Report: Election Systems' Hacks Far Greater Than First RealizedPotential Loss of Confidence in Election Process Feared
Russian hackers struck election systems in almost twice as many states as previously reported, according to Bloomberg News, which reports that 39 states were affected. Voter registration systems were among those hacked.
See Also: The Power and Scale of XDR
In one instance, investigators uncovered evidence that the attackers tried to delete or modify voter information in an Illinois voter database, which contained names, dates of birth, gender, driver's license numbers and partial Social Security numbers on 15 million people, half of whom were active voters, according to the news report. As many as 90,000 records were ultimately compromised in Illinois, states the report, which cited three unnamed people with direct knowledge of the U.S. investigation.
In an unclassified version of a top-secret report released in January, the U.S. intelligence community said that Russian President Vladimir Putin ordered an influence campaign aimed at undermining public faith in America's democratic process and preventing Hillary Clinton from being elected president (see Intelligence Report Blames Putin for Election-Related Hacks).
Loss of Confidence
"The threat mainly comes from the potential for the loss of confidence in the results than the threat of manipulating the results themselves," says former White House Cybersecurity Coordinator Michael Daniel. "It would be extremely difficult to actually change the outcome of an election on a statewide or national scale. You would have to know in advance where the close districts would be, flip only just enough votes to change the outcome, but not so many that you get noticed. It is far easier to try to undermine confidence by going after voting registration rolls, for example."
Herb Lin, senior research scholar at Stanford University's Center for International Security and Cooperation, says breaching voter registration systems, which are managed state by state, is the most serious threat to the U.S. electoral system.
"Each state has a single public-facing voter registration database, and selective manipulation or alteration of voter registration records could throw elections into public chaos or clandestinely suppress enough voters to change the outcome of close elections," Lin says.
Stewart Baker, former assistant secretary for policy at the Department of Homeland Security, says states, with the help of the federal government, should avoid dependence on electronic systems. "Voting systems were largely designed without heavy reliance on IT, and we should be very skeptical of efforts to switch to digital systems," Baker says. "Paper ballots, perhaps scanned but still available for recounts, backup of all vote and count data as well as voter registration data are all measures we should adopt. The fact is that digital systems will probably never be secure enough for a process that is as tempting a target for our adversaries as voting."
Illinois Seen as "Patient Zero"
Bloomberg characterizes Illinois' electoral system as "patient zero" in the government's probe that led investigators to discover a "hacking pandemic that touched four out of every five U.S. states. Using evidence from the Illinois computer banks, federal agents were able to develop digital signatures - among them, internet protocol addresses used by the attackers - to spot the hackers at work."
The Department of Homeland Security shared the signatures with all states. Thirty-seven states reported finding traces of the hackers in various systems, one of the people familiar with the probe told Bloomberg. In Florida and California, investigators found those traces in systems run by a private contractor managing critical election systems, Bloomberg reports.
Lin sees compliance with a cybersecurity checklist as insufficient to protect election systems. "Though it is a place to start but I fear that this is the dominant practice among most users of information technology, state governments included," he says.
"The best way to test security is to subject it to a white-hat penetration team that can operate in an unconstrained manner and conduct its tests unannounced," Lin says. "Every state should insert 100 fake voter registration records and challenge their penetration testers to delete or alter these records, and a measure of success would be how many records the penetration tests could affect."
Daniel suggests defending state election systems against hacks from Russia and other nation-states won't get easier unless more is invested in security. Also, he says the shortage of cybersecurity professionals at the state level hinders the defense of election systems.
"It is also a matter of time and focus - election officials are busy people," says Daniel, president of the Cyber Threat Alliance, a not-for-profit information sharing and analysis organization. "We also need to broaden the focus beyond worrying about the security of just the voting machines, although those are important. We need to look at the full array of what makes up the electoral infrastructure, from voter registration rolls to election night reporting, not just the voting machines, and make risk-informed decisions about where to invest additional resources."