This section of our website is dedicated to educating Maryland voters about how State and local election officials protect election systems and data. Securing systems and data is a continuous effort in Maryland’s elections community, and the systems and data we use are protected by the industry accepted best practices for critical information systems. We hope that this information is useful and assures you that Maryland’s election officials are serious about protecting our election systems and data and voters can be confident about the integrity of the election process.
How do we keep Maryland’s election systems safe?
Each election system is designed and used differently. As a result, the risks of each system and how we mitigate those risks are different.
For example, the certified voting system is never connected to the Internet. This means that the risks associated with the Internet are not present. We, however, use encrypted removable media to transfer election results. This means that we take steps to address the risks associated with securing data on removable memory devices. By contrast, the online registration and ballot request system is connected to the Internet. As a result, we must manage the risks associated with the Internet.
Generally, we use a multilayer defense or “defense in depth” to protect election systems and voter data. Simply put, we use various tools to protect the systems – one check verifies another check and redundancies exist to protect and restore systems and data.
- We use vetted and experienced vendors to host, maintain, and protect systems. They use analytics tools and artificial intelligence to monitor websites and SBE network traffic and identify unusual behavior.
- We have an in-house team dedicated solely to securing election systems and data.
- We take advantage of the cybersecurity services offered by the Department of Homeland Security (DHS).
- Each week, CISA scans our websites looking for vulnerabilities and reports on their findings.
- CISA periodically performs Risk and Vulnerability Assessments on many of our systems. These assessments include penetration testing, web application testing, and social engineering exercises.
- CISA performed in-depth non-technical assessments on critical systems. These assessments help us understand how resilient our systems are and how we manage cyber risk, and we continue to use these assessments to guide our work.
- CISA performed an assessment of our cybersecurity practices on critical systems and how we manage risk associated with our vendors and third parties we rely on (for example, public utilities, telecommunications).
- We take advantage of other services offered by CISA. CISA representatives have assessed local election offices and warehouses to improve the physical security of the buildings.
- We regularly perform software updates and verify that local election officials' computers are also updated.
- We continuously update systems to more secure and robust platforms and equipment.
- We follow the State of Maryland's IT practices and generally accepted IT best practices to protect all of our systems and data.
- We own vulnerability scanning and penetration testing tools and regularly run scans, analyze results, and mitigate findings.
- We look for patterns in voter registration and mail-in voting behavior to identify possible unauthorized transactions.
- We only use a voting system that has been thoroughly tested at the federal, state and local levels.
- The voting system has been tested by a federally certified testing lab and approved by the U.S. Election Assistance Commission. The federal testing process includes security reviews as part of the testing process.
- The voting system has been tested at the State level. Before the current system was first used in 2016, we performed rigorous testing before we recommended it for use.
- Each voting unit is tested before it is accepted into the State's inventory and each voting unit is tested before each election.
- We have confirmed the accuracy of the voting system's results.
- We follow strict security and chain of custody procedures.
- We practice responding to cyber and non-cyber incidents so we are ready if one happens.
- We conduct comprehensive post-election audits (PDF) to verify the integrity of the entire process. These audits are heavily focused on custody of critical election supplies (for example, thumb drives used in the voting equipment), voter transactions, and the accuracy of the election results.
- We receive and share cybersecurity information in a timely manner. We receive alerts from the federal government – including CISA and the U.S. Election Assistance Commission – and the Multi-State Information Sharing and Analysis Center (MS-ISAC), share this information with local election officials, and take action based on these alerts. We also attend security seminars and trainings.
Are we ready for the 2022 elections?
Although much of the work of election officials ebbs and flows, our cybersecurity work does not – it is continuous.
- We welcome the additional resources CISA has made available to election officials. These free services help us confirm other findings and identify areas of improvement.
- We have mature IT systems that are protected and monitored in multiple ways.
- We review and test our disaster recovery efforts.
- We remind the election community of the need to be vigilant to protect the systems from phishing attacks, malware, ransomware and other methods of attacks, and we regularly test our response to these types of attacks.
- We have personnel with information security expertise to enhance how we protect our systems and data.
- We include in our contracts requirements for vendors supporting the election process. These requirements include installing updates, having and testing disaster recovery plans, and meeting federal standards for securing IT systems.
We’ve made some changes since the last elections, but that’s what we should be doing as systems and risks evolve. We have more information about the security features and best practices related to the voting system and the online voter registration system and voter registration database.
How do we know that the voting system counts accurately?
The system that will process and count ballots in the 2022 Primary and General Elections - the State’s paper-based voting system - is the same system that processed and counted ballots in the 2016, 2018, and 2020 elections. We have confirmed with post-election audits that the voting system counted ballots correctly and reported results accurately. After the 2016 General Election and every election since then, an independent software audit program retabulated all of the ballot images from each election and confirmed the accuracy of the election results for these elections. The results of the 2020 General Election were also confirmed by a manual audit of voted ballots. For the manual audit, election officials hand tally voted paper ballots and compare the hand tally against the voting system’s results for the same ballots.
This voting system has accurately counted over 10.3 million ballots since the 2016 Primary Election.
How are mail-in ballots securely delivered?
Most mail-in ballots (also called absentee ballots) are delivered by the USPS. If a voter requests an electronically delivered absentee ballot, the ballot is delivered via a secure website. On the website, a voter can choose to print a blank ballot and mark the ballot by hand or mark his or her ballot using an online tool and print the ballot. All voted mail-in ballots must be returned by mail or personally delivered to an official ballot box or to an election official. Ballot boxes, which were introduced in the 2020 General Election, are under 24/7 surveillance and access to the box is limited to authorized election officials.
How would we recover if one or more of our systems or data is compromised?
Although we rigorously and continuously protect our systems, we also have equally rigorous plans to restore systems and return to “business as usual” if any of the systems become unavailable.
- Both State and local election officials have incident response and disaster recovery plans.
- We continuously back up our IT systems and the data in the systems.
- We test plans and practice responding to various scenarios.
- There are contingency plans in place for early voting and election day. If the electronic pollbooks can’t be used, each voting location has either a back-up electronic or paper list of registered voters.
If the electronic devices we use to check in voters can’t be used, each voting location has either a back-up electronic or paper list of registered voters.
If the scanning unit won't accept voted ballots, each unit has a secure, emergency ballot bin where voters can deposit voted ballots for counting later. Replacement equipment must be deployed within 2 hours but during this time, voting will continue.
Maryland’s voting system is a paper-based system. This means that if the results on the encrypted removable media can’t be used, election officials can use the paper ballots marked by voters to generate election results.
What should I know about election security?
The partnership between State, federal and private sector security experts is working. We have no higher priority than ensuring the integrity of our election systems. The rapid evolution of physical and cyber risks requires that we be constantly vigilant, sharing information with federal, State and private sector partners, and holding vendors to tough standards of accountability. While there is no evidence of security breaches at this time, we are and will continue to utilize every appropriate and available resource to safeguard our election system from malicious intent.
We hope that this information assures Maryland voters that we have taken the appropriate steps and implemented best practices for information systems to protect the systems and data we use to conduct elections. From the voter registration process to the voting process to the posting of election results, we have ways to protect, monitor, test, and restore the systems and processes. We are constantly looking for ways to enhance how we protect these systems and respond to new risks.
If you have a question that we haven’t answered here, please submit your question via our Feedback Form.