The expansion of voting by mail during the coronavirus pandemic makes it all the more important that election officials secure voter registration databases from hacking, according to a senior Department of Homeland Security official.
The greater amount of absentee voting and mail-in ballots “shifts the risk towards voter registration data security,” Matt Masterson, senior adviser at DHS’s Cybersecurity and Infrastructure Security Agency, said Wednesday during a virtual conference.
People voting by mail generally won’t have access to the same provisional-balloting process that those voting in person can use if they’ve been left off of voter rolls due to an administrative error. That makes the integrity of voter registration data all the more important in the era of COVID-19, Masterson said.
The novel coronavirus, which has killed more than 120,000 people in the U.S., has forced many states to postpone presidential primaries and ramp up voting-by-mail options. Forty-six states currently offer all of their voters some form of by-mail voting, according to the nonprofit Open Source Election Technology Institute (OSET).
“COVID has changed the game for election officials across this country,” Masterson said at CrowdStrike’s Fal.Con for Public Sector Conference, produced by FedScoop and CyberScoop. “2020 was always going to be a challenging year for them with the preparations they were making to secure their systems — just the high intensity of a presidential election. And then you introduce a pandemic into it.”
Election officials have had to contend with a major source of misinformation in President Donald Trump. The president has erroneously claimed that voting by mail can lead to large-scale fraud. In reality, instances of fraud are exceedingly rare. A Washington Post analysis of three vote-by-mail states found cases of possible fraud in just 0.0025 percent of ballots cast in in 2016 and 2018.
A warning sign in 2016
Securing voter registration databases has always been important, Masterson and other experts say, because they determine who receives a ballot and whether election officials can process them when they’re sent back.
“The [voter registration] system really sits right at the nexus of a whole bunch of separate functions that are very closely related to the complexities of by-mail voting,” Eddie Perez, OSET’s global director of technology development, told CyberScoop. “So it becomes a very rich target because it can have broad ripple effects very quickly.”
The threat to voter registration databases came into sharp focus during the 2016 election, when Russian hackers breached Illinois’ database and had access to records on some 76,000 voters. The intrusion didn’t impact the outcome of the election, and the attackers did not appear to alter any data, but the incident highlighted vulnerabilities in the registration databases.
Since then, DHS officials have harped on the need to protect those databases from ransomware and other threats, offering training to state and local officials. At the same time, state and local IT systems unrelated to voting have been hobbled by a string of ransomware attacks.
“They’ve seen their colleagues in county government, they’ve seen their colleagues in state government impacted by ransomware and how devastating it can be, and so it’s very real to them,” he added.