Kansas election chief tries to reassure lawmakers on security of Crosscheck voter database

Bryan Caskey, director of elections in the Kansas Secretary of State's office, tells a House committee that steps are being taken to improve security of a voter registration verification system known as Interstate Crosscheck.

? The director of the state’s elections division tried to reassure Kansas lawmakers Wednesday that steps are being taken to ensure the security of a multistate database of voting rolls known as Interstate Crosscheck that is administered by the secretary of state’s office.

Bryan Caskey, who runs the elections office under Kansas Secretary of State Kris Kobach, told the House Committee on Government, Technology and Security that the system currently is not accepting any new data, either from Kansas or any of the other 27 states that participate in the program, and it won’t be reactivated until new security procedures have been tested and verified.

“We are currently finalizing our system and testing it in conjunction with other states,” Caskey told the committee. “To go along with that, we have been partnering with the (U.S.) Department of Homeland Security since October 2016 over various election systems, and DHS is scheduled to do a review of several election systems, including specifically Interstate Crosscheck the first part of February.”

The Interstate Crosscheck system was developed in 2005 as a partnership between Kansas, Missouri, Iowa and Nebraska. It was intended to identify voters who had moved across a state line but had neglected to cancel their voter registration in their former state.

It was also intended to help identify voters who may have cast ballots in multiple states during a single election.

Bryan Caskey, director of elections in the Kansas Secretary of State's office, tells a House committee that steps are being taken to improve security of a voter registration verification system known as Interstate Crosscheck.

The project expanded over the years, and in 2017, Caskey said, it included 28 participating states, including Kansas.

During the 2017 municipal elections, Caskey said, the system identified roughly 140,000 voters in Kansas who may have been registered in at least one other state as well, based on matches of their names and dates of birth. Most of those, however, turned out not to be the same individuals, and he said fewer than 20 were found to have voted in more than one state.

In recent months, though, it has come under intense scrutiny, first when a presidential commission, which Kobach vice-chaired, sought voter data from all 50 states as part of its attempt to document what he had claimed was widespread voting fraud in the 2016 elections, and then after the investigative news organization Pro Publica published a story in October exposing serious security issues with the system.

That Presidential Advisory Commission on Election Integrity has since been disbanded, without the group ever issuing a public report or recommendations.

Pro Publica had found that passwords and user names used to access a computer server housed in Arkansas had been widely shared in unsecure emails and that anyone who obtained that information could easily get into the system and see at least some of the data that states were sharing — data that includes names, addresses, dates of birth and, in some cases, partial Social Security numbers.

That server, known as an FTP, or file transfer protocol server, was used to transmit data back and forth between Kansas and other participating states, but it did not house the entire database.

As a result of that, Caskey said, the system is no longer using that Arkansas server. And while he wouldn’t divulge what steps were being taken to change the way data will be moved back and forth in the future, he did say that the entire 28-state database has never been breached by hackers.

“At no time ever has the Interstate Crosscheck database, in its entirety, sat anywhere other than on internal secretary of state networks,” Caskey said. “And so anything to the contrary is not factual.”

Some members of the panel, however, said they still had concerns.

Rep. Jeff Pittman, D-Leavenworth, for example, asked what kind of liability the state would face if the system ever was breached. Caskey said he believed the secretary of state’s office would be covered by the state’s tort liability fund, although he said attorneys were still researching to find out the extent to which the office would be covered.

But Rep. Tom Sloan, R-Lawrence, who chairs the committee, said he was generally satisfied that the secretary of state’s office was taking proper steps to address security concerns.

“Essentially, we learned that the secretary of state’s office is very concerned about security, that the error the state of Arkansas committed in terms of letting access to some of their sites has been remedied by shutting Arkansas out,” Sloan said.

“Other than that, I think the biggest thing I heard them admit was that they had 20 or fewer cases of Kansans who voted illegally, and most of those were that they voted legally in Kansas but illegally in another state,” he added. “So our voter activities seem to be fine and the safeguards we have in place seem to be working.”