Read the full stored bill text
AN ACT Relating to election security; amending RCW 29A.12.050 and 1
29A.12.180; adding a new section to chapter 29A.12 RCW; and creating 2
a new section. 3
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF WASHINGTON:4
NEW SECTION. Sec. 1. (1) The legislature finds that the 5
electronic and physical security of election and voting 6
infrastructure are of primary importance, and wishes to require new 7
security requirements. The legislature further finds that:8
(a) Requiring the use of the ".gov" top-level domain on all 9
websites and email communication reduces opportunities for confusion 10
and cyber threats. The ".gov" top-level domain is managed by the 11
United States department of homeland security through the 12
cybersecurity and infrastructure security agency, is limited to bona 13
fide government agencies, and features fraud prevention controls. 14
There is no fee charged to adopt a ".gov" top-level domain.15
(b) Requiring the partitioning of internal government networks, 16
servers, and other supporting electronic infrastructure separate from 17
other electronic equipment housed in the same location or locations 18
can also provide a more secure environment. Partitioning means 19
physically and electronically separating election and voting 20
infrastructure from other county assets with the goal of reducing 21
Z-0158.2
SENATE BILL 5014
State of Washington 69th Legislature 2025 Regular Session
By Senators Boehnke, Bateman, Chapman, Dozier, Hasegawa, Liias,
Nobles, Riccelli, Valdez, and Wellman; by request of Secretary of
State
Prefiled 12/05/24. Read first time 01/13/25. Referred to Committee
on State Government, Tribal Affairs & Elections.
p. 1 SB 5014
vulnerability to attacks that may occur on other parts of a county's 1
cyber infrastructure. Partitioning also allows access to the 2
infrastructure to be more tightly controlled and monitored.3
(c) Because the secretary of state and county election offices 4
are electronically interconnected and speedy communication with the 5
state when a county is under attack or has suffered a security breach 6
is imperative, requiring all vendors supporting county or state cyber 7
assets to communicate to the secretary of state and the attorney 8
general immediately after detecting a breach or successful cyber 9
attack against their assets is necessary to maintain security.10
(2) The legislature intends to require adoption of these security 11
measures in all county election offices as soon as practicable, but 12
no later than July 1, 2027. 13
Sec. 2. RCW 29A.12.050 and 2003 c 111 s 305 are each amended to 14
read as follows: 15
((If voting )) (1) The secretary of state must approve systems 16
used in the conduct of elections prior to the system being used in 17
conducting any primary or election, including the following:18
(a) Voting systems ((or)), voting devices, or vote tallying 19
systems ((are to be used for conducting a primary or election, only 20
those that have the approval of the secretary of state or had been )), 21
unless approved under this chapter or the former chapter 29.34 RCW 22
before March 22, 1982((, may be used));23
(b) Any mechanical, electromechanical, or electronic equipment or 24
platform, including software, firmware, or hardware that is used to 25
provide voter assistance. This includes equipment or platforms used:26
(i) In issuing a ballot;27
(ii) To facilitate voters' response to a required notice;28
(iii) To provide an electronic means for submission of a ballot 29
declaration signature under RCW 29A.60.165; or30
(iv) To issue, authenticate, or validate voter identification; 31
and32
(c) Any component part of a voting system that the secretary of 33
state determines requires prior approval before use in an election or 34
primary. ((Any))35
(2) The secretary of state may, after review, determine that a 36
modification, change, or improvement to any voting system or 37
component of a system ((that)) does not ((impair its accuracy, 38
efficiency, or capacity or extend its function, may be made without )) 39
p. 2 SB 5014
require a full reexamination or reapproval by the secretary of state 1
under RCW 29A.12.020. 2
Sec. 3. RCW 29A.12.180 and 2024 c 28 s 1 are each amended to 3
read as follows: 4
(1) A manufacturer or distributor of a voting system or component 5
of a voting system that is certified by the secretary of state under 6
RCW 29A.12.020 shall disclose to the secretary of state and attorney 7
general any breach of the security of its system immediately 8
following discovery of the breach if: 9
(a) The breach has, or is reasonably likely to have, compromised 10
the security, confidentiality, or integrity of an election in any 11
state; or 12
(b) Personal information of residents in any state was, or is 13
reasonably believed to have been, acquired by an unauthorized person 14
as a result of the breach and the personal information was not 15
secured. For purposes of this subsection, "personal information" has 16
the meaning given in RCW 19.255.010. 17
(2) Every county must install and maintain an intrusion detection 18
system that passively monitors its network for malicious traffic 24 19
hours a day, seven days a week, and 365 days a year by a qualified 20
and trained security team with access to cyberincident response 21
personnel who can assist the county in the event of a malicious 22
attack. The system must support the unique security requirements of 23
state, local, tribal, and territorial governments and possess the 24
ability to receive cyberintelligent threat updates to stay ahead of 25
evolving attack patterns. 26
(3) A county auditor or county information technology director of 27
any county, participating in the shared voter registration system 28
operated by the secretary of state under RCW 29A.08.105 and 29
29A.08.125, or operating a voting system or component of a voting 30
system that is certified by the secretary of state under RCW 31
29A.12.020 shall disclose to the secretary of state and attorney 32
general any malicious activity or breach of the security of any of 33
its information technology (IT) systems immediately following 34
discovery if: 35
(a) Malicious activity was detected by an information technology 36
intrusion detection system (IDS), malicious domain blocking and 37
reporting system, or endpoint security software, used by the county, 38
the county auditor, or the county election office;39
p. 3 SB 5014
(b) A breach has, or is reasonably likely to have, compromised 1
the security, confidentiality, or integrity of election systems, 2
information technology systems used by the county staff to manage and 3
support the administration of elections, or peripheral information 4
technology systems that support the auditor's office in the office's 5
day-to-day activities; 6
(c) The breach has, or is reasonably likely to have, compromised 7
the security, confidentiality, or integrity of an election within the 8
state; or 9
(d) Personal information of residents in any state was, or is 10
reasonably believed to have been, acquired by an unauthorized person 11
as a result of the breach and the personal information was not 12
secured. For purposes of this subsection, "personal information" has 13
the meaning given in RCW 19.255.005. 14
(4) A manufacturer of, distributor of, or organization contracted 15
to provide support to, the voter registration database system 16
required by RCW 29A.08.125, the official voter list required by RCW 17
29A.08.105, or systems or components of the voter registration system 18
used by the secretary of state shall disclose to the secretary of 19
state and attorney general any security breach of any of that 20
organization's systems immediately following discovery of the breach 21
if:22
(a) The breach has, or is reasonably likely to have, compromised 23
the security, confidentiality, or integrity of an election in any 24
state; or25
(b) Personal information of residents in any state was, or is 26
reasonably believed to have been, acquired by an unauthorized person 27
as a result of the breach and the personal information was not 28
secured. For purposes of this subsection, "personal information" has 29
the meaning given in RCW 19.255.010.30
(5) For purposes of this section: 31
(a) "Malicious activity" means an external or internal threat 32
that is designed to damage, disrupt, or compromise an information 33
technology network, as well as the hardware and applications that 34
reside on the network, thereby impacting performance, data integrity, 35
and the confidentiality of data on the network. Threats include 36
viruses, ransomware, trojan horses, worms, malware, data loss, or the 37
disabling or removing of information technology security systems.38
(b) "Security breach" means a breach of the election system, 39
information technology systems used to administer and support the 40
p. 4 SB 5014
election process, or associated data where the system or associated 1
data has been penetrated, accessed, or manipulated by an unauthorized 2
person. The definition of breach includes all unauthorized access to 3
systems by external or internal personnel or organizations, including 4
personnel employed by a county or the state providing access to 5
systems that have the potential to lead to a breach.6
(((5))) (6) Notification under this section must be made in the 7
most expedient time possible and without unreasonable delay.8
NEW SECTION. Sec. 4. A new section is added to chapter 29A.12 9
RCW to read as follows: 10
Each county auditor shall implement cybersecurity measures 11
including but not limited to: 12
(1) Implementation and adoption of the ".gov" top-level domain 13
available through the United States department of homeland security 14
through the cybersecurity and infrastructure security agency for all 15
election and voting systems and infrastructure. This adoption is 16
required for election and voting systems and websites and may include 17
all county cyber assets and email domains. 18
(2) Electronic and physical partitioning of all election and 19
voting infrastructure from other county information technology 20
systems. 21
(3) Isolation of all ballot counting equipment and voting system 22
components as defined in RCW 29A.12.005 from any other network 23
including: 24
(a) Internal networks within a county election office;25
(b) Printer sharing networks external to the ballot counting 26
system; 27
(c) The internet, world wide web, or other similar networks;28
(d) Wifi and radio connectivity; 29
(e) Wired connectivity; and 30
(f) Any telephonic or other connectivity. 31
(4) No configuration of voting systems to: 32
(a) Establish a connection to an external network; or33
(b) Connect to any device external to the voting system.34
(5) Purchase of voting systems that include documentation listing 35
security configurations and network security best practices and 36
operating those systems used for conducting primaries and elections 37
in a manner consistent with that documentation. 38
p. 5 SB 5014
(6) Restricting all data transfers from any voting system to 1
using single use, previously erased devices that contain no 2
information prior to connection with the system. This includes pen 3
drives, flash memory drives, memory sticks, and any other removal 4
media used to transfer data. Devices used in data transfer must 5
either be provided by the secretary of state to the county auditor 6
for single use, or the media must be overwritten by the county 7
auditor by following guidelines for media sanitization defined in 8
rules promulgated by the secretary of state. 9
--- END ---
p. 6 SB 5014