I-Voters: Anyone looking for APTs?

I-Voters is the name of our statewide voter registration system. It is a computer system maintained and operated by the Iowa Secretary of State’s (SoS) Office. Currently, the voter registration records for over two million voters are stored in I-Voters.

I-Voters went into service in Iowa in 2006 and every county is required to store its voter registration records on I-Voters, and every county is required to pay the SoS an annual fee to maintain I-Voters. Normally, when you pay someone a fee, you are entitled to know what you are getting in return. That is not the case with I-Voters. Iowa’s county auditors are not privy to any inside information on I-Voters or if I-Voters was the target of hackers or if a county election system was a target of hackers.

I reviewed the two SoS-provided lists below and highlighted the items which mention I-Voters or voter registration. I applaud the SoS, the OCIO, and DHS for building a huge firewall around I-Voters, but what about the backdoors built into I-Voters over the last 13 years? What about the flaws in the software code used to create I-Voters? What about advanced persistent threats (APTs)? What about discontent or compromised contractors/employees with access to the code in I-Voters?

Which of the activities below are aimed at identifying the backdoors, detecting inherent flaws in the software application, detecting APTs, and/or vetting the contractors/employees with access to I-Voters? Your comments are welcome! – Joel D. Miller – Linn County Auditor

List of Activities to Occur Before or During the 2018 General Election Cycle according to attached IA Narrative Budget authored by the Legal Counsel for the SoS on 3/23/2018

• Partnership with DHS on the “Last Mile Project,” to provide security posters for each of Iowa’s 99 counties

• DHS assessments, including Risk and Vulnerability, Cyber Resilience Review, External Dependency Management, Infrastructure Survey, and Phishing Campaign

• Joined DHS Information Network

• Perform weekly vulnerability scan

• Upgrades to firewalls protecting internal network

• Joined the Electronic Registration Information Center, Inc. (ERIC) and will be sending out an Unregistered But Eligible (UBE) mailing by October 1, 2018

• Develop and implement county level incident response plans

• 2 table top sessions were held in partnership with DHS for County Auditors, elections staff and county IT professionals

• Create and distribute Curbside Voting Signs to counties for use at polling locations

• Requiring “Securing the Human,” an online cybersecurity training program, to county level staff in partnership with the Iowa Office of the Chief Information Officer (OCIO)

• Cybersecurity training opportunities for Secretary of State staff, County Auditors, elections staff, and county IT professionals through conferences at NASED, The Election Center, and The National Election Security Summit

• The Iowa Secretary of State’s Office hosted two Cybersecurity Workshops for County Auditors, elections staff and county IT professionals to promote free services offered by the OCIO, DHS, and other state and federal partners

• Post-election audits will be conducted following the General Election

• Upgrades to Election Night Reporting system, including increased cybersecurity protections such as two-factor authentication

• Hiring an Information Security Officer and Cyber Navigator

• Partnering with OCIO to offer all interested counties malware protection and an intrusion detection system

• Development of training tools for County Auditors, elections staff and precinct election officials

• Development of communications aimed at reassuring the public confidence in the integrity and security of Iowa’s elections

• Development of communications aimed at educating and encouraging voters with disabilities to vote, including veterans with disabilities

• Creation of a Cyber Working Group with local, state and federal partners

The following security measures have been implemented on the voter registration system according to a CBS2/Fox28 news story on 7/22/2019:

-Mandatory two-factor authentication for anyone who accesses I-Voters

-Mandatory cybersecurity training for all SOS staff and all elections staff in all 99 counties

-Constant monitoring of voter registration additions and changes, with weekly reports that detect any irregularities (Note: As of 7/31/2019, I have yet to see a weekly report from the SoS)

-Upgraded firewalls and cybersecurity protection

-Upgraded Election Night Reporting system with increased cybersecurity protections

-Required that e-poll books be encrypted

-U.S. Department of Homeland Security (DHS) has conducted several assessments on state and county systems

-DHS runs a weekly vulnerability scan.

-Iowa’s Office of the Chief Information Officer runs a separate weekly scan.

-Placed an Albert Sensor on the state’s voter registration system (I-Voters)

-Housed I-Voters in a secure, off-site location

-Held table top exercises with the Iowa National Guard, state agencies and county auditors

-Hosted several cybersecurity trainings for county auditors and county IT staff

-Partnered with DHS to create a pilot program on a self-assessment cybersecurity tool

-Developed and distributed the first of its kind, personalized cybersecurity posters to every county, a model DHS has replicated in dozens of states

-Developed training tools for county auditors, their staff and precinct election officials related to cybersecurity

-Partnered with the OCIO to have their Security Operations Center monitor networks on Election Day

-Worked with the Iowa Homeland Security and Emergency Management Department to open their Emergency Operations Center that was staffed by multiple state agency representatives to facilitate Election Day communication

-Coordinated with OCIO, Iowa HSEMD, Iowa Public Safety, DHS, FBI, county auditors and IT department to staff the Department of Public Safety’s Fusion Center on Election Day

-Implemented the first statewide post-election audits in Iowa history


