March 7, 2017

Office of Procurement Services
Commonwealth of Kentucky
702 Capital Avenue
Room 096
Frankfort, Kentucky 40601

Dear Office of Procurement Services:

This correspondence is intended to provide justification for the decision to sole-source the contracting of an elections security audit and assessment project to advise the Kentucky State Board of Elections on how best to ensure the security and privacy of its election processes and election data, now and in the future.

After reviewing the Kentucky State Board of Elections' needs, CyberScout and Nordic Innovations Labs realize they can assemble one team that can deliver a unique elections security and audit assessment solution. Together, the team brings a set of capabilities to the effort that simply will not be identified in any other firm or team. These capabilities include:

- A highly-regarded expert in the exact type of voting elections technology that Kentucky utilizes in its elections in its 120 counties, as well as the specific attacks that can lead to disruptions or inaccuracies in the voting process. This expert was able to hack voting machines in Ohio and Florida during testing, altering vote counts in several different previously undiscovered ways and garnering national recognition. The expert's level of industry experience is unmatched.
- A group that protects 770,000 organizations in the public and private sector from having their identity information breached. This kind of experience brings unique abilities to identify and fix the issues with how Kentucky protects the privacy of its voter rolls.
- An expert in auditing of voting processes who has participated in post-election review processes in a number of states, including Colorado, Connecticut, and Florida, and has advised the Secretary of State's office of California on best auditing practices.
  This expert's firm submitted expert witness testimony as to voting machine security for the recounts conducted in Michigan, and Wisconsin for the 2016 election.
- A privacy expert with elite credentials in guiding change to processes and systems in such a way that security issues are not introduced during periods of change, as Kentucky hopes to do over the next year.

Ours is a small team with limited overhead, and the skillset we bring is a unique fit with what Kentucky needs. Our team is ready and equipped to respond immediately to tackle this important and necessary endeavor.

Kentucky's elections security audit and assessment has four primary objectives:

| Objective | Unique capability |
| --- | --- |
| 1) Determining and mitigating the risks in how the Kentucky State Board of Elections protects the identities of its registered voters. | Eric Hodge leads the Consulting Practice at CyberScout, a firm that protects identity of more organizations in public and private sectors than any other. Together with Harri Hursti and Margaret McAlpine from NordicLabs, the team's government experience includes the Commonwealth of Massachusetts, and voter privacy work in Ohio and California during recent elections. |
| 2) Identifying and recommending actions to mitigate the shortcomings in the security of the voting process. These actions are likely to include changes to process, oversight, and potentially configuration of the voting machines and systems. The focus will be on improving awareness about the known weaknesses of the systems and putting controls in place to limit the risk that these weaknesses present. | Our team's voting infrastructure expert, Harri Hursti, has unmatched experience with the very voting infrastructure that the Commonwealth of Kentucky uses. Mr. Hursti is one of the most highly regarded consultants in the world in the field of detecting security vulnerabilities in the voting machines and systems that are in use across the Commonwealth of Kentucky. He was awarded the prestigious EFF Pioneer Award (an annual prize presented by the Electronic Frontier Foundation for people who have made significant contributions to the empowerment of individuals in using computers) for his work with voter security in 2009. |
| 3) Reviewing whether the data integrity and attribution of votes is sufficient enough that the risk of inaccuracy in post-election recounts and audits will be limited. This will include ensuring that the technical, procedural, and organizational controls surrounding the validity of the vote counts and the votes themselves are sound and suggesting remediation where there is room for improvement. The aim is to ensure that the process from selection of an option in the voting booth to having a reviewable and reliable data set of voter outcomes is sound. | Our team's elections technology auditing expert, Margaret McAlpine, has performed audits in CO, FL, and CT and advised the Secretary of State of CA to help them assure the accuracy of their machines. Nordic Innovation Labs submitted expert witness testimony for the 2016 recounts in PA, MI, and WI. |
| 4) Advising the Kentucky State Board of Elections on security and privacy risks inherent in its new voter-related initiatives as they are deployed in 2017. For example, in 2017 the Kentucky State Board of Elections will deploy electronic poll books statewide. Our team will effectively assist with the security and integrity of this deployment. The team has implemented components of ePollbooks and has reviewed security controls for a number of ePollbooks instances. | Our thought-leader in Privacy, Lisa Berry-Tayman, carries the prestigious Fellow in Privacy credential and years of success in guiding change to processes and systems that ensure outstanding security. |

No other team possesses such focused expertise in elections security and auditing to adequately consider and address elections processes in the Commonwealth of Kentucky. The infrastructure involved in the voting process is very different from traditional network infrastructure, and properly ensuring its security requires the sort of specialized expertise that is not found in general IT risk and audit firms.

Moreover, our expertise will assist the Kentucky State Board of Elections in providing consistency and continuity across the full scope of the project. Using a single team for all four of these interconnected objectives will allow the Kentucky Board of Elections to receive the best possible advice from beginning to end. For example, risks identified during the identity protection and voter security phases will inform decisions that will need to be made later in the year, as the Kentucky Board of Elections rolls out new initiatives, like ePollBooks, real-time elections tracking, and voter outreach.

Having performed similar work in other states, the team estimates that the fees and duration of the effort to meet each objective would be:

| Objective | Estimated Fees | Duration |
| --- | --- | --- |
| 1 - Voter roll privacy | $78,000 | 8 weeks |
| 2 - Feasibility study for election technology security | $150,000 | 9 weeks |
| 3 - Auditing election systems to increase confidence in results | $40,000 | 4 weeks |
| 4 - Advising on maintaining security during planned changes in 2017 | $36,000 | Ongoing over the course of 2017 |
| TOTAL | $304,000 | |

However, the team will need to understand the scope and complexity of Kentucky's election technology and processes before committing to fees and timing.
We are eager to provide more information or examples regarding our experience and abilities. Thank you for your consideration.

Sincerely,

Eric Hodge
Director of Consulting, CyberScout