The facts about transmission of unofficial election results.
In a few states it is a legal practice to use cellular modems to transmit unofficial election results after the polls are officially closed and all voting has ended. ES&S uses private network connectivity, industry best practices, and numerous security safeguards to protect the transfer of these unofficial election night results.
These early, unofficial results help the news media report results quickly on election night. Final official results are physically uploaded at election headquarters prior to the final certification of elections. The physical ballots and printed results tapes are always protected.
Below are the most frequently asked questions about modems and election firewall security.
How has ES&S made the modeming of unofficial election night results secure?
Our most recent configuration for jurisdictions that wish to send unofficial results on election night uses a mobile private network. This private network is specifically designed for high-security applications in critical infrastructure environments. This solution has been tested by state election authorities and federally accredited Voting System Test Laboratories (VSTLs), certified by multiple states and proven in several implementations. In this configuration, all transmissions are segregated from the public internet. By using a dedicated, private connection, the public internet’s best-effort routing paths are avoided, and concerns over data security are reduced. ES&S is currently working to obtain state certification approval of private networking for every customer who requires modeming and it is legally permissible in their state.
How does the private network work?
When a modem is provisioned on a private network, it is authenticated and authorized to ensure that it has been deployed for private network access. The modem is set up with specific codes to provide the proper level of authorization onto the private network, and each private network is assigned a unique access point name to ensure that only the provisioned modem communicates within the private network. Each private network is built with a dedicated connection using specific IP addresses assigned only to authorized devices which isolate the data from the public internet. The private network also uses a secure network protocol to enhance security measures by authenticating and encrypting all data.
How are Election Management Systems (EMS) segregated from the private network?
EMS programs, including Election Reporting Manager (ERM) and Electionware, run on hardened computer workstations, meaning they are locked down with allowed access only to the functions required to conduct an election. Unused ports are blocked, and unnecessary services are removed. Only the Data Communications (SFTP) server, which sits behind the firewall in what’s known as the DMZ, has any connection to the private network. Results reports and data exported from ERM/Electionware are copied to removable media when transferred outside of the secure EMS for external results reporting.
How does ES&S protect Election Management Systems that receive unofficial results by modem?
ES&S uses industry best practices to protect the Data Communications server (sometimes referred to as the Results Management System, or RMS) and EMS network segments. This is done through network segmentation, stateful packet inspection, and restricting access to ports and protocols required for secure election night results transmission. Firewalls are configured to only allow inbound connections on the DMZ network segment to traffic required for results transmission using industry-leading network security equipment. No other inbound or outbound connections are allowed based on the firewall configuration’s script tested by VSTLs and certified by states. Furthermore, the firewall is configured to use a VSTL-tested and state-certified firewall hardware, firmware and configuration script. On the internal network, only the EMS can initiate a data transfer connection to the Data Communications server. This is accomplished via a specific network port on a specific IP address per the certified configuration of the firewall. Per the firewall rules and certified configuration, direct connectivity from the outside (Internet) to the inside EMS network does not exist.
Who maintains the firewall located at a jurisdiction’s election headquarters?
ES&S performs the initial firewall installation for the majority of our customers who use modem transmission to ensure the firewalls are configured to the state-certified configuration. Once implemented, the ongoing EMS network administrative responsibility shifts from ES&S to the jurisdiction. By secure design, no remote management access is enabled on the firewall. All management duties must be performed while physically on-site at the firewall location and locally connected to the firewall. Due to the state-certified configuration, changes and updates to the firewall are prohibited outside of a state-approved Engineering Change Order (ECO) or new certified ES&S Voting System release. When changes to the firewall are approved by the State, ES&S works with jurisdictions to install the approved changes and confirm the certified functionality of the overall EMS.
What can jurisdictions do to further increase the security of unofficial modem transmissions?
ES&S strongly recommends that jurisdictions follow the Principle of Least Privilege and only power on and connect the firewall to external telecommunication networks when being tested or when in actual use.