This section of our website is dedicated to educating Maryland voters about how State and local election officials protect election systems and data. Securing systems and data is a continuous effort in Maryland’s elections community, and the systems and data we use are protected by the industry accepted best practices for critical information systems. We recently completed, in partnership with the U.S. Department of Homeland Security (DHS), a poster showing how we protect the election process, systems and data (PDF). We hope that this information is useful and assures you that Maryland’s election officials are serious about protecting our election systems and data and voters can be confident about the integrity of the election process.
Were Maryland’s election systems compromised before the 2016 General Election?
Although U.S. Department of Homeland Security informed us that we were one of 21 states with suspicious online activities before the election, there’s no evidence that Maryland’s election systems or voter data were breached or compromised.
In early August 2016, we identified some unusual activity on the online registration and ballot request system and immediately blocked the IP address associated with the activity. In response, we provided log files to the FBI, one of the State’s cybersecurity vendors, and a partner of our web hosting company. All three entities reviewed the transactions related to the suspicious activities, and all three entities came to the same conclusion – there were “no suspicious artifacts.” In other words, there was no evidence that the online registration and ballot request system was breached or fraudulent transactions were submitted. The system was probed but not breached.
What is the difference between a “probe,” a “breach,” and a “hack”?
There are different words to describe cyber activities – scans, probes, breaches, and hacks – and they mean different things.
- A “scan” is an automated way of reviewing websites, typically for content. Scans happen every day on every website. It is the equivalent of a potential burglar driving down your street looking for open windows.
- A “probe” is an unsuccessful attempt to gain access to a system. This is what happened to our online voter registration and ballot request system before the 2016 General Election. This is the equivalent of a potential burglar trying to open a door but the door is locked. Because of the security measures we had in place, our “door” was locked. After a couple of attempts, the individual or individuals behind this attempt moved on.
- A “breach” or “hack” is a successful attempt to gain access to a system. There is no evidence that our systems were or have been breached or hacked.
How do we keep Maryland’s election system safe?
Each election system is designed and used differently. As result, the risks of each system and how we mitigate those risks are different.
For example, the certified voting system is never connected to the Internet. This means that the risks associated with the Internet are not present. We, however, use thumb drives to transfer election results. This means that we must address the risks associated with securing data on removable memory devices. By contrast, the online registration and ballot request system is connected to the Internet. As a result, we must manage the risks associated with Internet.
Generally, we use a multilayer defense or “defense in depth” to protect election systems and voter data. Simply put, we use various tools to protect the systems – one check verifies another check and redundancies exist to protect and restore system and data.
- We use experienced vendors and consultants to host, maintain, and protect systems. They use analytics tools and artificial intelligence to monitor websites and SBE network traffic and identify unusual behavior.
- We take advantage of the cybersecurity services offered by the Department of Homeland Security (DHS).
- Each week, DHS scans our websites looking for vulnerabilities and reports on their findings.
- DHS performed a Risk and Vulnerability Assessment on many of our systems. This assessment included penetration testing, web application testing, and social engineering exercises.
- DHS performed in-depth non-technical assessment on critical systems. This assessment helps us understand how resilient our systems are and how we manage cyber risk.
- DHS performed an assessment of our cybersecurity practices on critical systems and how we manage risk associated with our vendors and third-parties we rely on (for example, public utilities, telecommunications).
- We take advantage of other services offered by DHS. Representatives of DHS are assessing local election offices and warehouses to improve the physical security of the buildings.
- We regularly perform software updates and verify that local election officials’ computers are also updated.
- We follow the State of Maryland’s IT practices and generally accepted IT best practices to protect all of our systems and data.
- We own vulnerability scanning and penetration testing software and regularly run scans, analyze results, and mitigate findings.
- We look for patterns in voter registration and absentee voting behavior to identify possible unauthorized transactions.
- We only use a voting system that has been thoroughly tested at the federal, state and local levels.
- The voting system has been tested by a federally certified testing lab and approved by the U.S. Election Assistance Commission. The federal testing process includes security reviews as part of the testing process.
- The voting system has been tested at the State level. Before the current system was first used in 2016, we performed rigorous testing before we recommended it for use.
- Each voting unit is tested before it is accepted into the State’s inventory and each voting unit is tested before each election.
- We follow strict security and “chain of custody” procedures.
- We conduct comprehensive post-election audits (PDF) to verify the integrity of the entire process. These audits are heavily focused on custody of critical election supplies (for example, thumb drives used in the voting equipment), voter transactions, and the accuracy of the election results.
- We timely receive and share cybersecurity information. We receive alerts from the federal government – including DHS and the U.S. Election Assistance Commission – and the Multi-State Information Sharing and Analysis Center (MS-ISAC), share this information with local election officials, and take action based on these alerts.
How would we recover if one or more of our systems or data is compromised?
Although we rigorously and continuously protect our systems, we also have equally rigorous plans to restore systems and return to “business as usual” if any of the systems become unavailable.
- Both State and local election officials have disaster recovery plans.
- We continuously back up our IT systems and the data in the systems.
- We test plans and practice responding to various scenarios.
- There are contingency plans in place for early voting and election day. If the electronic pollbooks can’t be used, each voting location has either a back-up electronic or paper list of registered voters.
If the scanning unit won’t accept voted ballots, each unit has an emergency ballot bin where voters can deposit voted ballots for counting later. Replacement equipment must be deployed within 2 hours but during this time, voting will continue.
Maryland’s voting system is a paper-based system. This means that if the results on the thumb drives can’t be used, election officials can use the paper ballots marked by voters to generate election results.
Were we ready for the 2018 elections?
Although much of the work of election officials ebbs and flows, our cybersecurity work does not – it is continuous.
- We welcome the additional resources DHS has made available to election officials. These free services help us confirm other findings and identify areas of improvement.
- We have mature IT systems that are protected and monitored in multiple ways.
- We review and test our disaster recovery efforts.
- We remind the election community of the need to be vigilant to protect the systems from phishing attacks, malware, ransomware and other methods of attacks.
- We are including in contracts requirements for vendors supporting the election process. These requirements include installing updates and having and testing disaster recovery plans.
We’ve made some changes since the 2016 elections, but that’s what we should be doing as systems and risks evolve. We have more information about the security features and best practices related to the voting system and the online voter registration system and voter registration database.
Does a company that works with the State's election systems have ties to Russia?
In July 2018, the FBI notified us that ByteGrid, an Annapolis-based company that hosts certain election systems, had been acquired by a New York-based private equity firm that is partly owned by a Russian citizen. The FBI stated at that time that they had no evidence of wrongdoing and notified SBE of the information.
In response to this information, we asked DHS to conduct an independent, exhaustive, and on-site assessment of State systems hosted by the company. In November 2018, we received the DHS report. The report states that DHS’s Hunt and Incident Response Team “did not identify any indications that a compromise had occured on [our] network or [the election systems hosted by ByteGrid].” (Emphasis added.) In other words, DHS did not find any evidence that our main network or the systems hosted by ByteGrid have been compromised. Since parts of this report include specific information about our network and systems, we have redacted those parts to protect the systems and the data.
What are our next steps?
At the end of 2018, ByteGrid LLC transferred ownership of its Annapolis data center to Intelishift, a privately owned, Virginia-based data center. Based on our research (including information from the federal government), this sale means that the data center hosting several of SBE's election systems no longer has connections to Russian investors. In response to this information, SBE extended its contract with the Annapolis data center through December 31, 2019. We will continue to monitor the systems vigorously and strive to make our election systems and data as secure as possible.
What should I know about election security?
The partnership between State, federal and private sector security experts is working. We have no higher priority than ensuring the integrity of our election systems. The rapid evolution of physical and cyber risks requires that we be constantly vigilant, sharing information with federal, State and private sector partners, and holding vendors to tough standards of accountability. While there is no evidence of security breaches at this time, we are and will continue to utilize every appropriate and available resource to safeguard our election system from malicious intent.
We hope that this information assures Maryland voters that we have taken the appropriate steps and implemented best practices for information systems to protect the systems and data we use to conduct elections. From the voter registration process to the voting process to the posting of election results, we have ways to protect, monitor, test, and restore the systems and processes. We are constantly looking for ways to enhance how we protect these systems and respond to new risks.
If you have a question that we haven’t answered here, please submit your question via our Feedback Form.