Voting Cybersecurity Concerns Some State Officials

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Adrianne Appel

Oct. 6 — Voters should avoid filling out their ballots online due to cybersecurity threats and risk of harming confidence resulting from an election data breach, state election officials said at a recent gathering of governors.

But the officials said that the climate for adopting long distance means of casting ballots—including voting online—has cooled in reaction to hacking incidents.

After the breaches, demand for online voting has decreased, Connecticut Secretary of State Denise Merrill, said in Boston Oct. 5 at a meeting of the National Governor’s Association focused on cybersecurity, called “Meet the Threat, States Confront the Cyber Challenge.” Many states faced “increasing pressure but that has slowed down,” she said.

Although most states allow those not present to cast their vote on paper ballots through the mail, some states allow them to be sent through the internet, Pam Smith, president of Verified Voting, a non-profit voting advocacy organization in Carlsbad, Calif., said.

“Sending a voted ballot over the internet is fraught with risk” because “the internet is a dangerous place,” Smith said. “If you don’t have to put it online, don’t,” she said.

Early this year, state election boards in Arizona and Illinois suffered cybersecurity incidents. The hackers had various success in their attacks—no voter records were stolen in Arizona but election records were tampered with in Illinois. Regardless of the hacks' success, congressional hearings (189 PRA, 9/29/16) and national coverage of voting-system data breach risks have caused the public to question the integrity of the ballot box.

Voting Systems Secure

Although voters may have lost some confidence in the voting system, there is little risk to states that employ methods that don't connect to the internet.

There is little actual risk that states’ existing voting systems will be hacked, Merrill said. This is because most states use voting systems that aren't connected to the web, she said.

Even if a ballot box of one state is hacked it doesn't mean the whole U.S. will feel the affects of the hacking attack.

The nation’s election system is highly decentralized, and made up of thousands of local voting precincts, Merrill said. “When people talk about the hacking of the election system, there is no one system,” Merrill said. Instead, it’s a collection of 9,000-10,000 election jurisdictions by local communities, she said.

The decentralized voting system allows for a hack in one state to not affect the voter roles and outcomes in another state, she said.

Voter Confidence at Issue

The lack of perceived risk of a cybersecurity attack against a state election system doesn't seem to quell voters confidence that their ballot will remain secret.

“I’m most concerned about the panic surrounding cybersecurity” of the ballot box Merrill said.

There is little risk that other state’s voter registration systems, which are online, will be hacked, Matthew Masterson, commissioner of the U.S. Election Assistance Commission, said. Most election officials around the country don’t feel their systems are at risk, Masterson said.

“When you talk to election officials about threats to voting, they’re worried about the janitor not opening up the gym in time for voting,” Masterson said.

‘Trying to Scare People.'

Not all state election officials agreed that state voting systems are immune from cybersecurity attacks.

Arizona Secretary of State Michele Reagan said Oct. 5 at a separate event that all state voter registration systems are vulnerable to intrusion and tampering.

“We need to take our heads out of the sand,” Reagan said. State officials need to be made aware of the threat that voter registration systems will be hacked, she said at the Cambridge Cyber Summit, hosted by the Massachusetts Institute of Technology, the Aspen Institute and CNBC.

At the end of the day, the hackers may not have wanted the voter information but wanted to scare potential voters to lower their confidence in the U.S. system.

“They weren’t after information they were trying to scare people,” Reagan said. “And it did have the intended effect,” she said.

The state has fortified its voter registration data, to make it less vulnerable to manipulation. “We got lucky and they couldn’t get into our database,” Reagan said.

To contact the reporter on this story: Adrianne Appel in Boston at aappel@bna.com

To contact the editors responsible for this story: Donald G. Aplin at daplin@bna.com ; Daniel R. Stoller at dstoller@bna.com

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.