Election cybersecurity law urged as RI faces 60 million cyber ‘events’ a day

PROVIDENCE, R.I. (WPRI) — Rhode Island lacks a law mandating even basic election cybersecurity protocols despite state government experiencing tens of millions of cyber “attempts” per day, ranging from reconnaissance to attacks.

Experts told Target 12 Rhode Island’s secretary of state and Board of Elections have been proactive in implementing election cybersecurity safeguards. But those same experts also say those protections need to be enshrined in law.

Jade Borgeson, chief of staff at the Rhode Island Department of Administration, said the 60 million cyber “attempts” against state government each day come from “advanced persistent threat (APT) countries” such as Russia, Iran, North Korea, and Ukraine.

Borgeson said because of safeguards in place, there’s been “no compromise to state data” and “extremely limited impact” to Rhode Island constituents from the daily attempts.

State Representative Deb Ruggiero said the aftermath of the 2016 presidential election, with revelations of cyber attacks, highlighted the need for a state cybersecurity elections bill.

“It’s not a question of if, but it’s going to be a matter of when,” said Ruggiero. “And the state needs to be prepared.”

As the chair of the House’s Innovation, Internet and Technology Committee, Ruggiero introduced a bill in February that would have established a cybersecurity review board, required cybersecurity training for election officials, and created a cybersecurity incident response group.

The bill was filed on behalf of Secretary of State Nellie Gorbea.

It passed the House unanimously but died in the Senate. Greg Paré, a Senate spokesperson, told Target 12 the Senate could take up the bill again if it meets later this fall.

“Governors will change, secretaries of state will change, boards will change, but cyberattacks will always be here,” Ruggiero said.

The Board of Elections decided not to take a position on the bill, meaning it didn’t support the bill or oppose it.

Miguel Nunez, deputy director of elections at the BOE, said the board conducted cybersecurity and physical security audits of election facilities following elections in 2017 and 2019.

“On both occasions, the results were that the voting systems in Rhode Island were secure,” Nunez said.

But John Marion of Common Cause Rhode Island said there’s more work to do.

“We probably should codify some of the good practices that are just practices at this point,” Marion said. “A ransomware attack on election day could cripple our elections and could cripple peoples’ trust in our elections.”

Jesse Roberts, vice president of cybersecurity at Compass IT Compliance, has previously been invited to speak at the Rhode Island Joint Cyber Task Force meeting. He agreed with Marion.

“A bill mandating that the system is tested before every election is probably a good idea,” Roberts said.

Even though Roberts likes most of what he sees in the bill, he told Target 12 a section only briefly mentioned in the bill establishing “a third party assessment of election systems,”should be more prominent.

“Any body of government shouldn’t really audit themselves,” said Roberts. “There should always be an independent third party to audit.”

The Center for American Progress did a comprehensive analysis of election security in all 50 states in 2018. No states received an “A” grade.

Looking at New England states, Rhode Island and Connecticut both received “B” letter grades, while Massachusetts, Vermont, New Hampshire and Maine received “C” letter grades.

(Story continues below)

The CAP report concluded that while Rhode Island’s post-election audits are a good practice, the state allowing “some electronic absentee voting undermines overall effectiveness of these audits.”

The report concluded the state should “prohibit voters stationed or living overseas from returning ballots electronically.” Instead, ballots should be returned by mail or delivered in person.

Comments are closed.