Feds Warn States to Batten Down Hatches Following Election System Attacks


The FBI has launched investigations into malicious cyberattacks on the electronic election infrastructures in Illinois and Arizona, and federal officials last month warned states to take steps to protect their systems as the presidential campaign heats up, according to reports that surfaced this week.

The attacks, dating back to June, resulted in the illegal download of information on more than 200,000 Illinois voters, which led to a 10-day shutdown of the state's voter registration system.

Hackers also penetrated systems in Arizona but apparently failed to download specific voter information.

A timeline issued by the Illinois Board of Elections confirmed that it contacted the Illinois Attorney General's office, was contacted by the FBI, and has been cooperating with the agency.

The attack on the Illinois voter registration database began on June 23 and was discovered on July 12, according to the timeline. The voter registration database apparently was the victim of an SQL injection attack, resulting from repeatedly entering an authorized database query into a data field on a website. The Illinois AG was notified on July 19.

The attackers reportedly were hitting the database five times per second, 24 hours a day from June 23 to Aug. 12. The site was taken down as a precaution on July 13, and firewall protection prevented further data from being compromised.

Passwords of election authorities and their staffs reportedly were compromised. Personal information of voters also was compromised, but their voting signatures and histories apparently were not exposed.

State voting systems have been dealing with hacking attempts for 10 years, noted Ken Menzel, general counsel of the Illinois State Board of Elections.

However, why hackers targeted Illinois and not other states in this instance is unknown, he told the E-Commerce Times.

"Until law enforcement catches the who, I don't think we're going to have a sense of exactly why," Menzel said.

There are about 7.5 million active voters in Illinois, he noted, and 200,000 is the upper end of the number of records compromised.

The Illinois Attorney General's office is working with the board to notify voters about the breach, said AG spokesperson Eileen Boyce.

The exploitation of vulnerabilities in electronic voting systems has been a nagging worry for years.

"I think we can safely say that it's a unanimous and universal concern that electoral systems are appropriately protected," said Christopher Budd, global threat communication manager at Trend Micro.

Voting data can be exploited in a number of ways, he told the E-Commerce Times, including extortion, phishing schemes, and identity theft -- particularly involving the deceased.

Department of Homeland Security Secretary Jeh Johnson last month hosted a conference call with top state election officials to discuss the cybersecurity issue and the need to protect voting infrastructures. The call participants included members of the U.S. Election Assistance Commission, the Department of Commerce's National Institute for Standards and Technology, and the Department of Justice.

DHS planned to launch a Voting Infrastructure Cybersecurity Action Campaign, Johnson said during the call, enlisting experts of all levels from the government and private sector.

State officials should implement NIST and EAC recommendations on securing voting infrastructure, he advised, which include making sure voting machines are not connected to the Internet while voting is taking place.

Meanwhile, Arizona took its voter registration system offline in June, due to what the FBI characterized as a credible threat, according to Matt Roberts, spokesperson for Arizona Secretary of State Michele Reagan.

"As you might have seen, a credential used by a county user to access the Arizona Statewide Voter Registration System was compromised by malware inadvertently installed on a county computer and subsequently leaked by a known Russian hacker," he told the E-Commerce Times.

"Our office immediately took steps to perform an exhaustive security review of the statewide voter registration system with the help of the Arizona Department of Administration and our voter registration software vendor," Roberts said.

"We found no evidence that anyone was able to penetrate our security to gain access to the information within the registration database," he noted. "We have implemented enhanced measures to ensure access to the system is secure, restored the system and continued its use."

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.
