Annapolis Lawmakers Have a Chance to Secure Maryland’s Elections
March 8th, 2018 by CHHS RAs
By CHHS Extern Tyler Babich
Since the first revelations of Russia’s attempts to influence American elections surfaced in 2016, the issue has been the subject of non-stop media attention and political debate. Intelligence leaders have confirmed that the Russian government targeted American election systems. Officials now warn that the effort is continuing in 2018. It is now publicly known that Maryland was one of the states targeted by hackers. After a Baltimore Sun article first made this threat public, the State Board of Elections publicly verified the information. This revelation inspired action by lawmakers and advocates alike who want to ensure a fair, valid election in 2018 and the future. But even with the resounding encouragement by experts, Maryland’s State Board of Elections (SBE) has not adopted best-practice protections. It will take an act of leadership from the House of Delegates, Senate, and the Governor’s Office to enact the rules necessary to secure Maryland’s elections.
On February 27th, the House Ways and Means Committee heard testimony on bills addressing election security. CHHS staff provided testimony regarding House Bill 1658 “Election Law – Absentee Ballot Requests, Delivery, and Marking”. This bill, sponsored by Election Subcommittee Chair Delegate Alonzo Washington, seeks to address weaknesses in Maryland’s election system. If adopted, as CHHS advises, Maryland would require most absentee ballots to be sent to voters at a physical mailing address, rather than electronically.
As it stands, the SBE permits absentee ballots to be requested and distributed electronically to any registered voters who request one. This has the benefit of enabling voter participation, but the vulnerabilities that come with it are gaping.
Vulnerabilities for Fraud and Man-in-the-Middle Attacks
Maryland’s current rules only require basic information about a voter before emailing an absentee ballot. This information, such as name, address, and the last four digits of your Social Security Number, is either entirely public or easily accessible on the internet. Thanks to major breaches of private companies and government databases over the past few years, virtually no Maryland voters’ personal information is private anymore. By going to websites that sell personal information from illegal hacks, someone trying to forge votes can find the information they need to trick the SBE into granting an absentee ballot. The ballot is then sent to whichever email address the requester provides. It cost no money to create an email address that mimics a voter’s real email address. The bad actor then receives someone’s legitimate ballot to print, fill out, and mail in to be counted as a legitimate vote. With the help of bots, this could be replicated thousands of times by a single person.
A “Man-in-the-Middle Attack” (MITM) is a broad term describing a popular hacking strategy in which a hacker steps between two entities’ communication. A MITM lets the hacker intercept communication and impersonate one or both of the original entities while victims remain oblivious. Maryland’s absentee request system is vulnerable to a simple MITM that simultaneously denies a ballot to legitimate voters, while notifying the hacker of one more voter to impersonate without suspicion.
Mitigating the Vulnerabilities with a Brick Defense
If HB1658 is passed into law, most absentee ballots would be distributed by post mail to a brick-and-mortar address, instead of the more vulnerable email option. The SBE already has tools to detect suspicious activity when absentee ballots go to brick-and-mortar addresses. Additionally, making a fraudulent brick-and-mortar address is not feasible. While spoofing an email address is easy, the cost and effort of making a fake building prevents that from being an option for anyone trying to influence an election. Mail theft is still possible, but that requires unreasonable resources to significantly impact an election. If a voter does suspect their ballot or other mail was stolen, the US Postal Service has a law enforcement and security arm to investigate the matter.
Experts Agree on the Steps for Change
These vulnerabilities are not new, and neither are the recommendations coming from security experts. In 2014, CHHS Founder and Director Michael Greenberger submitted a 19 page memo explaining the vulnerabilities in Maryland’s systems and recommendations to address them. The SBE did not implement the memo’s recommendations.
Dr. Poori Vora, a computer science professor at George Washington University, travelled to Annapolis on her own initiative to support HB1658 and some of the other election security bills being considered in the Ways and Means Committee. Her testimony, co-authored with Professor Carsten Schürmann, made clear that even being aware of a cyberattack is very difficult without having proper tools in place. Detecting and preventing attacks will require meaningful change on the part of the SBE.
Even if the Russian government’s intent is not to back a preferred candidate, the vulnerabilities are still exploitable by anyone else who does have a horse in the race. And undermining confidence and democratic norms still warrants preparedness. Markus Rauschecker, the Cybersecurity Program Director at CHHS, warns that raising enough doubts in the legitimacy of an election can be a serious problem even if the actual vote tallies go unaltered.
If Maryland’s lawmakers are serious about securing elections from illegal interference, they should heed the advice coming from a consensus of intelligence, cybersecurity, and homeland security experts. For years the SBE has declined calls to improve system security and they are leaving good options on the table. The only officials with authority over the SBE are the General Assembly and Governor. Given everything known about the vulnerabilities and threats impacting Maryland’s elections in 2018, elected leaders should enact the legislation before them.