Recognizing and Addressing Threats to Statewide Voter Registration Databases
An unclassified DHS/CISA report presents historical reporting and threat assessments concerning voter-registration databases, outlines possible exploitation of compromised data, and recommends mitigations for state and local election officials.
The report characterizes itself as an unclassified overview of threats from foreign and domestic actors, based on intelligence-community, law-enforcement, and state-election reporting. It is an advisory threat assessment for state and local officials, not a new investigation establishing each cited event independently.
“This product provides an unclassified overview of the threats to statewide voter registration databases from both foreign and domestic actors.”
The historical survey says Russian actors accessed voter-registration files from a U.S. county website in at least two instances in 2016. It also recounts CISA/FBI reporting that members of the Iranian Republic Guard Corp obtained voter-registration data in at least one state during 2020 attempts; these are summaries of cited reports rather than duplicate corroboration.
“in at least two separate instances, Russian actors accessed voter registration files from a US county website.”
The report assesses that compromised identity fields could enable absentee-ballot requests for low-propensity voters or be used to alter addresses, polling places, and party affiliation; it also warns that deletion at scale could disrupt election administration. These are hypothetical attack avenues in this section, not findings that such exploitation occurred.
“That information could enable bad actors to request absentee ballots at scale for low-propensity voters.”
The report argues that PII breaches outside voter-registration systems may still create election risk because Social Security numbers, addresses, names, birth dates, and driver’s-license numbers overlap with data used to maintain voter rolls and verify absentee-ballot requests. It provides commercial-breach examples but does not show that the exposed information was actually used against an election.
“Because much of this same data is used to verify voter eligibility, maintain voter rolls, and verify identity for absentee ballot requests”
Recommendations include frequent offline backups and tested restoration, multifactor authentication and least privilege, DDoS coordination, network segmentation, endpoint monitoring, and tested incident-response and ransomware-recovery plans. The conclusion encourages state officials to collaborate with DHS on election-infrastructure security.
“States should schedule frequent, routine back-ups of the voter registration database files and store them securely offline.”