Election Security and Accuracy
This section is an overview of the security features of election systems and the security procedures used by San Mateo County Elections designed to ensure the integrity and accuracy of the voting process and results.
The County’s voting technology comprises two main components: voter registration and vote tabulation. These two systems are completely separated and secured in multiple ways. The vote tabulation system is a closed system that does not connect to the internet.
Voter Registration System
San Mateo County uses an election management system (EMS) from DFM Associates, Inc. called EIMS. This system stores election information including voter data and voter participation history. Below are some of the systems and protocols in place to protect the County’s voter registration system.
Federal Declaration of Critical Infrastructure
In January 2017, the Department of Homeland Security (DHS) designated U.S. election systems as critical infrastructure. The designation does not come with funding and counties are not required to participate, but the San Mateo County Information Services Department (ISD) and the Assessor-County Clerk-Recorder & Elections department (ACRE) work with the federal government under it. The designation improves communication between the federal government and state and local officials in protecting election infrastructure.
The voter registration database servers are located inside the County network behind the County firewall, which is constantly monitored and patched. The County subscribes to the Department of Homeland Security’s Cyber Hygiene service, whereby DHS and ACRE’s security vendors perform regular vulnerability scans of the County’s network and its internet-facing systems.
The San Mateo County Elections Department also has in place a Cybersecurity Defense Team (CSDT), which works closely with the San Mateo County Information Services Department, the Secretary of State’s office (SOS), DHS, EI-ISAC, and a cybersecurity firm. Together these groups continuously monitor cybersecurity risks and take appropriate action to secure the San Mateo County network and elections operations. The CSDT also provides oversight of cybersecurity incidents, tracks them, and coordinates incident response with the SOS and EI-ISAC. Additionally, the CSDT coordinates with the appropriate groups to ensure that Multi-Factor Authentication (MFA) is implemented where appropriate.
All users must have a unique username and password to sign in to the County network. Passwords must be changed every 60 days per the County security standards. All remote users entering the County network must use a VPN connection to access the network. Multi Factor Authentication is utilized by Elections staff who have the capability to update election website contents or social media platforms.
At the County, there are multiple security systems to help protect the internal users from malware and phishing. All incoming email is scanned and evaluated for malware and phishing. All internet traffic is monitored and known phishing sites are blocked. Other types of malicious links may be blocked so that malware can’t be downloaded inside the County network.
All computers and fileservers connected to the San Mateo County network must have the most recent version of anti-virus software that has been tested and approved by ISD, installed, and actively running on these devices and configured for daily virus definition file updates. Similarly, all computers and fileservers must be configured to receive updates and patches. Internal vulnerability assessments are also conducted. All laptops must be protected with full disk encryption.
Users can only log in to EIMS from the County network, using their County logins. Users are assigned roles in EIMS that grant only the access and rights within the application required for their assigned responsibilities. All changes to records are logged and auditable.
EIMS servers are County owned and located in secured County buildings. All EIMS applications are run on County servers that reside in a secured data center. No election data is stored in the cloud. The EIMS servers’ backups are run on a set timetable and the backups are replicated to at least one other site. All servers are running an operating system that is up to date and have anti-malware software that is updated on a routine basis.
EIMS is connected to the California Secretary of State (SOS) voter registration database, referred to as VoteCal, via a secure point-to-point, high-speed connection. VoteCal links all the voter registrations databases in the 58 California counties. Voter registration data is transmitted between VoteCal and EIMS to update voter status. The County employs a security appliance between the County and the SOS that limits what the State connection can do inside the County network. This security appliance also limits who can exit through the line and access the VoteCal data. Only authorized Elections staff can access VoteCal.
Many safeguards are in place to protect VoteCal from unauthorized access, intrusion, manipulation, or corruption.
First, VoteCal adheres to industry-standard security controls established by the National Institute of Standards and Technology (NIST 800-53r4) and the International Organization for Standardization (ISO 27001).
Second, VoteCal has utilized industry-standard best practices to implement recommendations from the Department of Homeland Security (ST16-001) for “Securing Voter Registration Data.” These recommendations, which were distributed by the National Association of Secretaries of State Elections Committee, are designed to prevent malicious actors from using a variety of means to interfere with voter registration websites and databases.
Third, VoteCal’s database resides on servers located on a secure internal network. VoteCal’s data does not reside in a cloud, but rather resides locally. Only a select few authorized staff have access to the database. Network safeguards and server hardening/security enhancement techniques have been employed to protect the system from external intrusion.
Fourth, the SOS conducts routine vulnerability scans and security audits to proactively identify and address security vulnerabilities. In addition, the SOS routinely applies the latest software security patches to ensure that VoteCal remains protected against emerging security threats. The SOS also deploys malware/anti-virus software on infrastructure and end-point devices.
Finally, VoteCal’s data is encrypted at rest and in transit. No access exists between the VoteCal public website servers, used for the public website, and the VoteCal database servers, where voter data resides.
Vote Center Connections
In June 2018, San Mateo County moved to a new All-Mailed Ballot/Vote Center election model. Vote Centers replaced polling places. Each Vote Center has between three and seven epollbooks for voter check-in.
Epollbooks are configured with dual password authentication required for each user. The epollbook data is encrypted at rest and in transit, and the epollbooks are monitored remotely from our central office.
The epollbooks are controlled by mobile device management, and only authorized applications are installed. All unused ports and connections on designated IT assets and other devices are sealed and/or blocked from use. IT assets are secured when not in use and stored in a secure location.
Voters can verify 24 hours a day, 7 days a week that their voter registration is accurate via the Voter Lookup tool on the San Mateo County Elections website. The Voter Lookup tool uses HyperText Transfer Protocol Secure (HTTPS) which means that all data sent and received is encrypted.
The data for this voter lookup is an extract from the voter registration database servers. The lookup does not have access to live data and the extract only pulls data that is necessary to run the voter lookup.
Voter data may be provided to a candidate running for office, a ballot measure committee or to persons or groups for elections, scholarly, journalistic, political or governmental purposes as determined by the SOS. All other requests for voter data are denied.
Voting Tabulation System
In 2019, San Mateo County began using Dominion’s Democracy Suite Voting System as its vote tabulation system. It is a paper-based system that produces a voter-verifiable paper record, which provides an auditable trail of the votes cast.
It is also important to remember that voting equipment is only one component of an overall election system that includes citizen involvement, transparency, external security measures, management policies and procedures, and professional election officials. Altogether these measures ensure reliable and trustworthy elections.
The San Mateo County Elections Office is committed to fair, accurate, and secure elections, and goes beyond state and federal requirements for voting system security and accuracy. As part of the ACRE department, the Elections Division recognizes that cyber attacks are a reality of the digital era, and that it is necessary to continually harden our cybersecurity policies and tools. To achieve these goals, ACRE works with cybersecurity vendors and the Secretary of State’s VoteSure program. Additionally, ACRE staff and County Information Services Department (ISD) staff continuously work with DHS, MS-ISAC and EI-ISAC, as do relevant vendors, to understand the latest security threats and how to protect against them. The vendor that manages ACRE’s website also receives EI-ISAC notifications and security notifications from the Drupal open source project, and employs two-factor authentication. “We share the public’s concern for election security and are committed to using state-of-the-art cybersecurity tools and techniques to achieve this.”
Overview of Dominion System
Voting Systems Certification and Independent Testing
Federal Certification Testing
Voting system certification standards employed in California are among the most stringent in the nation. Every voting system certified for use in California, including the Dominion voting system, must comply with federal voting system standards. Under the process described here, an Independent Testing Authority (ITA) selected and approved by the National Association of State Election Directors (NASED) rigorously tests each voting system’s hardware, firmware, and software for compliance with the Federal Voting System Standards issued by the Federal Election Commission, and systems that pass are issued a NASED Qualified identification number. Note that the NASED/ITA process has since been superseded: the U.S. Election Assistance Commission (EAC) now publishes the Voluntary Voting System Guidelines (VVSG) as the federal standard, and EAC-accredited Voting System Test Laboratories (VSTLs) perform the testing. The principle is unchanged: an independent laboratory tests the exact hardware, firmware, and software versions before a state considers them for certification.
State Certification Testing
In addition, California election law requires the Secretary of State to certify all voting systems used in the state. Before the California examination of a voting system, the system must be tested by a Nationally Recognized Test Laboratory (NRTL) and must meet or exceed the minimum requirements set forth in the ‘Performance and Test Standards for Punch Card, Mark Sense, and Direct Recording Electronic Voting Systems’, or in any successor voluntary standard developed and promulgated by the federal government. Voting system vendors must submit each hardware, firmware, or software update to the testing laboratory and to the Secretary of State for testing in order to maintain their voting system’s certification.
Security within the Dominion ImageCast X (ICX)
Voting at Vote Centers on ImageCast X
San Mateo County implemented a new voting system in November 2019, which has the following functionality:
- It is impossible to “overvote” (vote for more candidates than can be elected).
- Voters can immediately correct their ballot choices if they make a mistake.
- The ballot is marked by the device rather than by hand, so there are no stray, partial or ambiguous marks to interpret; voter intent still depends on the voter checking that the printed ballot reflects their choices.
- Voters are alerted to un-voted or under-voted races on the summary screen.
- Voters must view a summary screen of all their ballot choices before printing their ballot – giving voters an opportunity to review and change their choices, if necessary.
- Once a voter prints their ballot, the voter is given one last opportunity to review and change their ballot choices before they cast their paper ballot into a designated ballot box.
- Printed paper ballots provide an auditable record against which the electronic tally can be checked, supporting an accurate and secure election.
Equipment safeguards against unauthorized access
The ICX system (Ballot Marking Tablet) includes both physical and electronic intrusion detection controls, such as numbered wire seals (commonly used in elections) and time-stamped transaction logs that record every system action related to the voting process. Access to election data on the device is restricted by credentials set by the Elections Administrator. The database structure is proprietary, but a proprietary format is obscurity rather than a security control; the protection against unauthorized insertion or alteration of data rests on the seals, the access controls, and the transaction logs, which are reviewed as part of the audit trail.
Equipment safeguards against external access
An ICX voting session is activated by a one-time voter smart card issued by an election official at the Vote Center, so a voting session cannot be started without a credential from a poll worker. In addition, the voting devices and tabulation computers are never connected to an external network (including the internet), so there is no path for someone to access the system remotely and alter software or election results; the remaining avenue, physical access, is controlled by the seals, chain-of-custody logs and Vote Center procedures described below. The only devices connected to an ICX are a certified printer and an Audio Tactile Interface (ATI). An ATI is an accessible device that allows a voter with a disability to use the ICX.
Clear Audit Trail
Each ICX ballot marking device prints a physical paper ballot that reflects the voter’s marked choices. Each ICX paper ballot is printed with an AuditMark, a visual audit trail that allows a voter to verify how the ballot marking device interpreted the voter’s choices. All audit reports, audit trail documents, databases, and election reports can be archived in hard copy and/or saved electronically to CD-ROM to preserve information as required by the Elections Code.
Equipment Designed for Secure Operation
Each individual ICX ballot marking device and its printer form a self-contained voting unit, independent of, and not networked to, other devices. This allows greater security and flexibility at Vote Centers: if an ICX device malfunctions, it does not affect the other ICX devices. This decentralized design is a significant advantage over locally networked electronic voting devices, which share a single point of failure.
The ICX voting system has two hours of battery backup to protect against power failures and interruption or stoppage of voting. No voter or ballot information is stored on any of the ICX ballot marking devices. The ICX’s sole purpose is to produce the paper ballot that is used to cast a voter’s vote.
Integrated Diagnostics and Internal Control
The ICX voting system uses error-checking techniques to ensure the accuracy of reading and writing digital data. Repeated data integrity checks ensure that only the authorized peripherals (the printer and the ATI) are connected.
The ICX voting system incorporates a durable commercial off-the-shelf tablet that has a capacitive touchscreen, which is commonly found in today’s tablets and smartphones. Voters will find the system intuitive and easy to use.
Voting System Transparency
Logic and Accuracy Testing
The accuracy of the ICX voting devices is tested by “Logic and Accuracy” testing before and after each election, as required by the Elections Code, to make certain that the voting system is working properly. Votes from a hand-tallied spreadsheet are entered on the ballot marking tablets. Printed totals from the voting system are then compared to the hand-counted results. Additional functional tests are performed manually on each voting device. The schedule of Logic and Accuracy testing and functionality testing is posted in advance of each election, and these testing sessions are open to the public.
Hash Testing/Version Control Testing
Before each election, version control (hash) testing is conducted to confirm that each component of the voting system is running the certified version of the vendor’s software and firmware: the cryptographic hash of each installed component is computed and compared against the hash published for the certified version, so that any altered, missing, or added file is detected.
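The check described above, as an added example that is not the County’s or the vendor’s tooling: it assumes the certifying authority publishes a manifest of SHA-256 digests for every file of the certified build, and the file names, contents and digests below are constructed for illustration. The comparison reports three classes of finding, because an added file is as much a version-control failure as a modified one.

```python
"""Version-control / hash check of voting-system software against a trusted manifest.

Added example, not San Mateo County's or Dominion's tooling. It assumes the
certifying authority publishes a manifest of SHA-256 digests for every file
of the certified build (the file names and contents below are constructed).
"""
import hashlib
import os


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Map relative path -> SHA-256 digest for an in-memory tree of files.

    In practice the trusted manifest comes from the certifying authority,
    not from the machine under test; this helper only exists so the example
    can fabricate one for the constructed 'known good' build.
    """
    return {path: sha256_hex(data) for path, data in files.items()}


def hash_tree(root: str) -> dict:
    """Read every regular file under `root` into memory, keyed by relative path.

    Feeds an installed system's files to verify_manifest(); the comparison
    itself works on bytes so it can be exercised without touching a disk.
    """
    out = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = fh.read()
    return out


def verify_manifest(installed: dict, manifest: dict) -> list:
    """Return a list of findings; an empty list means the install matches.

    Three classes of finding matter for a version-control test:
      * modified   - a listed file whose digest differs from the certified one
      * missing    - a listed file that is absent from the install
      * unexpected - a file present on the system but not in the manifest
    The last class is easy to forget and is where an added binary or script
    would hide, so it is reported rather than ignored.
    """
    findings = []
    for path, expected in sorted(manifest.items()):
        if path not in installed:
            findings.append(f"missing: {path}")
            continue
        actual = sha256_hex(installed[path])
        if actual != expected:
            findings.append(
                f"modified: {path} expected {expected[:12]}... got {actual[:12]}..."
            )
    for path in sorted(set(installed) - set(manifest)):
        findings.append(f"unexpected: {path}")
    return findings


# Constructed sample: a tiny "certified build", and an install with one
# altered binary and one extra script dropped in.
CERTIFIED_BUILD = {
    "bin/tabulator": b"certified tabulator binary v1.0 (constructed)",
    "bin/reporting": b"certified reporting binary v1.0 (constructed)",
    "etc/election.cfg": b"contest=1\nballot_style=A\n",
}
TRUSTED_MANIFEST = build_manifest(CERTIFIED_BUILD)

INSTALLED = dict(CERTIFIED_BUILD)
INSTALLED["bin/tabulator"] = b"certified tabulator binary v1.0 (constructed) + patch"
INSTALLED["bin/helper.sh"] = b"#!/bin/sh\necho not in the certified build\n"

if __name__ == "__main__":
    # To check a real install: verify_manifest(hash_tree("/path/to/install"), manifest)
    for line in verify_manifest(INSTALLED, TRUSTED_MANIFEST) or ["OK: install matches manifest"]:
        print(line)
```

The manifest must be obtained out of band (for example from the Secretary of State’s published hash values), never from the machine being tested, or the check only proves the machine agrees with itself.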
Post-Election Audits
Post-election audits are an essential step in the canvassing of an election, as well as a requirement for certifying election results. Currently, most post-election audits in California are conducted using the one percent manual tally, which involves choosing a random sample of one percent of all precincts from Vote Centers and one percent of batches of Vote by Mail ballots and hand-counting them against the machine results.
San Mateo County has piloted a Risk-Limiting Audit (RLA), a post-election audit procedure that gives a stronger guarantee on the outcome. Rather than counting a fixed one percent, an RLA draws a random sample of ballots whose size depends on the reported margin and keeps sampling until the evidence is sufficient; it provides a statistical guarantee, the risk limit, that if the reported outcome is wrong, the audit will detect it (by escalating to a full hand count) with a pre-specified probability.
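The sequential test at the heart of a ballot-polling RLA, as an added example that is not the County’s or the Secretary of State’s audit software. It implements BRAVO (Lindeman, Stark and Yates, 2012) for a two-candidate plurality contest: ballots are drawn at random, each drawn ballot is interpreted by hand, and a likelihood ratio against the hypothesis “the reported winner actually tied or lost” is updated until it exceeds 1 / risk limit. The reported tallies, the ballot list, and the seed are constructed; the `draw_sample` helper is an assumption about how the sample is taken.

```python
"""Ballot-polling risk-limiting audit (BRAVO) for a two-candidate plurality contest.

Added example, not the county's or the Secretary of State's audit software.
Reported tallies and sampled ballot interpretations below are constructed.
"""
import random


def reported_winner_share(reported: dict) -> tuple:
    """Return (winner, runner-up, winner's share of the two-candidate vote)."""
    ranked = sorted(reported, key=reported.get, reverse=True)
    w, l = ranked[0], ranked[1]
    s_w = reported[w] / (reported[w] + reported[l])
    if s_w <= 0.5:
        raise ValueError("reported outcome must have a strict winner")
    return w, l, s_w


def bravo(reported: dict, sample: list, risk_limit: float = 0.05) -> dict:
    """Run BRAVO over `sample`, a list of hand interpretations in draw order.

    Each interpretation is a candidate name, or None for an undervote or
    invalid ballot (which leaves the statistic unchanged).  The statistic
    starts at 1, is multiplied by s_w/0.5 for each ballot for the reported
    winner and by (1-s_w)/0.5 for each ballot for the runner-up, and the
    reported outcome is confirmed once it reaches 1/risk_limit.  Under the
    null hypothesis (true winner share <= 0.5) the probability of ever
    confirming is at most risk_limit.
    """
    w, l, s_w = reported_winner_share(reported)
    threshold = 1.0 / risk_limit
    t = 1.0
    for n, mark in enumerate(sample, start=1):
        if mark == w:
            t *= 2.0 * s_w          # evidence for the reported winner
        elif mark == l:
            t *= 2.0 * (1.0 - s_w)  # evidence against; shrinks t since s_w > 0.5
        if t >= threshold:
            return {"confirmed": True, "ballots_examined": n, "statistic": t}
    # Sample exhausted without reaching the threshold: in a real audit this
    # means drawing more ballots, and ultimately a full hand count.
    return {"confirmed": False, "ballots_examined": len(sample), "statistic": t}


def draw_sample(ballots: list, n: int, seed: int) -> list:
    """Pick n ballots without replacement from the ballot manifest order.

    In a real audit the seed comes from a public ceremony (for example dice
    rolled in front of observers) so nobody can predict which ballots will
    be pulled; a fixed integer is used here only to make the example repeatable.
    """
    return random.Random(seed).sample(ballots, n)


# Constructed contest: reported 6000 to 4000, so s_w = 0.6, and a physical
# ballot list consistent with the reported tallies.
REPORTED = {"Candidate A": 6000, "Candidate B": 4000}
BALLOTS = ["Candidate A"] * 6000 + ["Candidate B"] * 4000

if __name__ == "__main__":
    sample = draw_sample(BALLOTS, 400, seed=20191105)
    print(bravo(REPORTED, sample))
```

With a 60/40 reported result the statistic grows by a factor of 1.2 per winner ballot and shrinks by 0.8 per runner-up ballot, so a clean sample confirms in a few hundred ballots at most, while a closer reported margin pushes both factors toward 1 and the required sample grows sharply; that is what makes the audit “risk-limiting” rather than a fixed-percentage count.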
Other Security Measures and Procedures
Ensuring voters have access to accurate information is a key component of election integrity. VoteSure is the California Secretary of State’s initiative to provide voters with official, nonpartisan information about elections, and a portal to report false or misleading information.
Security at the San Mateo County Elections Office
All voting equipment and databases are located at the Elections Division building. This building has a security system with cameras. Access to the voting equipment warehouse, voter registration database servers, and the Vote by Mail area is restricted to staff with card keys. The voter registration servers are located behind locked doors with very limited access. The card keys create audit trails. In addition, ACRE has implemented a Disaster Recovery capability at a secured location in the event of a disaster occurring at the Elections Division building.
All visitors must sign in at the front counter and are escorted at all times by a staff member.
Established procedures such as “chain of custody” on all equipment, via logs, signature sheets, and an inventory control and tracking system using bar codes, establish tight control over voting equipment and machines. Paper ballots and the electronic storage components holding vote tallies are never handled by any single Elections employee or Election Officer alone.
All new staff undergo a background check through the Department of Justice (DOJ) and Federal Bureau of Investigation (FBI).
There is rigorous staff training to mitigate risks and cybersecurity breaches. Staff are required to complete an information security class each year.
Two-person integrity is enforced around voted ballots.
Election staff follow an onboarding procedure for new staff and assigning roles and security rights. When staff leave, offboarding procedures terminate computer system and building access.
Elections personnel follow an email usage policy that enforces best practices to protect sensitive data and guard against common email-based threats such as malware and malicious links delivered by spear phishing. Personnel awareness training combined with technical controls significantly reduces the threat posed by email-based attacks and user error.
Identifying and Eliminating Malicious Misinformation and Disinformation
Public-Facing Website Compromise
Although public-facing, official informational websites are not tied to the voting process, the information they provide aids in informing voters and helps to maintain confidence in the overall integrity of the elections process. In the event of a malicious attack against an official public-facing SMC website, substantial procedural and technical measures are in place to identify, mitigate, and remediate any such incident.
Security at Vote Centers
Voting devices are delivered to the Vote Centers before the beginning of the voting session and are kept in a secure location at each Vote Center. Each ballot-issuing device is stored inside a secure case sealed with a tamper-evident seal. The presiding Vote Center lead must verify that the correct seals are intact on the voting devices before they may be opened and used in the election. Vote Center staff also verify that all counts are zero before the opening of the polls.
Other Management and Operation Procedures
Internal management and operational procedures are crucial to the success and reliability of any voting system, including our previous optical scan system. The following procedures will be carried forward or instituted:
- An audit of the electronic tally of the number of votes cast is conducted against the number of voter signatures on Vote by Mail ballot return envelopes in the election.
- Vote Center Representatives are required to certify in writing that the proper locks and seals were found to be intact on the voting equipment before the polls open.
- Vote Center Representatives will be required to verify the voting system has no votes that have been pre-loaded into the system.
- A physical inventory of all voting devices will be conducted before and after each election to ensure custody of all voting devices is maintained.
- All procedures will be in writing. All Vote Center staff, early voting workers, county Elections staff, and central counting workers will undergo extensive training in both voting equipment operation and election law/procedures.