Hackers Target State Voter Databases: Are They Targeting Personal Information or Intending to Tamper with Elections?

As a number of people know by now, the Cyber Crimes Division of the Federal Bureau of Investigation (FBI) recently released a Flash memorandum warning state Boards of Elections about recent hacks. The attacks appear to have targeted voter registration databases in Illinois and Arizona. Reports indicate that the attacks on Arizona’s database were unsuccessful, but that up to 200,000 Illinois voters may have had their personal information exposed as a result of the attacks.

While the FBI did not reveal any suspects, an expert cited by Yahoo News tries to link the methods used in the attack to similar methods previously employed by Russian hackers.

[Rich] Barger [from ThreatConnect] noted that one of the IP addresses listed in the FBI alert has surfaced before in Russian criminal underground hacker forums. He also said the method of attack on one of the state election systems — including the types of tools used by the hackers to scan for vulnerabilities and exploit them — appears to resemble methods used in other suspected Russian state-sponsored cyberattacks.

The potential Russian connection has also attracted the attention of Nevada Senator Harry Reid, who asked FBI Director James Comey to investigate potential ties between the hackers, the Russian government, and any attempt by the Russians to “tamper in [the United States’ upcoming] presidential election.”

Voter registration databases are rich targets for hackers or other bad actors. The databases contain a wealth of information, such as names, addresses, and dates of birth. This personal identifying information (PII) is in one, singular location. States, as well, generally do not protect their databases as well as financial institutions or online marketplaces might protect them. The combination of information and relatively weaker security make any state database, voter or otherwise, a prime target for identity thieves.

The likely motive for the cyberattacks is access to personal identifying information (PII), rather than some intended electoral malfeasance.

What if, though, the bad actors accessed voter registration databases for other purposes? We have all seen the crime noir movie or television show where the bad guys use a burglary, arson or other petty to conceal another, more dastardly conspiracy.  What if Senator Reid is right? What if the Russians, or another foreign government, want to tamper with the upcoming general elections?

The threat from foreign actors accessing voter registration databases is not equivalent to hacking electronic voting machines. Hacking machines is an entirely different threat. The threat from hacking databases is, instead, closer to alleged 1948 Lyndon Johnson-type ballot box stuffing.

Imagine a bad, or foreign, actor accessing registration databases, discovering who usually votes via absentee ballot. Even worse, imagine a foreign actor accessing voter databases and finding who does not usually vote. The information, including the voters’ names and addresses, could be forwarded to associates of the foreign actor here in the United States. Those associates could request, and intercept, absentee ballots. They could identify certain groups of people within the databases for additional targeting, such as elderly voters.

Taking the hypotheticals a bit further, what if the bad actors could inject information into the databases? What if they could “register” people to vote, or otherwise cause fictitious names with fictitious addresses to appear on the voter lists? Assuming a close election in a number of states, such ballot box stuffing could sway the election one way or the other way.

Identifying potential cybersecurity threats and their consequences takes some imagination. The hard work, though, is preparing defenses against the attacks.

States should always be prepared for cybersecurity risks. The attempts to access voter registration databases should neither surprise states, nor catch them off-guard. And states should recognize that cyberattacks, as a whole, are growing more and more sophisticated. Consequently, states should ensure proper cybersecurity measures are in place. The FBI in the Flash memorandum, for example, recommended that state entities are “fully patched” and that they validate user information prior to granting the user access to the databases, in addition to implementing a number of other precautions.