Chicago City Wire

Thursday, April 25, 2024

Board of Election Commissioners of the City of Chicago met September 19.

Board of Election Commissioners of the City of Chicago met Sept. 19.

Here are the minutes provided by the Commissioners:

Board Members:

Marisel A. Hernandez, Chairwoman

William J. Kresse, Commissioner/Secretary (late arrival)

Jonathan T. Swain, Commissioner

Staff:

Lance Gough, Executive Director

Adam W. Lasker, General Counsel

James P. Allen, Communications Director [absent]

Audra Lewicki, Manager-Community Services

Lorel Blameuser, Manager-Purchasing

Bill Perez, Coordinator Hispanic Outreach

Geneva Morris, Videographer

Gary Rycyzyn, Consultant

Irish Sheehy

Guests:

Sandy Hed, Election Works

Helene Gabelnick, League of Women Voters of Chicago

Judd Ryan, ES&S

Tom Burt, ES&S

Adam Carbullido, ES&S

Brad Edwards, WBBM

Andrew Schroedter, WBBM

Mike Wrycle, WBBM

Norma Townsend, Dominion Voting

I. Call to Order: The meeting was called to order at 9:12 a.m.

II. Roll Call: The Chairwoman and Commissioner Swain were present. Commissioner Kresse was not yet present when the Roll was called.

III. Consideration of Agenda: The agenda was approved as presented.

IV. Approval of Minutes: Minutes of past meeting(s) - None to approve at this time.

V. Executive Director's Report

Executive Director Lance Gough recommended to the Chairwoman that the Board should go directly to Old Business - Electronic Poll Books [Section VI B of the agenda]. The Chairwoman agreed and directed the meeting to "Old Business."

A. Assistant Executive Director - No report at this time

B. Communications Director - No report at this time

VI. Old Business

A. Infrastructure Projects and Changes in Election Administration: Nothing to discuss at this meeting

B. Electronic Poll Books Electronic Systems & Software: Report on matters regarding the recent exposure of voter data files.

Three representatives from Election Systems & Software (ES&S) appeared before the Board to report on matters related to its recent exposure of voter data files and answer questions posed by the Board and its staff. From ES&S were: Mr. Tom Burt, President and CEO of ES&S, Mr. Judd Ryan, Vice President of Sales at ES&S and Mr. Adam Carbullido, Vice President of Product Development at ES&S.

Chairwoman Hernandez gave a brief overview of the situation that mandated the call of this Special Board Meeting:

• On Friday August a web security expert with the company UpGuard found what appeared to be a computer file containing Chicago voters' registration information.

• On Saturday August 12th, after the file was downloaded by UpGuard cyber risk analyst Mr. Chris Vickery, a representative of UpGuard alerted state and local agencies of the data exposure.

• The Chicago Board of Elections received an email at about 5:37 p.m. on Saturday August 12th inquiring about the file. The Board was told that the file was on an Amazon Web Services (AWS) server. Based on that information and based on a review of a sampling of the data, the Election Board staff quickly determined that the file was one used with our electronic poll books, which are managed by the Board vendor ES&S.

• Board staff alerted ES&S of the data exposure. By 9:44 p.m. on Saturday August 12, the server in question was shut down.

• The Election Board quickly determined that the issue did not involve any systems on the Board's websites or servers which are directly managed by the Election Board. No computer network systems or web sites directly managed by the Chicago Election Board were exposed at any time. The Board's web sites do not contain any personally identifiable information (PII) because the Board of Election recognizes the sensitive nature of that information and does not want any data exposure. As this data exposure situation was traced directly to ES&S, the Board asked ES&S to come before the Board to answer questions as to how the data was exposed, the subsequent investigation, and the steps taken to make certain that something like this is never repeated.

The Chairwoman asked the ES&S representatives if they had a statement to present before receiving questions.

Mr. Tom Burt presented ES&S' Statement:

• First Mr. Burt apologized to the entire Board of Elections for the City of Chicago. ES&S knows that this has caused a great deal of distraction and unnecessary work. It was ES&S's mistake and it sincerely apologizes to the Board of Elections and to the registered voters of the City of Chicago. Mr. Burt provided a brief summary of what occurred.

• Essentially, when ES&S set up a folder on Amazon Web Services (AWS), they set it up with the wrong security settings; they failed to set it to a private setting.

• As soon as ES&S was notified that the analyst at UpGuard had identified the data and downloaded it, ES&S immediately took the servers off-line. That occurred on Saturday August 12. By Monday August 14 ES&S had hired the private cyber security firm CrowdStrike to begin a forensic analysis to determine what had occurred. CrowdStrike's review of the logs from the AWS server showed that only a few IP addresses had accessed that AWS server, and that all of those IP addresses were known IP addresses from computers utilized by ES&S personnel.

• CrowdStrike also performed a series of dark web searches to see if any of the Board data was on the dark web or was being offered for sale. CrowdStrike's searches on the dark web turned up negative, i.e., there was no sign that any of this information was being offered for sale or was in the hands of any unknown party.

• Additionally, ES&S hired a second firm that specializes in dark web searches in order to have two different firms perform searches of the dark web. Those additional searches have also turned up negative. As such, both cyber security firms retained by ES&S reported that they have not identified any trace of this information on the dark web.

• Accordingly, to the best of ES&S' knowledge, Mr. Vickery was the only person outside of ES&S to have gained access to this data.

Discussion ensued, with each of the Board Members asking questions regarding the incident, the subsequent investigation, and the next steps to be taken. The three representatives of ES&S responded.

ES&S stated that the incident was caused by a distracted ES&S employee who failed to change the AWS server security setting to "private." Further, the management team at ES&S failed to audit the settings on the file. While the individual and the team have successfully performed this duty in the past, they failed in this instance.

ES&S has taken the employee and the management team responsible for the data exposure off of any Chicago Board of Elections' projects. Commissioner Swain and Chairwoman Hernandez were adamant that the individual and that management team never again work on a Board project or have access to Board data.

ES&S retained the Kroll firm to assist the Board in addressing voter concerns. Included in the notice that will be issued to voters will be a toll-free telephone number that voters can call if they have any questions. Additionally, voters will also be offered credit restoration services should their credit be impacted in any way. Kroll will be the main vehicle for voter support.

ES&S is moving its data away from Amazon Web Services (AWS) systems. ES&S originally chose AWS because of Amazon's long track record as a shared web server provider to many companies, including large enterprises. However, ES&S has been disappointed with AWS and plans to migrate to Microsoft Azure.

Commissioner Swain questioned ES&S as to the checks and balances in place both prior to the incident, and going forward.

ES&S stated that it has reviewed its policies regarding system/file rights and permissions and has restricted those privileges to two individuals, located internally at ES&S. Further, ES&S has implemented a policy whereby any changes to those rights or privileges require Vice-President level approval. Additionally, the management team, particularly Mr. Adam Carbullido, Vice President of Product Development at ES&S, will monitor weekly the activity on the Board's files entrusted to ES&S. ES&S enhanced its log-in and notification systems so as to track any activity or changes in the system.

ES&S also modified its data retention policy. ES&S had been storing this data with the intent of complying with the 22-month retention policy. It's clear that ES&S does not need to and is not under any obligation to do so. So, ES&S is no longer storing any customer data beyond when it's needed and ES&S will not be storing data on the cloud any more. ES&S has purged and removed all of the Chicago Board data. Going forward, any working files that ES&S holds will be stored on a secure internal storage location. All data will be encrypted using high level encryption algorithms for additional protection.

Chairwoman Hernandez had ES&S clarify that any Chicago Board of Election's voter registration data that is needed by ES&S will be stored internally and not on a web cloud server. Mr. Burt, President of ES&S, confirmed this. However, Mr. Ryan pointed out that the only exception is the process on Election Day when the cloud will need to be utilized in order to update the electronic poll books to reflect those who voted early or by mail. However, no storage will be done post-Election Day in the cloud.

All Board Members expressed their dismay at both the exposure and ES&S' lack of respect for the security of the Chicago voter data. ES&S was warned that serious repercussions may still be forthcoming, depending on the results of the continuing investigations, or if ES&S fails to secure the Chicago data, or fails to regain the confidence of the Board.

Chairwoman Hernandez reiterated that the Board of Elections takes every precaution to not put any of our voters' personal information on the Web. The Board recognizes the sensitive nature of that information and that securing this data is crucial to encourage 1.8 million people to register and vote. The Chairwoman told ES&S, "Let me say this without any hesitation and as clearly as possible, we expect you as our vendor to act with the highest integrity, with the highest competence and respect, and protect the information that we entrust to you. There will be severe repercussions and consequences if we learn of anything. This is not the end, we are still evaluating and assessing what we need to do."

Commissioner Swain voiced his concern that ES&S does not have or has not shown the reverence to the sensitive data that it should.

Commissioner Kresse had ES&S confirm that it is confident that no trace of Board data is present in the dark web and that no attempt at selling the data has been made on the dark web.

C. Voting Equipment - nothing to report at this time

D. Legislation - nothing to report at this time

VII. New Business - No new business

VIII. Legal Report - None

IX. Financial Report - None

X. Public Comment - None

XI. Executive Session - None

XII. Adjournment:

A motion to adjourn until the next regular meeting of September 26 at 9:00 a.m. was made by Commissioner Kresse and seconded by Commissioner Swain.

The motion passed by unanimous vote of the Board.

The meeting was adjourned at 9:55 a.m.

https://app.chicagoelections.com/documents/general/BoardMeetingMinutes-2017-09-19.pdf