The findings are based on a data analysis of potential risks identified in a mail voting “attack tree”
Herndon, Va. (January 24, 2022) – Results of a study published in the scientific journal Risk Analysis indicate that the recent increase in mail-based voting due to COVID-19 has not jeopardized the safety of the U.S. elections process. Instead, mail-based voting increases voter access and may reduce the likelihood of adversarial interference, the authors argue.
The COVID-19 pandemic led to swift changes in the U.S. primary elections held during and after March 2020. By the general election in November 2020, 94 percent of states had expanded their traditional use of mail-based voting. (Eight states already used mail-in ballots as their standard voting process.) This rapid expansion of mail-based voting has led to questions about the security of elections going forward.
To address these concerns, Natalie Scala, associate professor at Towson University and an expert in elections security, examined the risks involved with mail-based voting with colleagues from Towson and the U.S. Military Academy. Their investigation focuses on the only known mail voting “attack tree,” generated in 2009 by the Elections Assistance Commission (EAC) and the University of South Alabama. This graphical representation divides dozens of potential attack scenarios, from the registration of deceased voters to coercion of voters via advertisements, into three categories: insider threats, external threats, and voter error.
Using the state of Maryland as a case study, the researchers updated the attack tree to reflect changes that have taken place over time and in response to the COVID-19 pandemic. These changes include the use of more drop boxes, extra time for returning ballots, and more allowable reasons to request absentee ballots. An investigation of local and national media reports, documentation from bipartisan think tanks and organizations, and voter instruction sheets, as well as discussions with Board of Elections officials, allowed them to identify 30 “new” threats. Insider threats included manipulating a return envelope, deliberately misspelling a name on a ballot, and denying or altering a vote. External threats included stealing or destroying ballots, acquiring access to a drop box, and stealing blank ballots from mailboxes. An expired voter ID was a new threat assigned to voter error.
The updated attack tree included a total of 73 potential threat scenarios associated with mail-based voting (40 insider, 23 external, and 10 voter error). Using an established assessment framework, the researchers then conducted an analysis to determine the relative likelihood of each attack scenario.
Their results indicate that the top three (most likely) threat scenarios for each branch in the attack tree are: 1. losing a ballot in the destination mailroom (insider threat) 2. organizing coercion through debate and vote parties (external threat), and 3. failing to sign a ballot correctly (voter error).
All three are found in the original attack tree, along with five other “higher-than-average” potential threats. “To fully secure the integrity of mail-based votes, these scenarios should have the attention of election officials and policy makers,” says Scala, adding that “most states and localities already had mitigations in place before 2020.” To assist election officials, the authors make specific recommendations for mitigating each threat (for example, ensuring that mailrooms are appropriately staffed to handle the influx of ballots and their timely delivery).
Importantly, says Scala, none of the 30 “new” threats were identified by the analysis as of high concern. “What we found in our study is that the dramatic scale-up of mail voting in the 2020 election did not increase risk,” she explains. “We argue that expanding mail voting is safe and should be used moving forward because it increases voter access and reduces the likelihood of adversarial interference.”