During the last presidential election year, foreign adversaries waged disinformation campaigns and, in a small number of cases, infiltrated voter registration databases (VRDBs). Now, there are a growing number of reports raising the specter of another presidential election that will be conducted under the shadow of extensive foreign interference campaigns. In 2016, the Russian government was the predominant adversary seeking to interfere with U.S. elections. This year, China and Iran have joined Russia as potential threats to the integrity of our nation’s elections. We can—and should—expect attacks on election infrastructure and other attempts to undermine voter confidence. Fortunately, election officials have continued to work tirelessly over the last few years, meaning this year’s election will be the most secure election in recent history.
The Center for Election Innovation & Research (CEIR) conducts a biennial survey to assess the state of voter registration database security (VRDB) in the U.S. The survey looks at three major areas of VRDB security: prevention, detection, and mitigation. The responses to the inaugural survey in 2018 showed that, in the wake of heightened awareness and concern over foreign interference in elections, the states were taking VRDB security seriously. However, there was still room for improvement, particularly with regard to VRDB user access requirements and efforts to prevent phishing.
CEIR confirms that the states continue to improve their practices, with several states making great strides in the last two years. Compared to 2018, almost twice as many states now require multi-factor authentication and passwords that are at least eight characters long. Nearly all states are monitoring all VRDB log in attempts, and while the states were already regularly backing up their VRDBs in 2018, this year’s survey shows that most states are backing up their VRDBs on a daily basis. Additionally, VRDB users are receiving the training they need; nearly every state trains users on how to identify cyberthreats, and every state uses tabletop exercises to learn how to respond to real-world scenarios.
However, there is still room for improvement. Six states indicated they still do not use multi-factor authentication to restrict access to their VRDBs. Several states also need to improve their monitoring and auditing practices. For instance, there are still a small minority of states that do not monitor or audit their VRDB data input forms to protect against malicious input. Ultimately, however, the states are making significant strides toward improving their VRDB security, a trend we expect to see continue in 2022.