RI Board of Elections Vice Chair Defends System - “You Don’t Have a Choice With Zero Risk”
Sunday, August 11, 2019
The Chair of the Rhode Island Board of Elections is defending the state’s current voting system after the national publication Vice singled out Rhode Island as being the most vulnerable and called it “particularly problematic” in light of its connectivity to the internet — and potential for hacking — on election night.
Others claim the system is deeply flawed and an embarrassment.
In the Vice article published this week entitled "Critical U.S. Election Systems Have Been Left Exposed Online Despite Official Denials," the publication singled out Rhode Island saying, "unlike other states, [it] conducts its elections from a centralized office at the state Board of Elections, instead of farming out election administration to each county or jurisdiction. The election reporting system the researchers found online, therefore, was the reporting system for the entire state."
GET THE LATEST BREAKING NEWS HERE -- SIGN UP FOR GOLOCAL FREE DAILY EBLAST“This is a fair discussion point — but it’s a question of comparative risk,” said Rhode Island Board of Elections Chair Steve Erickson in a phone interview on Friday. “I don’t think the Vice article addresses the issue of comparative risk of getting the results to a centralized location.”
“There’s always a perception of perceived risk versus actual risk — and people act more on perceived risk more than actual risk,” said Erickson. “There has been no evidence shown that it would be feasible for the seconds that the [voting locations connect to the internet to send results] that could be used to alter or monitor their results. That’s the wrong question — that risk is virtually non-existent.”
Erickson said, however, that he was not okay with any risk.
The New York Times has also flagged Rhode Island's issue.
“I’m never ‘fine’ with any risk,” said Erickson. “I’ve had this discussion with my wife — she was an internal audit director for a Fortune 500 company and did tech audits, and she said the answer was obvious, when I asked which system is more secure — a system where unofficial results are transmitted through a secure line [over the internet] over 30 seconds from the polling location to the centralized location — and then backed up with the physical transporation from thumb drives the next day — or giving those thumb drives to individuals to drive up to central on election night?"
“It is far more likely to tamper with data-driven [results] when they’re physically out of control of the state board of elections — without unofficial data to back them up,” said Erickson. “You don’t get to have a choice with zero risk — you don’t have zero risk when you get out of bed in the morning.”
But Erickson's assessment is different from others. According to Vice, “Although only one system was found online in Rhode Island, this one was particularly problematic, the researchers note. Rhode Island, unlike other states, conducts its elections from a centralized office at the state Board of Elections, instead of farming out election administration to each county or jurisdiction. The election reporting system the researchers found online, therefore, was the reporting system for the entire state.”
According to Vice, Rhode Island's entire system is vulnerable.
Addressing Critics
Critics of the Rhode Island election system were scathing following the Vice report, including former Republican gubernatorial candidate Ken Block.
“A huge black eye for RI Secretary of State Gorbea and the RI Board of Elections. After assuring everyone that Rhode Island's new elections gear was not connected to the internet, independent researchers prove that in fact RI's systems ARE on the internet, and therefore exposed to being hacked, said Block. ”Elections are now high tech endeavors, but our elections officials are technological dinosaurs,” said Ken Block, former candidate for Governor.”
In the Vice article, vendor ES&S was quoted as saying that their firewall is not exposed to the internet — and Erickson said the state always knew of the internet connection. But, information provided by the company to Rhode Island officials show the system does connect.
“There’s nothing connected to the firewall that is exposed to the internet,” Gary Weber, vice president of software development and engineering for ES&S, told [Vice] Motherboard. “Our [election-management system] is not pingable or addressable from the public internet.” This makes them invisible to bad actors or unauthorized users, he said.”
Erickson said that the state was already addressing the issue of whether to continue to use modems — or not — ahead of the Vice article.
“We were on top of this before the vice report. We’ve had this issue on our radar for 2020 — since we found out the [current] modems would not be functional 2020,” said Erickson, who noted the Board of Elections did not buy the machines — which had the modems already installed — in 2015, and that it was the Secretary of State’s office.”
Erickson said that the Board of Elections will be taking up in September whether to upgrade the modems — or go back to a system where modems aren’t used.
“It comes downs to perceived risk — we need to make sure the public has confidence in the system — if they don’t have confidence, we need to make sure they do,” said Erickson.
"[Prior to the 2018 election] We regularly met with experts from a variety of state and federal agencies -- including Homeland Security, DOJ, and the FBI, as well as experts in cybersecurity to review every possible threat to the systems -- we had them audited in advance --- I was personally at a meeting of the task force where I raised the issue of modem transmission, it was evaluated, and determined not to be a vulnerability, and did not require last-minute modifications of the data transmission system to a less reliable method," said Erickson.
"Since 2018 we have continued to have internal discussions about this issue, and have continued to press ESS on the issue of EAC certification," said Erickson. "We view the current need to upgrade the modems as an opportunity to revisit, with sufficient time to evaluate options, prior to the 2020 election."
Editor's Note: A previous version identified Erickson is Chair; he is now Vice-Chair.
Related Articles
- UPDATED: Hacker Claims to Have Taken Sensitive Data from City of Providence
- Robert Whitcomb’s Digital Diary: Clinton, Russian Hackers, and CVS Pressure
- Up to 90 Million Facebook Users Affected by Hackers
- LIVE: Secretary of State Gorbea Working to Ensure Election Security
- NEW: Langevin Announces Winners of RI Cybersecurity Contest
- Langevin is Skeptical on Chinese Part of Cybersecurity Agreement
- NEW: Langevin Calls for Commitment to Building Stronger Cybersecurity Workforce
- NEW: Langevin Talks Cybersecurity on C-SPAN
- UPDATED: Cybersecurity Symposium Held Today at URI
- NEW: Langevin Urges Passage of Cybersecurity Bill
- Raimondo Names Steinmetz Policy Advisor on Cybersecurity
- Roger Williams University Cybersecurity Expert on Malware Impacting Power Grids, and More
- Monday on LIVE: Decider’s Zalben, Cybersecurity Expert Freedman & Business Monday
- Gorbea on State of Cybersecurity, Improving Elections in RI on LIVE
- Trends in Cybersecurity with Endgame Top Expert on LIVE
- Robert Whitcomb: Low Rating for Cybersecurity; Low Wages and Benny’s Demise
- Cherry Bekaert Names National Leader of Information Assurance & Cybersecurity
- MA Gov. Baker Announces Creation of New Cybersecurity Center
