Legislature(2021 - 2022)BUTROVICH 205
01/20/2022 03:30 PM Senate STATE AFFAIRS
Note: the audio and video recordings are distinct records and are obtained from different sources. As such there may be key differences between the two. The audio recordings are captured by our records offices as the official record of the meeting and will have more accurate timestamps. Use the icons to switch between them.
Audio | Topic |
---|---|
Start | |
Presentation: State of Alaska It Protocol Updates | |
Ballot Measure 2 Discussion | |
Adjourn |
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
+ teleconferenced
= bill was previously heard/scheduled
ALASKA STATE LEGISLATURE SENATE STATE AFFAIRS STANDING COMMITTEE January 20, 2022 3:34 p.m. MEMBERS PRESENT Senator Mike Shower, Chair Senator Lora Reinbold, Vice Chair Senator Roger Holland Senator Scott Kawasaki MEMBERS ABSENT Senator Mia Costello OTHER LEGISLATORS PRESENT Senator Shelley Hughes Representative Ronald Gillham COMMITTEE CALENDAR PRESENTATION(S): STATE OF ALASKA IT PROTOCOL UPDATES [ON CYBERSECURITY] - HEARD BALLOT MEASURE 2 [RANKED CHOICE VOTING] DISCUSSION - HEARD PREVIOUS COMMITTEE ACTION No previous action to record WITNESS REGISTER PAULA VERANA, Commissioner Designee Department of Administration Juneau, Alaska POSITION STATEMENT: Introduced the Chief Information Officer. BILL SMITH, Chief Information Officer Office of Information Technology Department of Administration Juneau, Alaska. POSITION STATEMENT: Provided a PowerPoint on IT protocol updates on cybersecurity for the State of Alaska. NICK MURRAY, Policy Analyst Maine Policy Institute Portland, Maine POSITION STATEMENT: Invited testifier provided a PowerPoint on ranked choice elections. ACTION NARRATIVE 3:34:07 PM CHAIR MIKE SHOWER called the Senate State Affairs Standing Committee meeting to order at 3:34 p.m. Present at the call to order were Senators Reinbold, Holland, Kawasaki, and Chair Shower. ^Presentation: State of Alaska IT Protocol Updates STATE OF ALASKA IT PROTOCOL UPDATES 3:34:51 PM CHAIR SHOWER announced the consideration of State of Alaska Information Technology updates. CHAIR SHOWER stated that he invited Senator Hughes to join members at the table, although she does not serve on the committee. CHAIR SHOWER made opening remarks. He expressed concern that in October 2022, a month before the election, a data breach compromised 113,000 Alaskans' election data. The Division of Elections certified the election a month later. Despite assurances that the election data was not used nefariously, the state did not conduct a forensic audit, so it is not possible to know for sure. He said he requested the IT protocol updates because the state has had numerous data breaches. CHAIR SHOWER related that last year, the Commissioner of the Department of Health and Social Services (DHSS) acknowledged a data breach happened that could have affected every Alaskan. He shared his knowledge and experience about cyberwarfare risks stemming from his military service. 3:37:19 PM CHAIR SHOWER said he hoped this IT update would inform the legislature, state government, and the public since cybersecurity risks will not diminish or stop. The update will include a broad overview of the state's cybersecurity issues, any state cyberattacks, and potential solutions and ways to mitigate or stave off cyberattacks. He asked the Commissioner Designee and Chief Information Officer to come forward and provide an update. 3:39:11 PM PAULA VERANA, Commissioner Designee, Department of Administration, Juneau, Alaska, introduced Bill Smith as the Chief Information Officer (CIO). She said he would provide an IT protocol update, including all things related to cybersecurity for the State of Alaska. 3:39:39 PM BILL SMITH, Chief Information Officer, Office of Information Technology, Department of Administration, Juneau, Alaska, began an IT protocol update on cybersecurity for the State of Alaska. He stated that his responsibilities included overseeing IT for the State of Alaska. He said cybersecurity is vital to the state and it affects everybody's lives each and every day. He highlighted that the Office of Information Technology's (OIT) priority is cybersecurity, which represents a core element in the department's mission statement. Cybersecurity components are part of every significant initiative undertaken. MR. SMITH said OIT works to align widely-used government industry standards and frameworks. It allows the state to speak in standard terms to other organizations and ensure that security gaps don't exist. He noted that OIT maintains monthly contact with IT personnel from the Legislative Affairs Agency and the Alaska Court System to collaborate on cybersecurity. 3:42:05 PM CHAIR SHOWER recognized Representative Ronald Gillham joined the meeting. 3:42:28 PM MR. SMITH turned to slide 2, Agenda. He said he would briefly review the current global cybersecurity climate, cover the state's current capabilities and enhancements, and discuss OIT's vision for cybersecurity in Alaska going forward. 3:42:43 PM MR. SMITH turned to slide 3, current global security climate to discuss threat activity drivers: [Original punctuation provided] Threat activity drivers: ?Cybercrime is a $6 trillion annual industry ?Industrialization and automation of cyberattack capabilities ?Nation state threats ?Supply chain activity ?Pre-existing vulnerabilities Breaches are no longer just a technical problem best handled by technical people, but instead threat awareness is the responsibility of the whole organization. MR. SMITH said cybercrime is a $6 trillion annual industry, making it the third-largest economy globally. It is big business, so it drives cyberthreat. In the past several years, cybercrime has created a perfect storm. He stated that monetary drivers exist, an unprecedented pandemic caused dynamic changes in how organizations view IT, and the pandemic coincided with the industrialization and automation of cyberattacks. Someone with little experience could buy ransomware code for several hundred dollars and pay people to implement it. That industrialization is widespread and acts as a driver to the increasing volume of threats. The resources behind the cyber- threat activities, such as nation-state threats, have generally been focused on intelligence gathering rather than financial aspects. However, the cyberattacks are very similar, and the methods of attacks are the same. He characterized these crimes as having exploded in the past several years. 3:44:36 PM MR. SMITH discussed supply chain activity. He explained that manipulating software before its release has added a nuance. He discussed the last bullet point on slide 3, pre-existing vulnerabilities. In the current environment, some vulnerabilities get publicized very rapidly. He highlighted one example: the December 2021 Apache Log4j vulnerability that disrupted software worldwide. The scale impacted hundreds of millions of software systems worldwide, but it was simple. It introduced 12 characters into code to take control of the software. It was published in the public domain so people could access it. Cyberattackers did not create this vulnerability, but they exploited it. MR. SMITH explained that cybersecurity breaches have moved from the traditional mindset of IT to something that everybody must consider. Government members are no longer consumers of cybersecurity but are active participants. 3:46:29 PM MR. SMITH said people are taking notice of this threat-rich environment. Nations are collaborating; private-public sector companies and private company competitors share information and resources at an unprecedented level. These discussions provide an opportunity to address the issue. 3:47:12 PM CHAIR SHOWER asked about nation-state threats. He asked for the types of threats the state currently faces from malware or other attacks to give members an idea of the scope of cyberattacks. MR. SMITH provided several examples to illustrate the scope of cyberattacks. OIT implemented an automated anti-fraud capability to examine traffic moving into myALASKA and block non-human traffic. IT put this in place because the state received 12 million attempts per day from automated systems. Once cyberattackers realized their futile efforts, they diminished and are now low. Still, cyberattacks can come in cycles. The Apache log4j vulnerability led to over 20,000 attempts to exploit that vulnerability. He said IT fends off attacks and institutes protective measures every day. He is proud of the systems and people, but continuous improvement is necessary since cyberattacks are a constant threat. 3:50:39 PM MR. SMITH discussed slide 4, Current Capabilities: [Original punctuation provided] • Enterprise Security Solutions to eliminate legacy gaps in coverage • Modernized productivity applications with rapid updates and increased security • Significantly expanded our ability to see attackers in real time • Expanded Endpoint Detection and Response across the executive branch • Upgraded Email Filtering and Spam Detection • Key Security Initiatives • Elevated licensing for State of Alaska employees to increase security features (CRF) • Conducted comprehensive, detailed network inspection(20K+ devices) • Conducted external scanning to identify and address external facing vulnerabilities • Established intelligence and response collaboration (MS-ISAC, CISA) • Strengthened existing partner relations with CISA, FBI, and AKNG • Expanding partnerships by way of participation in the Joint Cyber Security Multistate Program and the Alaska Cyber Group 3:50:40 PM MR. SMITH remarked that the state continually improves its safeguards to protect Alaskans' data. Several years ago, OIT moved the executive branch from a single productivity application to one server. He reported that this improved the state's overall system security. MR. SMITH explained that Expanded Endpoint Detection and Response refers to blocking or isolating the virus or malware with antivirus software. He said removing traditional legacy gaps between agencies has improved the system. MR. SMITH turned to the second bolded bullet point, Key Security Initiatives. He said the state used COVID-19 funding to elevate licensing for state employees due to elevated security benefits. This has improved email security for employees. OIT continues to implement some features. This summer, OIT contracted with an internationally-respected cybersecurity firm that examined over 20,000 devices, networks, and computers. Besides scanning for recent malware, the firm reviewed the historical records. 3:53:19 PM CHAIR SHOWER said computer viruses were an issue during his time in the military ten years ago. He recalled that the military provided software for staff to use at home. He wondered if the state gives detection software to employees who use home computers, iPads, cap cards, or flash drives that might cross- contaminate the state's system through the backdoor. He asked whether OIT provides cybersecurity training to executive branch employees to identify scams. 3:55:25 PM MR. SMITH replied that during his two years working for OIT, the state had conducted cybersecurity training annually for all executive branch employees. He acknowledged that the state might need to offer it more frequently. Currently, the state does not authorize personal devices to connect to the network. He offered to look at connectivity as employee work habits have evolved. 3:56:35 PM CHAIR SHOWER highlighted that because of COVID-19, many people are working from home. He expressed concern about malware attacks. He related that he took his smartphone and laptop to China but never used them. Once home, he discovered hackers had switched the language on his phone to Chinese, and the devices contained viruses. He shared scenarios to illustrate malware attacks on the U.S. Department of Defense (DoD) he learned about during his military service. He expressed concern that a cyberattack could rapidly infiltrate the state's system and leave the state in the dark. He asked what proactive steps OIT has taken. He wondered if OIT needed funding, statutory changes, or partnerships with federal agencies or private contractors to do its work. He said the legislature needs to know since the state must prioritize its funding. He expressed concern that the state is vulnerable and at-risk due to its small population. 3:59:30 PM MR. SMITH responded that his points were accurate. OIT reported that as employees began working remotely during the pandemic, the state spent time increasing its capacity for virtual private networks (VPNs) precisely for those concerns. OIT also spent time on its software patching systems to ensure that the state could patch systems not connected to its network. He advised members that OIT is looking at the right things and making progress. 4:00:24 PM CHAIR SHOWER pointed out that in addition to the executive branch, the state also consists of the legislative and judicial branches. He asked how the state's network connects to the other branches of government. MR. SMITH said the executive branch maintains the State of Alaska network, but the legislative branch uses only an isolated portion of it. Once he realized separation existed, he initiated meetings with the legislature and court system to better understand each other systems. He said he thinks the State of Alaska should have a collaborative and cohesive view of its IT systems. He agreed it would need additional work. 4:01:45 PM CHAIR SHOWER asked if he has considered whether the state needs an entity or working group that could examine IT interactions between the government branches and respond across the board to achieve a better and more holistic approach. MR. SMITH acknowledged there is a better way than an ad hoc method. He has discussed this internally but agreed the administration needs to explore a more formal process across agencies. CHAIR SHOWER suggested that a more formal process must happen quickly because an ad hoc approach doesn't work. An ad hoc response is disjointed, and it is difficult to identify who is in charge, leading to gaps. He advocated for a more structured plan, stating it might be worthwhile to develop a workgroup consisting of members from each branch and experts to develop a comprehensive plan. He expressed interest in working on this together. 4:03:55 PM SENATOR HUGHES said she has met with some private cybersecurity firms. Some firms expressed concern that the state's efforts might be thwarted since the Office of Information Technology (OIT) may not control other state departments but works in an advisory capacity. For example, she heard anecdotally that some departments might push back on IT suggestions for two-factor authentication. She surmised that the Department of Administration stored significant data. She asked what OIT's authority and role is in cybersecurity. MR. SMITH answered that the department's holistic view is to consolidate the executive branch's IT services. This has been initiated but not fully completed. He said OIT does have authority across state agencies. OIT's published information security policies are binding for the entire executive branch. For example, OIT updated multifactor authentication required of all state executive branch employees. He described the reaction, not as pushback but rather it illustrated the differences in legacy structure throughout the state agencies. The IT environment has evolved independently over three decades, whereas IT consolidation is relatively new. One of the most important considerations is rationalizing it, so changes are being made to create a more homogenous environment. It's more likely an agency would indicate that the solution might need additional tweaking to work for their agency. He stated OIT could improve on its collaboration. 4:08:05 PM SENATOR HUGHES observed that OIT sets the policy that state agencies must follow. She asked whether the statutes provide OIT with the authority to protect personal data. She recalled a conversation in another committee on a bill to allow online applications for state services. If the state allows both an online and paper application process and a breach occurs, she wondered whether the state would shut down the online process and strictly go to a paper process. She recalled that there was a protocol in place to do that. However, Article I, Section 22 of the Alaska Constitution requires the legislature to ensure individuals' privacy. In other words, she asked whether the state needs something statutorily to align with the Alaska Constitution or if the legislature should be satisfied that OIT has adopted policies to ensure Alaskans' privacy is protected. She asked for assurance that something more than an internal policy or the OIT chief's cognizance was in place for continuity in future administrations. MR. SMITH stated that Administrative Order (AO) 284 created his position. He advised that statutory underpinning and mapping in AO 284 places IT responsibility within DOA. He agreed to investigate whether AO 284 addresses privacy issues. 4:10:13 PM SENATOR HUGHES surmised that the committee would be interested since privacy concerns impact many other areas. 4:10:24 PM CHAIR SHOWER stated his preference to address this in statute rather than policy since policies often change in future administrations. Thus, once the administration decides on and vets the appropriate path, it would eliminate IT protocol and authority deviations. He cautioned that OIT must carefully review any proposed bill to ensure it gives OIT sufficient authority and flexibility to respond quickly to cybersecurity threats but not constrain or prohibit the division from carrying out its duties since cyberattacks are real-time threats that change daily. He characterized it as a fine line or balancing act. He said he asked a legislation funding and partnership organization for ways to assist the legislature on data protection. 4:11:43 PM CHAIR SHOWER asked if the executive branch departments run separate firewalls or if OIT controls all firewalls to avoid gaps. MR. SMITH responded that it is a mix, with OIT currently maintaining most of the firewalls in the executive branch. However, a few larger departments have their own firewalls. OIT continually works to ensure that the policies are consistent throughout the executive branch so OIT can ensure that the correct configurations are in place. 4:12:35 PM CHAIR SHOWER asked for an update on OIT's use of multifactor authentication because it is an issue that arose related to election integrity. He remarked that the private sector routinely uses multifactor authentication even with smartphones. He characterized it as an easy process that the state could use in many applications, including myALASKA transactions. He expressed frustration when agencies argue that implementing multifactor authentication is difficult because banking safeguards data using this technology every day. MR. SMITH responded that OIT uses Microsoft Azure Active Directory multifactor authentications. It provides state employees the option of using multifactor authentication tools. For example, employees can receive a phone call or a texted code to enter. Employees can also download an application that asks for their authorization using a thumbprint or facial recognition identification, or the department could issue employees a physical fob. 4:14:21 PM CHAIR SHOWER asked for the estimated cost to implement multifactor authentication. He recalled that one estimate for infrastructure was $5 million. MR. SMITH answered that he didnt have the specific figures, but federal Coronavirus Aid, Relief, and Economic Security Act (CARES) funding provided the basic funding for multifactor authentication licensing upgrades. He acknowledged annual operating costs were associated with it. For example, there would be an additional $25-$50 for a fob or token per individual. Many state employees use the free download or receive texts containing codes to enter, and there is no cost for those. 4:15:43 PM MR. SMITH displayed slide 5, Enhancements: [Original punctuation provided] *National Institute of Standards and Technology (NIST) Cybersecurity Framework* Identify • Asset Management • Implementation of Multi-Factor Authentication (MFA) Protect • Continued hardening of the environment • Migration to a secure Cloud Framework • Recurrent Security Training for all state employees Detect • Network threat visibility - ability to detect real-time attacks and block malware, phishing attempts Respond • Security mentor led incident response rehearsals to improve readiness MR. SMITH reviewed the state's cybersecurity enhancements currently underway, as shown on the bullet points on slide 5. He explained that OIT is organized by and uses the National Institute of Standards and Technology (NIST) cybersecurity framework in its security policies. He said OIT could break this into various components to identify threats and protect the security environment. MR. SMITH estimated that the state is approaching 50 percent implementation of multifactor authentication for state employees. He anticipated OIT would finish the full implementation in the coming weeks. He highlighted that its migration to a cloud framework illustrates it uses modernization efforts to improve security and avoid a technology debt. Cloud migration allows OIT to rapidly move to state-of-the-art equipment using technology built with security in mind. 4:17:07 PM MR. SMITH stated that OIT has been using Recurrent Security Training in the past few years, but it is seeking to improve it even more. He reported that OIT brought in a security mentor to work with the state's security office to ensure that the state uses best practices. This effort helps provide employees with professional development opportunities. SENATOR SHOWER asked if OIT was tied into the Emergency Operations Center (EOC) and used tabletop exercises. He cautioned that cyberattacks could shut down transportation vectors, the electric grid, and food supply chains. OIT needs a collaborative response plan beyond protecting computer networks since it could be a real-world material infrastructure problem. 4:19:04 PM MR. SMITH responded that OIT has routinely participated with EOC during the past 18 months to identify ways to collaborate. He said OIT tracks the Alaska Army National Guard's (AKNG) increasing cybersecurity capabilities and looks for ways to use them. He drew attention to the bottom of slide 4 that referenced the AKNG. 4:19:48 PM MR. SMITH reviewed slide 6: Path forward - Focus on the basics. [Original punctuation provided] Focus on executing basic protocols well • Practicing Good Cyber Hygiene5 • Compliance monitoring • Enhance response capabilities • Immediate threat hunting protection against security threats MR. SMITH stressed that the state could avoid 98 percent of cyberattacks by using good cybersecurity practices, including anti-malware software, applying for least privilege access, enabling multifactor authentication, and keeping software up to date to protect data. He reported that OIT has identified gaps that must be shored up, which is an essential part of the plan moving forward. Ensuring that the enterprise systems across the state do not have gaps, and that once implemented new systems are touched frequently to verify the updates, so they operate at an optimal rate. Further, employees must change passwords often and obtain ongoing continuing education and training on cybersecurity. 4:21:18 MR. SMITH moved to slide 7, Path forward - A holistic view. [Original punctuation provided] Simplify the enterprise security environment • Developing a holistic view of security that is: • Integrated • Standardized • Working towards continuous improvement MR. SMITH said this effort was tied to the completion of IT consolidation. He stated that the state's security offices must have a consistent view throughout the state system. He related that several months ago, a cyberattack occurred against the federal government and private sector when hackers breached SolarWinds' software, injecting trojanized code into a file later included in its software updates. Once OIT received notification of the cyberattack, IT staff examined the state's systems to identify SolarWinds software. OIT determined that the state had three instances of SolarWinds software. However, that software was not in use. This highlighted that OIT did not have the proper visibility. Since then, OIT has rushed to increase its visibility. He offered his view that OIT has made tremendous strides to address this in the past year, but the effort must be ongoing. Simplifying the complex system and infrastructure provides another aspect of considering the system holistically. IT must be careful about new platforms and tools, ensuring compatibility with the existing tools. This prevents a patchwork of tools. He characterized this as a critical aspect of how OIT builds its IT structure. Lastly, this provides a holistic view of the IT environment, but not OIT's security tools. OIT must think about how to structure the IT environment from a security perspective rather than simply viewing it as a tool since it is tied together. 4:23:22 PM MR. SMITH turned to slide 8, Path Forward - Zero Trust. Continue the path to Zero Trust • Assume breach • Verify explicitly • Least privileged access "A zero trust cybersecurity approach removes the assumption of trust typically given to devices, subjects (i.e., the people and things that request information from resources), and networks?. This requires device health attestation, data-level protections, a robust identity architecture, and strategic micro-segmentation to create granular trust zones around an organization's digital resources." National Cybersecurity Center of Excellence (NCCoE), NIST Zero Trust guiding principles 4:23:30 PM MR. SMITH explained that OIT continues the path forward to zero trust. Zero Trust means OIT assumes that all activity in the network could be a data breach. He said OIT's goal seeks to protect the data rather than the network He recalled Chair Shower characterizing cybersecurity as a castle and moat, which is how IT often visualizes it. Instead, IT must bring the wall around the data instead of around the network. This allows IT to determine whether an individual or a bot is attempting to access data. The system requires individuals to validate by using multifactor authentication and permissions. Further, OIT determines whether the person has the appropriate authority to access the specific data via identity management. OIT seeks to determine if the device is associated with a person. If so, the OIT process validates it as a safe device. The diagram on the right side of slide 8 illustrates this. Once the user, the app, and the device are validated, the individual would be deemed a trusted agent and have data access. However, it requires significant work and infrastructure to achieve that sophistication. He reported OIT has been working to implement this piece-by-piece. Thus, with each step taken, OIT improves data safety. He anticipated this process would be ongoing over the next several years. 4:25:28 PM CHAIR SHOWER remarked that he considered this as a starting point. He indicated that the legislature would participate in this process via statutory changes or funding. 4:27:34 PM SENATOR KAWASAKI asked about the type of training new employees would receive. He related several scams that hackers recently used. One was an email purported to be from Representative Steve Thompson stating he was trapped in the Philippines after losing his passport, so he needed money. He asked if state employees receive training on phishing. MR. SMITH responded that OIT tailors its training for phishing. This training cycle highlighted remote work and cybersecurity issues designed to create an awareness of ways to be safe, also called cyber hygiene. 4:30:05 PM SENATOR HUGHES said she serves on the National Council of State Legislatures' (NCSL) Cybersecurity Task Force. She asked whether OIT collaborates with other states. She said she also served on the NCSL's Broadband Task Force. As the state expands its broadband technology, more people apply online, including taking Department of Education and Early Development (DEED) online courses for rural residents. This means the state's network will connect with school districts. She encouraged him to review the report. She asked for an update on OIT's collaboration with other states. MR. SMITH said he participates in IT calls with Washington, Oregon, Nevada, and California every week to discuss issues with members of the National Association of State CIOs. More importantly, the Multi-State Center for Internet Security (MS- ISAC) sponsored by the Department of Homeland Security (DHS) provides OIT an opportunity to share information across states. Currently, OIT has held discussions with several Northwestern states about creating a joint security operations center. ^Ballot Measure 2 Discussion BALLOT MEASURE 2 DISCUSSION 4:33:08 PM CHAIR SHOWER announced the next business before the committee would be a discussion on Ballot Measure 2 - Ranked Choice Voting. He invited Nick Murray, invited testifier, to introduce himself. 4:34:44 PM NICK MURRAY, Policy Analyst, Maine Policy Institute, Portland, Maine provided a PowerPoint on statistics and issues related to ranked choice elections. He explained that the Maine Policy Institute is a small nonprofit public policy organization. He reported that Maine was the first state to use ranked choice voting (RCV) statewide. Maine sent its first ranked choice voting member to the U.S. Congress in November 2018. He stated that his goal is to assist the legislature in avoiding pitfalls, maintaining and increasing voter participation, and minimizing the number of discarded ballots that could disenfranchise voters. 4:35:51 PM CHAIR SHOWER explained that he invited Mr. Murray to present to the committee since Maine had experience with ranked choice voting. 4:36:24 PM MR. MURRAY reviewed slide 1, a false majority. He said his PowerPoint was a combination of data from the Maine Policy Institute (MPI) published in 2019 after Maine's RCV in the 2018 election. The report consists of data compiled from 96 RCV elections throughout the country. He said Princeton Professor Nolan McCarty essentially repeated this analysis the following year for use in a court case challenging RCV in 2020. His research consisted of data from the 96 races plus the two Maine cases for a total of 98. He explained that some of the graphs are from the MPI report and others were from Professor McCarty's report. 4:37:24 PM MR. MURRAY identified one pitfall in RCV is the discarded ballots. In 2018, in over 60 percent of RCV elections, the winner did not earn a majority of the votes. This was true in Maine's Congressional race in 2018, even though the winner had a majority of the total ballots cast in the final round, but only had 49.2 percent of the vote due to the high rate of discarded ballots. MR. MURRAY directed attention to slides 2-4, "Which ballots are discarded?" He explained that ballots are discarded in three ways, those that were overvoted, undervoted or exhausted. Slide 2 illustrates that overvoting occurs when voters select two candidates for their first choice. Slide 3 illustrates undervoting, where the voter marked the first-choice candidate but skipped the second and third choices and marked the fourth choice. It depends on the state's rules, but Maine rules state that the ballot is undervoted if the voter leaves two candidate choices blank. However, if only one choice was skipped, the voter's subsequent choice would be moved up. Slide 4 shows the final way a ballot is not counted and is considered exhausted. That is when the voter selected candidates who did not make it to the final round. In this instance, Jared F. Golden and Bruce Poliquin were the two candidates left in the final round, but this voter did not select them. Thus, this voter's ballot would be exhausted and not count in the final tally. 4:39:53 PM SENATOR HUGHES asked whether the 49.2 percent on slide 1 included the first, second, or third choices or just the first choice. MR. MURRAY answered that the percentage referred to the total number of voters who cast a ballot. The calculation consists of the winners in the final round divided by total votes cast for that race. SENATOR HUGHES commented that a winner typically receives a majority of the votes cast in a standard election. Under RCV, a winner could receive less than the majority and may not have been the voter's first choice. It could be the voter's fourth choice. The winner might only be the first choice for 20 percent of the voters who cast ballots. 4:41:12 PM CHAIR SHOWER offered his view that the ranked choice voting (RCV) system suppresses many votes. 4:41:52 PM MR. MURRAY recalled that a New York mayoral primary candidate only had 30-35 percent of the votes cast. He stated that is the reason the MPI report was titled "A false majority." He said that theme is important. Many proponents of RCV have put forward this as a means to guarantee majority support. However, it doesn't match reality when considering the discarded ballots. 4:42:32 PM MR. MURRAY turned to slide 5, RCV elections average nearly 11 percent ballots discarded. He said this slide was from Professor McCarty's analysis. It mirrors the MPI's analysis, where almost 11 percent of ballots were discarded in RCV elections. This could be compared with less than 1 percent of mailed ballots being rejected in the average U.S. election. He highlighted that the voters who fell within the 11 percent of RCV discarded ballots did not make any ballot-marking error, but they were not included in that final tally. Those voters may not have ranked all candidates or did not rank a candidate the voter did not like. Professor McCarty found that 20 percent of the ballots were discarded in 15 of 98 elections. For example, the mayoral races in Saint Paul and Minneapolis have used RCV for a substantial time. The goal is to limit the number of disenfranchised voters and ensure that participation is as high as possible. He characterized that as a measure of a sound voting system. 4:44:34 PM MR. MURRAY stated that certain demographics could have a high rate of disenfranchised voters. He turned to slide 7, a bubble graph illustrating the McCarty analysis for elections with large senior citizen populations. MR. MURRAY said a similar theme occurs in elections where the demographics show large numbers of noncollege voters. The higher the number of non-college voters result in a higher rate of discarded ballots as shown on slide 8. He stated that Jason McDaniel, a political science professor at San Francisco State University, conducted a study in 2016 that showed RCV exacerbated the voter turnout for certain demographics in the San Francisco population. He quoted the study: The complexity of the system presents barriers to participants that decreases voter turnout and raises higher probability of ballot errors. MR. MURRAY said he also found a correlation between incorrectly marked ballots in foreign-born voters and voters whose primary language was something other than English. Politico reported on the New York City mayoral primary in the South Bronx. He quoted the article, which said "Voters in the South Bronx had a higher incidence of ballot mistakes." He clarified that South Bronx is a socio-economically disadvantaged neighborhood. He highlighted that one could start to see a trend in RCV, where education gaps, English language proficiency, and general knowledge of voting systems could all create barriers for voters. 4:46:38 PM MR. MURRAY stated that the American Civil Liberties Union (ACLU) of Kansas testified, as follows: Low propensity voters are already less likely to participate in elections that do not coincide with congressional or presidential races. By adding additional steps to voting RCV exacerbates this tendency, making it less likely that new and more casual voters will enter the process. MR. MURRAY said that is consistent with McCarty's analysis. 4:47:06 PM CHAIR SHOWER remarked that he found this data fairly disturbing. He related his understanding that ranked choice voting (RCV) was more complicated for minority voters. Still, he was unsure of the causative factor of voter suppression of minorities and the less educated. He asked the causative factor for senior citizens since they are often well-educated. 4:48:32 PM MR. MURRAY answered that he believed that RCV would raise the barriers of information. He offered that creating a more complex system might affect those voters who do not vote in every election. As Mr. McCarty found in San Francisco, RCV tended to exacerbate the disparity for the groups who are already less likely to vote. He expressed concern that this might affect specific demographics, age-based demographics, or perhaps even younger voters. While it is tough to conclude because there isn't sufficient data, it appears that RCV increased information barriers. He stated that the data reflects this barrier in the higher rates of discarded ballots and reduced participation in certain communities. 4:49:48 PM CHAIR SHOWER said he reviewed the charts and the Division of Election's information, and he found RCV was not easy because it created a more complicated system. It seemed somewhat intimidating. He highlighted that RCV was more complex than picking one candidate over another. He expressed concern that RCV may be so complicated that it will suppress the vote and disenfranchise voters for specific groups. MR. MURRAY agreed. 4:51:20 PM SENATOR KAWASAKI referred to the graph on slide 9, with Mr. McCarty's analysis stating RCV elections average nearly 11 percent discarded ballots. He asked if that data was from the 2018 or 2020 election cycle. MR. MURRAY answered that this data was derived from 96 elections, including the 2018 Maine elections. He said the report was written in late 2019 and published in early 2020. It compiled election data as far back as 2000 and perhaps even earlier for a few cases. 4:52:13 PM SENATOR KAWASAKI asked if the discarded ballots included ones where the voter may not have voted for the top two candidates. MR. MURRAY answered yes. SENATOR KAWASAKI asked if he could compare the discarded ballots for 2018 and 2020 since the voters would have experienced more information about RCV in the subsequent election. MR. MURRAY answered that the PowerPoint on [slide 10] shows that data. Mr. McCarty's analysis shows that even when RCV was used over five elections, the rate of discarded ballots was the same. He said the data shows voter education over time was weakly correlated. The discarded ballots represented voters who did not select candidates who advanced to the final round. One pitfall of RCV is that it requires voters to fill in a bubble, thereby voting a preference for a candidate the voter does not support in hopes of getting their ballot to the final round. He compared RCV as a two-dimensional ballot versus a binary ballot. RCV raises the potential for more confusion later on in the ballot process when the Division of Elections reallocates votes. He offered his view that under RCV, voters must vote more strategically. 4:54:13 PM CHAIR SHOWER asked for an explanation of the difference between a ballot that is discarded versus one that is exhausted. Is the bottom line that their vote does not count, is rejected, or only counts in certain circumstances. 4:54:46 PM MR. MURRAY answered that an exhausted ballot is when the voter does not vote for a candidate who advances to the final round. He explained that discarded ballots included overvotes, undervotes, and exhausted choices. CHAIR SHOWER remarked that it would be possible to not count voters' ballots. 4:55:53 PM SENATOR KAWASAKI pointed out that the legislature appropriated $3 million for the Division of Elections to help educate people on RCV. The division has been working hard to familiarize the public with the process He admitted he was initially confused by RCV, but he read the division's literature, watched the video, and now he understands the RCV process. CHAIR SHOWER pointed out that the data shows some voters don't take the time to educate themselves on RCV. However, Alaska is stuck with it. The data indicates that well-educated voters successfully voted in RCV, but the uneducated voters did not. He maintained his concern about RCV. 4:57:02 PM SENATOR HUGHES said the PowerPoint includes slides on discarded and exhausted ballots. Mr. Murray alluded to the fact that RCV could adversely affect voter turnout. She expressed concern that seniors may be confused or not understand how RCV works. She asked how RCV would affect socio-economic voters or disenfranchise voters in races that resulted in more discarded ballots. 4:57:50 PM MR. MURRAY answered that it generally would do so. He explained that he referenced the McDaniel report because it evaluated RCV in one electorate over several decades. He offered to provide a link to the report. The McDaniel report shows exacerbated divisions in turnout from the demographics already less likely to vote. He recalled that the McDaniel report did not point to seniors expressly but focused on foreign-born, minority neighborhoods where voters' first language was not English. Although he did not view seniors as less likely to vote, the general complexity might effectively appear in exhausted ballots. He stated that Maine's constitution only allows RCV for federal races and primaries. Thus, Maine has used RCV in three elections: the gubernatorial primary in 2018 and June 2020 and a congressional race in 2018. 5:00:16 PM SENATOR HUGHES commented that Alaska is switching from a more traditional voting process to RCV, but the state already struggles with voter turnout. She asked if Alaska should expect RCV to reduce voter turnout. MR. MURRAY answered yes; that is a reasonable expectation, based on the data in the PowerPoint. 5:00:46 PM CHAIR SHOWER asked if write-in votes would be invalidated under RCV. MR. MURRAY answered that it would depend on Alaska's regulations. Maine requires ballots to have a write-in line. For example, voters would have a line for write-in candidates and have five candidates, giving the voter six choices. 5:01:26 PM CHAIR SHOWER expressed concern that the RCV process intended to improve the voting process, but that does not appear to happen statistically. He wondered if the legislature gave Ballot Number 2 initiative sufficient scrutiny. He offered his view that Alaska was misled. 5:02:11 PM SENATOR REINBOLD commented that this was the first RCV presentation she had seen. She wondered if voters understand the effects of the RCV ballot initiative, which passed by a small margin. She said she hopes the courts consider whether voters understood the issue. She asked how RCV could be equitable if it increases barriers and disenfranchises the less educated. She said RCV causes her tremendous pause. 5:04:15 PM MR. MURRAY replied that he couldn't comment on any legalities, but her concern relates to the general mismatch of voters' understanding and participation. He discussed the statistics shown on slide 9, comparing the percentage of voters who did not understand RCV to their level of education. He said FairVote commissioned the poll. He identified FairVote as a national group promoting RCV, noting it also ran Maine's initiative. He acknowledged that Alaska's initiative was more complex than Maine's, and campaign financing issues may have complicated it. He reported that over 25 percent of voters not finishing high school and 13 percent of voters with post-graduate degrees found RCV confusing. He pointed out that nearly one in seven of those with a master's or post-graduate degree had difficulty understanding RCV. He stated that Maine was told that RCV would be better for democracy, but he found it problematic since RCV might suppress participation. 5:04:37 PM MR. MURRAY said more support for a specific candidate does not necessarily increase the candidate's chances of winning due to multiple candidates and multiple rankings. It's difficult to understand the potential outcome until the tabulation is completed. 5:07:00 PM CHAIR SHOWER asked for the general political leaning of the organization Fair Votes. MR. MURRAY surmised that FairVote was probably center-left. 5:07:49 PM MR. MURRAY turned to slide 10, which indicated that more voter experience does not guarantee fewer discarded ballots. MR. MURRAY said New York City (NYC) spent $50 million to educate voters on the RCV process. The NYC election had over 1 million voters resulting in over 100,000 voters who did not decide on the winner in the last round. He recalled that figure represented about 15 percent of the ballots cast. MR. MURRAY responded to the claim that RCV might get money out of politics by reviewing slide 12, which showed the independent expenditures in Maine's 2018 gubernatorial. He said Maine experienced independent spending in opposition to candidates for the first time. He remarked that America has generally experienced a significant increase in campaign expenditures in the last two decades. He offered his view that campaign expenditures would not diminish under RCV. 5:09:36 PM MR. MURRAY turned to slide 11 that displayed the following quotes: The promise that ranked choice voting leads to greater democracy is not necessarily fulfilled. Governor Gavin Newsom (D-California "[W]hen it comes to elections, every vote cast in our state should count. The evidence and experience from around the country suggests that Ranked Choice Voting will work against this goal, adding unnecessary confusion and potentially reducing voter turnout." U.S. Senator Mark Begich (D-Alaska) "Under ranked choice voting, the city of San Francisco has seen a depressed voter turnout in communities of color." Councilman Daneek Miller (D-Queens), co- chair of the Black, Latino & Asian Caucus of NYC Council. Also opposed to Ranked choice Voting: Jerry Brown, Former California Governor The NAACP of New York The Vulcan Society (fraternal order of black firefighters) 5:10:13 PM MR. MURRAY said he hopes his presentation identified some of RCV's pitfalls and that the PowerPoint would help the committee identify amendments to protect voter integrity and participation. He added that he has some thoughts on ranked choice voting. CHAIR SHOWER solicited his comments. 5:11:05 PM MR. MURRAY related that traditional elections typically are decentralized and votes usually are called in from precincts. However, RCV requires a central place to tabulate votes. He stated that Maine hired couriers to deliver the ballots to one location and make appropriate data transfers to the Secretary of State. He related his understanding that Alaska's remote communities might need to rely on electronic data transfer to a centralized location for tabulation. Thus, election security concerns might arise. He stated that RCV requires software for the tabulation algorithm, which should be as transparent as possible for voters' benefits. 5:12:30 PM CHAIR SHOWER read a quote from slide 11 that resonated: "Under ranked choice voting, the city of San Francisco has seen a depressed voter turnout in communities of color." CHAIR SHOWER stated his goal is to ensure that everybody eligible to vote gets an opportunity to do so. Voting is one of the most sacred rights in the United States. He anticipated that committee members would help educate people via social media and media. 5:14:29 PM There being no further business to come before the committee, Chair Shower adjourned the Senate State Affairs Standing Committee meeting at 5:14 p.m.
Document Name | Date/Time | Subjects |
---|---|---|
Senate State Affairs agenda 1-20-22.pdf |
SSTA 1/20/2022 3:30:00 PM |
|
DOA 2022 OIT Legislative Presentation Cyber Security 1.19.22_ (003) 1-20-22.pdf |
SSTA 1/20/2022 3:30:00 PM |
|
nick murray PPw presenatation.pptx |
SSTA 1/20/2022 3:30:00 PM |