SAINT PAUL — Secretary of State Steve Simon today re-released the detailed 20-point plan for the $6.6 million of federal Help America Vote Act (HAVA) funds disbursed last year to Minnesota. The 20-point plan was developed by a working group of election officials, legislators and/or staff from all four legislative caucuses, cybersecurity experts, and other stakeholders to determine the best use for these federal election security funds.
“Minnesotans continue to face artificial delays in accessing our federal election cybersecurity funding,” said Secretary Simon. “We anticipated the need for a detailed plan before spending these funds, which is why I last year convened a working group, which included elected legislators from both parties in the House, and the Senate DFL. The working group’s proposals were submitted to the legislature on November 27, 2018, for review. While we continue to wait for the Senate to work with Minnesotans to enhance our election security, it is important that all Minnesotans see exactly what the working group proposed. I remain ready – even eager – to answer any of the as yet unasked questions from the Senate majority about how we will spend these federal funds to enhance our election cybersecurity. All they have to do is ask.”
Secretary Simon early this year announced his “Investing in Democracy” agenda, a central element of which is to enhance Minnesota’s election cybersecurity and to modernize and secure the Statewide Voter Registration System (SVRS). In addition to allocating $1.5 million to modernize and secure SVRS, the HAVA working group made the following recommendations:
Cybersecurity training for counties and cities
Also recommended by the Election Infrastructure Subsector Government Coordinating Council
It is proposed that the Office hire a “cyber navigator” to assist counties and cities with election-related cybersecurity needs, including assistance responding to cybersecurity incidents. The purpose of a navigator is to provide practical cybersecurity knowledge, support, and services to local election officials who would otherwise not have them. The navigator would work with county IT staff or vendors to create cybersecurity policies, mitigate vulnerabilities, and establish best cyber hygiene practices within each office. Additionally, these navigators would serve as a resource for local election offices as they consider improvements to their own cybersecurity.
Automatic behavioral analysis
Also recommended by the U.S. Department of Homeland Security and the Election Infrastructure Subsector Government Coordinating Council
Database Activity Monitoring Software (DAM) is technology that monitors and analyzes database activity in real-time to alert and block suspicious activity.
Investing in this software will allow the Office of the Secretary of State to have increased monitoring capabilities to oversee its databases, and quickly identify and block any malicious activity.
Network segmentation
Also recommended by the U.S. Department of Homeland Security
Network segmentation is the practice of splitting the Office’s network into subnetworks. These subnetworks limit what the users are able to access. Network segmentation is vital for the Office because it isolated potential malware or ransomware (if introduced) from traveling to other office networks.
Security information and event management (SIEM) software
Also recommended by the U.S. Department of Homeland Security
Security Information and Event Management (SIEM) is technology that provides real-time analysis of logs and security alerts generated by network hardware and applications in a single location. SIEM technology will allow IT administrators to search one comprehensive log, thus reducing the time necessary to look through potential suspicious activity.
Next generation anti-virus software
As viruses and malware advance, so must antivirus software. Additional antivirus software will detect new viruses and malware without daily/hourly signature updates, and is needed to augment the Office’s current “signature based” antivirus software with next generation “behavior based” software.
Privileged access management (PAM)
Also recommended by the U.S. Department of Homeland Security and the Election Infrastructure Subsector Government Coordinating Council
Privileged Access Management (PAM) refers to systems and processes for giving organizations better control and monitoring capability into who can gain privileged access to the computer or system. This automated system ensures that the right users have the right access at the right time.
Infrastructure upgrade
The Office of the Secretary of State will need an infrastructure upgrade or replacement to accommodate the additional capacity needed to support the load of SIEM and DAM systems.
Additional network storage and backup storage
Added network storage is needed to store the additional logs that are captured by the SIEM and DAM systems. In order for the Office to remain compliant with Minnesota Statutes regarding data practices and data retention, the Office needs more storage capacity.
Data core continuous data protection (CDP)
Continuous Data Protection (CDP) provides automatic captures of data on network storage for recovery in the event of data corruption or a ransomware infection.
In the event of data corruption or a ransomware infection immediately before or during an election, hours can be too long and may be detrimental to the administration of Minnesota’s elections.
Additional licensing for systems scanning/testing
Also recommended by the Election Infrastructure Subsector Government Coordinating Council and National Institute of Standards and Technology
Additional licenses are needed so that all of the Office’s public facing websites and online tools can be scanned for vulnerabilities. It is proposed that the Office purchase 20 additional licenses to ensure all of the Office’s public facing websites can be scanned and a full vulnerability review of the underlying code completed.
Temporary policy writer
Also recommended by the U.S. Department of Homeland Security
The Department of Homeland Security and this subcommittee recommends that the Office hire a policy writer to develop written cybersecurity policies and procedures. Once initial policies are done, the Office believes current staff will be able to conduct annual reviews and updates.
Ongoing support for multi-factor authentication (MFA)
Also recommended by the Election Infrastructure Subsector Government Coordinating Council and the National Institute of Standards and Technology
Multi-Factor Authentication (MFA) is a security system that requires more than one piece of information to verify a user’s identity for a login. Using MFA provides an extra safeguard for the Office of the Secretary of State when county or local election officials access our system.
Study Minnesota’s post-election review and to recommend changes to the post-election Review process
After every state general election, Minnesota counties must perform a post-election review of election results returned by the optical scan ballot counters used in the state (Minnesota Statutes 206.89). The review is conducted by a hand count of the ballots for each eligible election in the selected precincts and compared with the results from the voting system used in those precincts. The purpose of this review is to verify accurate tabulation of the voting system. An outside expert should be hired to analyze the post-election review and to inform any necessary improvements to increase the likelihood of detecting tabulation errors.
Conduct a study of Minnesota’s data sharing partners
The Office of the Secretary of State exchanges data with third parties including the Courts, the Department of Public Safety, Social Security Administration, and others. This data is shared to ensure Minnesota’s voter registration list is accurate and to address any potential eligibility challenges. The Office of the Secretary of State (OSS) should engage an outside consultant to audit the security of information transferred between the OSS and outside agencies. The consultant would work with the OSS to address any security concerns and develop additional protocols as needed.
Invest in secure information sharing with counties
Local election officials are routinely the targets of phishing attacks. The OSS should contract with a vendor to further secure data exchanges between counties and the OSS, including enhanced email security and developing a secure portal for hyperlinks and other sensitive information to be shared.
Enhancing website security and accessibility
The Secretary of State’s public website (https://www.sos.state.mn.us) is our primary public information channel. Strengthening the security of this website is vital to ensure that the public has access to reliable and accurate information, secure from those who wish to spread disinformation for any purpose. We should invest in additional security measures to enhance the security of the website. This proposal compliments the cybersecurity subcommittee proposal of investing in software that would validate the code of the website to ensure its accuracy and security.
Additionally, it is proposed that the Office makes the entire website accessible to persons with a disability. In addition to making the website more accessible, the Office should invest in a mobile-friendly webpage format.
Recruiting and training election judges
The OSS should dedicate additional resources to assist counties and cities in recruiting election judges and conducting additional election judge training related to accessibility at the polling place, using e-poll books, and general security measures. Election judges are at the front lines of our elections. Equipping them with the latest training on issues relevant to today’s elections will ensure voters continue to receive the assistance needed.
Expand absentee and mail-voting for voters with a disability
Mail voting in Minnesota, whether in all-mail jurisdictions or by absentee ballot, is currently not fully accessible to voters with disabilities. All forms of domestic mail voting currently require ballots to be sent to voters in paper form and to be completed manually. Voters serving in the military or living abroad, however, have the ability to receive their application via email, mail, or fax.
The OSS should make absentee and mail voting for voters with a disability accessible. Accessible absentee and mail voting can be accomplished by either expanding or improving the current process for military and overseas voters or purchasing software that will allow voters with a disability to receive and mark their ballot electronically, and then return the printed ballot to their local election official.
Provide sub grants to local communities for improved election security and accessibility
The OSS should invest in the security of local jurisdictions’ elections by providing sub-grants to for the following items:
Each awardee will have the autonomy to spend their allotted funds on any of the above items consistent with the requirements of the 2018 HAVA Election Security Funds.