How voter registration databases are vulnerable to nefarious actors

Cris Thomas (aka Space Rogue), global strategy lead at IBM X-Force Red, discusses the risks of data being changed or removed in voter registration databases and how voters can counter these actions.

CNET's Dan Patterson interviewed Cris Thomas (aka Space Rogue), global strategy lead at IBM X-Force Red, about the risks of data being changed or removed and how voters can counter these actions. The following is an edited transcript of the interview.

2018: Election Hacking is a weekly series from TechRepublic sibling sites, CBS News & CNET, about the cyber-threats and vulnerabilities of the 2018 midterm election.

Dan Patterson: At Black Hat this year in 2018, there were a lot of stories published about an 11-year-old, or a young person took a replica of a state website and was able to target it. I know this isn't exactly election machines, but it's kind of the process around voting and voting machines. Help us understand what actually happened here.

Cris Thomas: Well, it was an interesting setup. The replica of the websites that were used were not exact copies. There were some vulnerabilities that were included in the replicas that were not on the actual websites themselves. However, it does illustrate how easy it can be to access some of these systems that are connected to the internet. While they may not be voting computers themselves, there are other various parts of the election infrastructure that are connected to the internet such as voter registration databases. And that's what we're hearing a lot about in the news these days is these registration databases that have been copied or downloaded from various states by various actors. But one thing I think that people need to remember is that the information that is contained in those databases is public information. You can go, as a member of your county or your precinct, go to your county courthouse and request a copy of that data. All the major political parties have that data, marketers have that data. It's bought and sold from various companies. So the fact that some nefarious person was able to download a copy of it isn't that big of a deal.

SEE: Cybersecurity and the 2018 Midterms (TechRepublic Flipboard magazine)

What is a big deal is if they change that data or drop people who thought they were registered and then they are no longer registered. And so when they show up on election day they're told they're not in the polls. But the counter to that is if you're a voter, and you go to your polling place and they say you're not registered, ask to submit a provisional ballot. By submitting a provisional ballot, your vote is still cast on Tuesday, like everybody else's, and then you can go back and verify whether or not you're registered later. And if you are registered, your vote will still count.

Also see


About Dan Patterson

Dan is a Senior Writer for TechRepublic. He covers cybersecurity and the intersection of technology, politics and government.

Editor's Picks

Free Newsletters, In your Inbox