ANNAPOLIS, Md. — Maryland legislators learned last week the state’s electronic balloting system may need better security measures to protect voters’ information and that the lawmakers must be the ones to add those protections.
The state’s electoral board told lawmakers Sept. 6 that they are powerless to make those changes, and that any security changes must directly come from the legislative body.
Last year, the state’s Board of Elections voted 4-1 to certify a new system for online ballots, even though experts in cybersecurity and computer science publicly objected. While nearly all states have a system in place for signature verification, the General Assembly did not vote last year on the topic so there was no verification system in place, leaving Maryland as the only state in the nation without one, according to a report last year by Capital News Service.
State officials last week acknowledged the importance of election security in the wake of the 2016 presidential race, after which reports indicated that Russian hackers obtained information from the Democratic campaign illegally. Former director of the FBI Robert Mueller is leading a Justice Department probe into the Trump campaign’s possible collusion with the Russians.
But, State Sen. Steve Waugh, R-Calvert and St. Mary’s, says he believes there is no need for Maryland voters to worry that their ballots were modified last fall.
“(The Russians) want to destabilize America by delegitimizing our government,” Waugh said. “I firmly believe though that Russian interference had zero to do with ballot outcomes anywhere in the state or the nation for that matter.”
Linda Lamone, administrator at the Maryland State Board of Elections, said at the hearing that there has been no evidence found of election interference in the state, but that extra security precautions would be good.
No new security measures are imminent, but Waugh and his peers are committed to finding a bipartisan solution that won’t cost the state too many tax dollars, he said.
“I believe everyone in state and local elections, as well as outside contractors, have their hearts in the right place and want some change,” Waugh said.
Issues surrounding the process of absentee balloting were the main point of concern throughout the three-hour hearing. The current process for requesting an absentee ballot can be done online only if a voter has a Motor Vehicle Administration ID number, the date of issue, and the last four digits of their Social Security number, according to Director of Voter Registration Mary Cramer Washington.
One flaw was a program error that allowed voters to submit their full Social Security numbers. While there is no evidence that any personal data was stolen, the nine-digit identification numbers for 14 percent of Maryland voters were at risk, according to an analysis, performed by the Office of Legislative Audits from October 2015 to April 2016, which covered information from August 2012 to October 2015.
If security isn’t restrictive enough, personal information could leak, which happened at the University of Maryland when hackers stole more than 300,000 personal records from the university’s personal information database.
The Maryland State Board of Elections ran a program to remove the extra digits from the database and the program has been modified to allow only four numbers to be entered, according to Nikki Charlson, deputy administrator at the board.
This issue and others were caused by a lack of oversight from the electoral board, which did not ensure the accuracy or security of data in some cases, according to Steve Jersey and Adam Westover, who both led the audit. Jersey and Westover recommended the electoral board send a letter to Attorney General Brian Frosh in order to quickly implement changes, according to Charlson.
Legislators and auditors also criticized the information needed to obtain an absentee ballot. In the current system, voters can obtain a ballot by mail without their driver’s license information or any part of their Social Security number. The information that is required — including date of birth and address — is often publicly available, which could enable identify thieves.
Charlson and Lamone told legislators that Frosh said in a letter that further security measures must be mandated in a law crafted by legislators.
“Ultimately it is their decision,” Charlson said. “We can, and will, offer our opinion of the administrative impact of the bill, but the attorney general told us it is not in our control.”
Directly after the hearing, a handful of delegates and senators briefly met to begin discussions about a possible bill to add that security, Waugh said. The first steps will be to figure out where to focus and how to allocate resources efficiently, he said. Even though the General Assembly won’t reconvene until Jan. 10, these discussions will continue out of session, Waugh said.
With a gubernatorial election slated for next fall, election security is a hot topic among Maryland legislators, Waugh said. There was concern from some lawmakers about protecting municipal elections, which occur in the state every year, so the legislative body wants to get this completed quickly, Waugh said.
“There’s a general consensus that things must change,” Waugh said. “A tighter and more secure system is better for the state and our citizens.”