Cybertraps Podcast

This episode is a part of a special series of interviews conducted at the INCH360 Cybersecurity Conference in Spokane, Washington. Visit their website to learn more about INCH360 and their mission. 

In this episode, host Jethro Jones interviews Kevin McMahan, the Assistant Secretary of State for Washington. They discuss the Washington State elections process, measures in place to ensure election security, and the role of information security in state operations.

00:58 Role and Responsibilities
02:10 Ensuring Election Security
03:56 Logic and Accuracy Testing
01:17 Civic Engagement
07:35 Managing Information Security
10:28 Challenges and Solutions

What is Cybertraps Podcast?

We explore the risks arising from the use and misuse of digital devices and electronic communication tools. We interview experts in the fields of cybersafety, cybersecurity, privacy, parenting, and technology and share the wisdom of these experts with you!

[00:00:00] Welcome to the Cybertraps podcast. I am Jethro Jones, your host. You can find me on all the social networks at Jethro Jones. The Cybertraps podcast is a proud member of the BE Podcast Network. You can see all of our shows at bepodcast.network. And today on the show we have a special interview from the INCH360 conference.

That's the Inland Northwest Cybersecurity Hub. They put on a conference each year and I have the great fortune of being able to go to that conference and interview a bunch of people. So that's what you're going to hear on this episode. I hope you enjoy it. And if you want to learn more about INCH360, go to inch360.org.

Kevin, uh, welcome to the Cybertraps podcast. Thanks for being here. We're here at the INCH360 conference, uh, here in Spokane at the beautiful Gonzaga campus. You're from the Secretary of State's office. Can you tell us a little bit about what you do there?

Yeah. Uh, so I'm the Assistant [00:01:00] Secretary of State for Secretary Hobbs, and the portfolio that I have the privilege of managing is our Elections Division, um, and then a division called Information Security and Response. Think of that as, those are cyber professionals that reside within that division, and then we also do strategic messaging for the office.

And then I also have a newer program called Civic Engagement, uh, where we are engaging different communities throughout the state, uh, regarding civics. Just to make sure that individuals understand how to, for example, engage your elected officials or attempt to get an initiative on the ballot and things of that nature that most people kinda remember from high school or junior high but, uh, may have forgotten since then.

Yeah, definitely a lot of people have forgotten how to do that and how our voice still does matter. And as it's coming up to election season, I do want to talk a little bit about elections. So if we can start there, a lot of people across the country are talking about doing mail-in ballots.

Washington's been doing that for years. Can you talk [00:02:00] about how Washington keeps our elections secure and honest and true, and talk about what things you guys are doing to make sure that's the case?

Sure, uh, and it's one of the reasons why Secretary Hobbs is here today is to present that information to the audience, and he's going to basically walk everyone through the beginning of the ballot all the way till stored.

So a couple things on that. So as most people know, in Washington we are an all-by-mail state. One of the benefits of that all-by-mail state is that we retain that paper ballot. Depending upon the type of election that we're doing, for the upcoming 2024 general election, which is a presidential, we are required by law to retain that for 22 months.

And so if there is a question or someone wants to go back and say, Hey, we want to do a recount or we want to validate that the results of the election were what we were told, we have in our possession at the county level that all elections are done at the local level. So it's at the county [00:03:00] level and they're retained for 22 months, and so that paper ballot is really ideal for us to have that documentation and that kind of hard-copy proof of this is exactly what the electorate wanted and the voices of Washingtonians have been heard.

Yeah, and what I appreciate about that is that you have the physical record. And as voting machines have been implemented in other states, I've used digital voting machines, and there are concerns about those maintaining integrity during the elections, um, even though they're not connected to the internet. There have been ways that people have demonstrated how they could be hacked and things like that, and hacking a piece of paper is still possible, but it's definitely different in that you can't affect 3,000 ballots all at once.

And so, it seems to me that there are gradations of security around different election methods. Can you talk a little bit about that?

Yeah, I'd love to. So, within our state, and most states, but again, I will only [00:04:00] speak to Washington because I don't want to speak to the other states in the Union.

Our election or tabulation equipment is first and foremost certified at the national level before it even comes to our state. So the EAC, uh, which is a consortium of professionals that have both a technical background and some have an elections background, go through and make sure that the tabulation equipment that is used for elections has gone through its paces and is certified to basically generate the results that the ballots are providing, right?

Once that is done, that equipment then comes to the state of Washington where the Secretary of State is responsible for certifying that equipment again. And then from there, that equipment goes down to the counties, where the counties then will conduct their own certification test to make sure that it's met all the requirements that are required by RCW or WAC.

Then four times a year, and the reason why I say four times is, uh, we hold elections four times a year in the state of Washington. Approximately two weeks, anywhere from [00:05:00] two weeks to a week out of that election, we send a team from the Secretary of State's office that conducts a logic and accuracy test.

So we have a test ballot, um, that Kevin and Steve are going to run and there's a hundred ballots in there, but Kevin's 80 and Steve's going to have 20, right? So we already know what the results are. We run that, uh, logic and accuracy test to make sure that the tabulation machine generates the results that we already know beforehand as to what they're going to be, and then that's another validation that the system works.

The great thing about that logic and accuracy test is that we invite the public, and it is required for both public and private political parties to be present for that test to make sure that everyone understands that the system is working the way it's designed. And then at the conclusion of the actual election itself, we do what's called a risk-limiting audit, where we take those ballots that I talked about previously and we'll do randomly sampled districts, and then we will run that through an algorithm, and we can note that the [00:06:00] results of the election plus the random results that we did generates 99 point, and then it goes out about 16 digits. And so there's a number of levels in there that we make sure that both the systems are working appropriately, and then we do, obviously, a statistical validation that the results are accurate as well.

And then, if you had to, you could hand count everything and get all of them and know that they're right by human certification, right?

Yeah, and we just did that for the lands commissioner position here in the state of Washington. So during the primary, one of the individuals won the first place outright.

The number two and number three, there were some discrepancies there. Uh, a hand count was done at the request of the parties, uh, and also because of the existing law that we have on the dockets. Um, because of the number of differences between the second and third place, it was required by law for us, for the counties to do that, right?

That result then allowed us to go back by hand and we compared [00:07:00] what the results were and what, uh, the actual hand count was, and again, it, it synced up. Um, so we're, we're very proud and, uh, very supportive of the election officials and the hard work that they do at the local level and then the systems that they manage on a, on a consistent basis.

Yeah.

And the reason why that was necessary for the second and third place is because the top two go to the general election from the primary, right? Do I understand that right?

That's correct. Yeah. Our state is the top two, so if the top two candidates happen to be both Republicans or both Democrats or one's a Republican, one's a Democrat, it doesn't matter.

Top two advance to the general election.

Okay. So, uh, the other part of your work is focusing on this information security and things like that, which is what this conference is about. And so that affects more than just elections. There's a lot of other things, businesses, taxes, all that kind of stuff.

How do you manage that huge load of information security here in the state? And how do you liaison with private entities within the state [00:08:00] also?

Uh, for our office, uh, the Secretary of State is responsible, for example, for corporations and charities. So if you have a corporation or charity in our state, you go through our office to basically get that LLC or the, uh, the five, 509, 503, I always forget what the designate, yeah.

And then in addition to that, we have the state library, uh, we have the digital archives, so any documentation at the state level that goes to our digital archives and is retained for, um, for purposes, whether it's historical, or someone wants to go back and research, uh, information from a collegiate side of the house.

So the Information Security and Response Division that I spoke about earlier is responsible for maintaining the cyber protection of the entire office. What we did is we developed a team where we have a senior, a mid, and a journey level cyber security professional. We have a team of three here in eastern Washington and a team of three in western Washington.

They work for our Chief Information Security Officer. Uh, we did a little [00:09:00] unique thing in that we pulled our CISO out from the IT Division and have that individual report directly to the Division Director for Information Security and Response. It's a little bit different because we wanted to make sure that the emphasis of cyber and the protection that we want for our systems are in place.

We have a number of critical systems such as the centralized voter registration database here in the state of Washington called VoteWA. We've got our CCFS, which is our corporations and charities fiscal system. You know, so all these critical systems that we want to make sure are operational for Washingtonians require protection.

Uh, so we do, whether it's a pen test on an annual basis, um, have individuals come in and conduct an assessment, whether it's the cyber security and information security agency, it's always a mouthful, to, uh, assist us with that effort, uh, but we believe that we have really brought on a capable and competent team to ensure that the systems that are [00:10:00] utilized by our office and by the state itself are protected.

So I see some parallels between the election stuff and the information security part, in that it seems like there's a lot of work just to make sure that things work and that it's not just like, these are the tasks we need to do, but there's a lot of background work to make sure that those processes can be trusted and relied upon and things like that.

What would you add to that?

Yeah. Following the 20, and then during the 2020 elections, and then again during the 2022 midterm elections, we had a number of county auditors come back to us and say, Hey, a number of our constituents really want some proof as to how our systems work. And so what can you do to assist us with that?

So the team sat down and wrote a document up. So for example, we've got one county auditor who wants to be able to note that there is no Wi-Fi or any, uh, radio signals or anything that might have an opportunity to potentially influence [00:11:00] their elections office or the tabulation machine. And so we provided them recommendations as to what that looks like, or, go out and you can utilize this equipment.

In addition to that, one of the things that happened in October of 2023, uh, so it wasn't a midterm, but it was an election cycle that was going on, about two weeks before that election took place, we had a county, uh, get ransomware. Didn't necessarily impact the auditor's office, uh, but impacted other county capabilities.

And what we did, uh, basically did an after action review and came back and said, we've got to find a way to ensure that if that did happen to the county auditor, that we could provide a resource for where they could still conduct their election without any limitations. So we developed what we refer to as a go-kit, very inexpensive, about $2,000.

We have three of them that sit on the west side of the state, three that sit on the east side of the state. And what that allows us to do is to basically, you know, issue those out to the county. Uh, they have to have laptops or desktops that they know have not been compromised, uh, but then, [00:12:00] using some switching and, um, some additional equipment, we can get that operation back up very quickly.

We've tested that in six different counties. We've had some counties now turning around and saying, hey, we want to purchase one of these so that we don't have to borrow it from you. We own it ourselves. And one of the good things that Secretary Hobbs has been able to do is he secured additional funding from the state legislature when he came on board in 2022.

We're able to give 80,000 per year to a county to do election security, and that can be both physical or cyber related. And the only requirement we ask that the county have is what's called an Albert sensor. An Albert sensor is basically an intrusion detection system, and that provides that in-depth security capability and, uh, support that we think is so paramount, uh, not only for elections, but for the county itself to run, as well as the state. We have an Albert Center, Albert sensor on our network, to make sure that we're protected just like our locals are.

Yeah. So what do you want the [00:13:00] people of Washington to know about all this work that you're doing?

What is the key takeaway for them?

Yeah, so if it's specific to elections, what I would ask people to do, a couple different things. As I noted earlier, elections are all done at the local level, so go meet your county auditor or your election official. Ask to go through their training so that you can be an observer during the election itself.

Become educated and informed how elections work here in Washington so that when you see information, whether it's on social media, whether it's, or it's Thanksgiving and your crazy aunt or uncle are making comments that are just slightly off kilter, you are informed and have the information so you can go, that's actually not how this works in our state.

So, so go get informed. The other thing is, kind of back to that social media, um, there is so much information out there right now that people have a tendency to react, right? So, so take a pause. Go [00:14:00] to a source that you believe is very credible, uh, and then do your own research and investigation before you like, or you repost, or anything like that.

What we want to start to tamp down is that amplification of myths and disinformation that doesn't do our democracy, doesn't do our communities, and definitely doesn't do individuals a great deal of good. Specifically if it's incorrect, it's misleading, or it's just an outright lie.

Okay, very good.

Well, thank you very much, and I appreciate your time here at INCH360. I'm excited to hear Secretary Hobbs speak in just a moment, and thank you for your time chatting with us today, Kevin.

Thank you very much. It's been a pleasure. I appreciate the opportunity.