Legislature(2017 - 2018)BARNES 124
05/10/2018 09:00 AM House STATE AFFAIRS
Note: the audio ![]()
and video ![]()
recordings are distinct records and are obtained from different sources. As such there may be key differences between the two. The audio recordings are captured by our records offices as the official record of the meeting and will have more accurate timestamps. Use the icons to switch between them.
| Audio | Topic |
|---|---|
| Start | |
| Presentation: Election Security: State Policies | |
| Adjourn |
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
+ teleconferenced
= bill was previously heard/scheduled
ALASKA STATE LEGISLATURE
HOUSE STATE AFFAIRS STANDING COMMITTEE
May 10, 2018
9:06 a.m.
MEMBERS PRESENT
Representative Jonathan Kreiss-Tomkins, Chair
Representative Gabrielle LeDoux, Vice Chair
Representative Chris Tuck
Representative Adam Wool
Representative Chris Birch
Representative Gary Knopp
Representative Andy Josephson (alternate)
MEMBERS ABSENT
Representative DeLena Johnson
Representative Chuck Kopp (alternate)
COMMITTEE CALENDAR
PRESENTATION: ELECTION SECURITY: STATE POLICIES
- HEARD
PREVIOUS COMMITTEE ACTION
No previous action to record
WITNESS REGISTER
WENDY UNDERHILL, Director
Redistricting and Elections
National Conference of State Legislatures (NCSL)
Denver, Colorado
POSITION STATEMENT: Presented a PowerPoint on Election
Security: State Policies.
MAURICE TURNER, Senior Technologist
Center for Democracy and Technology
Washington, D.C.
POSITION STATEMENT: Presented a PowerPoint on Cyber Security.
DANIELLE ROOT, Voting Rights Manager
Center for American Progress (CAP)
Washington, D.C.
POSITION STATEMENT: Provided a presentation on cyberattacks.
JOSIE BAHNKE, Director
Central Office
Division of Elections
Office of the Lieutenant Governor
Juneau, Alaska
POSITION STATEMENT: Answered questions during the presentation
on Election Security.
PHILLIP MALANDER, Systems Administrator
Central Office
Division of Elections
Office of the Lieutenant Governor
Juneau, Alaska
POSITION STATEMENT: Answered questions during the Presentation
on Election Security.
ACTION NARRATIVE
9:06:02 AM
CHAIR JONATHAN KREISS-TOMKINS called the House State Affairs
Standing Committee meeting to order at 9:06 a.m.
Representatives Kreiss-Tomkins, Josephson (alternate), Knopp,
and Birch were present at the call to order. Representatives
Wool, Knopp, and LeDoux arrived as the meeting was in progress.
^PRESENTATION: ELECTION SECURITY: STATE POLICIES
PRESENTATION: ELECTION SECURITY: STATE POLICIES
9:06:22 AM
CHAIR KREISS-TOMKINS announced that the only order of business
would be a Presentation: Election Security: State Policies.
9:07:42 AM
WENDY UNDERHILL, Director, Redistricting and Elections, National
Conference of State Legislatures (NCSL), began a PowerPoint on
Election Security. She stated that election security was a key
issue in all states, not just in Alaska. The NCSL redistricting
and elections team has spent most of its time in the past year
working on election security, she said.
9:08:15 AM
MS. UNDERHILL turned to slide 2, titled "What Does NCSL Do?"
She stated the NCSL is a non-partisan organization that works
for legislators and staff throughout the nation. The NCSL does
not make recommendations on policy issues since legislatures
make those decisions; however, the organization provides
research on a number of topics, including election security.
9:09:19 AM
MS. UNDERHILL referred to slide 3, titled "The Plan for the Next
15 Minutes." She said she would provide a quick national
overview on threats to election security, including where the
threats have shown up or might show up and, in particular,
pointing out policy choices that the state might like to
consider. She acknowledged that although she is not a security
expert, Maurice Turner who is an expert would testify later.
Election security was not a new issue even though it may seem as
though it is new, she said. She stated that election security
was relative, such as whether the system is more secure than
prior systems.
9:10:30 AM
MS. UNDERHILL referred to slide 4, which provided a flowchart of
statewide voter registration databases. She directed attention
to the bottom of the slide, showing that registrations can come
to the state via several mechanisms, including self, third-
party, online, and DMV [Department/Division of Motor Vehicle]
registrations. Some states are currently automating their voter
registration processes, including Alaska, since it has automated
its system via the permanent fund dividend application process.
The next most common source of voter registration was via an
online registration system, using paper forms that are mailed in
by voters. Voter registration drives and local election voter
registration provide other means to register voters in person,
she said.
MS. UNDERHILL reported that statewide voter registration
databases are updated on an ongoing basis by state and local
officials, depending on the state. The databases are checked
against other sources of data within the state or by using out-
of-state resources. She said that the registration process was
separated from the voting process so any "messing around" with
registration does not interfere with vote counting. She
cautioned that if "bad actors" did gain access to a voter
registration system it could cause havoc. For example, it would
be possible for people to change or remove individual records or
even to delete a whole database, which could disrupt an entire
election. Voters tend not to make any distinction between voter
registration and elections, so any tampering would be viewed as
tampering with elections.
9:12:42 AM
MS. UNDERHILL referred to slide 5, titled "Voter Registration:
Policy Options." She said some states have same-day
registration, such that a person could appear at a polling place
on Election Day and register to vote. She acknowledged that
this policy has been adopted because people are interested in
increased voter turnout; however, this option does provide a
failsafe for any registration. She stated that maintaining
voter lists translates to good elections. Data is checked by
using in state and out-of-state sources, noting Alaska is a
member of the Electronic Registration Information Center (ERIC),
which is a national cooperative where states share data.
Electronic poll books are in use in some jurisdictions; however,
she cautioned that if the poll book is electronic, it is
important to have a backup on paper or on a stand-alone laptop.
Therefore, any intrusion on Election Day would not have an
impact through an electronic poll book, she said.
9:14:21 AM
CHAIR KREISS-TOMKINS asked for an explanation of poll books and
the significance of electronic poll books.
MS. UNDERHILL explained poll books. Throughout the last 80
years, jurisdictions have printed out all registered voters,
creating a paper poll book. These poll books are distributed to
the polling place at the precinct level and voters sign the
register after providing poll workers with identification. That
data can be in paper or it can also be on a computer as an
electronic register, which often is used as a means to speed up
checking in voters at polling places where lines are an issue.
The electronic poll books can be a direct line to the statewide
registration database or the poll book can be kept on a separate
laptop and uploaded to the statewide voter registration
database.
9:15:50 AM
MS. UNDERHILL continued to review slide 5, stating that voter
registration systems can be reviewed for security and Mr. Turner
would discuss this in more detail. The state or local election
officials can also perform certain security reviews in advance
of the election. The federal government has released an extra
$300 million to states and she assumed that Alaska's share would
likely be $3 million, which can be used for election security.
Some states are using this funding to update their voter
registration databases, she said.
9:16:50 AM
REPRESENTATIVE BIRCH referred to the recent Anchorage municipal
"vote by mail" election. He indicated a lot of expired
information occurred during the election process. He asked
whether she had any recommendations or innovative ways to clean
up voter registration lists, for example, to update voter
registration when people move.
MS. UNDERHILL responded that as states consider "vote by mail"
elections they all have that same question. She acknowledged
that having "clean voter lists" for mail elections was important
since states do not want to mail twice as many ballots as actual
voters. She emphasized how important it is to check data
throughout the year, for example, states can compare vital
records to their election database to identify death records and
update their voter databases. The DMV can also notify the
Division of Elections of any address changes. In turn, the DMV
could mail out a postcard to verify the address change. She
acknowledged that it takes a lot of proactive work prior to
Election Day to keep voter databases updated. She reported that
Colorado has one-fiftieth of the number of provisional ballots
being used due to "clean voter" lists and the state is quite
proud of its database.
9:19:34 AM
REPRESENTATIVE LEDOUX asked whether any "red" states have solely
vote-by-mail elections or if it was primarily "blue" states.
MS. UNDERHILL responded that three states have all vote-by-mail
elections, including Washington, Oregon, and Colorado. She
stated that Colorado, where she lives, was considered a "purple"
state since one body is held by Republicans and the other by
Democrats. She said that Washington State has had all vote-by-
mail elections for some time, although she was unsure if it was
a "blue" state at the time it shifted to a vote-by-mail
election. Utah has nearly all "vote by mail" elections, although
its counties are allowed to make the decision; she anticipated
that Utah would be an all "vote by mail" election in 2018.
States considering moving to all "vote by mail" elections
include Hawaii and California, both "blue" states, and Montana,
a "red" state.
CHAIR KREISS-TOMKINS asked for clarification on reasons that
western states are considering "vote by mail" but eastern states
have not done so.
MS. UNDERHILL responded that she was unsure; however, it was
mostly likely cultural, although size may be a consideration.
Newer states tend to have more of an appetite for change. She
also noted that legislators from eastern states have raised
issues about concern that ballots might be stolen from
mailboxes.
9:23:42 AM
MS. UNDERHILL added that some legislators from Indiana, which is
a "red" state, have also expressed interest in "vote by mail"
elections. However, Indiana has not taken any action, she said.
MS. UNDERHILL referred to slide 6, titled "Voting Itself." She
explained voting options, including absentee and mail voting,
which are considered similar; in-person voting consists of
polling place voting and early in-person voting at a local
election office, and electronically-transmitted ballots have
been considered to be online voting. Electronically-transmitted
ballots have triggered the most security-related concerns;
however, all states are required to send ballots out
electronically to some citizens, primarily to overseas military
voters, so outbound blank ballots via the Internet were
considered normal.
MS. UNDERHILL reported that nearly two-thirds of states allow
voters to return their ballots in some electronic form via an e-
mail attachment or a web portal, she said. Both of those
options cause concern by cyber-security people since e-mail
attachments could be hacked and changed, she said. The portal
not only allows the votes to come in but could become a target
of an attack. She pointed out that tradeoffs exist, for
example, in terms of all mail elections the tradeoff might be
that Native Americans may not have access to private mailboxes
or people in rural areas may also have spotty delivery. In
terms of electronic transmission, overseas voters may not be
able to return a ballot by any other means, she said.
9:26:40 AM
REPRESENTATIVE TUCK asked how in-person voting is different from
vote centers.
MS. UNDERHILL answered that in traditional in-person voting a
person must show up at his/her own precinct, but for
jurisdictions with a vote center model, everyone in a county,
borough, or jurisdiction can vote at any vote center and obtain
an accurate ballot. She described this as being more convenient
for people because they can vote on their way to the office or
school. It saves the state money because fewer facilities are
involved and lessens the need for poll workers, which can be
challenging for some jurisdictions, she said.
9:28:10 AM
MS. UNDERHILL referred to slide 7, titled "Voting Itself: Pre-
Election Policy Choices." She said that training includes
training for election officials, but it could be for poll
workers. She recalled one study showed the number of states
requiring training has increased and they offer voluntary new
training. The training might include cyber-security training or
how to perform chain-of-custody using bipartisan teams or how to
perform physical security for the equipment, including cameras
or locks. Most states do perform accuracy testing just before
an election by running a test stack of ballots marked for George
Washington and Abe Lincoln. The election division knows in
advance what the count should read, the machine counts the
ballots, and the comparison shows the count. She remarked that
it is nice to invite the public in to observe the count and that
helps to build the culture of transparency. The right time to
do contingency planning is prior to a problem, in case a cyber
disaster or natural disaster occurs. States can also review
their recertification requirements, for example, some states
require paper ballots, or no Internet connectivity for voter
equipment, and others remove obsolete references to lever
machines or for certain font size for ballots.
9:30:41 AM
MS. UNDERHILL referred to slide 8, titled "Election Day." She
stated that prohibiting Internet connectivity for voting
equipment is the most important aspect. She said some states
might be concerned about crime.
MS. UNDERHILL referred to slide 9, titled "Post Election Policy
Choices." She highlighted post-election audits, which provide a
means to confirm that the tabulating equipment counted votes
accurately. She said Alaska does have a law relating to post-
election audits. All states require a paper ballot or record
for audits.
MS. UNDERHILL referred to slide 10, titled "Voting Technology"
that showed images of some of the current voting technology
being used.
MS. UNDERHILL turned to slide 11, titled "Voting equipment:
Policy Choices." She mentioned paper ballots; however,
sometimes voting machines provide a record of the winning
candidates, but not all of the candidates, with a barcode or QR
code [Quick response code] at the top. She suggested this was
something to discuss with cyber security personnel. She said
that people with disabilities have a right to vote securely and
privately and it is important to have systems that can be used
at home, even if it is a paper ballot.
9:32:50 AM
MS. UNDERHILL referred to slide 12, which showed a flowchart
diagram. She offered to briefly cover results reporting, noting
that the results are unofficial results and although it is not
good if someone tampers with results as they are transferred
from the local office to the state and to a public display,
however, it will not change the outcome of an election.
9:33:10 AM
MS. UNDERHILL referred to slide 13, titled "Disinformation and
Other Campaign Shenanigans." She reported that several days ago
the US Senate Intelligence Committee referred back to all of the
activities in 2016 as an effort to undermine confidence in the
voting process. She remarked that the committee stated it had
not seen any evidence that vote tallies were manipulated or that
voter registration information was deleted or modified.
9:33:50 AM
MS. UNDERHILL referred to slide 14, titled "Resources," and she
offered to send those to the committee. She provided her
contact information, including her e-mail:
[email protected].
9:34:20 AM
CHAIR KREISS-TOMKINS turned to the next speaker, Mr. Turner,
center for Democracy & Technology.
MAURICE TURNER, Senior Technologist, Center for Democracy and
Technology, expressed his goal to cover threats to the voter
registration systems, voting, and reporting results. When it
comes to threats to voter registration the article in the
Anchorage Daily News [not identified] shows what can happen when
an attacker probes a network and finds a vulnerability. When
talking about threats to voter registration, it relates to what
it means to have an unauthorized actor go in and change
information in the voter registration database.
MR. TURNER described this can happen when the person accesses
the local information technology (IT) infrastructure or any
cloud-based infrastructure that the state or [boroughs] might
contract out. One way hackers operate would be through
"fishing," which is where an individual with access, perhaps the
local IT administrator or election official, with legitimate
access to the database (DB) receives an e-mail, which looks
legitimate but is an attempt to get the username and password
for the person and subsequently impersonate them. That would be
the likely way a person would gain access, he said.
9:36:34 AM
MR. TURNER highlighted another way the database can be
disrupted, which is by targeting the IT infrastructure and
bringing down the infrastructure, so local jurisdictions do not
have access to the state or cloud-based infrastructure. He
stated that local election officials are typically pretty good
with contingency planning, especially given the fact that paper
was the only way to conduct elections. The paper records
provide a backup, he said.
9:37:27 AM
REPRESENTATIVE BIRCH stated that the frontend of the worldwide
web is what people see, but the backend maintains and manages
the records. He asked Mr. Turner whether he could speak to a
secure database and the webpages and how they are separate.
MR. TURNER said the best practice would be to make sure the
frontend and backend systems are disconnected, and the data is
only transferred on a periodic basis, whether it would be at the
end of the day or periodically throughout the day. He agreed
having the two connected directly and continuously would be a
bad idea since any user would have the ability to read and write
to the database on the backend.
9:39:25 AM
MR. TURNER directed attention to "Threats to the Voting Itself."
When it comes to voting there are typically three areas for
effective security procedures, including administrative
controls, such as staff trained on policies and procedures;
technical controls, such as the best IT systems; and also
physical controls, including cameras throughout the facilities
and the strongest locks one can buy. However, these are
meaningless if the organization does not have appropriate
administrative goals in place to properly implement the
technical and physical controls. The goal is to be certain that
there are no gaps in any of the controls. All three controls
need to be in place in order to have an effective security plan
when it comes to the voting itself.
9:40:28 AM
MR. TURNER related the security gaps, noting the importance of
having a paper trail with some measure of accountability for the
vote record that can be audited. The trend has been to go
towards the best practice of a risk-limiting audit. He offered
to cover that at a future hearing since it is definitely a
separate body of work. He emphasized the need for a paper trail
because without one it is not possible to have an effective
audit. He stated that accessibility features are protected by
federal law, which are typically not part of the design process
when the voting systems are being developed; however, they
should be since it can cause gaps. He acknowledged that often
these features may be added on at the end of the process. He
mentioned malware, which is malicious code that could be
introduced into a voting system through a wired network
connection or through a wireless networking connection. Malware
could cause significant disruption such that voters could not
cast their ballots, or the voting record could potentially be
changed.
9:42:17 AM
MR. TURNER related that last year at the largest "hacking"
convention in Las Vegas, CDC participated in a voting machine
hacking village, in which every single voting machine that was
available were subject to having vulnerabilities exploited and
successfully hacked. The first machine had a Wi-Fi network
built into it, so it broadcast its own network. This voting
machine was hacked from two rooms away within ten minutes.
9:43:02 AM
CHAIR KREISS-TOMKINS asked whether the demonstration voting
machines that were hacked were the same type of voting machines
that Alaska uses.
MR. TURNER answered that not every type of voting machine used
throughout the country was represented at the conference.
However, every onsite model was successfully hacked, he said.
9:43:39 AM
MR. TURNER provided another example of how malware can disrupt a
large IT infrastructure. The City of Atlanta recently was hit
with ransomware, a dreaded type of malware installed by a
malicious actor on a system and it spreads as quickly and as far
as possible. The user sees a pop-up screen that demands money
be sent to a particular address because the user's data has been
encrypted or locked up and cannot be accessed. The ransom was
less than $50,000; however, the city was unable to pay it.
Atlanta ultimately spent over $2 million in data recovery and
remediation. Malware can be very small, but it can spread and
have a massive impact.
9:44:51 AM
MR. TURNER said the last security gap when it comes to threats
to the voting process itself is "information silos."
Information silos happens when information stays within a
particular department or organization. The FBI [Federal Bureau
of Investigation], DHS [Department of Homeland Security], state,
county, and city officials have recognized the importance and
benefits of sharing information through all levels of government
and across to different jurisdictions to make sure if something
bad happens in one jurisdiction it can be prevented in others.
He emphasized that DHS was doing a much better job, working with
states and elected officials to make sure information is shared
as broadly as possible.
9:46:12 AM
CHAIR KREISS-TOMKINS asked Mr. Turner to identify the biggest
single vulnerability in Alaska's voting and election system and
his foremost recommendation for improvement to the security of
Alaska's election system.
MR. TURNER said he was very impressed with Alaska's election
system. He stated that the CAP [Center for American Progress]
score was a "B". He suggested that additional consideration be
given to make sure that only the appropriate people have access
to systems, such that two-factor authentication be used at the
local level. The two-factor authentication ensures that the
local election officials are protecting their own legitimate
access to the election and voting systems.
9:47:32 AM
REPRESENTATIVE BIRCH stated that Alaska's machines were
purchased in 1998, so even though it is old it produces a hard
copy record. He did not believe there was any intersection
between the voting machine and the Internet. He asked whether
newer technology could be used, for example, optically scanning
the ballot and reporting the numbers, but retaining the ballot.
MR. TURNER answered that if the machines were produced in the
late 1990s that they would not have any network connectivity.
Typically, newer machines will be "off the shelf" so it would be
incumbent upon the purchasing department to thoroughly vet and
thoroughly test any new machines. Whether the testing would be
done by state staff or contractors, it is important to have a
level of assurance that the new machine can be tested to make
sure that the machines do not have any functions or features it
does not want. For example, the state may decide to not have
network connectivity; however, the machine may have that
functionality. If the only control over network access being
turned on or off was by software that would provide a point of
access for a malicious actor to gain access to the machine and
turn on network connectivity. He emphasized that fully
informing a procurement process was crucial so that the options
and specifications are known.
9:50:39 AM
REPRESENTATIVE BIRCH asked whether Mr. Turner had any sense of
the number of voting jurisdictions in which a hard copy ballot
is retained in addition to an optically-scanned image.
MR. TURNER said he did not know but he offered to research and
provide it to the committee.
9:51:26 AM
MR. TURNER turned to the "Intelligence Report." The goal of the
Russian influence campaign was really to sow doubt by spreading
misinformation. One of the ways to combat this activity is to
ensure that only dedicated devices are used for election
process, including the "public-facing front end" whether it was
dedicated USB flash drives that would only be used one time in
one way to ensure against compromising the information contained
on the drive.
9:52:18 AM
MR. TURNER highlighted the threats to reporting results,
including misinformation, such as reporting unofficial results
most likely through social media. Secondly, we are likely to
see denial of service attacks [DDoS or distributed denial of
service], which is when hundreds or thousands of machines focus
their requests on one website, for example, the State of
Alaska's reporting website, to prevent legitimate traffic from
getting through so it appears that the server is taken offline.
He said some services like Cloudflare's (indisc.) or Google's
"Project Shield" that can help protect against these types of
automated DDOS attacks, but the real goal is to make sure that a
plan to get unofficial reports out if service attacks occur.
The plan if a service attack occurred or some other type of
misinformation happened could include social media, press
releases, traditional means, television or radio.
9:54:50 AM
REPRESENTATIVE KREISS-TOMKINS turned to the next presenter,
Danielle Root, Center for American Progress (CAP), and said Ms.
root would discuss Alaska's CAP report card, which was on
members' desks.
9:55:22 AM
DANIELLE ROOT, Voting Rights Manager, Center for American
Progress (CAP), stated that in 2016, primarily Russian hackers
took unprecedented steps to infiltrate and disrupt [federal],
state and local election systems. National security experts and
state election officials do not know the full extent to which
hackers breached election infrastructure. So far there has been
no evidence that election outcomes were manipulated or altered;
however, it is known that hackers attempted to breach the
election infrastructure of at least 20 states, including Alaska.
For example, Russian operatives reportedly trolled Alaska's
election-related databases in the weeks leading up to the 2016
elections. The infamous hacker, CyberZeist, obtained
unauthorized access to Alaska's election website on Election
Day, but did not succeed because built-in cyber defenses
prevented the hacker from altering data or causing service
disruptions. She cautioned that hackers are using more
sophisticated techniques and may try again. Americans have been
warned that attacks on election infrastructure have and will
continue in future elections, including the upcoming 2018
midterm elections. Unfortunately, security experts and policy
makers agree that state and local elections continue to be ill
equipped to withstand attacks from hackers and foreign
adversaries such as Russia.
9:57:00 AM
MS. ROOT reported that in February 2018, the Thunder for
American Progress published a comprehensive review of the
election-security preparedness in all 50 states and Washington
D.C. detailing the continuing vulnerabilities of state election
infrastructure and assigning grades based on election readiness.
Alaska received a "B" which was the highest grade awarded.
Alaska earned points for adhering to minimum cyber security best
practices related to voter registration systems and for its
widespread use of paper ballots for conducting elections to key
areas of election security.
9:57:43 AM
MS. ROOT indicated that Alaska's election infrastructure remains
vulnerable, which means that the state is open to election-
related attacks. These vulnerabilities must be addressed. One
area needing improvement is the lack of post-election auditing
procedures. Currently, the number of ballots included in
Alaska's post-election audits are ones based on a fixed
percentage as opposed to a statistically-significant number tied
to the margin of victory of one or more ballot contests as is
common with risk-limiting audits. The [risk-limiting audits]
are considered the "gold standard" of post-election audits as
mentioned by other presenters today. Many states are moving
towards risk-limiting audits and the CAP recommends Alaska do
so.
9:58:27 AM
MS. ROOT stated that linking the number of ballots included in
the post-election audit to the margin of victory rather than a
fixed-percentage or number helps to ensure that enough ballots
are examined to create convincing evidence that the outcome is
correct. It also saves resources by guaranteeing election
officials only examine the precise number of ballots necessary,
she said.
MS. ROOT noted that Alaska's post-election audits also do not
include voters stationed or living overseas, absentee or UOCAVA
[Uniformed and Overseas Citizens Absentee Voting Act] ballots.
In 2016, UOCAVA ballots amounted to more than 8,000 of ballots
cast in Alaska during the presidential election. She emphasized
that CAP recommends that all ballot types, including regular,
early voting, absentee, provisional, and UOCAVA be eligible for
inclusion in post-election audits. She cautioned that by only
allowing certain categories of ballots, election officials may
fail to detect anomalies in the tabulation of other ballot
types.
9:59:29 AM
MS. ROOT emphasized that Alaska should terminate its use of
electronic absentee voting, noting Alaska is the only state that
allows any eligible voter to return a voted ballot
electronically. Although she acknowledged that Alaska moved
away from web portals, the state still allows voted ballots to
be returned via fax. As Ms. Underhill mentioned earlier,
computer scientists and computer experts have long warned that
returning ballots via fax was insecure and subject to hacking
and a myriad of ballot delivery problems. Voters deserve to
have the security of their ballots protected and to have their
ballots counted as they intended. She said that having their
ballots transmitted through the mail means a paper record of
intent exists instead of only a vulnerable Internet transaction
that puts the security of their ballots at risk.
MS. ROOT advised that Alaska was awarded $3 million as part of
the 2018 HAVA Election Security Fund to bolster its election
preparedness. While she was glad that Alaska intended to use
the funding to replace old voting machines and bolster its cyber
security protections; she also cautioned that the state should
consider using some of its funding to strengthen the state's
post-election auditing procedures and require all voted ballots
be submitted in-person or returned by mail. She concluded that
by taking these steps Alaska could significantly improve its
election-security preparedness.
10:01:04 AM
REPRESENTATIVE TUCK asked Ms. Root the percentage of ballots
returned electronically in Alaska.
MS. ROOT said that information did not appear to exist, that the
UOCAVA ballots were tracked but it does not track how many are
returned electronically. Some advocacy groups are trying to
obtain that information, but to date no public information was
available, she said.
10:02:10 AM
REPRESENTATIVE KNOPP asked for clarification on the issue with
fax-returned ballots and if it was voter information security
and privacy or if it was due to the potential for ballot
manipulation.
MS. ROOT responded that it depends on how the fax is transmitted
since some states fax via the Internet and that is how ballots
are also returned. She said this means that these ballots are
vulnerable to manipulation. Other states use a dial-up fax, and
any fax service is subject service disruption. Therefore, any
type of cyberattack could prevent an election office from
receiving or counting the voted ballots sent via fax. She
pointed out that mail delivery also can be unreliable. She
highlighted that if a large number of ballots being returned via
fax could be affected by one service disruption, which could
result in a large number of ballots not being counted.
10:04:02 AM
REPRESENTATVE TUCK directed attention to an audit synopsis
provided in committee members' packets. He asked Ms. Root to
identify the UOCAVA acronym.
MS. ROOT answered that UOCAVA refers to the Uniformed and
Overseas Citizens Absentee Voting Act ballots. States are
required to send out electronically or by mail ballots to US
citizens living outside the country but UOCAVA does not require
ballots to be returned electronically, she said.
10:05:02 AM
REPRESENTATIVE TUCK asked about the report referred to the DRE
machine with VVPR under the section voter-verified audit trail.
He asked for clarification on the acronym.
MS. ROOT answered the electronic machines were ones that print
out a receipt of the voter's ballot choices, such that the voter
would select their candidate or ballot initiative on a touch
screen or machine; that the voter can view their decisions in a
viewing window and subsequently confirm that the printed ballot
matched what they chose on the touch screen. Once the voter
touched "yes," the information would be preserved, and election
officials could later review the information during an audit.
However, election officials do not recommend this method and
instead recommends paper ballots because not all voters check
the paper receipt before submitting it.
10:07:28 AM
The committee took a brief at-ease.
10:08:03 AM
CHAIR KREISS-TOMKINS asked for the DOE's perspective on risk-
limiting audits. He further asked about changing the state's
practices on ballots submitted by fax.
10:08:38 AM
JOSIE BAHNKE, Director, Central Office, Division of Elections,
Office of the Lieutenant Governor, stated that the division
attended a technology fair with four federally-certified vendors
looking at new election technology.
MS. BAHNKE referred to two issues, the process of risk-limited
audits and the return of ballots online or by fax as the
weaknesses in the Alaska election system. She described
Alaska's audit process as being very robust. She said the DOE
has looked at other state's risk-limiting audits, such as
Colorado, who has adopted the risk-limiting audits. She advised
members that Alaska is in the process of reviewing the risk-
limiting audit process. In terms of ballot by fax, under
UOCAVA, the state is required to allow for the return of
absentee ballots online or by fax. The CAP has reported ballot
returns as a weakness in Alaska's election system and due to the
ongoing cyber-security concerns the DOE made the decision to
suspend the return of those ballots online. However, the state
will still allow those ballots to be returned from overseas and
nationally via fax or by mail.
10:11:16 AM
REPRESENTATIVE LEDOUX related her understanding that [UOCAVA]
voters can receive their ballot online but can return the ballot
by fax or by mail. She asked whether there was a time when the
ballot could be returned by Internet.
MS. BAHNKE answered yes. In further response, she indicated
that the DOE implemented Internet ballot returns in 2014 and
2016.
CHAIR KREISS-TOMKINS said he remembered friends returning their
ballots by e-mail.
10:12:18 AM
REPRESENTATIVE LEDOUX asked whether this will allow oversees
ballots to be returned by Internet means.
MS. BAHNKE answered that currently the division can provide
online ballots to any voters, that online ballots are not
restricted to UOCAVA voters.
10:12:42 AM
REPRESENTATIVE LEDOUX asked whether any group or geographic area
in Alaska is allowed to return ballots through the Internet.
MS. BAHNKE answered the DOE made decision to suspend that
practice due to ongoing cyber security threats until a more
secure solution exists. In further response, she agreed the
practice was suspended for all groups.
10:13:28 AM
REPRESENTATIVE BIRCH recalled testimony on the potential for
disruption for ballots returned by fax. He asked for an
estimate of how many ballots were faxed in the last election
cycle.
MS. BAHNKE answered she did not have the precise number but
estimated that under 1,000 were returned by fax.
10:14:05 AM
REPRESENTATIVE BIRCH directed attention to the discussion on the
competence of the paper ballot audit trail. He asked how the
[voting] information was transmitted from [rural] Alaska
locations to election central on Election Day.
MS. BAHNKE deferred to Mr. Malander.
10:15:12 AM
PHILLIP MALANDER, Systems Administrator, Division of Elections,
Office of the Lieutenant Governor, advised that the information
is transmitted back via phone lines either verbally or via Paymo
[an online project management application].
10:15:32 AM
REPRESENTATIVE BIRCH asked whether there would be an electronic
transmission. He further asked whether that was susceptible to
any cyber security issue and if it was considered an Internet
connection.
MR. MALANDER said that generally the division does not consider
that to be an Internet connection. Every system has some
vulnerabilities but the risks in that area are considered
relatively low.
10:16:13 AM
CHAIR KREISS-TOMKINS related his understanding that when
Shishmaref or Nome election results are transmitted verbally or
by phone line that it means the information is "called in."
MR. MALANDER answered yes; that is correct.
10:16:33 AM
REPRESENTATIVE BIRCH related that Alaska's voting equipment is
now about 30 years old, so he wondered whether the division has
been looking at vendors who offer similar voting capacity with
paper ballots that provide an audit trail as well as an
electronic or optical scan and transmittal.
MS. BAHNKE answered that the division recently reviewed four
federally-certified vendors at the technology fair and all of
them used paper ballots. She did not see Alaska moving away
from that type of ballot.
10:17:17 AM
REPRESENTATIVE BIRCH asked for clarification on the training
regime since there have been some issues in rural areas.
MS. BAHNKE answered that by statute the director submits a
training plan to the Lieutenant Governor by March 1 in an
election year. She offered to provide a copy of the election
training plan. Since 2016, the division has been working to
improve every aspect of its election management. Election
training was one area, specifically, in which the division has
improved its in-person training. The DOE has spent last month
in the KTOO studio providing more interactive training,
including making DVDs of the training. The division will have
links to that training on its website, so she felt confident
that the concern has been addressed. She said division was also
confident it is ready for the 2018 election.
10:18:47 AM
REPRESENTATIVE LEDOUX asked whether any concern exists that
people living in major cities can vote over a longer period of
time, so they have more voting opportunity than those in rural
areas. For example, a person living in Anchorage can take an
absentee ballot to the Anchorage International Airport US Postal
Facility and have the ballot postmarked on Election Day. She
was unsure if that opportunity existed in the villages.
MS. BAHNKE answered that access to the ballot is central to her
role as the director; however, she said she did not have an
opinion on that issue.
10:20:18 AM
REPRESENTATIVE LEDOUX said she was surprised that the recent
Anchorage "Vote by Mail" election administrative costs were
higher than for routine in person elections. She asked whether
an all-mail ballot would cost the state more to administer.
MS. BAHNKE answered that the Municipality of Anchorage briefed
the Election Policy Workgroup yesterday on its municipal
election. In 2018, the MOA was required to purchase new
equipment and software in order to conduct its vote-by-mail
election. Those will not be ongoing costs, she said. The DOE
reviewed other states whose elections are exclusively vote-by-
mail elections and these states have realized cost savings. She
offered to provide the information to the committee.
10:22:30 AM
CHAIR KREISS-TOMKINS related his understanding that the cost of
Anchorage's municipal vote-by-mail election was driven by one-
time upfront expenditures that would not be necessary in future
years.
MS. BAHNKE answered yes.
10:22:44 AM
CHAIR KREISS-TOMKINS said one recommendation Ms. Root made for
Alaska was to include all ballots, including UOCAVA [Uniformed
and Overseas Citizens Absentee Voting Act] ballots in post-
election audits. He asked whether the division had a
perspective on that recommendation or if it has an intent to
implement anything along those lines.
MS. BAHNKE answered yes; that the division does plan on doing
so.
10:23:10 AM
ADJOURNMENT
There being no further business before the committee, the House
State Affairs Standing Committee meeting was adjourned at 10:23
a.m.
| Document Name | Date/Time | Subjects |
|---|