Interview with Lori Augino, Washington State Director of Elections, on Russia hacking attempts and modernizing state elections systems

Recently, the Washington State Secretary of State released a statement that the Department of Homeland Security had notified the office that Washington State was one of a number of states targeted by Russia in a hacking operation attempting to influence the 2016 election.

Just a few days before that announcement, the Secretary of State’s office released a request for proposals (RFP) that represented the most significant election system modernization effort the state had ever pursued.

As a result of those two news items, I interviewed Lori Augino. She serves as the Director of Elections in the Office of the Secretary of State under Kim Wyman.  I’ve edited the interview for length.

———————————

DJ: I’ve reviewed the RFP your office has released.  I know the timing of that has come out right as the news broke about Russia’s efforts to hack Washington State’s elections system.  Tell me about the background of your efforts to modernize the state elections system and the thinking that went into this RFP. 

Augino:  So back in 2014, Secretary Wyman convened a group of county election officials from across Washington and we kicked off a technology summit. So really the mission at that time was to start identifying our pain points. We knew at that time we had an eight-year-old system and that both Secretary Wyman and I from local election administration knew that we had an opportunity to make some improvements.

Our old system has struggled with the ability to adapt to changes in state law. Session after session after session you see me going to the legislature testifying “Yeah we can’t do that because our system won’t allow us to do that in a secure way.”  It didn’t happen quickly but we were talking about replacing a system that touches the responsibility of 39 elected officials, the elected county auditors across Washington. So that is an effort that took time because we had to build the support, we had to convene the right people, and really have a very thoughtful approach to issuing what we did.  So I swear to you we’re not making that up with I saw that we launched back in 2014.

DJ:  If you got all 39 county auditor elections officials to agree on anything that takes a lot of time, much less a full revamp of the system. And this is, let me just make sure I correctly understand. I assume all 39 officials agree with this RFP approach, or nobody has been obstinate or raised concerns?

Augino:  No, not at all. In fact we have letters of support from the Washington State Association of County Auditors, which went to the legislature during this last session.  So we had to get a funding package passed in this last session and the funding package was really that final piece that we needed to be able to issue the RFP. 

Security is absolutely a component of the RFP. It’s focused around meeting our business requirements, but something that we learned through our experience is that multi-factor authentication is a great thing to have in any new system that you’re looking at. So of course we built that in as a business requirement for our new system which will just help bring our security up even more. Our system is secure now, don’t get me wrong, but you have to learn from these new threats and these new threats are coming out every day. So paying attention to those and leveraging these partnerships so we have this partnership with Homeland Security now, you’ve got to leverage that partnership to ensure that they remain secure.

DJ: This seems like a pretty significant change in that my understanding is all or most of the 39 election officials and departments and auditors essentially run all of the printing, distribution, tabulation of ballots, and they must aggregate those totals and then they send those totals to the Secretary of State’s office. That’s the current system.  This new RFP looks like it’s a much deeper level of engagement with counties that has been the case before. In other words, the Secretary of State’s office is taking on more of the responsibility of elections than it has previously. Is that accurate?

Augino:  Let me step back, so when the Help America Vote Act (HAVA) passed back in the early 2000s that shifted responsibility for voter registration from the counties to the state. And the state at that time took a hybrid approach to how that technology would support the work of the county auditors. But remember, you didn’t have a smartphone back when HAVA passed and when the system that we have now was built. So looking at what was available from a technological perspective then, it was pretty darn state of the art. But what we have available to us now, light-years, I mean light-years ahead of where we were when the system was created.

So we can leverage technology in a much greater way that will help reduce our risk. Right now county auditors have to enter data about ballot measures or candidates in multiple locations. Imagine the risk that could ensue from having to enter that and prove it in so many different places. We need to better leverage technology to reduce some of those risks.

But that federal law really back then shifted the responsibility.

Now this is not touching tabulation. County auditors have the full responsibility now. We do certify the voting systems that can be used in counties, but the county auditors are responsible for selecting that technology and for supporting the tabulation side of their operations and this RFP doesn’t go there. Essentially the modernization effort is everything but tabulation. We want to leverage technology in a better way.

DJ: I know elections officials have been concerned about technology and elections integrity before this election, really since elections were first held.  But these concerns were not usually threats from a foreign nation. How has this specific experience of Russia attempting to hack Washington State’s elections in 2016 informed the modernization effort moving forward, and specifically the attacks from foreign nations.

Augino:  So I would talk to you about that one example, perhaps that multi-factor authentication and using that as a requirement for administrators to login to the system. That’s one example. But we also rely on our state’s Office of the Chief Information Officer. They have policies that are in place and this modernization effort ties to those policies so that we’re ensuring that any vendor that’s responding is going to have to meet those security standards, whether they’re fiber security standards, or even potentially physical security standards. Those are things we tie to in this RFP to ensure that the system that we have is just as secure, if not more secure than what we have in place now.

DJ: It sounds like those are reasonable and smart ideas certainly multi-factorial identification, falling in line with Chief Information Officer about state protocols, these seem like best practices to follow. Those also sound like things that would have been the right, smart things to do before we became aware in the last 12 months about threats to our state and county election systems. Has the Secretary of State’s office changed the modernization scope or thought differently about modernization as a direct result of the Homeland Security news, public and private, or attacks on the systems? Has that information changed the modernization in any way?

Augino:  Well we’re consistently evolving, we’re, I’ll give you an example, last year right before the general election we partnered with Homeland Security and we’re one of the states that’s been working very closely with them and taking recommendations, making the adjustments, I won’t get into too much detail because some of it you don’t talk about because you have to make sure your system remains secure. But following best practices that we’re learning from that partnership with Homeland Security applying that to the system that we already have and then of course that would still apply to any system that we would put in in the future. Does that make sense?

DJ:  Respectfully, I still don’t hear that there have been changes to the modernization effort that are a direct result of this knowledge other than implementing best practices.  Are there things you’re doing differently as a result of this knowledge about Russia?

Augino:  We have developed essentially a new partnership with and are continuing to work with Homeland Security in new ways.  And really it’s mostly about communication. There’s definitely more work that can be done in augmenting some of the security standards, but the biggest challenge that I’ve seen is just helping Homeland Security know who to talk to when there are threats against elections sector. So that clearly wasn’t in place in 2016 and election officials have been fighting, Secretary Wyman and myself have been working hard to ensure those lines of communications will be open so those mistakes are not made again.

Prior to 2016, it wasn’t a common occurrence for election officials to talk to Homeland Security. Now, I probably talk with them every couple of weeks, if not more.