                                                                                                     
9:57:00 AM                                                                                                                    
MS.  ROOT  reported  that  in  February  2018,  the  Thunder  for                                                               
American  Progress  published  a   comprehensive  review  of  the                                                               
election-security preparedness  in all  50 states  and Washington                                                               
D.C. detailing  the continuing vulnerabilities of  state election                                                               
infrastructure and assigning grades  based on election readiness.                                                               
Alaska  received  a "B"  which  was  the highest  grade  awarded.                                                               
Alaska earned points for adhering  to minimum cyber security best                                                               
practices  related  to voter  registration  systems  and for  its                                                               
widespread use of  paper ballots for conducting  elections to key                                                               
areas of election security.                                                                                                     
9:57:43 AM                                                                                                                    
MS. ROOT indicated that  Alaska's election infrastructure remains                                                               
vulnerable,  which means  that  the state  is  open to  election-                                                               
related attacks.  These vulnerabilities  must be addressed.   One                                                               
area needing  improvement is the  lack of  post-election auditing                                                               
procedures.    Currently,  the  number  of  ballots  included  in                                                               
Alaska's  post-election   audits  are  ones  based   on  a  fixed                                                               
percentage as opposed to  a statistically-significant number tied                                                               
to the  margin of victory  of one or  more ballot contests  as is                                                               
common  with risk-limiting  audits.   The [risk-limiting  audits]                                                               
are  considered the  "gold standard"  of post-election  audits as                                                               
mentioned  by other  presenters today.   Many  states are  moving                                                               
towards  risk-limiting audits  and the  CAP recommends  Alaska do                                                               
9:58:27 AM                                                                                                                    
MS. ROOT  stated that linking  the number of ballots  included in                                                               
the post-election  audit to the  margin of victory rather  than a                                                               
fixed-percentage or  number helps to  ensure that  enough ballots                                                               
are examined  to create convincing  evidence that the  outcome is                                                               
correct.    It  also  saves resources  by  guaranteeing  election                                                               
officials only  examine the precise number  of ballots necessary,                                                               
she said.                                                                                                                       
MS. ROOT  noted that  Alaska's post-election  audits also  do not                                                               
include voters  stationed or living overseas,  absentee or UOCAVA                                                               
[Uniformed and  Overseas Citizens  Absentee Voting  Act] ballots.                                                               
In 2016,  UOCAVA ballots amounted  to more than 8,000  of ballots                                                               
cast in Alaska during the  presidential election.  She emphasized                                                               
that  CAP recommends  that all  ballot types,  including regular,                                                               
early voting,  absentee, provisional, and UOCAVA  be eligible for                                                               
inclusion in  post-election audits.   She cautioned that  by only                                                               
allowing certain  categories of  ballots, election  officials may                                                               
fail  to  detect anomalies  in  the  tabulation of  other  ballot                                                               
9:59:29 AM                                                                                                                    
MS.  ROOT emphasized  that  Alaska should  terminate  its use  of                                                               
electronic absentee voting, noting Alaska  is the only state that                                                               
allows   any   eligible   voter   to  return   a   voted   ballot                                                               
electronically.   Although  she  acknowledged  that Alaska  moved                                                               
away from  web portals, the  state still allows voted  ballots to                                                               
be  returned  via  fax.   As  Ms.  Underhill  mentioned  earlier,                                                               
computer scientists  and computer  experts have long  warned that                                                               
returning ballots  via fax  was insecure  and subject  to hacking                                                               
and  a myriad  of ballot  delivery problems.   Voters  deserve to                                                               
have the  security of their  ballots protected and to  have their                                                               
ballots counted  as they  intended.  She  said that  having their                                                               
ballots  transmitted through  the mail  means a  paper record  of                                                               
intent exists  instead of only a  vulnerable Internet transaction                                                               
that puts the security of their ballots at risk.                                                                                
MS. ROOT  advised that Alaska was  awarded $3 million as  part of                                                               
the  2018 HAVA  Election Security  Fund to  bolster its  election                                                               
preparedness.   While she  was glad that  Alaska intended  to use                                                               
the funding to replace old  voting machines and bolster its cyber                                                               
security protections;  she also  cautioned that the  state should                                                               
consider  using some  of its  funding to  strengthen the  state's                                                               
post-election auditing  procedures and require all  voted ballots                                                               
be submitted in-person  or returned by mail.   She concluded that                                                               
by  taking these  steps Alaska  could  significantly improve  its                                                               
election-security preparedness.                                                                                                 
10:01:04 AM                                                                                                                   
REPRESENTATIVE  TUCK asked  Ms.  Root the  percentage of  ballots                                                               
returned electronically in Alaska.                                                                                              
MS. ROOT said that information did  not appear to exist, that the                                                               
UOCAVA ballots  were tracked but it  does not track how  many are                                                               
returned  electronically.   Some  advocacy groups  are trying  to                                                               
obtain that  information, but to  date no public  information was                                                               
available, she said.                                                                                                            
10:02:10 AM                                                                                                                   
REPRESENTATIVE KNOPP  asked for  clarification on the  issue with                                                               
fax-returned  ballots and  if it  was voter  information security                                                               
and  privacy  or if  it  was  due  to  the potential  for  ballot                                                               
MS. ROOT responded that it depends  on how the fax is transmitted                                                               
since some  states fax via the  Internet and that is  how ballots                                                               
are also  returned.  She said  this means that these  ballots are                                                               
vulnerable to manipulation.  Other  states use a dial-up fax, and                                                               
any fax  service is subject  service disruption.   Therefore, any                                                               
type  of  cyberattack  could  prevent  an  election  office  from                                                               
receiving  or counting  the  voted  ballots sent  via  fax.   She                                                               
pointed  out that  mail delivery  also  can be  unreliable.   She                                                               
highlighted that if a large  number of ballots being returned via                                                               
fax  could be  affected by  one service  disruption, which  could                                                               
result in a large number of ballots not being counted.                                                                          
10:04:02 AM                                                                                                                   
REPRESENTATVE  TUCK  directed  attention  to  an  audit  synopsis                                                               
provided in  committee members'  packets.  He  asked Ms.  Root to                                                               
identify the UOCAVA acronym.                                                                                                    
MS.  ROOT  answered  that  UOCAVA refers  to  the  Uniformed  and                                                               
Overseas  Citizens  Absentee  Voting  Act ballots.    States  are                                                               
required  to send  out electronically  or by  mail ballots  to US                                                               
citizens living outside  the country but UOCAVA  does not require                                                               
ballots to be returned electronically, she said.                                                                                
10:05:02 AM                                                                                                                   
REPRESENTATIVE TUCK  asked about the  report referred to  the DRE                                                               
machine with  VVPR under the section  voter-verified audit trail.                                                               
He asked for clarification on the acronym.                                                                                      
MS. ROOT  answered the electronic  machines were ones  that print                                                               
out a receipt of the voter's  ballot choices, such that the voter                                                               
would  select their  candidate or  ballot initiative  on a  touch                                                               
screen or machine;  that the voter can view their  decisions in a                                                               
viewing window  and subsequently confirm that  the printed ballot                                                               
matched what  they chose  on the  touch screen.   Once  the voter                                                               
touched "yes,"  the information would be  preserved, and election                                                               
officials  could later  review the  information during  an audit.                                                               
However,  election officials  do  not recommend  this method  and                                                               
instead  recommends paper  ballots because  not all  voters check                                                               
the paper receipt before submitting it.                                                                                         
10:07:28 AM                                                                                                                   
The committee took a brief at-ease.                                                                                             
10:08:03 AM                                                                                                                   
CHAIR  KREISS-TOMKINS asked  for the  DOE's perspective  on risk-                                                               
limiting audits.   He  further asked  about changing  the state's                                                               
practices on ballots submitted by fax.                                                                                          
10:08:38 AM                                                                                                                   
JOSIE BAHNKE,  Director, Central  Office, Division  of Elections,                                                               
Office  of  the Lieutenant  Governor,  stated  that the  division                                                               
attended a technology fair  with four federally-certified vendors                                                               
looking at new election technology.                                                                                             
MS. BAHNKE  referred to two  issues, the process  of risk-limited                                                               
audits  and  the return  of  ballots  online  or  by fax  as  the                                                               
weaknesses  in  the  Alaska  election   system.    She  described                                                               
Alaska's audit  process as being very  robust.  She said  the DOE                                                               
has  looked  at  other  state's  risk-limiting  audits,  such  as                                                               
Colorado, who has adopted the  risk-limiting audits.  She advised                                                               
members  that Alaska  is in  the process  of reviewing  the risk-                                                               
limiting  audit  process.   In  terms  of  ballot by  fax,  under                                                               
UOCAVA,  the  state  is  required  to allow  for  the  return  of                                                               
absentee ballots online  or by fax.  The CAP  has reported ballot                                                               
returns as a weakness in Alaska's  election system and due to the                                                               
ongoing  cyber-security concerns  the  DOE made  the decision  to                                                               
suspend the return  of those ballots online.   However, the state                                                               
will still allow  those ballots to be returned  from overseas and                                                               
nationally via fax or by mail.                                                                                                  
10:11:16 AM                                                                                                                   
REPRESENTATIVE  LEDOUX related  her  understanding that  [UOCAVA]                                                               
voters can receive their ballot  online but can return the ballot                                                               
by fax or by  mail.  She asked whether there was  a time when the                                                               
ballot could be returned by Internet.                                                                                           
MS.  BAHNKE answered  yes.   In further  response, she  indicated                                                               
that  the DOE  implemented Internet  ballot returns  in 2014  and                                                               
CHAIR KREISS-TOMKINS  said he remembered friends  returning their                                                               
ballots by e-mail.                                                                                                              
10:12:18 AM                                                                                                                   
REPRESENTATIVE  LEDOUX asked  whether  this  will allow  oversees                                                               
ballots to be returned by Internet means.                                                                                       
MS.  BAHNKE  answered that  currently  the  division can  provide                                                               
online  ballots  to  any  voters, that  online  ballots  are  not                                                               
restricted to UOCAVA voters.                                                                                                    
10:12:42 AM                                                                                                                   
REPRESENTATIVE LEDOUX asked whether  any group or geographic area                                                               
in Alaska is allowed to return ballots through the Internet.                                                                    
MS.  BAHNKE  answered  the  DOE made  decision  to  suspend  that                                                               
practice  due to  ongoing  cyber security  threats  until a  more                                                               
secure  solution exists.   In  further response,  she agreed  the                                                               
practice was suspended for all groups.                                                                                          
10:13:28 AM                                                                                                                   
REPRESENTATIVE  BIRCH recalled  testimony  on  the potential  for                                                               
disruption  for  ballots  returned  by  fax.   He  asked  for  an                                                               
estimate  of how  many ballots  were faxed  in the  last election                                                               
MS.  BAHNKE answered  she did  not  have the  precise number  but                                                               
estimated that under 1,000 were returned by fax.                                                                                
10:14:05 AM                                                                                                                   
REPRESENTATIVE BIRCH directed attention  to the discussion on the                                                               
competence of  the paper ballot  audit trail.   He asked  how the                                                               
[voting]   information  was   transmitted  from   [rural]  Alaska                                                               
locations to election central on Election Day.                                                                                  
MS. BAHNKE deferred to Mr. Malander.                                                                                            
10:15:12 AM                                                                                                                   
PHILLIP MALANDER,  Systems Administrator, Division  of Elections,                                                               
Office of  the Lieutenant Governor, advised  that the information                                                               
is transmitted back via phone  lines either verbally or via Paymo                                                               
[an online project management application].                                                                                     
10:15:32 AM                                                                                                                   
REPRESENTATIVE BIRCH  asked whether there would  be an electronic                                                               
transmission.  He  further asked whether that  was susceptible to                                                               
any cyber  security issue  and if it  was considered  an Internet                                                               
MR. MALANDER said  that generally the division  does not consider                                                               
that  to  be an  Internet  connection.    Every system  has  some                                                               
vulnerabilities  but  the  risks  in  that  area  are  considered                                                               
relatively low.                                                                                                                 
10:16:13 AM                                                                                                                   
CHAIR   KREISS-TOMKINS  related   his  understanding   that  when                                                               
Shishmaref or  Nome election results are  transmitted verbally or                                                               
by phone line that it means the information is "called in."                                                                     
MR. MALANDER answered yes; that is correct.                                                                                     
10:16:33 AM                                                                                                                   
REPRESENTATIVE BIRCH  related that  Alaska's voting  equipment is                                                               
now about 30  years old, so he wondered whether  the division has                                                               
been looking  at vendors who  offer similar voting  capacity with                                                               
paper  ballots  that  provide  an  audit  trail  as  well  as  an                                                               
electronic or optical scan and transmittal.                                                                                     
MS.  BAHNKE answered  that the  division  recently reviewed  four                                                               
federally-certified  vendors at  the technology  fair and  all of                                                               
them used  paper ballots.   She  did not  see Alaska  moving away                                                               
from that type of ballot.                                                                                                       
10:17:17 AM                                                                                                                   
REPRESENTATIVE  BIRCH asked  for  clarification  on the  training                                                               
regime since there have been some issues in rural areas.                                                                        
MS.  BAHNKE  answered that  by  statute  the director  submits  a                                                               
training  plan  to the  Lieutenant  Governor  by  March 1  in  an                                                               
election year.   She offered  to provide  a copy of  the election                                                               
training  plan.   Since 2016,  the division  has been  working to                                                               
improve  every  aspect  of its  election  management.    Election                                                               
training was  one area, specifically,  in which the  division has                                                               
improved its  in-person training.   The DOE has spent  last month                                                               
in  the   KTOO  studio   providing  more   interactive  training,                                                               
including making  DVDs of the  training.  The division  will have                                                               
links  to that  training on  its website,  so she  felt confident                                                               
that the concern has been addressed.   She said division was also                                                               
confident it is ready for the 2018 election.                                                                                    
10:18:47 AM                                                                                                                   
REPRESENTATIVE  LEDOUX  asked  whether any  concern  exists  that                                                               
people living  in major cities can  vote over a longer  period of                                                               
time, so  they have more  voting opportunity than those  in rural                                                               
areas.   For example, a  person living  in Anchorage can  take an                                                               
absentee ballot to the Anchorage  International Airport US Postal                                                               
Facility and  have the  ballot postmarked on  Election Day.   She                                                               
was unsure if that opportunity existed in the villages.                                                                         
MS. BAHNKE answered  that access to the ballot is  central to her                                                               
role  as the  director; however,  she said  she did  not have  an                                                               
opinion on that issue.                                                                                                          
10:20:18 AM                                                                                                                   
REPRESENTATIVE  LEDOUX said  she  was surprised  that the  recent                                                               
Anchorage  "Vote  by  Mail" election  administrative  costs  were                                                               
higher than for  routine in person elections.   She asked whether                                                               
an all-mail ballot would cost the state more to administer.                                                                     
MS. BAHNKE  answered that the  Municipality of  Anchorage briefed                                                               
the  Election   Policy  Workgroup  yesterday  on   its  municipal                                                               
election.    In  2018,  the  MOA was  required  to  purchase  new                                                               
equipment  and  software in  order  to  conduct its  vote-by-mail                                                               
election.   Those will not be  ongoing costs, she said.   The DOE                                                               
reviewed other  states whose  elections are  exclusively vote-by-                                                               
mail elections and these states  have realized cost savings.  She                                                               
offered to provide the information to the committee.                                                                            
10:22:30 AM                                                                                                                   
CHAIR KREISS-TOMKINS  related his understanding that  the cost of                                                               
Anchorage's municipal  vote-by-mail election  was driven  by one-                                                               
time upfront expenditures  that would not be  necessary in future                                                               
MS. BAHNKE answered yes.                                                                                                        
10:22:44 AM                                                                                                                   
CHAIR KREISS-TOMKINS  said one recommendation  Ms. Root  made for                                                               
Alaska was  to include all  ballots, including  UOCAVA [Uniformed                                                               
and Overseas Citizens Absentee Voting Act] ballots in post-                                                                     
election  audits.     He  asked   whether  the  division   had  a                                                               
perspective  on that  recommendation or  if it  has an  intent to                                                               
implement anything along those lines.                                                                                           
MS. BAHNKE  answered yes;  that the division  does plan  on doing                                                               
10:23:10 AM                                                                                                                   
There being no  further business before the  committee, the House                                                               
State Affairs  Standing Committee meeting was  adjourned at 10:23                                                               

Document Name Date/Time Subjects