Election security

2018 Election Vulnerability: Voter Registration Systems

By Nicholas Weaver
Friday, February 23, 2018, 9:00 AM

The Russian information-operation strategy can be summed up as “chaos monkeys”: agents seeking to destabilize the United States by exploiting fissures in our society. The Mueller indictments announced Friday show just one aspect. Guccifer 2.0 and WikiLeaks were another. And there is no indication that these efforts are over. So if Russia’s goal is chaos, and its tools include hacking and blatantly circulating that stolen information and otherwise disrupting U.S. political systems, its No. 1 target in 2018 stands to be voter registration, not vote tabulation. And there is reason to think that Russia has already targeted these systems.

Most states have mandated voter-verifiable paper ballots to prevent interference with tabulation. But even in the states that haven’t yet taken this proactive measure, tabulation is still not the likely target. Tampering with tabulation is hard to detect. The chaos goal is not to change the outcome but to create doubt about the legitimacy of the election, so discreet activity is not optimal.

Simple strategies in deregistering voters could cause chaos in a very public manner. This year’s midterms are widely expected to be a wave election, with Democrats picking up substantial seats in the House. From the Russian viewpoint, this is ideal. To U.S. opponents eager to create more conflict in a legislature that already appears incapable of passing bills, a Democrat-controlled House, in strong opposition to the president, is desirable. Even better is if such wins are publicly seen as illegitimate by a substantial fraction of the U.S. population.

This could be achieved by targeting as many voter registration databases as possible. Consider what would happen if 10 to 20 percent of voters were randomly deregistered in the biggest Republican precincts in multiple House districts. The result would be long lines and voters giving up and walking away. That visual statement of interference is the objective. Imagine how the various echo chambers would react to such electoral chaos.

And unlike tabulation systems, voter registration databases are often state or county affairs. This means each successful compromise is capable of targeting more voters for the same effort.

So what should be done? First, states need to build their voter registration systems to withstand attacks and plan for this particular assault. Such preparation starts with improving security overall. Here, append-only logs are critical. It’s key to have a separate system that records every addition or deletion from the voter rolls, and a copy of the log should be put on write-only media (such as writable DVDs). Having a copy of this data available at each polling place, and using an independent system from the normal record book, would allow poll workers to quickly check and recover data in the event of an attack on registration records.

As another line of defense against registration tampering, every polling place in 2018 should have enough provisional ballots for at least 20 percent of the expected turnout. This is less ideal than preventing the attack, but it’s necessary to have plans in place to conduct the election should defenses be breached.

The Russian influence monkeys may seek to cast their own vote for electoral chaos in 2018. It must not be allowed to happen