By the end of the summer, all 100 county boards of elections in North Carolina will be rid of the computer servers that hold voter registration data. The information will be stored in the cloud instead.
This is an early step in what will be a yearslong and nearly $3 million process to upgrade state and county election systems to improve security, usability and efficiency, according to the N.C. State Board of Elections.
The state will upgrade its voter registration and back-end data management, which are essential for running elections but little seen or understood by voters. The changes will not affect voting machines or the election equipment that makes, scans and counts ballots.
Originally designed in 1998 and put in place statewide in 2006, North Carolina’s current election information management system is made up of a network of data servers in the state office and every county, woven together by a network of computer programs.
That was “almost another geological era of cybersecurity risk management,” according to John Sebes, co-founder and chief technology officer at the nonprofit Open Source Election Technology Institute. Back then, election administrators were not worrying about computer hacks from foreign nations or even criminals looking to make a buck.
“We have to recognize it’s not just the technology front that’s evolved so much; it’s the threat,” Sebes said.
The scope of the projects shows how election administration has evolved since the turn of the century. Running elections now requires handling ever more data managed through increasingly complex voting technologies, all while protecting against the kinds of cybersecurity threats that challenge major corporations and the federal government.
‘Limit the surface area of attack’
Updates planned over the next three years will make cybersecurity practices more consistent across all 100 county boards of elections, streamline updates to the back-end systems, write new software for use at the county and state levels, and replace the state servers with new hardware, according to Brian Neesby, chief information officer for the State Board of Elections.
Moving voter registration data from county servers to the cloud lays the foundation for all the other changes.
“This is a big step toward the implementation of modernization as opposed to talking about modernization,” said Derek Bowens, Durham County’s election director.
The State Board of Elections often consults with county election directors on elections improvements, and Bowens said he hopes that the board will consult with directors like him in the process of designing the new election management system.
Several other agencies have an interest in how the State Board of Elections runs. The board coordinates its security stance with other state agencies, like the Department of Information Technology and the Department of Public Safety, and with federal agencies, including the National Guard, FBI and Department of Homeland Security.
When complete, the state’s election infrastructure will be more resistant to computer attacks, and managing election data should be easier, Neesby said. Election security experts agree, with one important caveat: if it is done correctly.
North Carolina is adding Microsoft into the mix to take advantage of the kind of computer servers and security that only a multinational tech company can provide.
The state’s plan to move the counties’ voter registration systems to the cloud by the end of the summer means putting the data on Microsoft’s servers to be accessed remotely in each county.
“Overall, the migration will improve our security posture because we will limit the surface area of attack; the cloud will allow us to exert easier control over our security practices,” Neesby wrote in an email to CPP.
Relying on companies like Microsoft can be a two-edged sword, according to Duncan Buell, chair emeritus in computer science and engineering at the University of South Carolina. If the contract is written well and the software that will connect the counties to the cloud is secure, the move will likely be an improvement.
But since Microsoft serves some of the most important government and commercial clients, it is a huge target, Buell said.
“They will be attacked by everybody, and they have been attacked by everybody,” Buell said.
In the past, governments have been hesitant to store sensitive state data on a private company’s computers, Sebes said, because it raises questions about data ownership and custodianship.
But in the age when the technological capacity of companies like Microsoft far outpace what local governments are able to offer and with the development of specific products for government use, states are getting over old fears, Sebes said.
“All you’re really losing control of is where the hardware lives and who does the physical security, and who does the personnel security for the physical data center staff,” Sebes said. “That’s a reasonable amount to give up.”
Responding to the threat
In March 2020, malware froze Durham County’s website and many of its computer systems. The hack did not seem to target the county’s voting systems, which were not directly affected. However, since the attack happened so close to the primary election and threatened to delay post-election audits, it raised alarms.
The county Board of Elections installed a localized version of its election management system and was quickly able to overcome other inconveniences like disabled phone lines and limited access to emails. In the end, the audits were only slightly delayed.
This kind of computer attack has become more common across the country and is just one of many ways hackers can inject chaos into an election.
Though the ultimate impact on Durham’s primary election was minimal, the incident showed the importance of running election systems independently of other government systems, creating redundancy in the system and establishing backup plans in place should something fail.
Doomsday scenarios include scrambling the voter registration system so it is impossible to know who can vote, cutting power to the grid in major cities or a successful disinformation campaign convincing enough people to not trust the election results. Another worst-case scenario is the much-discussed but low likelihood of a hack into voting machines.
Though Russian state hackers probed voter registration databases in all 50 states in 2016, successfully infiltrated Illinois’ system and compromised one voting systems contractor, no votes were changed, and the outcome of the election was legitimate.
The sudden awareness of foreign nations’ attempts to interfere in U.S. democracy sparked a dramatic response from Congress and federal agencies. The federal government found state election systems were vulnerable and needed significant security upgrades.
In January 2017, the Department of Homeland Security designated election infrastructure as part of the nation’s “critical infrastructure,” meaning it is among the most important systems keeping the country functioning.
The designation and its accompanying changes fueled a consensus among election experts and the federal and state governments that the 2020 elections were the most secure elections ever held in the United States.
There is also consensus that states still have room to improve.
Upgrades a matter of budgets, funding not guaranteed
Counties and the Board of Elections have wanted to upgrade the voter registration system “for the better part of a decade,” Neesby said, but they did not have the funding or the staff.
Election officials weren’t originally thinking about security. They just wanted to make a cumbersome system more streamlined, according to Neesby.
But with the cybersecurity threat to U.S. democracy laid bare in 2016, the federal government increased funding and resource sharing with states to shore up their election systems.
At the moment, federal funds through the Help America Vote Act pay for almost two-thirds of the state board’s IT personnel, according to a statement from the board’s spokesperson, Pat Gannon, which he released opposing the Senate’s proposed budget, which would cut off these resources.
Without federal funding, the state could not modernize its election management system, Gannon wrote.
A funding loss would put the state in a difficult position, as its current systems are “outdated and subject to predictive faults, memory and functional limitations and inadequate reliability,” according to the part of the state board’s IT report focused on replacing state servers.
North Carolina is not an outlier in using old technology. Without funding or an external force, state governments are often reluctant to upgrade their election systems, Buell said.
South Carolina only upgraded its voter registration software after the state bought new electronic poll books that didn’t work with the old programs, Buell said. He served on the Richland County Board of Elections for two years and worked with the League of Women voters to advocate for election security.
North Carolina counties will not experience much change when the state board transfers the registration data to the cloud, according to Sara LaVere, elections director for Brunswick County. The login process and interface will change a little, and the state will dispose of the county server, she said.
The bigger changes will be phased in step by step over the next couple of years, according to Neesby. The state is rewriting software for the entire registration management system, designed for use in the cloud.
“The current system was built in 1998, which is an antiquated coding and software platform that has reached end-of-life for software and hardware functionality,” the state board’s IT report reads. “Modernization is necessary for functional and security reasons.”