By Josh Schmidt
Capital News Service
Legislators learned last week that Maryland’s electronic balloting system may need better security measures to protect voters’ information and that the lawmakers must be the ones to add those protections.
The State Board of Elections told lawmakers Sept. 6 that it is powerless to make those changes, and that any security changes must come directly from the legislature.
Last year, the State Board of Elections voted 4-1 to certify a new system for online ballots, even though experts in cybersecurity and computer science publicly objected.
While nearly all states have a system in place for signature verification, the General Assembly did not vote last year on the topic, so there was no verification system in place. This left Maryland as the only state in the nation without one, according to a report last year by Capital News Service.
State officials last week acknowledged the importance of election security in the wake of the 2016 presidential race, after which reports indicated that Russian hackers obtained information from the Democratic campaign illegally.
Not to worry
But State Sen. Steve Waugh, R-Calvert and St. Mary’s, says he believes there is no need for Maryland voters to worry that their ballots were modified last fall.
“(The Russians) want to destabilize America by delegitimizing our government,” Waugh said. “I firmly believe though that Russian interference had zero to do with ballot outcomes anywhere in the state or the nation for that matter.”
Linda Lamone, administrator at the Maryland State Board of Elections, said at the hearing that there has been no evidence found of election interference in the state, but that extra security precautions would be good.
No new security measures are imminent, but Waugh and his peers are committed to finding a bipartisan solution that won’t cost the state too many tax dollars, he said.
“I believe everyone in state and local elections, as well as outside contractors, have their hearts in the right place and want some change,” Waugh said.
Issues about absentee balloting
Issues surrounding the process of absentee balloting were the main point of concern throughout the three-hour hearing by the Senate Education, Health and Environmental Affairs Committee and the House Ways & Means Committee.
Under the current process, a voter can request an absentee ballot online only with a Motor Vehicle Administration ID number, the date of issue, and the last four digits of their Social Security number, according to Director of Voter Registration Mary Cramer Washington.
One flaw was a program error that allowed voters to submit their full Social Security numbers. While there is no evidence that any personal data was stolen, the nine-digit identification numbers for 14 percent of Maryland voters were at risk, according to an analysis performed by the Office of Legislative Audits.
If security isn’t restrictive enough, personal information could leak, which happened at the University of Maryland when hackers stole more than 300,000 personal records from the university’s personal information database.
The Maryland State Board of Elections ran a program to remove the extra digits from the database and the program has been modified to allow only four numbers to be entered, according to Nikki Charlson, deputy administrator at the board.
This issue and others were caused by a lack of oversight from the elections board, which did not ensure the accuracy or security of data in some cases, according to Steve Jersey and Adam Westover, who both led the audit. Jersey and Westover recommended the electoral board send a letter to Attorney General Brian Frosh in order to quickly implement changes, according to Charlson.
Legislators and auditors also criticized the information needed to obtain an absentee ballot. In the current system, voters can obtain a ballot by mail without their driver’s license information or any part of their Social Security number. The information that is required — including date of birth and address — is often publicly available, which could enable identity thieves.
AG Frosh says legislators must act
Charlson and Lamone told legislators that Frosh said in a letter that further security measures must be mandated in a law crafted by legislators.
“Ultimately it is their decision,” Charlson said. “We can, and will, offer our opinion of the administrative impact of the bill, but the attorney general told us it is not in our control.”
Directly after the hearing, a handful of delegates and senators briefly met to begin discussions about a possible bill to add that security, Waugh said. The first steps will be to figure out where to focus and how to allocate resources efficiently, he said. Even though the General Assembly won’t reconvene until Jan. 10, these discussions will continue in the interim, Waugh said.
With a gubernatorial election slated for next fall, election security is a hot topic among Maryland legislators, Waugh said. There was concern from some lawmakers about protecting municipal elections, which occur in the state every year, so the legislative body wants to get this completed quickly, Waugh said.
“There’s a general consensus that things must change,” Waugh said. “A tighter and more secure system is better for the state and our citizens.”
An enterprise-level security assessment of MD electoral systems’ controls would be well worth the money. I don’t think any critical audits have ever been done even though the Office of Legislative Audits has done partial work. NIST, NSA, or a number of other Federal agencies would be happy to contract for this work. I think major findings are likely to be reported if Democrats come to their senses and act proactively.
How about making sure American citizens and Maryland residents are the only ones who can vote and not non-citizens and illegal aliens like College Park is planning to have vote in its elections… Then, we can worry about “Russian hacking and interference”