Securing Voter Registration Data

Overview

Voter registration databases (VRDB) are rich targets and may be an attractive target for computer intrusions. This problem is not unique to individual states—it is shared across the Nation. The keys to good cybersecurity are awareness and constant vigilance.

What are the threats that may place voter data at risk?

Malicious actors may use a variety of methods to interfere with voter registration websites and databases. Some methods of attack are listed below and provide guidance that is applicable to VRDBs and many other computer networks.

• Phishing attempts are forged emails, texts, and other messages used to manipulate users into clicking on malicious links or downloading malicious file attachments. Phishing attacks can lead to credential theft (e.g., passwords) or may act as an entry point for threat actors to spread malware throughout an organization, steal voter information, or disrupt voting operations. For guidance to defend against phishing, see Avoiding Social Engineering and Phishing Attacks.
• Injection flaws are broad web application attack technique that attempts to send commands to a browser, database, or other system, allowing for a regular user to control behavior. The most common example is Structured Query Language (SQL) injection, which subverts the relationship between a webpage and its supporting database, typically to obtain information contained inside the voter registration database. Another form is command injection, where an untrusted user is able to send commands to an operating systems supporting a web application or database.
• Cross-site scripting (XSS)vulnerabilitiesallow threat actors to insert and execute unauthorized code in web applications. Successful XSS attacks on voter registration websites can provide the attacker unauthorized access to voter information. For prevention and mitigation strategies against XSS, see Compromised Web Servers and Web Shells.
• Denial-of-service (DoS)attacksprevent legitimate users from accessing information or services. A DoS attack can make a voter registration website unavailable or deny access to voter registration data. Contact your Internet service provider (ISP) to discuss ways they can help block DoS attacks targeting your organization. For more information on DoS, see Understanding Denial-of-Service Attacks.
• Server vulnerabilities may be exploited to allow unauthorized access to sensitive information. An attack against a poorly configured server running a voter registration website may allow an adversary access to critical information and to the supporting voter registration database itself.
• Ransomware is a type of malicious software that infects a computer system and restricts users' access to system resources or data until a ransom is paid to unlock it. Affected organizations are discouraged from paying the ransom, as this does not guarantee access will be restored to a compromised VRDB. For more information on ransomware, see the Cybersecurity and Infrastructure Security Agency (CISA) resource page on ransomware.

What prevention measures should I employ to protect against these threats?

CISA encourages election officials and network administrators to implement the recommendations below, which can prevent as many as 85 percent of targeted cyberattacks. These strategies are common sense to many, but CISA continues to see intrusions because organizations fail to use these basic measures:

• Patch applications and operating systems. Vulnerable applications and operating systems are the targets of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
• Implement application allow listing. Allow listing is one of the best security strategies as it allows only specified programs to run while blocking all others, including malicious software.
• Restrict administrative privileges. This may prevent malicious software from running or limit its capability to spread through the network.
• Implement input validation. Input validation is a method of sanitizing untrusted user input provided by users of a web application and may prevent many types of web application security flaws, such as SQLi, XSS, and command injection.
• Implement firewalls. When anyone or anything can access your network at any time, your network is more susceptible to being attacked. Firewalls can be configured to block data from certain locations (Internet Protocol [IP] allow listing) or applications while allowing relevant and necessary data through.

A commitment to good cybersecurity and best practices is critical to protecting voter registration data. Here are some questions you may want to ask of your organization to help prevent attacks against voter registration websites and databases:

1. Backups: Do we backup all critical information? Are the backups stored offline? Have we tested our ability to revert to backups during an incident?
2. Risk Analysis: Have we conducted a cybersecurity risk analysis of the organization?
3. Staff Training: Have we trained staff on cybersecurity best practices?
4. Vulnerability Scanning and Patching: Have we implemented regular scans of our network and systems and appropriate patching of known system vulnerabilities?
5. Application Allow Listing: Do we allow only approved programs to run on our networks?
6. Incident Response: Do we have an incident response plan and have we practiced it?
7. Business Continuity: Are we able to sustain business operations without access to certain systems? For how long? Have we tested this?
8. Penetration Testing: Have we attempted to hack into our own systems to test the security of our systems and our ability to defend against attacks?

How do I respond to unauthorized access to voter registration data?

Implement your security incident response and business continuity plan. It may take time for your organization's information technology (IT) professionals to isolate and remove threats to your systems and restore normal operations. In the meantime, you should take steps to maintain your organization's essential functions according to your business continuity plan. Organizations should maintain and regularly test backup plans, disaster recovery plans, and business continuity procedures.

Contact CISA or law enforcement immediately. To report an intrusion and to request incident response resources or technical assistance, we encourage you to contact CISA (central@cisa.dhs.gov or 888-282-0870) or the Federal Bureau of Investigation (FBI) through a local field office or the FBI's Cyber Division (CyWatch@ic.fbi.gov or 855-292-3937).

References

This information is being provided as a public service and for informational purposes. CISA does not endorse any person, company, product or service. References are presented alphabetically:

• Brennan Center for Justice (NYU School of Law): Better Safe Than Sorry: How Election Officials Can Plan Ahead to Protect the Vote in the Face of a Cyberattack.
  • https://www.brennancenter.org/publication/better-safe-sorry
• Center for Election Innovation & Research: Voter Registration Database Security
  • https://electioninnovation.org/2018-vrdb-security/
• Center for Internet Security (CIS) Benchmarks
  • https://www.cisecurity.org/cis-benchmarks/
• CIS: A Handbook for Elections Infrastructure Security
  • https://www.cisecurity.org/elections-resources/