FBI warns states of foreign efforts to hack election databases

by WorldTribune Staff, August 29, 2016

The FBI’s Cyber Division has issued a “flash” alert warning state officials that foreign hackers may be targeting their election databases.

The FBI said in the alert it has “uncovered evidence that foreign hackers penetrated two state election databases in recent weeks,” according to federal and state law enforcement officials.

researcher-finds-191-million-us-voter-registration-records-online-2-2The “flash” alert, made available to Michael Isikoff of Yahoo News, urges state officials to take additional steps to secure their systems, including conducting “vulnerability scans” of their databases.

Election officials are urged to sharply restrict access to their databases and “implement the principle of least privilege for database accounts.”

The alert says that “any given user should have access to only the bare minimum set of resources required to perform business tasks.”

The possibility of cyberattacks, potentially by Russian state-sponsored hackers, aimed at disrupting the November elections is a growing concern, U.S. intelligence officials have said.

That concern led Homeland Security Secretary Jeh Johnson to convene a conference call with state election officials on Aug. 15, in which he offered his department’s help to make state voting systems more secure, including providing federal cyber security experts to scan for vulnerabilities, according to a “readout” of the call released by the department.

The FBI is investigating cyberattacks against two state election websites this summer, including one that resulted in the “exfiltration,” or theft, of voter registration data. “It was an eye opener,” one senior law enforcement official said of the bureau’s discovery of the intrusions. “We believe it’s kind of serious, and we’re investigating.”

While the two states are not identified in the FBI alert, sources say it refers to the targeting by suspected foreign hackers of voter registration databases in Arizona and Illinois.

In the Illinois case, officials were forced to shut down the state’s voter registration system for ten days in late July, after the hackers managed to download personal data on up to 200,000 state voters, Ken Menzel, the general counsel of the Illinois Board of Elections, said.

The Arizona attack involved malicious software that was introduced into its voter registration system but there was no successful exfiltration of data, a state official said.

“This is a big deal,” said Rich Barger, chief intelligence officer for ThreatConnect, a cybersecurity firm, who reviewed the FBI alert at the request of Yahoo News. “Two state election boards have been popped, and data has been taken. This certainly should be concerning to the American voter.”

A full-blown cyberattack that seriously disrupts the November elections is remote, but not out of the question, analysts say. About 40 states use optical-scan electronic-voting machines, allowing voters to fill out their choices on paper. The results are tabulated by computers.

These are “reasonably safe” because the voting machines are backed up by paper ballots that can be checked, says Andrew W. Appel, a Princeton University computer science professor who has studied election security. But six states and parts of four others (including large swaths of Pennsylvania, a crucial swing state in this year’s race) are more vulnerable because they rely on paperless touchscreen voting, known as DREs or Direct-Recording Electronic voting machines, for which there are no paper ballot backups.

“Then whatever numbers the voting computer says at the close of the polls are completely under the control of the computer program in there,” Appel wrote in a recent blog post entitled “Security Against Election Hacking.” “If the computer is hacked, then the hacker gets to decide what numbers are reported. … All DRE (paperless touchscreen) voting computers are susceptible to this kind of hacking. This is our biggest problem.”