Washington State
House of Representatives
Office of Program Research
BILL
ANALYSIS
State Government & Tribal Relations Committee
SB 5843
Brief Description: Concerning security breaches of election systems and election-related systems.
Sponsors: Senators Nguyen, Boehnke, Hasegawa, Hunt, Kuderer, Mullet, Nobles, Randall and Valdez; by request of Secretary of State.
Brief Summary of Bill
  • Requires every county to install and maintain an intrusion detection system to monitor their network and to disclose certain malicious activity or breaches of security of information technology systems.
  • Authorizes the Secretary of State to certify the results of an election if a county canvassing board refuses to certify the results of the election without cause.
  • Establishes violations and penalties related to election interference, including prohibited interference by election observers, destruction of voted ballots and certain election supplies and materials, interference with the operation of a voting center, and unauthorized access to election administration locations and systems.
Hearing Date: 2/14/24
Staff: Connor Schiff (786-7093).
Background:

Voting Systems
A "voting system" is the total combination of mechanical, electromechanical, or electronic equipment including the software, firmware, and documentation required to program, control, and support the equipment that is used to define ballots, cast and count votes, report or display election results, and maintain and produce any audit trail information.  The Secretary of State (Secretary) must inspect, publicly test, and certify all voting systems, or component of a system, prior to its use in the state. 

 

Voting System Security.
A manufacturer or distributor of a voting system or component that is certified by the Secretary must immediately disclose to the Secretary and Attorney General any breach of its system security if: 

  • the breach has, or is reasonably likely to have, compromised the security, confidentiality, or integrity of an election; or
  • personal information of residents in any state has been, or is reasonably believed to have been, acquired by an unauthorized person as result of the breach and the personal information was not secure. 

 

Voting System Security Reporting
The Secretary must annually consult with the Washington State Fusion Center, the State Chief Information Officer, and each county auditor to identify instances of security breaches of election systems or data.  The Secretary must identify whether the source of the breach is a foreign or domestic entity, to the extent possible.  Each year, the Secretary must submit a report to the Governor, State Chief Information Officer, Washington State Fusion Center, and appropriate legislative committees that includes information on any security breaches and options to increase security of the election systems and prevent future breaches.  

 

Shared Voter Registration System
The Secretary maintains a centralized statewide voter registration list that is the official list of eligible voters for all elections in the state.  Voter registration information received by each county auditor is electronically entered into the database.

 

Voting Centers
County auditors must open a voting center for each primary, special election, and general election.  Each voting center must provide, among other things, ballot materials and in-person voter registration.  

 

No person may interfere with a voter attempting to vote in a voting center.  Interference with a voter attempting to vote is punishable as a gross misdemeanor.

 

Any person who willfully defaces, removes, or destroys any supplies or materials that the person knows are intended for use in a voting center is guilty of a class C felony. 

 

Any person who tampers with or damages or attempts to damage any voting machine or device, prevents the correct operation of a voting machine, or any unauthorized person who makes or has in his or her possession a key to a voting machine, is guilty of a class C felony. 

 

Ballot Counting Observers
Washington permits voting by mail.  The county auditor or county canvasing board processes returned ballots.  County auditors must request that observers be appointed by the major political parties to be present during the processing of ballots at the counting center. 

 

Election Certification
Ten days after a special election, 10 days after a presidential primary, 14 days after a primary, and 21 days after a general election, a county canvassing board must complete the canvass and certify the results.  The county canvassing board must execute a certificate of the results of the election signed by all members of the board or their designee.  Failure to certify the returns, if they can be ascertained with reasonable certainty, is punishable as a class C felony. 

 

Election Staff
Every person with election duties who willfully neglects or refuses to perform such duties, or who, in the performance of such duty, fraudulently violates any of the provisions of law relating to the duty is guilty of a class C felony and must forfeit the person's office. 

 

Ballots
A person who knowingly destroys, alters, defaces, conceals, or discards a completed voter registration form or signed ballot declaration is guilty of a gross misdemeanor.  Any person who intentionally fails to return another person's completed voter registration form or signed ballot declaration to the proper state or county elections office by the applicable deadline is guilty of a gross misdemeanor.

 

Penalties
Class C felonies may be subject to a prison sentence not to exceed five years, a fine not to exceed $10,000, or both.  Gross misdemeanors may be subject to a prison sentence not to exceed 364 days, a fine not to exceed $5,000, or both.

Summary of Bill:

Voting System Security
Every county must install and maintain an intrusion detection system that passively monitors its voting system network for malicious traffic at all times by a qualified and trained security team with access to cyber-incident response personnel who can assist the county in the event of a malicious attack.  The system must support the unique security requirements of state, local, tribal, and territorial governments and possess the ability to receive cyber intelligence threat updates to stay ahead of evolving attack patterns. 

 

A county auditor or county information technology director participating in the shared voter registration system operated by the Secretary of State (Secretary) or operating a voting system that is certified by the Secretary must immediately disclose any malicious activity or information technology (IT) system security breach to the Secretary and Attorney General (AG) if:

  • malicious activity was detected by an IT intrusion detection system, a malicious domain blocking and reporting system, or an endpoint security software;
  • the breach has, or is reasonably likely to have, compromised the security, confidentiality, or integrity of election systems, IT systems used to support and manage election administration, or peripheral IT systems that support the auditor's office in day-to-day activities;
  • the breach has, or is reasonably likely to have, compromised the security, confidentiality, or integrity of an election within the state; or
  • personal information of residents in any state have been, or is reasonably believed to have been, acquired by an unauthorized person as result of the breach and the personal information was not secure.

 

Voting System Security Reporting
For purposes of the Secretary of State's annual report on election security breaches, "domestic entity" is defined as an entity organized or formed under the laws of the United States, a person domiciled in the United States, or a citizen of the United States.

 

Certification of Election Results
If the county canvassing board refuses to certify election results without cause, the Secretary of State may examine the records, ballots, and results of the election and certify the results of the election within two business days after the certification deadline. 

 

Violations and Penalties
Class C Felonies. 
While observing the processing of ballots, observers may not touch any ballots, ballot materials, or election systems.  Unauthorized physical contact or access to ballots or election systems is a violation punishable as a class C felony. 

 

Any person who willfully defaces, removes, or destroys any supplies or materials that the person knows are intended for use in a voting center, election office, ballot counting area, ballot storage area, or election system including materials and systems meant for enabling a voter to prepare the voter's ballot is guilty of a class C felony. 

 

Any person who willfully and without authority accesses or assists another person or entity with unauthorized access to a voting center, election office, ballot counting area, ballot storage area, or any election system, or provides unauthorized access to these locations to another person or entity, whether electronic or physical access, is guilty of a class C felony.

 

Any unauthorized person who accesses or assists another person or entity with unauthorized access to a voting center, election office, ballot counting area, ballot storage, or an election system, voting machine, or device to be used in a primary, special, or general election is guilty of a class C felony. 

 

Every person charged with the performance of any duty under state or local election laws, who provides unauthorized access to a person or entity to physical locations or electronic or physical access to election software or hardware used in any element of conduct of an election is guilty of a class C felony and must forfeit their office. 

 

Gross Misdemeanors. 
No person may interfere with the operation of a voting center.  Interference includes unauthorized access or handling of ballots and access to voting equipment or election systems.  Unauthorized access includes access by elected officials and county staff in a manner not required by their job function.  Interference with the operation of a voting center is punishable as a gross misdemeanor. 

 

A person who knowingly destroys, alters, defaces, conceals, or discards a voted ballot is guilty of a gross misdemeanor.  Any person who intentionally fails to return another person's voted ballot to the proper state or county elections office by the applicable deadline is guilty of a gross misdemeanor.

Appropriation: None.
Fiscal Note: Available.
Effective Date: The bill takes effect 90 days after adjournment of the session in which the bill is passed.