Over a 2-1/2 week period last July, more than 2,500 online “phantom requests” for absentee ballots were made to Miami-Dade County election headquarters, marking the first known cyberattack on a US election. The fake requests for ballots targeted the Aug. 14 statewide primary and included requests for Democratic ballots in one congressional district and Republican ballots in two state House districts, according to a recent Miami Herald report.
The fake requests were done so clumsily that they were red-flagged and did not foul up the election. In any case, they would not have been enough to change the outcome. But now confirmed as the first cyberattack aimed at election fraud, the incident is further evidence that the vote-counting process is vulnerable, particularly as elections become more reliant on the Internet.
“This is significant because it’s the first time we’ve seen a very well documented case of attempted computer election fraud in the US,” says J. Alex Halderman, a cybersecurity researcher at the University of Michigan who focuses on election-system vulnerabilities. “This should be a real wakeup call because it illustrates the sort of computer voting attacks that many scientists have been warning were possible for years.”
Florida officials “were lucky” that the attacks were so clumsy, he says. The requests poured into the voter headquarters in clumps, much faster than normal, and in many cases the clumps arrived from the same handful of computer IP addresses. At this point, it is unknown what the attackers wanted to achieve. But if they had been only slightly more sophisticated – distributing the requests across a larger number of IP addresses, for instance – the attack would have been much harder to detect. “We’ve seen very sophisticated attacks against US corporations,” Dr. Halderman says. “If that level of sophisticated attack were directed against these election systems it could have been disastrous.”
… Rapid advances in cyberweapons and malicious software put electronic-voting machines used in the 2012 election at risk and could have tipped the presidential election in some states, cybersecurity experts warned prior to the vote.
“This Florida case is not significant because thousands of votes were lost or changed, it’s significant because it demonstrates the feasibility of the pathway to attack the vote – and because there is online access to other pieces of the voting process,” says Pamela Smith, president of Verified Voting, a nonprofit group focused on ensuring US election integrity.