In this final installment of our 3-part series on the Brennan Election Security Report, let's consider voter registration systems. We are delighted to see another organization talking about the importance and security risks associated with, voter registration systems. We’ve said all along, and even explained to Congress, there are three primary types of data in the election ecosystem: voter data; ballot data; and election data. The two principal ways to disrupt an election using any of the three vectors we discussed in Part 1 are meddling with the casting and counting of ballots, or with the rolls of registered voters qualified to cast a ballot, grouped according to the jurisdiction where the voters are registered to vote. If a malicious desire to disrupt an election exists, then the voter registration system becomes a honeypot of opportunity (as we say in digital security).
So, it comes as no surprise that we agree with the Brennan Report where it states that voter registration databases are one of “the two most critical parts of America’s election infrastructure” because “they could be manipulated to block voters and cause disorder when citizens attempt to vote.” For example, a malicious actor could simply change a registered voters address or party affiliation or some other data field to prevent them from being allowed to cast anything but a provisional ballot (if even that) in the next election. This alteration can perhaps be remedied in time for them to vote, but even so this will often cause delays, leading to longer poll lines, and might very well make the prospective voter fed up with the entire system and less likely to vote in the future (e.g., that 3rd vector: diminishing turnout). Longer poll lines can make even those voters whose registration records weren’t tampered with less likely to vote. And targeting these attacks to specific precincts in particular jurisdictions of so-called “swing states” could easily change the result of an election via the diminishing turnout tactic.
Where we differ with the Brennan Center is on the necessary protections and security of voter registration systems. Their report describes characteristics of voter registration systems as “built-in protections” that help to control access to voter registration databases. We argue that these facets, while standard and perhaps adequate for their time, are not real protections in the current threat environment. Perhaps ironically (albeit certainly telling), current voter registration databases have the same protections as any other government database, many of which have been noticeably hacked and accessed by foreign adversaries.
The Brennan report goes on to recommend that state governments should update their threat awareness, replace IT, and create contingency plans. All of these prescriptions are great, but we believe they must go further and be more specific.
FACT: The fundamental vulnerability of our voter registration databases is that the databases where changes and updates are facilitated are often the same databases accessible to the public. This makes the online voter registration system inherently insecure! The database that can be reviewed by the public should only ever be a copy of the authoritative database. Requested alterations to the database via the public (web) service should be candidate changes (or "postulate changes" fordatabase geeks) submitted to the back-end system to be staged for update to the authentic and authoritative database. During that submission step, processes can help ensure the authenticity and authorization for the proposed transaction. This is a fundamental architecture, which in the case of voter registration databases we fear has likely been passed by due to over-riding factors such as:
- limited time to launch the service;
- inadequate budget to properly develop;
- lack of a security-centric engineering mindset by those hired to build these web-based services; or worse,
- laziness in development discipline.
And yet the practice of insulating the master (authoritative) database-of-record from potential external goofs or malicious intentions is standard in other fault-tolerant security-conscious environments. For example, Banks and other financial institutions already make it common practice to never connect the back-end systems that store financial transaction to the public network. Ever. There is no reason that voter registration databases should not adopt this common sense practice, and yet in our research we’ve discovered just the opposite is true in many cases. This is just one immediate glaring aspect of the voter data integrity challenge.
That does not (and should not) mean pulling the plug for online voter registration (OVR) services. Rather it means a full analysis, threat assessment, and architectural and engineering review is in order for all of the states’ online voter registration systems to ensure all fault-tolerant integrity principles are adhered to, as quickly as possible. And it shouldn't cost large amounts to do or require months to complete an assessment and recommendations. To be sure, we know a couple of States will score well and have invested in a proper OVR architecture.
Despite some disagreements with the Brennan Report, it is a well-researched paper supported by a broad range of contributors and reviewers (an exercise we've gladly participated in the past on other Brennan works, we just weren't asked this time, but no hard feelings whatsoever; fact is they had more than enough support). The Report is full of useful insights about election security. As one of the first major reports on the subject, we appreciate the hard work and effort invested in its production. We encourage anyone interested in the integrity of our democracy and/or election technology reform and innovation take a little time to read the Report. That all observed, our intent here is to bring technical clarity to these issues wherever we can. And for certain, we enjoy working with the good people at the Brennan Center and look forward to future collaboration opportunities.
Watch this space. In the near future we will release a reference architecture paper for online voter registration system design. Again, our position as explained in Part 2, is that we must have a military-grade fault-tolerant security-centric engineering mindset in thinking through the next-generation election platform architecture. And though buzzword compliant that may read, we're committed to those principles in ElectOS. Finally, watch for more review and comment with regard to election security architecture and other's efforts to assess and report out on the state of things in this vital piece of democracy infrastructure.
Your comments are encouraged as always.
Election Infrastructure Analyst
Office of the CTO