On the afternoon of Oct. 5 — the last day to register in the state of Florida — prospective voters logged into registertovoteflorida.gov and were greeted with a roadblock. Messages in orange or red or black announced: “There is a problem with the page you are looking for, and it cannot be displayed” or “We are unable to process your request” or simply “This service is unavailable.” Other attempts to access the site never loaded at all, displaying a blank page in lieu of the registration portal.
Eight days later, voters registering last-minute in Virginia faced a similar predicament when they visited vote.elections.virginia.gov. A message on the page thanked them for coming but informed them that “due to a network outage the Citizen Portal is temporarily unavailable.” Feel free to print your ballot, though, and apply by mail by the end of day, the error message said.
These failures on the last day of registration in two pivotal states laid bare the ramifications of vulnerable voting systems that can crumble at the eleventh hour of a historic election. State officials scrambled to bring the portals back online and explain the errors. Advocates pleaded for judges to extend the voting deadlines, arguing voters had been robbed of a basic right at an essential time. And those clued into the world of rickety voting registration systems shook their heads in knowing disappointment.
“I don’t think anyone is in the position to pound the table and argue that these systems are robust,” said Mark Lindeman, director of science and technology policy at Verified Voting, a nonpartisan organization focused on election integrity and the responsible use of technology.
The temporary shutdown of these portals likely only impacted a small fraction of the states’ voters. (A federal judge in Florida predicted that the state’s website collapse left some 20,000 people unable to register, about .0014 percent of the state’s 14 million voters.) But in highly contested elections, a few thousand voters can mean the difference between a win and a loss.
“The hacker or failure doesn’t need to affect 100 percent of the votes to be effective or catastrophic. You only have to have enough go awry to change the margin of victory,” said Harri Hursti, a hacker and data-security expert.
Florida chalked up its outage — which state officials said lasted 15 minutes, though users reported several hours of errors — to “an extremely high volume of traffic.” Over the course of the afternoon, the website received an unprecedented 1.1 million requests per hour. Before that, roughly 213,000 Floridians had used the portal to register in all of 2020, according to Politico. A similar crash happened on the last day to register ahead of the midterm elections in 2018.
A large influx of requests can be the result of a denial-of-service attack, in which hackers clog a site with traffic until it collapses under the load. But typically those attacks generate millions of hits per second, rather than an hour.
Florida officials denied that any such attacks occurred.
“At this time, we have not identified any evidence of interference or malicious activity impacting the site,” Florida’s Secretary of State Laurel Lee said. Cloudflare CEO Matthew Prince, who leads the company that protects the state’s elections website, tweeted that he had seen no indications of a cyberattack.
In Virginia, which also experienced a computer glitch in 2016 that prohibited voters from accessing the site on the last day of registration, the explanation for the problems this month boiled down to a simple cable cut. A construction crew widening a state highway had inadvertently severed a fiber optic cable installed earlier this year to help the state handle increased web demand during the coronavirus. That disruption in a sleepy railroad town along the James River reverberated across the state, bringing down the statewide portal for several hours and forcing local election officials to manually confirm the registration status of voters who cast early ballots that same day.
Governor Ralph Northam maintained the issue in Virginia was unfortunate and accidental, saying the state did not have a backup plan for that particular cable and the episode showed the need to continue efforts at creating a secure network.
“Obviously, we have a lot of work to do,” he said in a press conference.
The line between incompetence and nefariousness hardly matters to Hursti. A system so fragile as to be brought down by a million requests — “a number that would have been unreasonable to handle 30 years ago, but definitely not today” — or one cut cable is not a system that should be entrusted with something as serious as voting, he said.
“We sometimes only talk about security in regards to hacking, but security is also availability and reliability, so in a sense, both of these states have already failed in administering a secure election,” said Hursti, who has often been called upon by state agencies to find vulnerabilities in election systems. He said some states have risen to the challenges imposed by an evolving cyber landscape, while others rely on “myriad byzantine old systems that should have been thrown away a long time ago.” He recalled one agency he worked with recently that was still using Windows XP, an outdated Microsoft operating system from the early 2000s.
Voter registration is the first piece of the puzzle in a citizen’s journey to cast a ballot, yet the process has been overlooked and neglected, according to election security experts. There are no federal certification standards for voter registration systems, which are the responsibility of each state and can vary widely in robustness and accessibility.
“The voting machines themselves are subject to all sorts of testing. We can talk about whether that’s adequate or not, but at least it is there,” said Dan Wallach, a professor at Rice University who studies electronic voting systems. “There are absolutely zero requirements when it comes to voter registration. Nothing, nothing, nothing.”
Researchers have long warned about vulnerabilities in electronic voting machines, many of which are outdated and finicky. But no wide-ranging study has been done on the voter registration systems across the country, despite the fact that it is one of the only elements of voting that can be completed entirely online in 40 states. A number of election cybersecurity experts reached for this article admitted they did not know enough about voter registration systems to comment on how susceptible they are to trouble and sabotage.
Online voter registration remains open in 11 states, including Utah (through Oct. 23), Iowa (Oct. 24), and Colorado (Oct. 26). The portals in the highly contested presidential battleground states of Michigan and Pennsylvania, and the electoral behemoth of California, close Monday. Fewer than 12,000 votes awarded Trump the victory in Michigan in 2016.
“I fully expect that we’ll see more problems,” admitted Wallach.
Meanwhile, in Florida and Virginia, the question of whether or not to extend voter registration deadlines in the wake of portal failures was thrust upon the courts. A federal judge in Virginia quickly acted to extend the deadline two days, arguing the shutdown caused “tremendous harm.”
After a brief 19-hour extension in Florida, US District Court Judge Mark E. Walker denied a motion by voter advocacy groups to further extend the registration deadline, all while expressing exasperation that the portal’s failure might have prevented thousands of potential voters from taking part in November’s presidential election.
“This Court notes that every man who has stepped foot on the Moon launched from the Kennedy Space Center, in Florida. Yet, Florida has failed to figure out how to run an election properly — a task simpler than rocket science,” wrote Walker in closing.