The FBI has evidence that foreign hackers have accessed the state election databases in two US states. According to Yahoo News, the FBI sent out a “flash alert” to election offices and officials across the US, asking them to take better security precautions.
Yahoo’s Michael Isikoff reports:
Those concerns prompted Homeland Security Secretary Jeh Johnson to convene a conference call with state election officials on Aug. 15, in which he offered his department’s help to make state voting systems more secure, including providing federal cyber security experts to scan for vulnerabilities, according to a “readout” of the call released by the department.
At the time, Secretary Johnson said the Department of Homeland Security wasn’t aware of any “specific or credible cybersecurity threats”. But just three days later, the FBI sent out a more detailed bulletin that said it was investigating intrusions on two state election websites in the past few months. According to Yahoo, which saw the bulletin, one of those hacks led to “exfiltration” of US voter registration data.
The FBI brief didn’t outline which states were at risk, but Yahoo cites “sources familiar with the document” as saying that Arizona and Illinois are the two states at risk. Illinois election officials reported a security breach on July 12. As a result, the Illinois Voter Registration System was shut down for nearly two weeks. That Illinois breach happened because of an SQL injection. (That’s low-level stuff for a fairly large state like Illinois.)
The fact that the FBI is sending out bulletins — and that Homeland Security is doing briefings — is notable but hardly surprising. Just two months ago, Russian hackers were able to infiltrate the DNC, which led to plenty of embarrassing moments in the run-up to the Democratic National Convention.
In the wake of the DNC hack, security expert Bruce Schneier wrote about hacking the vote:
However we respond to this act of aggression, we also need to increase the security of our election systems against all threats — and quickly.
We tend to underestimate threats that haven’t happened — we discount them as “theoretical” — and overestimate threats that have happened at least once. The terrorist attacks of 9/11 are a showcase example of that: administration officials ignored all the warning signs, and then drastically overreacted after the fact. These Russian attacks against our voting system have happened. And they will happen again, unless we take action.
Schneier is right. It’s not a matter of “if” these systems — especially local systems — will be hacked. It’s when.
It’s not as if officials lack options for better security. Andrew Appel, a professor of computer science at Princeton, wrote two good pieces on how to protect against outside intrusions. The problem, of course, is that many local election offices aren’t run by security experts. And while it’s great that the FBI and Department of Homeland Security are offering support, the track record for those guys isn’t so hot either.
We should all just prepare ourselves for this getting a lot worse before it gets better.