The Washington PostDemocracy Dies in Darkness

Here’s why cybersecurity experts say Maryland’s ballot delivery system is a target for hackers

A voted places a sticker on her sweater after voting in 2012 in Illinois. (AP Photo/Seth Perlman)

Cybersecurity experts are asking lawmakers to bring Maryland’s ballot access laws — which they say prioritize accessibility to an extent that makes the voting system vulnerable to hacking — in line with other states ahead of November’s elections.

Information revealed last month by special counsel Robert S. Mueller III about Russian interference in the political process highlights the need for states to examine the security of voting systems, advocates and computer scientists warn. But legislators say they must balance those concerns with ensuring ballots can be easily obtained by all eligible Marylanders who want to vote.

“There is a tension there,” said state Sen. Cheryl C. Kagan (D-Montgomery). “With all the news of election tampering in 2016, it’s critically important that voters have confidence in the security and accuracy of our elections . . . . We are also a fairly progressive state that wants to make it reasonably easy for people to vote.”

Maryland is one of three states in which any resident can receive their ballot online and the only state in which there is no signature verification process required by law, advocates said. To have their ballots counted, residents must print them out and return them by mail or in person.

Russians “have already demonstrated that they have all of the tools they would need, and know how to use them, to impersonate real Maryland voters,” Rebecca Wilson of the nonpartisan group SAVE Our Votes said during a committee hearing in the state Senate last month.

4 things we learned from the indictment of 13 Russians in the Mueller investigation

Nikki Charlson, deputy administrator of the Maryland State Board of Elections, said the General Assembly made “a policy decision” that every absentee voter should be able to receive a ballot electronically upon request. The board has worked to “make sure that system is secure,” she said.

“We would not offer a system if we didn’t think it was secure for voters to use,” Charlson said.

But advocates say board officials overestimate the state’s ability to detect hacking.

The scenario they lay out is this: Bad actors — whether inside or outside the United States — could send out “phishing” emails to voters from addresses similar to the State Board of Elections account. Following links in these emails, voters would give up their credentials while mistakenly thinking they had completed and sent in legitimate ballots.

Meanwhile, the bad actors could use the credentials to receive the actual ballot from the board, sent to an email address of their choice. They could then send it in to be counted on Election Day.

Counties would have little way of distinguishing legitimate absentee ballots from fake ones, the advocates say, because Maryland does not check signatures.

In a different scenario, there could also be “chaos on Election Day” if residents go to vote in person and realize their information has been hacked by someone who submitted fraudulent absentee ballots in their names, said Poorvi Vora, a professor of computer science at George Washington University.

The scenarios are strictly hypothetical — officials said they detected no signs of such attempted hacking in Maryland during the 2016 election, and nationally, there have been no widespread campaigns in which hackers mailed in fraudulent ballots.

Md. moves forward with online voting despite warnings from cyberexperts

Charlson said that advocates’ information is incomplete and that “continuous monitoring” is used to mitigate risk created by the online delivery system.

She said she could not publicly share everything the elections board does to guard against hackers because of security concerns.

“Every system has risks,” Charlson said. “We bank and pay bills online, and we do so knowing the risks. We have, however, an obligation to make our online systems as secure as possible.”

Phishing, she added, is “certainly” a concern for the board, which encourages voters to call and ask for information if they have questions about the legitimacy of an email from the board.

Lawmakers opened up the online absentee ballot delivery system to all residents — previously it had been available only to those with disabilities — ahead of the 2016 election cycle, despite concerns from a vocal group of computer scientists and advocates.

The goal was to increase voter participation rates in the state and to make sure accessibility of ballots was not a barrier to voting.

But that goal has not come to fruition, said Sen. Edward J. Kasemeyer (D-Baltimore County), who is sponsoring a bill, backed by advocates and cybersecurity experts, to allow only residents who have disabilities, live overseas or serve in the military to have their ballots delivered online.

The percentage of absentee voters has remained steady over time despite changes to the law, and people who requested online ballots have returned them at lower rates than those who asked for paper ballots, Wilson said. In 2016, 71 percent of voters who received their ballots online returned them, compared with 82 percent who received a hard copy in the mail, she said.

In other efforts to make voting more accessible, the General Assembly has approved bills this session to prohibit municipalities from requiring residents to provide a reason for requesting an absentee ballot and another bill that allows for automatic voter registration at various state agencies.

The version of the bill to limit online ballots that was introduced in the House of Delegates in February did not advance beyond committee.

Kagan said its limits on who can receive their ballots online seemed to her too “constrictive.”

“We have to look carefully at implementation to make sure we’re not disenfranchising a swath of voters,” Kagan said. She said she hoped to introduce amendments that would allow people, including college students, first responders who are out of the state and those on emergency out-of-state trips, to get their ballots online.

Alaska and Washington are the only other states that allow any resident to request an absentee ballot online. But both states have signature verification processes in place, unlike Maryland, officials said.

Read more:

Mice in the couches, mold on the walls: Years of problems at this government-funded shelter for abused women.

Class-action lawsuit says D.C. is destroying belongings of homeless

Drugs, lies, bribery exposed in Virginia’s transportation agency