States Waiting To Share Voter Data While Kansas Shores Up Security

Jan 18, 2018

Some states fear that a Kansas voter record system could fall prey to hackers, prompting a delay in the annual collection of nearly 100 million people’s records into a database scoured for double-registrations.

Kansas Secretary of State Kris Kobach touts the program, called Crosscheck, as a tool in combating voter fraud. Last year, 28 states submitted voters’ names, birth dates, and sometimes partial social security numbers, to Kobach’s office.

But last fall, the news outlets ProPublica and Gizmodo reported a raft of cybersecurity weaknesses. For instance, Crosscheck relied on an unencrypted server for transmitting all that data.

Election officials in other states told Kansas to fix the problems, a process Kobach’s office says is nearly complete.

“We still have work to do finishing testing everything,” said Bryan Caskey, who handles elections matters in Topeka. “We all just need to make sure that we’re doing everything we can to ensure the integrity of the program.”

Normally Kansas starts collecting voter registration records from other states on Jan. 15, but hasn’t started yet this year because of the security weaknesses.

The Illinois election board nearly pulled out of Crosscheck last fall. Matt Dietrich, a spokesman for the agency, said his agency gave Kansas with a list of IT problems that need fixing before their state will send any more data.

“They’re not going to be able to just give us a date,” Dietrich said, “and have us give them data — until they address these things that we told them about."

Kobach’s will no longer rely on that unencrypted data transmission system, which ran through the Arkansas Secretary of State.

“In this year’s version of the program, Kansas is taking all that in-house,” Caskey said.

Though it relied on Arkansas for data transmission — letting states upload their records and get lists of potential double-registered names in return — Caskey said Kansas had already been handling data storage without that state’s help. Now, he said, the Kansas office is confident it can handle the transmission safely, too.

Storing data for other states landed a Kansas state agency in trouble last year. Hackers accessed more than 5.5 million social security numbers stored by the Kansas Department of Commerce on behalf of 10 states.

In 2016, legislative auditors completed a three-year review of information technology security at 20 Kansas agencies that store sensitive information. They turned up significant weaknesses at most, including unpatched vulnerabilities that could open the door to hackers. The Secretary of State’s Office was not part of that audit.

Caskey said legislative auditors last reviewed his office’s IT security several years ago, and that they found no problems.

More recently, he said, the office hired an outside firm to review its cybersecurity. The U.S. Department of Homeland Security is also reviewing Kansas’ election systems for safety, including Crosscheck. That’s part of the office’s efforts to revamp security since the 2016 elections.

"So we're doing everything that we know to do,” he said. Threats evolve over time, he said, but “I'm as confident as I can be today."

Celia Llopis-Jepsen is a reporter for the Kansas News Service, a collaboration of KCUR, Kansas Public Radio, KMUW and High Plains Public Radio covering health, education and politics. You can reach her on Twitter @Celia_LJ. Kansas News Service stories and photos may be republished at no cost with proper attribution and a link back to kcur.org.