Securing Voter Registration Databases: 2024 Survey Preliminary Results
Research by Kira Flemke, Stefan Martinez-Ruiz, April Tan, & Kyle Upchurch
A state’s voter registration database is at the center of running elections, so its security is critical.[1] Voter registration databases (VRDB) verify voter eligibility, set voting districts, support audits of election results, and much more. States follow best practices from national security experts, the technology industry, and other state election officials to keep these voter registration databases secure. Attacks on these databases are very unlikely to succeed today.
The Center for Election Innovation and Research (CEIR) has been surveying states about voter registration database security every two years since 2018 (see the 2018, 2020, and 2022 in-depth technical reports). These surveys have consistently found that strong and improving policies and practices to secure voter registration databases are widespread across states.
This brief report is a preview of four key areas of VRDB security among current respondents to CEIR’s 2024 survey on VRDB security.[2] These early responses to the 2024 survey indicate that states have strong practices to secure the VRDBs at the center of election administration:
- Staffing and cybersecurity training: In every responding state, professional IT staff manage the VRDB and VRDB users receive cybersecurity training.
- Securing access: In every responding state, VRDB access is secured by multi-factor authentication or similar steps, limiting users to necessary information, or both.
- Identifying and stopping risks: Each responding state identifies and stops potential threats with monitoring of VRDB activity, regular audits of the system and traffic, or both.
- Backing up critical data: All responding states have robust back-ups of their VRDBs to restore data and functionality with minimal disruptions to election administration.
In 2024, states proactively defend their systems, use state-of-the-art technology to immediately detect and stop any attempted cyberattack, and maintain secure backups to restore data and functionality rapidly. CEIR’s biennial survey of VRDB security practices began in 2018, after foreign actors targeted voter registration databases to sow confusion and distrust during the 2016 general election. Several states’ systems were targeted in those efforts, but bad actors only successfully accessed the VRDB in one state. In Illinois, bad actors were able to view—but not edit—records during the breach, before the state shut down the VRDB for nearly two weeks to stop the intrusion and restore the database.[3] Since 2016, states—including Illinois—have made great strides in their VRDB security.[4] Today, states would detect and stop an attack immediately. Secure backups would restore data and functionality without meaningful disruption to election administration. In short, an attack on a state’s VRDB today is highly unlikely to be successful.
Results from CEIR’s VRDB Security Survey Project
CEIR has been surveying states about VRDB security every two years since 2018 (see the 2018, 2020, and 2022 reports online) with 39 states participating over time. By 2022, most states had adopted strong policies and practices to secure their voter registration databases. Twenty-three states have submitted responses to the 2024 survey at the time of this report, representing a wide range of regions, populations, and political majorities.[5] These responses are a guide to what states do to secure their voter registration databases in 2024. Combined with past reports showing strong VRDB security policies and practices, the initial 2024 responses indicate the widespread adoption of best practices to keep VRDBs secure.
Staffing and Cybersecurity Training
Controlling who can access and manage a VRDB is an important part of system security. The person managing a voter registration database should be an IT professional familiar with security. All responding states have a professional IT staff member responsible for their VRDB.
States must also train their staff to avoid cybersecurity risks.[6] Figure 2 shows that responding states train users on improving cyber hygiene, reducing insider threats, and avoiding password phishing and other social engineering.
Defining Types of Threats
Social Engineering: A social engineering attack “uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems.”[7] Phishing is a common method by which attackers pose as a trusted person to steal sensitive information such as passwords.[8]
Insider Threats: An insider threat is “the potential for an individual who has or had authorized access to an organization’s critical assets to use their access… to act in a way that could negatively affect the organization.”[9]
Cyber Hygiene: Just as personal hygiene involves basic practices to stay healthy, cyber hygiene refers to actions taken to protect the health of digital systems.[10]
Securing Access
Many election staffers use a state’s voter registration database, so it is vital to have secure access policies.Multi-factor authentication (MFA or2FA) is a well-known best practice that adds an extra layer of security. Even if a bad actor stole or broke a password, that alone would not be enough to gain access.
Figure 3 shows that nearly all responding states require MFA when logging in to their voter registration database. The one responding state that does not use MFA secures access by requiring a direct wired connection to the VRDB.[11]
Another good practice is the principle of least privilege, which limits a user’s access to only what they need for their specific job.[12] All but one of the responding states follow this practice.
Identifying and Stopping Risks
The first step in fixing a problem is knowing there is one. Figure 4 summarizes how states handle three key practices: recording login attempts, regular system audits, and monitoring VRDB traffic. Most states perform these tasks regularly.
Most responding states record both failed and successful login attempts and compare traffic over time to a baseline level to spot any unusual activity. Nineteen of 22 responding states reported using specialized cybersecurity sensors, called Albert sensors, or similar tools to detect attempted intrusions and analyze potential threats.[13]
Backing Up Critical Data
Regular backups are essential to quickly restore a system if a problem occurs. Figure 5 shows that all responding states said they regularly back up their database.
Having an offline backup adds an extra layer of security, protecting data even if the system connection is down. Sixteen states reported using offline backups, and 16 states separately reported encrypting their backups for added safety.
Key Takeaways
Because state voter registration databases are a target for domestic and foreign bad actors, states have strong policies and practices to prevent issues and fix them if they arise. The CEIR survey in 2024, as in 2018, 2022 and 2020, suggests that responding states are ready to handle cybersecurity threats to voter registration databases in this election season.
The measures described in this report, while important and effective, are just the top line of what states are doing to ensure VRDB security. Election officials’ efforts go far beyond what is described here.
About the Survey
CEIR sends this survey to chief election officials in all 50 states and the District of Columbia. While other researchers have done extensive work on VRDB security, this is likely the only repeated direct survey of state election staff on the topic.[14] CEIR encouraged chief election officials to work with their technical staff to answer survey questions. To prevent bad actors from using this information to refine their attacks, all responses are strictly confidential, and CEIR only reports on collective results.
Notes and Citations
[1] The Help America Vote Act (HAVA) of 2002 requires that all states with voter registration implement “a single, uniform, official, centralized, interactive computerized statewide voter registration list defined, maintained, and administered at the State level…” (52 U.S.C. § 21083(a))
[2] This brief report contains responses received through August 30, 2024. See previous CEIR VRDB Security Reports for more information about the survey.
David Becker, Jacob Kipp, Jack R. Williams, and Jenny Lovell, “Voter Registration Database Security,” The Center for Election Innovation and Research, September 2018, https://electioninnovation.org/research/2018-vrdb-security-report/
“Voter Registration Database Security,” The Center for Election Innovation and Research, August 2020, https://electioninnovation.org/research/2020-vrdb-security-report/
Kristin Sullivan, Kyle Yoder, Stefan Martinez-Ruiz, Kyle Upchurch, April Tan, and Kira Flemke, “Voter Registration Database Security in 2022,” The Center for Election Innovation and Research, January 2023, https://electioninnovation.org/research/2022-vrdb-security-report/
[3] Rick Pearson, “3 years after Russian hackers tapped Illinois voter database, officials spending millions to safeguard 2020 election”, Chicago Tribune, August 5, 2019. https://www.chicagotribune.com/2019/08/05/3-years-after-russian-hackers-tapped-illinois-voter-database-officials-spending-millions-to-safeguard-2020-election/
[4] CEIR reports on the specific progress made in Illinois in the 2018 VRDB Security Report. Security practices in Illinois are identified and discussed in that report with permission from state officials. For more, see David Becker, Jacob Kipp, Jack R. Williams, and Jenny Lovell, “Voter Registration Database Security,” The Center for Election Innovation and Research, September, 2018, https://electioninnovation.org/research/2018-vrdb-security-report/
[5] Due to data verification and ongoing outreach, this data may change before CEIR releases a subsequent technical report.
[6] To conduct cybersecurity training, election officials turn to top experts in the field. Eighteen states use cyber exercise consulting from CISA, and several states supplement with training from Federal Virtual Training Environment (FedVTE) or National Initiative for Cybersecurity Careers and Studies (NICCS) education and training. Two states reported using resources from all three sources. Among the five states that did not report using training resources from the three organizations or initiatives listed above, nearly all reported using another training program.
[7] “Avoiding Social Engineering and Phishing Attacks,” Cybersecurity & Infrastructure Security Agency, February 1, 2021, https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks
[8] “Phishing,” Cybersecurity & Infrastructure Security Agency, December 8, 2022, https://www.cisa.gov/news-events/alerts/2022/12/08/cisa-releases-phishing-infographic
[9] Daniel L. Costa, “CERT Definition of ‘Insider Threat’ – Updated”, Carnegie Mellon University, Software Engineering Institute’s Insights, March 7, 2017, https://insights.sei.cmu.edu/blog/cert-definition-of-insider-threat-updated/; Specific to cybersecurity, there are both unintentional threats (e.g., accidental exposure of information) and intentional (e.g., identifying weaknesses or disrupting operations.) For more information, see “Defining Insider Threats,” Cybersecurity & Infrastructure Security Agency, n.d., https://www.cisa.gov/topics/physical-security/insider-threat-mitigation/defining-insider-threats
[10] Poor cyber hygiene could include “the failure to patch known vulnerabilities, poor configuration management, and poor management of administrative privilege. For more information, see Tony Sager, “Cleaning Up a Definition of Basic Cyber Hygiene,” Center for Internet Security, July 16, 2020, https://www.cisecurity.org/insights/blog/cleaning-up-a-definition-of-basic-cyber-hygiene
[11] Question asked states to identify requirements for multi-factor authentication. Only one state responded that MFA was not required. In a text comment, this state clarified that users must use a direct wired connection to access the VRDB.
[12] “Least Privilege,” Cybersecurity and Infrastructure Security Agency, September 14, 2005, updated May 10, 2013, https://www.cisa.gov/uscert/bsi/articles/knowledge/principles/least-privilege
[13] “Albert Network Monitoring and Management,” Center for Internet Security, n.d., https://www.cisecurity.org/services/albert-network-monitoring
[14] The following are some of the other notable reports and resources, from academic and technical products to more public facing explainers, that have informed CEIR’s understanding on VRDB security:
Jack Cable, Andrés Fábrega, Sunoo Park, and Michael A Specter, “A Systematization of Voter Registration Security,” Journal of Cybersecurity, Volume 9, Issue 1, June 8, 2023, https://doi.org/10.1093/cybsec/tyad008;
Carter Casey, Johann Thairu, Susie Heilman, Susan Prince, Brett Pleasant, and Marc Schneider, “Recommended Security Controls for Voter Registration Systems,” MITRE, November 2019, https://www.mitre.org/news-insights/publication/recommended-security-controls-voter-registration-systems;
“Securing Voter Registration Data,” Cybersecurity & Infrastructure Security Agency, February 1, 2021, https://www.cisa.gov/news-events/news/securing-voter-registration-data;
“Frequently Asked Questions (FAQ): Public Voter Registration Information and Security of State Voter Registration Databases,” National Association of Secretaries of State, August 2022, https://www.nass.org/sites/default/files/Election%20Cybersecurity/NASS-briefing-FAQ-info-security-2022_8.25.22.pdf