N.H. Not Among States Seeking Cybersecurity Help Ahead of 2018 Elections

Feb 26, 2018

With its paper ballots and in-person registration requirements, New Hampshire's voting system is less digitally wired — and therefore somewhat less susceptible to cyberattacks — than many of its peers.

But this state, like all others, also maintains an online database with personal information on all of its registered voters. Federal security officials have offered to scan these systems for possible vulnerabilities as part of a broader package of “cyber-hygiene” efforts ahead of the 2018 elections, but New Hampshire election officials have said no thanks.

More than 30 states have reportedly partnered with the U.S. Department of Homeland Security to safeguard their systems against hacking in advance of this year’s midterm elections. At this point, New Hampshire isn’t one of them — and the state’s elections officials remain wary of allowing the federal government to in any way encroach on their autonomy when it comes to voting procedures.

“We believe that the elections are the purview of the states,” says Deputy Secretary of State Dave Scanlan. “We don't want to see a federalization of elections, and when you open the door to their help, if it really isn't needed, it is problematic.”

Scanlan said the Secretary of State’s office hasn’t yet started working with state-level officials on cyber-preparedness efforts for the 2018 elections, but he's confident that New Hampshire’s Department of Information Technology can keep the door closed to would-be intruders.

“New Hampshire's centralized voter database is pretty much standalone,” Scanlan said. “There is external reachout to the supervisors of the checklist and the town clerk, but there really is no other system that is tied into that that creates a door that could be opened to obtain that information.”

The state does share information from its voter database with at least one other source: The Interstate Voter Registration Crosscheck Program (often referred to simply as “Crosscheck”), a system designed to allow election officials to flag voters who are registered in multiple states in an effort to detect possible cases of wrongful voting. (Being registered to vote in more than one place is not, itself, a crime, as long as you don’t vote in more than one place in any given election.)

The Crosscheck program has come under scrutiny for “data security flaws that could imperil the safety of millions of peoples’ records,” as detailed by the investigative reporting outlet ProPublica and others. The technology blog Gizmodo has also detailed Crosscheck’s cybersecurity issues, noting in part:

“In 2014, the Virginia State Board of Elections accidentally sent Kansas the first four digits of voters’ Social Security numbers instead of the last four digits. In the same year, Idaho officials were told to cancel registrations of potential multi-registrants, only to be informed a month later that instruction was given in error. States have routinely downloaded the wrong voter files or mistakenly deleted files intended for other states to download.”

Citing concerns about such security vulnerabilities, a group of Democratic lawmakers in New Hampshire introduced a bill to end the state’s participation in Crosscheck earlier this year. It failed along party lines when it came up for a vote in the Senate.

Scanlan said New Hampshire takes steps to protect the information it shares with the Crosscheck program.

“The information that we send to the Crosscheck program to be matched is double-encrypted,” Scanlan said. “And it requires the recipient host of that information to call our office to get the password to open it up so the matches could be made.”

A recent report from a left-leaning think-tank raised further questions about how well-protected New Hampshire’s election systems are against cyberattacks.

The Center for American Progress, a liberal policy outfit based in Washington, gave New Hampshire election systems a “C” grade on a newly released cyberpreparedness report card. (The Granite State was hardly alone: 23 other states received a “C,” while another 17 received a “D” or “F.”) 

In New Hampshire’s case, the report found fault with the state’s lack of any mandatory post-election audits, which can be used to detect possible tampering.

Report author Michael Sozan said New Hampshire’s reliance on paper-based election systems puts it in a better position than many others who rely on online voter registration and voting tools — but that doesn’t mean outside interference is entirely out of the question.

“Some people say, okay, well there can’t be hacking or tampering if the machines are not really hooked to the internet, but that’s not true,” Sozan said. “There can still be tampering with individual machines, and sometimes the machines are even networked amongst themselves.”

New Hampshire officials declined to respond to the center's questions as part of the research phase of the report, writing that "openly publishing the details of [New Hampshire's] cyber security efforts would be, by itself, a degradation of those strategies." 

In an interview, Scanlan said mandatory post-election audits have been contemplated several times before.

“It's not something this office has closed the door on,” Scanlan said. “But we believe that if there was some type of a post-election audit of those devices to take place, it should be done at the state level, there should be uniform procedures across the board, there should be a scientific basis for the sampling that is occurring, and it should not be done on the local level on election night with a bunch of different moderators conducting the audit however they think is best.”