FBI Says Foreign Hackers Got Into Election Computers
from the well,-that's-just-great dept
We've written probably hundreds of stories on just what a dumb idea electronic voting systems are, highlighting how poorly implemented they are, and how easily hacked. And, yet, despite lots of security experts sounding the alarm over and over again, you still get election officials ridiculously declaring that their own systems are somehow hack proof.And now, along comes the FBI to alert people that it's discovered at least two state election computer systems have been hacked already, and both by foreign entities.
The FBI has uncovered evidence that foreign hackers penetrated two state election databases in recent weeks, prompting the bureau to warn election officials across the country to take new steps to enhance the security of their computer systems, according to federal and state law enforcement officials.The report apparently noted that Arizona and Illinois were the two states whose systems were exploited -- with both attacks coming from the same IP addresses. From the report, it does not look as if the hacks were specifically about modifying vote totals, but rather accessing voter registration data -- but that's still a pretty big concern.
In response, the Department of Homeland Security has apparently reached out to state election officials offering "help" in better securing their election systems. Doesn't it seem a bit late for them to start securing their systems now? And, of course, it's not like DHS is somehow a great at stopping hackers either. It wasn't so long ago that a 16-year-old kid using the online handle "penis" was able to hack DHS's computer systems.
Maybe, just maybe, people in charge of elections in America should have considered some of this, I dunno, two decades ago when people first raised the issues about vulnerabilities in election systems.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cybersecurity, dhs, e-voting, fbi, foreign hackers, hackers, homeland security, security
Reader Comments
Subscribe: RSS
View by: Time | Thread
While there is some overlap to the threat -- after all, if you compromise the voter rolls, you can influence elections -- it's a different system, a different type of hack, and requires a completely different set of security fixes.
[ link to this | view in chronology ]
Re:
If? It's pretty much a given at this point. They are not even subtle about it anymore.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
voter id laws
expunging of "old" registrations
closing or moving polling places in select neighborhoods at the last minute
paving operations in and around polling places in select neighborhoods
How are these not illegal attempts to disenfranchise voters?
And then there is gerrymandering
[ link to this | view in chronology ]
Re: Re: Re: Re:
As for what I mean by "if", don't be dense. I was making a conditional statement. If premise, then result.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
Absent any evidence of that, however, I'm not going to assume it's the case.
[ link to this | view in chronology ]
Maybe they need
Time for officials to whine harder instead of doing what should have been done years ago.
[ link to this | view in chronology ]
Re: Maybe they need
[ link to this | view in chronology ]
Paper Ballots
How did the US manage to survive (flourish even) for 200 years without electronic voting machines and the Department of Homeland Stupidity?
[ link to this | view in chronology ]
Re: Paper Ballots
[ link to this | view in chronology ]
Re: Paper Ballots
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
That said, you must be a millennial. As someone slightly older (I'm 29) I remember the election in 2000 quite vividly. The presidential election was thought to be a gimmie by both republicans and democrats - neither side thought the other had a chance. In the end, the election was decided by less than 300 votes (and then unconstitutionally overturned by the US Supreme Court, but that's another issue). There are 370 million Americans, and only 300 votes made a difference.
Bush's margin of victory during his reelection was less than 2% too.
My point being that, a hacker skewing the election by 2% can make a HUGE difference. Don't discount that.
As someone who generally believes that technology can solve (almost) any problem, I have to agree with the poster above you: paper ballots should be the way. And none of those hole-punched things either. X's in boxes all the way.
[ link to this | view in chronology ]
Re: Re:
I'm 33 and I consider myself to be on the older end of the Millennial Generation, not the younger end of Gen X. At any rate I graduated high school right before the turn of the millennium, and faced the common Millennial problems of going to college to get a good job only to graduate into a market where it was a lot harder to find one than I'd been led to believe.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
It can make a HUGE difference....in who happens to sit in the big chair. But apart from a lot of talking, it's been nearly impossible to differentiate Republican and Democratic administrations over the last 3-4 decades. The democrats move a little money into whatever social program is popular, but not enough to matter. The republicans move a little money into (usually) military applications, but not enough to matter. Occasionally one or the other will do something big, there will be a lot of yelling, but then the next administration leaves it as is.
[ link to this | view in chronology ]
Re: Re: Re:
I don't think there is a lot of data in support of your claim.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Cinderella could have been elected and she would have invaded Iraq.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
It's possible that Gore would have invaded Iraq. It's certain that Bush did. It's also pretty clear that Bush and major figures within his administration had been pushing Clinton to invade Iraq for years and Clinton had largely resisted, preferring sanctions and strategic airstrikes to a full-scale invasion.
On the other hand, Bush *did* have congressional support for the invasion, and the later arguments by Democratic supporters like John Kerry and Hillary Clinton that they were misled and had no reason to doubt the Bush Administration's case for war have been less than convincing.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
The neocons who had Bush's ear had been advising an invasion of Iraq for years, for a number of reasons. Saddam was a bad man (true) who had gassed his own people (true) and was hoarding chemical weapons (false) and working on nuclear weapons (false); if we took him out we would be able to spread stability and democracy throughout the region (really, really false).
There were other reasons besides that; people who say oil was *the* reason we went to war are grossly oversimplifying, but it was a factor. And Saddam attempted to assassinate Bush Sr, so I think there was an element of personal revenge involved. There were people who felt Bush Sr should have "finished the job" when we went in the first time, and also Cheney's alleged "one percent doctrine" suggesting that even a one percent chance that a nation was a threat to us was reason enough to go to war.
Be careful attributing any one thing as "the only reason" for something. Especially something as complex as going to war.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
One must also remember that Hussein was a front man for the US until it became convenient to turn him into a monster. He may have gassed some of his people, but many of those attributed to him were from Iranian gas. Photos show clear evidence of asphyxiating gases (Iran's specialty) as opposed to nerve agents which were Iraq's favorite.
Where was the evidence of the massive burials of 250K people at a site? There were none. Note that there was no attempt to kill Bush41, not even the Pentagon included that in its justifications.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re:
Bush said "This is the man who once tried to kill my dad" in a speech. I think he believed it. That doesn't mean I'm defending him; even if it were true it wouldn't be a justification for the war, which, in case I haven't made it clear, I think was a terrible decision based on lies.
[ link to this | view in chronology ]
Re:
There are a number of factors that led to the outcome we saw in 2000. People mostly tend to focus on Nader voters and the Supreme Court halting the recount. But another issue that helped determine the election was that a number of minority voters were incorrectly turned away from the polls, even though they were registered. Surely you can see how this fact is pertinent to the subject at hand: if a foreign power has access to voter registration records, that can swing an election.
And that's just the presidency. There are lots of other elected offices, and ballot initiatives, in any given election. It's true that elections can only be stolen if they're close. But strategic manipulation of close elections could shape policy outcomes.
Or, if attackers were to simply go after the whole thing with a hatchet and tamper with elections in an *obvious* way, it could still achieve their goals: it would cause chaos, paralyze elections, and undermine the public's trust in the democratic process. You could joke that these things have already happened, and you'd have a point, but it could get a lot worse than it already is. And if you don't believe that, well, we are currently looking at a race between the two most unpopular major-party candidates in recorded history, and that's *without* foreign interests attacking our voter rolls (let alone our electronic voting machines, which this story is not actually about but which are very vulnerable nonetheless).
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
You'd need to flip at least a couple of hundred bits, in a close race.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Foreign IP adresses, not foreign entities
"The FBI warning in an Aug. 18 flash alert from the agency's Cyber Division did not identify the intruders or the two states targeted. "
"The FBI bulletin listed eight separate IP addresses that were the sources of the two attacks and suggested that the attacks may have been linked, noting that one of the IP addresses was used in both intrusions. "
[ link to this | view in chronology ]
Re: Foreign IP adresses, not foreign entities
Remember folks... an IP address is not a person or even a very good indication of a location of the user.
Russian hackers has more drama.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Do you really believe that voter registration data should only be stored on paper?
Because I think that's a reasonable requirement for ballots, but not for registrations.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
Only if the computers in question are air-gapped. If they're networked, they're a *lot* easier to manipulate than paper, because you can manipulate them without being in the same room.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
I'll grant that I haven't seen any hard evidence that these attacks came from Russia, either, and that "the FBI says so" is not sufficient evidence to convince me.
However, there is good evidence to suggest that the DNC servers were compromised by Russian attackers; not just IP addresses but metadata and linguistic analysis. There is further evidence that Russia has attempted to tamper with elections in several European nations.
It is not a stretch to assume that these most recent attacks came from Russia. There is no conclusive evidence yet (at least, not that's been released to the public), but it matches the pattern and is the most obvious conclusion based on what we know right now.
If somebody -- ideally a reputable, independent security analyst -- produces evidence that the attacks actually came from Australia, then I'll believe they came from Australia.
At which point I will ask you what the fuck difference it makes to my point about air-gapping, because people in Australia can't compromise air-gapped computers in America either.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
SECURITY! *WHACK!*
IS! *WHACK!*
AN! *WHACK!*
I.T.! *WHACK!*
PROBLEM! *WHACK!*
NO! *WHACK!*
LAW! *WHACK!*
WILL! *WHACK!*
MAKE! *WHACK!*
US! *WHACK!*
SECURE!! *WHACK!*
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Paranoid, tinfoil-hat, conspiracy theorists
[ link to this | view in chronology ]
Re: Re: Paranoid, tinfoil-hat, conspiracy theorists
[ link to this | view in chronology ]
Re: Re: Re: Paranoid, tinfoil-hat, conspiracy theorists
[ link to this | view in chronology ]
Clinton Foundation
[ link to this | view in chronology ]
HOW fun is this...
MOST election info is the SAME as your drivers license..
You GIVE ACCESS, to the internet for DATA that isnt really needed on the NET..
why WOULD THE election SYSTEM GIVE Access to the NET for this?? WHY??
In Oregon...The WHOLE system is controlled and monitored by 1 REMOTE system.. AND wheN THAT REMOTE GOES down...nothing works..the WHOLE state, Police to workmens comp...ALL are not accessible..
[ link to this | view in chronology ]
Re: HOW fun is this...
There are multiple different locations that should have access to the voter roles, at the district, city, county, and state level. Keeping that information online and secured is reasonable. Having voting machines online is not reasonable. There is a fundamental difference between the two things and I really wish this article hadn't conflated them.
[ link to this | view in chronology ]
Is that interfering with the FBI's own hacks?
What is their end game?
[ link to this | view in chronology ]
Re: Is that interfering with the FBI's own hacks?
[ link to this | view in chronology ]
OPEN SOURCE VS CLOSED SOURCE ELECTIONS
.
Please!... no emails!
[ link to this | view in chronology ]
State Computers
Voter Registration Systems are often outsourced, and the vendors must submit to annual onsite third party audits. The normal issues are finding the money to fix the audit findings, and dealing with public perception.
Voting Systems are different than Voter Registration Systems. The information flow between them is strictly controlled. Having access to a VRS doesn't necessarily mean you have access to add, modify, or delete data within it. There are integrity checks and backups.
Of all the information, the source of the attacks is the one I most trust. The FBI cannot reveal all its sources, but its cyber intelligence units are very good at identifying who is behind the hacks. For the states, they don't need to know who is hacking. They need information on how and how to defend against those methods. That is what the FBI is offering the states.
[ link to this | view in chronology ]