HOUSE BILL REPORT
SB 5843
As Passed House:
February 27, 2024
Title: An act relating to security breaches of election systems and election-related systems.
Brief Description: Concerning security breaches of election systems and election-related systems.
Sponsors: Senators Nguyen, Boehnke, Hasegawa, Hunt, Kuderer, Mullet, Nobles, Randall and Valdez; by request of Secretary of State.
Brief History:
Committee Activity:
State Government & Tribal Relations: 2/14/24, 2/20/24 [DP].
Floor Activity:
Passed House: 2/27/24, 58-37.
Brief Summary of Bill
  • Requires every county to install and maintain an intrusion detection system to monitor their network and to disclose certain malicious activity or breaches of security of information technology systems.
  • Authorizes the Secretary of State to certify the results of an election if a county canvassing board refuses to certify the results of the election without cause.
  • Establishes violations and penalties related to election interference, including prohibited interference by election observers, destruction of voted ballots and certain election supplies and materials, interference with the operation of a voting center, and unauthorized access to election administration locations and systems.
HOUSE COMMITTEE ON STATE GOVERNMENT & TRIBAL RELATIONS
Majority Report: Do pass.Signed by 4 members:Representatives Ramos, Chair; Stearns, Vice Chair; Gregerson and Mena.
Minority Report: Do not pass.Signed by 1 member:Representative Christian, Assistant Ranking Minority Member.
Minority Report: Without recommendation.Signed by 2 members:Representatives Cheney, Ranking Minority Member; Low.
Staff: Connor Schiff (786-7093).
Background:

Voting Systems
A "voting system" is the total combination of mechanical, electromechanical, or electronic equipment including the software, firmware, and documentation required to program, control, and support the equipment that is used to define ballots, cast and count votes, report or display election results, and maintain and produce any audit trail information.  The Secretary of State (Secretary) must inspect, publicly test, and certify all voting systems, or components of a system, prior to its use in the state. 

 

Voting System Security.
A manufacturer or distributor of a voting system or component that is certified by the Secretary must immediately disclose to the Secretary and Attorney General any breach of its system security if: 

  • the breach has, or is reasonably likely to have, compromised the security, confidentiality, or integrity of an election; or
  • personal information of residents in any state has been, or is reasonably believed to have been, acquired by an unauthorized person as a result of the breach and the personal information was not secure. 

 

Voting System Security Reporting
The Secretary must annually consult with the Washington State Fusion Center, the State Chief Information Officer, and each county auditor to identify instances of security breaches of election systems or data.  The Secretary must identify whether the source of the breach is a foreign or domestic entity, to the extent possible.  Each year, the Secretary must submit a report to the Governor, State Chief Information Officer, Washington State Fusion Center, and appropriate legislative committees that includes information on any security breaches and options to increase security of the election systems and prevent future breaches.  

 

Shared Voter Registration System
The Secretary maintains a centralized statewide voter registration list that is the official list of eligible voters for all elections in the state.  Voter registration information received by each county auditor is electronically entered into the database.

 

Voting Centers
County auditors must open a voting center for each primary, special election, and general election.  Each voting center must provide, among other things, ballot materials and in-person voter registration.  

 

No person may interfere with a voter attempting to vote in a voting center.  Interference with a voter attempting to vote is punishable as a gross misdemeanor.

 

Any person who willfully defaces, removes, or destroys any supplies or materials that the person knows are intended for use in a voting center is guilty of a class C felony. 

 

Any person who tampers with or damages or attempts to damage any voting machine or device, prevents the correct operation of a voting machine, or any unauthorized person who makes or has in his or her possession a key to a voting machine, is guilty of a class C felony. 

 

Ballot Counting Observers
Washington permits voting by mail.  The county auditor or county canvassing board processes returned ballots.  County auditors must request that observers be appointed by the major political parties to be present during the processing of ballots at the counting center. 

 

Election Certification
Ten days after a special election, 10 days after a presidential primary, 14 days after a primary, and 21 days after a general election, a county canvassing board must complete the canvass and certify the results.  The county canvassing board must execute a certificate of the results of the election signed by all members of the board or their designee.  Failure to certify the returns, if they can be ascertained with reasonable certainty, is punishable as a class C felony. 

 

Election Staff
Every person with election duties who willfully neglects or refuses to perform such duties, or who, in the performance of such duty, fraudulently violates any of the provisions of law relating to the duty is guilty of a class C felony and must forfeit the person's office. 

 

Ballots
A person who knowingly destroys, alters, defaces, conceals, or discards a completed voter registration form or signed ballot declaration is guilty of a gross misdemeanor.  Any person who intentionally fails to return another person's completed voter registration form or signed ballot declaration to the proper state or county elections office by the applicable deadline is guilty of a gross misdemeanor.

 

Conviction of a Public Officer

The conviction of a public officer of any felony or malfeasance in office requires, in addition to any other penalty imposed, the forfeiture of the individual's office.  The individual is disqualified from holding any public office in the state. 

 

Penalties
Class C felonies may be subject to a prison sentence not to exceed five years, a fine not to exceed $10,000, or both.  Gross misdemeanors may be subject to a prison sentence not to exceed 364 days, a fine not to exceed $5,000, or both.

Summary of Bill:

Voting System Security
Every county must install and maintain an intrusion detection system that passively monitors its voting system network at all times for malicious traffic and is supported by a qualified and trained security team with access to cyber-incident response personnel who can assist the county in the event of a malicious attack.  The system must support the unique security requirements of state, local, tribal, and territorial governments and possess the ability to receive cyber intelligence threat updates to stay ahead of evolving attack patterns. 

 

A county auditor or county information technology director participating in the shared voter registration system operated by the Secretary of State (Secretary) or operating a voting system that is certified by the Secretary must immediately disclose any malicious activity or information technology (IT) system security breach to the Secretary and Attorney General if:

  • malicious activity was detected by an IT intrusion detection system, a malicious domain blocking and reporting system, or an endpoint security software;
  • the breach has, or is reasonably likely to have, compromised the security, confidentiality, or integrity of election systems, IT systems used to support and manage election administration, or peripheral IT systems that support the auditor's office in day-to-day activities;
  • the breach has, or is reasonably likely to have, compromised the security, confidentiality, or integrity of an election within the state; or
  • personal information of residents in any state has been, or is reasonably believed to have been, acquired by an unauthorized person as a result of the breach and the personal information was not secure.

 

Voting System Security Reporting
For purposes of the Secretary of State's annual report on election security breaches, "domestic entity" is defined as an entity organized or formed under the laws of the United States, a person domiciled in the United States, or a citizen of the United States.

 

Certification of Election Results
If the county canvassing board refuses to certify election results without cause, the Secretary of State may examine the records, ballots, and results of the election and certify the results of the election within two business days after the certification deadline. 

 

Violations and Penalties
Class C Felonies. 
While observing the processing of ballots, observers may not touch any ballots, ballot materials, or election systems.  Unauthorized physical contact or access to ballots or election systems is a violation punishable as a class C felony. 

 

Any person who willfully defaces, removes, or destroys any supplies or materials that the person knows are intended for use in a voting center, election office, ballot counting area, ballot storage area, or election system including materials and systems meant for enabling a voter to prepare the voter's ballot is guilty of a class C felony. 

 

Any person who willfully and without authority accesses or assists another person or entity with unauthorized access to a voting center, election office, ballot counting area, ballot storage area, or any election system, or provides unauthorized access to these locations to another person or entity, whether electronic or physical access, is guilty of a class C felony.

 

Any unauthorized person who accesses or assists another person or entity with unauthorized access to a voting center, election office, ballot counting area, ballot storage, or an election system, voting machine, or device to be used in a primary, special, or general election is guilty of a class C felony. 

 

Every person charged with the performance of any duty under state or local election laws, who provides unauthorized access to a person or entity to physical locations or electronic or physical access to election software or hardware used in any element of conduct of an election is guilty of a class C felony and must forfeit their office. 

 

Gross Misdemeanors. 
No person may interfere with the operation of a voting center.  Interference includes unauthorized access or handling of ballots and access to voting equipment or election systems.  Unauthorized access includes access by elected officials and county staff in a manner not required by their job function.  Interference with the operation of a voting center is punishable as a gross misdemeanor. 

 

A person who knowingly destroys, alters, defaces, conceals, or discards a voted ballot is guilty of a gross misdemeanor.  Any person who intentionally fails to return another person's voted ballot to the proper state or county elections office by the applicable deadline is guilty of a gross misdemeanor.

Appropriation: None.
Fiscal Note: Available.
Effective Date: The bill takes effect 90 days after adjournment of the session in which the bill is passed.
Staff Summary of Public Testimony:

(In support) The Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency recently reiterated to the Secretary of State that nation-states and criminals are trying to exploit state, local, tribal, and territorial government infrastructure.  In the last six months, there have been many attacks.  A passive sensor would notify a county of a breach and counties would have a team that could respond to an attack.  The Secretary of State would know to put in additional levels of protection to protect VoteWA when attacks occur.  The bill closes a loophole by addressing domestic attacks.  The Secretary of State would be able to certify election results if a county refuses to certify an election without cause. 


(Opposed) The bill would be mandating installation of the Albert sensor system and is targeting three counties.  The requirement conflicts with county authority.  Local governments are not inept and have professional expertise.  Local governments choose systems that work best for their specific needs.  Local information technology staff are the local experts.  Counties should have control over their data and who see it.  The state would need to create a new authority to have the Secretary of State prescribe these requirements.  Local governments should not have liability if required to have certain security components.  County security systems are secure and counties take data security seriously.  There are many questions about the Albert system.  Counties have limited information on what the Albert system does.  Counties have to ask permission to make any changes under that system, which is an affront to local control.  Counties look for innovative ways to make sure data is safe.  

Persons Testifying:

(In support) Kevin McMahan, Office of the Secretary of State.

(Opposed) Rob Coffman, Lincoln County; and Tom Gaines, Grant County Washington.
Persons Signed In To Testify But Not Testifying: None.