Executive Summary
Under substantial scrutiny and amid a national environment of misinformation and distrust, election officials across the country successfully administered highly secure and accessible elections in 2020 and 2022. In order to secure election infrastructure against both foreign and domestic threats, many of these officials worked hard to improve cybersecurity practices in their state. One critical component of this effort was ensuring the security of state voter registration databases (VRDBs). Any disruption to a state VRDB could have serious consequences for the smooth operation of elections and thus, erode voter trust and confidence.
The Center for Election Innovation & Research (CEIR) conducts a biennial survey to assess the state of VRDB security in the U.S. The survey looks at three major areas of VRDB security: prevention, detection, and mitigation. Responses to the 2018 and 2020 surveys demonstrated the seriousness with which states take cybersecurity. They also demonstrated substantial progress in security practices from 2018 to 2020. In both years, CEIR identified several areas of strength alongside opportunities for growth. Most recently, in 2020, we cited the states’ strength in implementing best practices around establishing password requirements, monitoring login attempts, backing up VRDBs, training users, and requiring tabletop exercises. While we noted growth in the use of multi-factor authentication (MFA) between 2018 and 2020, we saw room for improvement. Finally, we called for progress in monitoring and auditing VRDB activity.
In this report, we demonstrate that respondent states have largely maintained the best practices they adopted in previous years. In terms of prevention, detection, and mitigation, states reported similarly encouraging practices in 2022 and demonstrated growth in key areas when compared to 2020. In the 2020 report, we called for further adoption of MFA; that progress was evident in 2022. We also saw states adapt to changes in best practices for password requirements, bring more IT support in-house, and adopt additional email security.
Still, opportunities for growth remain. The 2020 report noted room for improvement in the frequency with which states monitor and audit VRDB traffic and login attempts, and that need for improvement remains. Elsewhere, it appears there may have been slight regression in terms of minimum character requirements for user passwords. This remains a best practice and we would expect to see growth in this area in the future. The 2022 survey asked about two new topics: security procedures for remote third-party access and adherence to the 3-2-1 rule in backing up VRDB systems. Both areas show encouraging initial results, even though there is room for growth. Overall, despite a few areas in which states could improve their practices, after three surveys, CEIR remains encouraged by the state of VRDB security across the country.