Reports this week of Russian intrusions into U.S. election systems have startled many voters, but computer experts are not surprised. They have long warned that Americans vote in a way that’s so insecure that hackers could change the outcome of races at the local, state and even national level. Multibillion-dollar investments in better election technology after the troubled 2000 presidential election count prompted widespread abandonment of flawed paper-based systems, such as punch ballots. But the rush to embrace electronic voting technology – and leave old-fashioned paper tallies behind – created new sets of vulnerabilities that have taken years to fix. “There are computers used in all points of the election process, and they can all be hacked,” said Princeton computer scientist Andrew Appel, an expert in voting technologies. “So we should work at all points in that system to see how we make them trustworthy even if they do get hacked.”
The Voting News
Last week, one of the Russia-backed hacker groups that attacked Democratic computer networks also attacked several Russia-focused think tanks in Washington, D.C., Defense One has learned. The perpetrator is the group called COZY BEAR, or APT29, one of the two groups that cybersecurity company CrowdStrike blamed for the DNC hack, according to founder Dmitri Alperovitch. CrowdStrike discovered the attack on the DNC and provides security for the think tanks. Alperovitch said fewer than five organizations and 10 staffers researching Russia were hit by the “highly targeted operation.” He declined to detail which think tanks and researchers were hit, out of concern for his clients’ interests and to avoid revealing tools and techniques or other data to hackers. CrowdStrike alerted the organizations immediately after the company detected the breaches and intruders were unable to exfiltrate any information, Alperovitch said.
A suspected Russian hacker probed a voter registration database in Arizona and another unidentified attacker gained entry to one in Illinois this summer, election officials said, prompting the FBI to warn states their election boards should conduct vulnerability scans. The systems that count votes in elections were not compromised, officials said, and the hacks don’t appear to be politically motivated. Still, the breaches add to concerns such attacks could exploit the personal data of millions of voters for monetary or political gain. Those worries have been running high after July reports that the Democratic National Committee’s email system had been hacked, a breach U.S. intelligence officials believe was perpetrated by the Russian government. “We’re all very aware that it’s less than 80 days before an important election,” said Pamela Smith with Verified Voting, a non-partisan, non-profit organization that advocates for election transparency.
In any other year, hackers breaking into a couple of state government websites through common web vulnerabilities would hardly raise a blip on the cybersecurity community’s radar. But in this strange and digitally fraught election season, the breach of two state board of election websites not only merits an FBI warning—it might just rise to the level of an international incident. On Monday, an FBI alert surfaced warning state boards of election to take precautions against hackers after two election board websites were breached in recent months. According to Yahoo News, those breaches likely targeted Arizona and Illinois board of election sites, both of which admitted earlier this summer that they’d been hacked. Cybersecurity researchers are already speculating that the attacks link to Russia, pointing to the string of recent, likely Russian attacks that have hit the Democratic National Committee and the Clinton campaign. “Someone is trying to hack these databases, and they succeeded in exfiltrating data, which is significant in itself,” says Thomas Rid, a cybersecurity-focused professor in the War Studies department at King’s College of London and author of Rise of the Machines. “In the context of all the other attempts to interfere with this election, it’s a big deal.”
The FBI has uncovered evidence that foreign hackers penetrated two state election databases in recent weeks, prompting the bureau to warn election officials across the country to take new steps to enhance the security of their computer systems, according to federal and state law enforcement officials. The FBI warning, contained in a “flash” alert from the FBI’s Cyber Division, a copy of which was obtained by Yahoo News, comes amid heightened concerns among U.S. intelligence officials about the possibility of cyberintrusions, potentially by Russian state-sponsored hackers, aimed at disrupting the November elections. Those concerns prompted Homeland Security Secretary Jeh Johnson to convene a conference call with state election officials on Aug. 15, in which he offered his department’s help to make state voting systems more secure, including providing federal cyber security experts to scan for vulnerabilities, according to a “readout” of the call released by the department.
National: Harry Reid Cites Evidence of Russian Tampering in U.S. Vote, and Seeks F.B.I. Inquiry | The New York Times
The Senate minority leader, Harry Reid of Nevada, asked the F.B.I. on Monday to investigate evidence suggesting that Russia may try to manipulate voting results in November. In a letter to the F.B.I. director, James B. Comey Jr., Mr. Reid wrote that the threat of Russian interference “is more extensive than is widely known and may include the intent to falsify official election results.” Recent classified briefings from senior intelligence officials, Mr. Reid said in an interview, have left him fearful that President Vladimir V. Putin’s “goal is tampering with this election.” News reports on Monday said the F.B.I. warned state election officials several weeks ago that foreign hackers had exported voter registration data from computer systems in at least one state, and had pierced the systems of a second one. The bureau did not name the states, but Yahoo News, which first reported the confidential F.B.I. warning, said they were Arizona and Illinois. Matt Roberts, a spokesman for Arizona’s secretary of state, said the F.B.I. had told state officials that Russians were behind the Arizona attack.
The FBI says that computer hackers accessed, and in one case stole, voter registration files in two states, potentially compromising personal information and putting crucial election data at risk just three months before voters head to the polls. And if that weren’t unsettling enough, the techniques that the hackers used were neither sophisticated nor particularly hard to employ, proving that it’s not just high-end hackers from foreign governments, like the ones believed to be targeting U.S. political organizations, that elections officials need to worry about in the runup to November. “I don’t think anyone can assume that these vulnerabilities would be unique to these states,” Pamela Smith, the president of Verified Voting, a nonprofit group that advocates transparency and security in U.S. elections, told The Daily Beast. “This is a time when assuming is not the best thing to do.”
It’s 2016: What possible reason is there to vote on paper? When we use touchscreens to communicate, work, and shop, why can’t we use similar technology to vote? A handful of states, and many precincts in other states, have already made the switch to voting systems that are fully digital, leaving no paper trail at all. But this is despite the fact that computer-security experts think electronic voting is a very, very bad idea. For years, security researchers and academics have urged election officials to hold off on adopting electronic voting systems, worrying that they’re not nearly secure enough to reliably carry out their vital role in American democracy. Their claims have been backed up by repeated demonstrations of the systems’ fragility: When the District of Columbia tested an electronic voting system in 2010, a professor from the University of Michigan and his graduate students took it over from more than 500 miles away to show its weaknesses; with actual physical access to a voting machine, the same professor—Alex Halderman—swapped out its internals, turning it into a Pac Man console. Halderman showed that a hacker who has access to a machine before election day could modify its programming—and he did so without even leaving a mark on the machine’s tamper-evident seals. But it wouldn’t even take a full-fledged cyberattack on an electronic voting system to throw a wrench in a national election. Even the specter of the possibility that the American electoral system is anything but trustworthy provides ammunition to skeptics to call foul if an election doesn’t go their way.
Hackers targeted voter registration systems in Illinois and Arizona, and the FBI alerted Arizona officials in June that Russians were behind the assault on the election system in that state. The bureau described the threat as “credible” and significant, “an eight on a scale of one to 10,” Matt Roberts, a spokesman for Arizona Secretary of State Michele Reagan (R), said Monday. As a result, Reagan shut down the state’s voter registration system for nearly a week. It turned out that the hackers had not compromised the state system or even any county system. They had, however, stolen the username and password of a single election official in Gila County. … This spring, a DHS official cautioned that online voting is not yet secure. “We believe that online voting, especially online voting in large scale, introduces great risk into the election system by threatening voters’ expectations of confidentiality, accountability and security of their votes and provides an avenue for malicious actors to manipulate the voting results,” said Neil Jenkins, an official in the department’s Office of Cybersecurity and Communications.
California: Election Officials on guard after cyber attacks on elections databases in two states | Los Angeles Times
California’s elections agency announced that there is no evidence that the state’s voter registration databases had been targeted by the foreign hackers who reportedly infiltrated elections systems in Arizona and Illinois. Yahoo News reported Monday that personal voter registration information for up to 200,000 people at the Illinois Board of Elections had been downloaded by foreign hackers. The FBI issued an alert early this month warning state elections officials about the data breach, according to the Yahoo report. A spokesman for the California secretary of state said the agency, which oversees elections statewide, was aware of the cyber attack reports. “We have no evidence of any breaches or hacks of our system,” agency spokesman Sam Mahood said. Mahood declined to say whether any extra precautions are being taken, saying the agency does not disclose its security protocols. The secretary of state’s website has been down most of Monday but Mahood said that was not caused by a hack or breach. Unlike some other states, California counties have maintained their own databases of registered voters. However, the secretary of state’s office is in the process of centralizing voter registration information in a statewide VoteCal database, which is expected to be operational in September.