Idaho Secretary of State Lawerence Denney said last week he would like to hire a cybersecurity specialist for his office to lead the state’s efforts to repel attempts to hack its election infrastructure. The new position would give Denney’s agency a full-time worker who can monitor and respond to threats against the state’s voter registration database and coordinate with clerks and other officials across Idaho’s 44 counties.
Denney made the formal request to members of the Idaho state legislature last Friday, though plans for the new position have their origin in the $3.2 million grant the state received last year from the U.S. Election Assistance Commission. According to a document Denney’s agency submitted to the EAC last July, Idaho would spend up to $220,000 in salary and benefits for a cybersecurity professional specializing in election issues.
“What we’re trying to do is have a point person who can watch all the alerts from the Department of Homeland Security and communicate out to the county clerks,” Kristie Winslow, a spokeswoman for Denney, told StateScoop. “It’s about prevention and making sure any systems related to this office don’t get hacked.”
Currently, Winslow said Idaho’s counties are practically on their own when it comes to responding to cyberthreats. While the Information Technology Services office led by longtime state Chief Information Officer Greg Zickau has cybersecurity personnel, Winslow said it doesn’t have anyone who specializes in election technology.
“We need someone who understands the election systems,” she said.
Idaho’s elections are relatively analog compared to other states’, with 100 percent of voters using hand-marked paper ballots that are counted by optical scanners not connected to any network, Winslow said. But the statewide voter registration system faces persistent cyberthreats, Denney said during his testimony last week.
The rural state is also in the process of installing new voter registration, election-night reporting, campaign finance and lobbyist registration systems. Denney’s office announced last August it had awarded a $4 million contract to Florida-based enterprise software firm Tenex to build the new systems, which are being rolled out over an 18-month period and replace software that was acquired in 2006.
But aging software isn’t the only risk Idaho’s voter registration database has faced. Until 2017, the state was one of many that participated in the Interstate Voter Registration Crosscheck Program, a database run by the Kansas secretary of state that collects voter registration information from participating states and looks for duplicates, with the claimed goal of rooting out fraudulent records. The program, in addition to finding many false positives, has also been found to have lax security protocols, including the hosting of its records on a server with a publicly accessible IP address. Idaho did not participate in Crosscheck last year.
Along with the new voter-registration and reporting systems and the planned cybersecurity position, Denney’s office is also expanding its security training for county-level officials. Last week, clerks and election supervisors gathered in Boise for a one-day exercise that included DHS, the Idaho National Guard and state Chief Information Security Officer Lance Wyatt. The exercise followed a playbook developed by Defending Digital Democracy, a program at Harvard University’s Belfer Center for Science and International Affairs, that simulates cyberattacks against election systems.
“For a lot it may have been an eye-opening experience,” Winslow said. “The exercise was OK. We have a baseline of where we are.”