FBI Says Foreign Hackers Got Into Election Computers

from the well,-that's-just-great dept

We’ve written probably hundreds of stories on just what a dumb idea electronic voting systems are, highlighting how poorly implemented they are, and how easily hacked. And, yet, despite lots of security experts sounding the alarm over and over again, you still get election officials ridiculously declaring that their own systems are somehow hack proof.

And now, along comes the FBI to alert people that it’s discovered at least two state election computer systems have been hacked already, and both by foreign entities.

The FBI has uncovered evidence that foreign hackers penetrated two state election databases in recent weeks, prompting the bureau to warn election officials across the country to take new steps to enhance the security of their computer systems, according to federal and state law enforcement officials.

The report apparently noted that Arizona and Illinois were the two states whose systems were exploited — with both attacks coming from the same IP addresses. From the report, it does not look as if the hacks were specifically about modifying vote totals, but rather accessing voter registration data — but that’s still a pretty big concern.

In response, the Department of Homeland Security has apparently reached out to state election officials offering “help” in better securing their election systems. Doesn’t it seem a bit late for them to start securing their systems now? And, of course, it’s not like DHS is somehow great at stopping hackers either. It wasn’t so long ago that a 16-year-old kid using the online handle “penis” was able to hack DHS’s computer systems.

Maybe, just maybe, people in charge of elections in America should have considered some of this, I dunno, two decades ago when people first raised the issues about vulnerabilities in election systems.


Comments on “FBI Says Foreign Hackers Got Into Election Computers”

57 Comments
Thad (user link) says:

Pretty misleading headline and lede. The weaknesses of electronic voting machines are real, and they deserve attention, but this story isn’t about electronic voting machines being hacked, it’s about *voter registration databases* being hacked.

While there is some overlap to the threat — after all, if you compromise the voter rolls, you can influence elections — it’s a different system, a different type of hack, and requires a completely different set of security fixes.

Anonymous Coward says:

Re: Re: Re: Re:

… and
voter id laws
expunging of “old” registrations
closing or moving polling places in select neighborhoods at the last minute
paving operations in and around polling places in select neighborhoods

How are these not illegal attempts to disenfranchise voters?
And then there is gerrymandering

Thad (user link) says:

Re: Re: Re:2 Re:

These are all very real concerns, but they’re yet another separate issue from the one we’re talking about. Elected officials in this country manipulating the electoral system to stay in power is an important issue, but it’s a completely different one from the question of independent individuals or foreign governments manipulating the electoral system for their own ends. They’re related issues but they have different outcomes, and the strategies for dealing with them are different.

As for what I mean by “if”, don’t be dense. I was making a conditional statement. If premise, then result.

Anonymous Coward says:

I don’t understand why everyone is so worked up about this. There’s only ever two candidates that could realistically win the election, so any hacker who made a different candidate win would be found out immediately. And in all honesty, if you just look at the decisions made when in office there’s been almost no real difference between those two candidates for the last several decades, so rigging it to swing a couple percent of the vote one way or the other will have almost no actual effect.

Chuck says:

Re: Re:

Well…for one thing, there’s actually quite a lot of difference between the two major party candidates. I’m not saying either is better (full disclosure: I’m voting for Hillary solely to keep the nuclear football out of Trump’s hands and otherwise I am really not a fan) but don’t pretend it’s a meaningless choice.

That said, you must be a millennial. As someone slightly older (I’m 29) I remember the election in 2000 quite vividly. The presidential election was thought to be a gimmie by both republicans and democrats – neither side thought the other had a chance. In the end, the election was decided by less than 300 votes (and then unconstitutionally overturned by the US Supreme Court, but that’s another issue). There are 370 million Americans, and only 300 votes made a difference.

Bush’s margin of victory during his reelection was less than 2% too.

My point being that, a hacker skewing the election by 2% can make a HUGE difference. Don’t discount that.

As someone who generally believes that technology can solve (almost) any problem, I have to agree with the poster above you: paper ballots should be the way. And none of those hole-punched things either. X’s in boxes all the way.

Thad (user link) says:

Re: Re: Re:

Man, nobody seems to be able to agree on what a Millennial actually is.

I’m 33 and I consider myself to be on the older end of the Millennial Generation, not the younger end of Gen X. At any rate I graduated high school right before the turn of the millennium, and faced the common Millennial problems of going to college to get a good job only to graduate into a market where it was a lot harder to find one than I’d been led to believe.

Anonymous Coward says:

Re: Re: Re:

My point being that, a hacker skewing the election by 2% can make a HUGE difference. Don’t discount that.

It can make a HUGE difference….in who happens to sit in the big chair. But apart from a lot of talking, it’s been nearly impossible to differentiate Republican and Democratic administrations over the last 3-4 decades. The democrats move a little money into whatever social program is popular, but not enough to matter. The republicans move a little money into (usually) military applications, but not enough to matter. Occasionally one or the other will do something big, there will be a lot of yelling, but then the next administration leaves it as is.

Thad (user link) says:

Re: Re: Re:3 Re:

The power to declare war? Um, yes, that is in fact a power that the President has.

It’s possible that Gore would have invaded Iraq. It’s certain that Bush did. It’s also pretty clear that Bush and major figures within his administration had been pushing Clinton to invade Iraq for years and Clinton had largely resisted, preferring sanctions and strategic airstrikes to a full-scale invasion.

On the other hand, Bush did have congressional support for the invasion, and the later arguments by Democratic supporters like John Kerry and Hillary Clinton that they were misled and had no reason to doubt the Bush Administration’s case for war have been less than convincing.

Groaker (profile) says:

Re: Re: Re:3 Re:

The only reason that Bush invaded Iraq was so that history would view him as a “war” president. He knowingly lied to start that war. Did so without the approval of the UN. Slaughtered 100,000 to 1,000,000, displaced 2-4 million. Disrupted the little balance that existed in the region. Is the progenitor of all the wars and slaughters going on there now.

Thad (user link) says:

Re: Re: Re:4 Re:

Well, that’s clearly not the only reason he invaded Iraq — he was, after all, already a war president by then.

The neocons who had Bush’s ear had been advising an invasion of Iraq for years, for a number of reasons. Saddam was a bad man (true) who had gassed his own people (true) and was hoarding chemical weapons (false) and working on nuclear weapons (false); if we took him out we would be able to spread stability and democracy throughout the region (really, really false).

There were other reasons besides that; people who say oil was the reason we went to war are grossly oversimplifying, but it was a factor. And Saddam attempted to assassinate Bush Sr, so I think there was an element of personal revenge involved. There were people who felt Bush Sr should have “finished the job” when we went in the first time, and also Cheney’s alleged “one percent doctrine” suggesting that even a one percent chance that a nation was a threat to us was reason enough to go to war.

Be careful attributing any one thing as “the only reason” for something. Especially something as complex as going to war.

Groaker (profile) says:

Re: Re: Re:5 Re:

A one percent chance is a violation of the Geneva Conventions. And what could Iraq do to the US? If it had declared war on the US, Iraq would have been naught but green glass.

One must also remember that Hussein was a front man for the US until it became convenient to turn him into a monster. He may have gassed some of his people, but many of those attributed to him were from Iranian gas. Photos show clear evidence of asphyxiating gases (Iran’s specialty) as opposed to nerve agents which were Iraq’s favorite.

Where was the evidence of the massive burials of 250K people at a site? There were none. Note that there was no attempt to kill Bush41, not even the Pentagon included that in its justifications.

Thad (user link) says:

Re: Re: Re:6 Re:

You seem to be mistaking my description of the Bush Administration’s rationale for war for a defense of same. It isn’t. Cheney’s One Percent Doctrine is madness and he should be tried for war crimes.

Bush said “This is the man who once tried to kill my dad” in a speech. I think he believed it. That doesn’t mean I’m defending him; even if it were true it wouldn’t be a justification for the war, which, in case I haven’t made it clear, I think was a terrible decision based on lies.

Thad (user link) says:

Re: Re:

I’m as cynical about the two-party system as anybody (I’m about to vote Stein for the second election running), but you do remember that 2000 came down to 400 votes in Florida, yes? And while I will grant there were too many similarities between Bush and Gore for comfort, I think it is reasonable to conclude that a Gore presidency would have been different from the Bush Administration in some very important and fundamental ways.

There are a number of factors that led to the outcome we saw in 2000. People mostly tend to focus on Nader voters and the Supreme Court halting the recount. But another issue that helped determine the election was that a number of minority voters were incorrectly turned away from the polls, even though they were registered. Surely you can see how this fact is pertinent to the subject at hand: if a foreign power has access to voter registration records, that can swing an election.

And that’s just the presidency. There are lots of other elected offices, and ballot initiatives, in any given election. It’s true that elections can only be stolen if they’re close. But strategic manipulation of close elections could shape policy outcomes.

Or, if attackers were to simply go after the whole thing with a hatchet and tamper with elections in an obvious way, it could still achieve their goals: it would cause chaos, paralyze elections, and undermine the public’s trust in the democratic process. You could joke that these things have already happened, and you’d have a point, but it could get a lot worse than it already is. And if you don’t believe that, well, we are currently looking at a race between the two most unpopular major-party candidates in recorded history, and that’s without foreign interests attacking our voter rolls (let alone our electronic voting machines, which this story is not actually about but which are very vulnerable nonetheless).

seedeevee (profile) says:

Foreign IP addresses, not foreign entities

C’mon! The report said foreign IP addresses were linked, not foreign entities.

“The FBI warning in an Aug. 18 flash alert from the agency’s Cyber Division did not identify the intruders or the two states targeted.”

“The FBI bulletin listed eight separate IP addresses that were the sources of the two attacks and suggested that the attacks may have been linked, noting that one of the IP addresses was used in both intrusions.”

Groaker (profile) says:

Re: Re: Re:3 Re:

No, a machine can not be hijacked by airgapping from 6K miles away. But even the US “justice” system is starting to understand that an IP number is just that, and not the DNA of the individual performing the task, nor an identifier of where the machine doing the cracking is located. VPNs can make a computer in Australia look and act like it is coming from a lab in Moscow.

Thad (user link) says:

Re: Re: Re:4 Re:

That’s true, and it may yet turn out that these attacks actually came from Australia. I haven’t seen anybody produce any evidence to indicate that as yet, and so I’m not going to assume that it’s true.

I’ll grant that I haven’t seen any hard evidence that these attacks came from Russia, either, and that “the FBI says so” is not sufficient evidence to convince me.

However, there is good evidence to suggest that the DNC servers were compromised by Russian attackers; not just IP addresses but metadata and linguistic analysis. There is further evidence that Russia has attempted to tamper with elections in several European nations.

It is not a stretch to assume that these most recent attacks came from Russia. There is no conclusive evidence yet (at least, not that’s been released to the public), but it matches the pattern and is the most obvious conclusion based on what we know right now.

If somebody — ideally a reputable, independent security analyst — produces evidence that the attacks actually came from Australia, then I’ll believe they came from Australia.

At which point I will ask you what the fuck difference it makes to my point about air-gapping, because people in Australia can’t compromise air-gapped computers in America either.

ECA (profile) says:

HOW fun is this...

Anyone wonder about this..
MOST election info is the SAME as your drivers license..

You GIVE ACCESS, to the internet for DATA that isn’t really needed on the NET..

why WOULD THE election SYSTEM GIVE Access to the NET for this?? WHY??

In Oregon…The WHOLE system is controlled and monitored by 1 REMOTE system.. AND when THAT REMOTE GOES down…nothing works..the WHOLE state, Police to workmens comp…ALL are not accessible..

Thad (user link) says:

Re: HOW fun is this...

That’s a good argument in favor of syncing a local copy of records data, but it’s not a good argument against keeping them online where they can be accessed by multiple branches and multiple agencies. If I go to the DMV in Mesa, it should have my information on file just like the one in Tempe.

There are multiple different locations that should have access to the voter rolls, at the district, city, county, and state level. Keeping that information online and secured is reasonable. Having voting machines online is not reasonable. There is a fundamental difference between the two things and I really wish this article hadn’t conflated them.

John Mayor says:

OPEN SOURCE VS CLOSED SOURCE ELECTIONS

Of course… the only way that the DHS is going to be able to realize a truly secure electronic voting system, is if it moves to Free and Open Source Software, and Free and Open Source Hardware! The problem with our electronic voting systems is the same problem faced by Hillary in her use of her cellphone and Internet Server to communicate sensitive government information!… the software and hardware within these, are in the control of “private interests” that we have to trust will do the right thing!
.
Please!… no emails!

Security_Geek (profile) says:

State Computers

I worked in cybersecurity at a state. The various agencies usually don’t share information (they can’t figure out cost sharing) and even within a single agency, they tend to keep things in separate systems.

Voter Registration Systems are often outsourced, and the vendors must submit to annual onsite third party audits. The normal issues are finding the money to fix the audit findings, and dealing with public perception.

Voting Systems are different than Voter Registration Systems. The information flow between them is strictly controlled. Having access to a VRS doesn’t necessarily mean you have access to add, modify, or delete data within it. There are integrity checks and backups.

Of all the information, the source of the attacks is the one I most trust. The FBI cannot reveal all its sources, but its cyber intelligence units are very good at identifying who is behind the hacks. For the states, they don’t need to know who is hacking. They need information on how and how to defend against those methods. That is what the FBI is offering the states.
