Responding to Donald Trump’s absurd recent allegations about election rigging, incumbent Republican Secretary of State Kim Wyman today published a sternly-worded statement rebuking her party’s nominee (though not by name) and expressing full confidence in Washington State’s own elections systems.
In recent days, we have heard heated campaign rhetoric about American elections being “rigged” and somehow predetermined. This kind of baseless accusation is irresponsible and threatens to undermine voter confidence on this most basic foundation of democracy.
As a twenty-four year election administrator at the state and local level, with close relationships with the national elections community, federal security experts and independent academics, I have full and complete confidence in our system. Every eligible ballot will be handled securely and will be tabulated carefully and accurately.
As ballots go out this week, I am pleased to note that our paper-based system creates an audit trail. Our state registration system remains cybersecure and our tabulation systems in the counties are air-gapped and not connected to the Internet.
We have multiple layers of security, both physical and electronic.
Voter fraud in the United States is considered extraordinarily unlikely by experts. The voting system is highly decentralized, with each state, red, blue and purple, running their own elections with a total of over 9,000 election professionals who are directly accountable to elected or appointed officials. The culture is that professionals leave their personal politics at the door and treat every ballot with integrity.
This is quite true of our 39 tireless county auditors and election directors. Our counties operate with full transparency and welcome observers, some even using live webcams to show ballot processing.
It makes no sense that election managers would somehow indulge in a conspiracy across party lines and state lines.
As with concerns about cybersecurity, Washington remains vigilant to any possible voter fraud. Voters should have trust in our elections system. My hope is that every registered voter will confidently cast their ballot. We will ensure their ballot is tabulated just as they cast it. There will be no rigging on our watch.
The paper trail our vote-by-mail system produces is indeed a great thing, and we’re glad to see Secretary Wyman denouncing Donald Trump’s recent comments.
But we have not forgotten that she recently called for legislation that would allow her office to conduct “citizenship checks”. As she says in the release above, voter fraud in the United States is considered extraordinarily unlikely by experts. We agree, and that’s why we don’t need “citizenship checks” of our voter rolls.
Republicans in other states (like North Carolina, Pennsylvania, and Wisconsin) have used nonexistent “voter fraud” as an excuse to ram through voter suppression schemes that target Democratic voters. Some Republicans have even admitted that the point of these laws is to disenfranchise voters.
Like Pennsylvania Republican Mike Turzai (R‑Allegheny), who boasted in 2012, “Voter ID, which is gonna allow Governor Romney to win the state of Pennsylvania — done.” (Pennsylvania ultimately supported Barack Obama, but the law did cost the Democratic nominee some support, as Republicans intended.)
Washington State doesn’t need citizenship checks, but it does need a strong commitment from its next Secretary of State to bolster cybersecurity.
Kim Wyman’s Democratic challenger Tina Podlodowski has made this a campaign issue. Last month, Wyman’s office put out a press release announcing that a “design flaw” in the state’s MyVote voter lookup tool had been corrected. The release neglected to thank Podlodowski’s campaign for flagging the issue. The “design flaw” exposed voter data that isn’t supposed to be available to the public.
That particular issue has been corrected, but there are other steps that Washington’s Secretary of State should take to improve cybersecurity.
Here are several recommendations from NPI.
Force HTTPS on all websites
As a security-conscious organization, NPI is a proponent of secure protocols that encrypt data as it travels across the Internet.
One of the most important protocols available to us is HTTPS, which utilizes Transport Layer Security, or TLS, for its modern implementation. (TLS replaces the now deprecated Secure Sockets Layer, or SSL.)
Try to connect to nwprogressive.org over HTTP, and you’ll find you can’t — you’ll be upgraded to HTTPS automatically by default.
The Secretary of State should follow suit, as should all public agencies at all levels of government — local, state, and federal. At present, HTTPS is not required on all websites operated by the Secretary of State. Recently, the main website (www.sos.wa.gov) went HTTPS only, which we’re glad to see, but this is not yet the case for many other domains/subdomains the Secretary of State controls.
Here are some examples of pages/URLs where HTTPS is not yet being forced:
- November 8th, 2016 General Election Results (results.vote.wa.gov)
- MyVote | Voters’ Guide, 2016 General Election (weiapplets.sos.wa.gov)
- Washington State Archives (digitalarchives.wa.gov)
For HTTPS to be properly forced, all images, scripts, and embedded media must be served over HTTPS, otherwise mixed-content warnings will be generated.
A quick crawl of www.sos.wa.gov by NPI found a number of pages that still have insecure content.
Qualys Labs grades www.sos.wa.gov as having an “A” on its highly useful secure hosting server test, which is reassuring.
(nwprogressive.org also scores an “A” along with other NPI websites.)
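To find pages that would trigger the mixed-content warnings described above, a site operator can scan the markup for subresources that are still referenced over http://. The following is an added example, not NPI's crawler or the Secretary of State's code; it only inspects resources referenced in HTML tags, and the hosts in the sample page are made up.

```python
from html.parser import HTMLParser

# Tag -> attributes that make the browser fetch a subresource.
# <a href> is navigation, not a subresource, so it is deliberately absent.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"),
    "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "object": ("data",),
}
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> types that load content

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        wanted = SUBRESOURCE_ATTRS.get(tag, ())
        if tag == "link" and LINK_RELS & set((attrs.get("rel") or "").lower().split()):
            wanted = ("href",)
        for name in wanted:
            value = attrs.get(name) or ""
            # srcset is a comma-separated list of "URL descriptor" candidates.
            candidates = value.split(",") if name == "srcset" else [value]
            for candidate in candidates:
                url = (candidate.split() or [""])[0]
                if url.lower().startswith("http://"):
                    self.findings.append((tag, name, url))

def find_mixed_content(html):
    """Return every subresource reference that would load over plain HTTP."""
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample page (hypothetical hosts), not taken from any real site.
SAMPLE_PAGE = """
<link rel="stylesheet" href="http://static.example.gov/site.css">
<script src="https://static.example.gov/app.js"></script>
<a href="http://www.example.gov/old-page">an ordinary link</a>
<img src="/images/seal.png">
<img srcset="https://static.example.gov/a.png 1x, http://static.example.gov/a2.png 2x">
<iframe src="//video.example.gov/embed/1"></iframe>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print(f"<{tag} {attr}> loads insecurely: {url}")
```

Relative and protocol-relative URLs inherit the page's scheme, so they are not flagged once the page itself is served over HTTPS.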
Reset passwords by having the user follow a link and answer questions
The Secretary of State’s website allows Washingtonians to create online accounts in order to do business with the office electronically. For example, a citizen may create an account to file initiatives online. If you lose your password, it’s possible to reset it without having to call up the Secretary of State’s office.
Unfortunately, the password reset tool currently sends new passwords across the Internet, unencrypted, in the body of an email. That’s bad.
Here’s an example password reset message that the system currently generates:
Your password has been reset at. You may login with your email address and password below at http://www.sos.wa.gov/elections/initiatives/login.aspx
Notice the URL above begins with the http:// prefix, not https://. Because sos.wa.gov is now HTTPS by default, the user is thankfully redirected and cannot login over an insecure connection. This used to be an issue but has been corrected.
Email: somebody@example.com
Note that this is a fake email address substituted for a real one.
New Password: r3o!OhvUjqr
Note this is a fake password generated by NPI, replacing the one that came in the actual email generated today from the Secretary of State’s system.
===
Office of the Secretary of State, Elections Division
520 Union Ave SE, Olympia 98501
PO Box 40229, Olympia 98504
360-902-4180
InitiativeSupport@sos.wa.gov
Making matters worse, users aren’t prompted to change passwords once they login, nor is it obvious how to update one’s account information once logged in using the insecurely sent password. We recommend the Secretary of State do the following:
- Make it simple and easy for users to update their passwords once logged in. For example, on the initiatives portal, there should be prominent links to Manage My Account / Update My Password on the My Filings screen, and every other screen a user sees while logged in to the system.
- Send users a link to change their password and put that in the body of the email instead of sending the new password in the body of the email. The link should expire after twenty-four hours or less. The new password should be chosen by the user and should meet minimum complexity requirements. Punctuation should be allowed and encouraged in all passwords.
- Require users to set up answers to a set of security questions and provide the correct answers to at least two of those questions before allowing the account password to be reset. Questions like “What is your mother’s maiden name?” should be avoided. Questions like “What is your favorite vacation spot?” are more appropriate. Users should also be able to create their own questions. Users who cannot answer the security questions should be prompted to call the Secretary of State to unlock their account.
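Here is one way the emailed-link recommendation could work, as an added example that is not the Secretary of State's code: the email carries a random, single-use token that expires after twenty-four hours, and the server stores only a hash of it. The portal URL, the class name and the in-memory store are assumptions made for illustration; the security-question step is left out.

```python
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 24 * 60 * 60  # the page's upper bound: twenty-four hours
# Hypothetical portal address, used only for this illustration.
RESET_URL = "https://portal.example.gov/account/reset"

def token_digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class ResetTokenStore:
    """In-memory stand-in for a database table of pending password resets."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # sha256(token) -> (account email, expiry timestamp)

    def issue(self, email):
        # A new request invalidates any earlier outstanding token for the account.
        self._pending = {d: v for d, v in self._pending.items() if v[0] != email}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Only the digest is stored, so a leaked table does not yield usable links.
        self._pending[token_digest(token)] = (email, self._now() + RESET_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Return the account email for a valid token, else None. Single use."""
        entry = self._pending.pop(token_digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        return email if self._now() <= expires_at else None

def reset_email_body(token):
    # The message carries a link, never a password; the user picks the new one.
    return (
        "A password reset was requested for your account.\n"
        f"Choose a new password here: {RESET_URL}?token={token}\n"
        "This link works once and expires in 24 hours."
    )

if __name__ == "__main__":
    store = ResetTokenStore()
    token = store.issue("somebody@example.com")
    print(reset_email_body(token))
    print("redeemed for:", store.redeem(token))
    print("second use:", store.redeem(token))
```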
Harden web applications
Like NPI, the Secretary of State’s office uses software such as WordPress to manage content. By doing some quick inspecting of the website’s source code and probing for README files, I was able to learn a lot about the software the site is running, including plugins, and what versions of that software are currently in use. This could be valuable information to someone trying to break in.
For security reasons, I’m not going to elaborate any further in this post regarding what I found, as I believe in practicing responsible disclosure.
NPI recommends the Secretary of State take steps to harden its web applications to guard against unwanted intruders. Steps that should be taken include tightening permissions, enabling defenses that can thwart and deflect brute force attacks, and preventing plugins from embedding HTML comments in web page source code.
Implement Content Security Policy and XSS protection
For bonus points, the Secretary of State’s office ought to begin working on implementing Content Security Policy across all of its websites.
This is something we’re starting to work on at NPI, to take our sites’ security to the next level. It’s done by setting server headers.
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript — either reflected or stored — means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript.
By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.
Replacing inline JavaScript is certainly not simple or easy to do — it takes work. But implementing CSP leads to more secure websites. We intend to do it, and we urge the Secretary of State to commit to doing it as well.
X-XSS-Protection can and should be implemented in the meantime to protect users who use Internet Explorer or Chrome/Chromium.
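Whether a given Content-Security-Policy header actually disables inline JavaScript depends on what its script-src (or fallback default-src) directive contains. The check below is an added example, not code from NPI or the Secretary of State; the sample policies are constructed, and the CSP Level 3 script-src-elem and script-src-attr directives are not modelled.

```python
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers honour the first occurrence of a repeated directive.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def injected_inline_script_runs(header):
    """True if an inline <script> injected into the page would still execute."""
    policy = parse_csp(header)
    # script-src governs scripts; default-src is the fallback when it is absent.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # nothing in the policy restricts scripts at all
    sources = [s.lower() for s in sources]
    if "'unsafe-inline'" not in sources:
        return False
    # When a nonce, hash or 'strict-dynamic' is present, browsers that support
    # it ignore 'unsafe-inline', so only explicitly approved inline scripts run.
    return not any(
        s.startswith(NONCE_OR_HASH) or s == "'strict-dynamic'" for s in sources
    )

# Constructed sample policies for illustration.
SAMPLES = {
    "no policy": "",
    "images only": "img-src 'self'",
    "inline allowed": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "strict": "default-src 'self'",
    "nonce based": "script-src 'nonce-r4nd0m' 'unsafe-inline' https:",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        verdict = "RUNS" if injected_inline_script_runs(header) else "blocked"
        print(f"{name:15} injected inline script: {verdict}")
```

A policy that sets only img-src, or that keeps 'unsafe-inline' in script-src, leaves injected inline scripts runnable.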
The recommendations outlined above, incidentally, are recommendations that we would urge every public agency everywhere to adopt.
But because the Secretary of State’s office is responsible for so much vital recordkeeping, coordinating with Washington’s thirty-nine county governments, it should be a cybersecurity leader, setting a good example for all to follow.
The question that I have is whether Kim Wyman could have cancelled this year’s Washington Presidential Primary. That seems to be the basis of Tina’s campaign.
If you read Tina’s campaign materials, you can see she’s running on priorities like automatic voter registration, same day registration, prepaid postage for ballots, and outreach to disadvantaged constituencies. Tina has said she is in favor of holding a presidential primary, but she wants it to be meaningful (and this has long been NPI’s position).
The presidential primary must be held by law every four years, but it can be canceled, as it was in 2004 and 2012. The Secretary of State does not have the authority to cancel the election unilaterally (it requires changing state law), but can ask the Legislature to do so.
Tina’s critique of Kim with respect to the presidential primary seems to be that Wyman should have pushed for its cancellation back in 2015, when she couldn’t get the two major parties to agree to move it up to the earlier date she wanted, which would have made the election more relevant (at least for the Republicans; the Democrats had already chosen to utilize caucuses). However, Tina did not articulate this critique very well back in the spring at the time the presidential primary was in the news. By that point, it was way too late to cancel the election, which was held on the default date prescribed by statute. Either a date change or an outright cancellation of the election would have needed to happen months sooner.