2018 VRDB Security Report

Executive Summary

The threat of foreign interference in U.S. elections is real. In the wake of the Russian government’s attempt to interfere with election infrastructure in 2016, states are taking cybersecurity more seriously now than ever before. Experts agree that attempts to interfere so far have been aimed at undermining Americans’ confidence in elections, not changing actual vote totals. That means attackers seem particularly interested in seeking to infiltrate systems like elections websites or voter registration databases, which are more readily accessible than the machines that actually tabulate votes. If those systems were compromised, it could create chaos and confusion that could further damage Americans’ faith in our electoral system.

In 2016, voter registration databases (VRDBs) were scanned in multiple states, though only one VRDB was successfully infiltrated. Since that time, the states have been making big improvements to their VRDB security in order to ensure they can entirely stop or quickly respond to any future attacks. To start a conversation about the current state of VRDB security, the Center for Election Innovation & Research (CEIR) convened a meeting in February 2018, which included over forty experts representing state and local election officials, technology experts, the Department of Homeland Security, the Election Assistance Commission, and others. CEIR subsequently conducted a survey of all the states, seeking to better understand the current state of VRDB security. The survey looked at three major areas of VRDB security: (1) prevention, (2) detection, and (3) mitigation. This report discusses the findings of that survey.

Based on the survey responses, it’s clear that states are taking securing their VRDBs seriously, though there’s still room for improvement. Significant majorities have implemented best practices for VRDB backups, cybersecurity training, and monitoring of VRDB access. However, states could still improve in certain areas. Many states, for example, need to review their password requirements and still need to implement multi-factor authentication.