Computer and network security is always a concern, but in the US presidential election cycle it seems to be playing a more prevalent role than usual. The tedious focus on Hillary Clinton’s email server while Secretary of State, leaked information hacked from the DNC servers, and recent reports that the FBI is investigating possible Russian-sponsored hacks against electronic voting systems in Illinois and Arizona all raise serious concerns about the impact cybersecurity—or a lack thereof—may have on the election.
Illinois and Arizona Hacks
The FBI notified state officials in Illinois and Arizone that it is investigating evidence that hackers targeted voter lists. In and of itself, that is not very serious. What is more concerning is that the attacks may be attributed to Russia—or at least Russian hackers.
Regardless of the source of the attack, the data that is assumed to have been compromised is public information in the first place. Cris Thomas, a spokesperson for Tenable Network Security, explains, “Before we get caught up on who is responsible, we should remember that voter information is not private, you can get all of the same information by filing a request with your local state voter agency. The FBI has been looking into this incident since July and appears to be taking all of the necessary precautions.”
The ability to hack voter information is not the same as hacking votes, but it could still have insidious consequences according to Richard Clarke, former National Coordinator for Security, Infrastructure Protection and Counter-terrorism for the United States. Clarke outlined a scenario in an ABCNews.com post where the attackers might selectively delete names from the voter lists—eliminating voters expected to vote one way in order to sway the election the other way.
Clarke stated, “Voters who find that they have been deleted from the voter list can file provisional or protest ballots in most states, but if there are many people protesting their deletion, it could lead to chaos at the polls, result in long lines and cause some voters to go home without voting. If that chaos occurs only in areas likely to support one candidate, it could help the other candidate win a close election.”
He went on to say that the possibility also exists that attackers might be able to hack into voter machines and actually change the results reported. Some states have a paper trail backup that might be used to verify if the results are suspicious, but some states don’t even have that audit trail available. Clarke also points out that if the attack is executed well, there may not be enough evidence to trigger a recount or any deeper investigation into the results.
Tenable’s Thomas cautions, “The FBI routinely puts out bulletin alerts and this one is no more cause for concern than any of the others. The fact that the FBI Flash mentions an unknown actor and indicates that there is no credible threat means that this could have been an automated attack not driven by nation-state interests. Attackers setup scripts to scan websites at random, launch SQL injections and grab whatever they can get, so with very little confirmed information available, it’s hard to know for sure.”
However, Thomas also stresses that if the threat model is actually a targeted hack from nation-state attackers, the FBI recommendations are unlikely to keep them out.
“The recent hack of the Arizona and Illinois voting systems prove the grave importance of constantly reviewing your systems for vulnerabilities instead of waiting until a series of attacks has been identified,” declared Bill Berutti, President of Performance and Analytics and Cloud Management / Datacenter Automation for BMC. “The average vulnerability is open for 193 days – as the elections close in, other state systems may want to consider what is already active or vulnerable within their systems.”
Guarding against Real Threats to Vote Integrity
In states across the country and at the federal level as well, the GOP has pushed a narrative of voter fraud in an effort to pass and implement racist and discriminatory voter ID laws. Many of these laws have been shot down by federal courts in recent weeks for being blatantly racist. Meanwhile, there are actual threats to vote integrity that are being ignored.
Clarke pointed out that there is almost no evidence of the sort of voter fraud these laws are ostensibly supposed to protect against and said, “While worrying about a problem that may not exist, many states have done little to modernize or secure their voting records and polling machines against cyberattack.”
As Thomas warned to Fox News, “Our entire democracy depends on systems with minimal, easily bypassed security.”