FBI Says Foreign Hackers Got Into Election Computers

from the well,-that's-just-great dept

We've written probably hundreds of stories on just what a dumb idea electronic voting systems are, highlighting how poorly implemented they are, and how easily hacked. And, yet, despite lots of security experts sounding the alarm over and over again, you still get election officials ridiculously declaring that their own systems are somehow hack proof.

And now, along comes the FBI to alert people that it's discovered at least two state election computer systems have been hacked already, and both by foreign entities.
The FBI has uncovered evidence that foreign hackers penetrated two state election databases in recent weeks, prompting the bureau to warn election officials across the country to take new steps to enhance the security of their computer systems, according to federal and state law enforcement officials.
The report apparently noted that Arizona and Illinois were the two states whose systems were exploited -- with both attacks coming from the same IP addresses. From the report, it does not look as if the hacks were specifically about modifying vote totals, but rather accessing voter registration data -- but that's still a pretty big concern.

In response, the Department of Homeland Security has apparently reached out to state election officials offering "help" in better securing their election systems. Doesn't it seem a bit late for them to start securing their systems now? And, of course, it's not like DHS is somehow a great at stopping hackers either. It wasn't so long ago that a 16-year-old kid using the online handle "penis" was able to hack DHS's computer systems.

Maybe, just maybe, people in charge of elections in America should have considered some of this, I dunno, two decades ago when people first raised the issues about vulnerabilities in election systems.

Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Thad, 29 Aug 2016 @ 2:48pm

    Pretty misleading headline and lede. The weaknesses of electronic voting machines are real, and they deserve attention, but this story isn't about electronic voting machines being hacked, it's about *voter registration databases* being hacked.

    While there is some overlap to the threat -- after all, if you compromise the voter rolls, you can influence elections -- it's a different system, a different type of hack, and requires a completely different set of security fixes.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 29 Aug 2016 @ 6:05pm

      Re:

      "if you compromise the voter rolls,"

      If? It's pretty much a given at this point. They are not even subtle about it anymore.

      reply to this | link to this | view in chronology ]

      • identicon
        David, 30 Aug 2016 @ 4:57am

        Re: Re:

        But to be fair, most attempts of hacking the voter base are by legislative means like Jim Crow laws.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 30 Aug 2016 @ 6:43am

          Re: Re: Re:

          ... and
          voter id laws
          expunging of "old" registrations
          closing or moving polling places in select neighborhoods at the last minute
          paving operations in and around polling places in select neighborhoods

          How are these not illegal attempts to disenfranchise voters?
          And then there is gerrymandering

          reply to this | link to this | view in chronology ]

          • identicon
            Thad, 30 Aug 2016 @ 7:49am

            Re: Re: Re: Re:

            These are all very real concerns, but they're yet another separate issue from the one we're talking about. Elected officials in this country manipulating the electoral system to stay in power is an important issue, but it's a completely different one from the question of independent individuals or foreign governments manipulating the electoral system for their own ends. They're related issues but they have different outcomes, and the strategies for dealing with them are different.

            As for what I mean by "if", don't be dense. I was making a conditional statement. If premise, then result.

            reply to this | link to this | view in chronology ]

            • identicon
              Anonymous Coward, 30 Aug 2016 @ 11:15am

              Re: Re: Re: Re: Re:

              And people here would never try to make it look as though the hack originated elsewhere.

              reply to this | link to this | view in chronology ]

              • identicon
                Thad, 30 Aug 2016 @ 12:06pm

                Re: Re: Re: Re: Re: Re:

                Of course it's possible that this was a domestic attack executed through foreign proxies to make it appear foreign.

                Absent any evidence of that, however, I'm not going to assume it's the case.

                reply to this | link to this | view in chronology ]

  • icon
    Norahc (profile), 29 Aug 2016 @ 3:08pm

    Maybe they need

    Maybe they need a way to secure the data so that if it is stolen, it is still protected. Oh wait...it already exists in the form of secure encryption without back doors.

    Time for officials to whine harder instead of doing what should have been done years ago.

    reply to this | link to this | view in chronology ]

  • identicon
    Personanongrata, 29 Aug 2016 @ 3:32pm

    Paper Ballots

    Paper ballots served the nation well for over 200 years.

    How did the US manage to survive (flourish even) for 200 years without electronic voting machines and the Department of Homeland Stupidity?

    reply to this | link to this | view in chronology ]

    • identicon
      Thad, 29 Aug 2016 @ 3:57pm

      Re: Paper Ballots

      Just to repeat: this story has nothing to do with electronic voting machines. It is about voter registration data.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 29 Aug 2016 @ 7:02pm

      Re: Paper Ballots

      Those big-ass machines aren't futuristic enough for us anymore. Look at the election day coverage graphics the news channels sport. We need sleek obsolete electronic machines.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Aug 2016 @ 3:43pm

    I don't understand why everyone is so worked up about this. There's only ever two candidates that could realistically win the election, so any hacker who made a different candidate win would be found out immediately. And in all honesty, if you just look at the decisions made when in office there's been almost no real difference between those two candidates for the last several decades, so rigging it to swing a couple percent of the vote one way or the other will have almost no actual effect.

    reply to this | link to this | view in chronology ]

    • identicon
      Chuck, 29 Aug 2016 @ 4:08pm

      Re:

      Well...for one thing, there's actually quite a lot of difference between the two major party candidates. I'm not saying either is better (full disclosure: I'm voting for Hillary solely to keep the nuclear football out of Trump's hands and otherwise I am really not a fan) but don't pretend it's a meaningless choice.

      That said, you must be a millennial. As someone slightly older (I'm 29) I remember the election in 2000 quite vividly. The presidential election was thought to be a gimmie by both republicans and democrats - neither side thought the other had a chance. In the end, the election was decided by less than 300 votes (and then unconstitutionally overturned by the US Supreme Court, but that's another issue). There are 370 million Americans, and only 300 votes made a difference.

      Bush's margin of victory during his reelection was less than 2% too.

      My point being that, a hacker skewing the election by 2% can make a HUGE difference. Don't discount that.

      As someone who generally believes that technology can solve (almost) any problem, I have to agree with the poster above you: paper ballots should be the way. And none of those hole-punched things either. X's in boxes all the way.

      reply to this | link to this | view in chronology ]

      • identicon
        Thad, 29 Aug 2016 @ 4:19pm

        Re: Re:

        Man, nobody seems to be able to agree on what a Millennial actually *is*.

        I'm 33 and I consider myself to be on the older end of the Millennial Generation, not the younger end of Gen X. At any rate I graduated high school right before the turn of the millennium, and faced the common Millennial problems of going to college to get a good job only to graduate into a market where it was a lot harder to find one than I'd been led to believe.

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 29 Aug 2016 @ 6:53pm

        Re: Re:

        My point being that, a hacker skewing the election by 2% can make a HUGE difference. Don't discount that.

        It can make a HUGE difference....in who happens to sit in the big chair. But apart from a lot of talking, it's been nearly impossible to differentiate Republican and Democratic administrations over the last 3-4 decades. The democrats move a little money into whatever social program is popular, but not enough to matter. The republicans move a little money into (usually) military applications, but not enough to matter. Occasionally one or the other will do something big, there will be a lot of yelling, but then the next administration leaves it as is.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 30 Aug 2016 @ 6:48am

          Re: Re: Re:

          So, what you are claiming is that had Gore "won" the election in 2000 then we still would have invaded Iraq?

          I don't think there is a lot of data in support of your claim.

          reply to this | link to this | view in chronology ]

          • identicon
            I.T. Guy, 30 Aug 2016 @ 7:40am

            Re: Re: Re: Re:

            You really think the President has that much power?
            Cinderella could have been elected and she would have invaded Iraq.

            reply to this | link to this | view in chronology ]

            • identicon
              Thad, 30 Aug 2016 @ 7:54am

              Re: Re: Re: Re: Re:

              The power to declare war? Um, yes, that is in fact a power that the President has.

              It's possible that Gore would have invaded Iraq. It's certain that Bush did. It's also pretty clear that Bush and major figures within his administration had been pushing Clinton to invade Iraq for years and Clinton had largely resisted, preferring sanctions and strategic airstrikes to a full-scale invasion.

              On the other hand, Bush *did* have congressional support for the invasion, and the later arguments by Democratic supporters like John Kerry and Hillary Clinton that they were misled and had no reason to doubt the Bush Administration's case for war have been less than convincing.

              reply to this | link to this | view in chronology ]

            • icon
              Groaker (profile), 30 Aug 2016 @ 2:07pm

              Re: Re: Re: Re: Re:

              The only reason that Bush invaded Iraq was so that history would view him as a "war" president. He knowingly lied to start that war. Did so without the approval of the UN. Slaughtered 100,000 to 1,000,000 displaced 2-4 million. Disrupted the little balance that existed in the region. Is the progenitor of all the wars and slaughters going on there now.

              reply to this | link to this | view in chronology ]

              • identicon
                Thad, 30 Aug 2016 @ 3:27pm

                Re: Re: Re: Re: Re: Re:

                Well, that's clearly not the *only* reason he invaded Iraq -- he was, after all, *already* a war president by then.

                The neocons who had Bush's ear had been advising an invasion of Iraq for years, for a number of reasons. Saddam was a bad man (true) who had gassed his own people (true) and was hoarding chemical weapons (false) and working on nuclear weapons (false); if we took him out we would be able to spread stability and democracy throughout the region (really, really false).

                There were other reasons besides that; people who say oil was *the* reason we went to war are grossly oversimplifying, but it was a factor. And Saddam attempted to assassinate Bush Sr, so I think there was an element of personal revenge involved. There were people who felt Bush Sr should have "finished the job" when we went in the first time, and also Cheney's alleged "one percent doctrine" suggesting that even a one percent chance that a nation was a threat to us was reason enough to go to war.

                Be careful attributing any one thing as "the only reason" for something. Especially something as complex as going to war.

                reply to this | link to this | view in chronology ]

                • icon
                  Groaker (profile), 30 Aug 2016 @ 4:04pm

                  Re: Re: Re: Re: Re: Re: Re:

                  A one percent chance is a violation of the Geneva Conventions. And what could Iraq do to the US. If it had declared war on the US, Iraq would have been naught but green glass.

                  One must also remember that Hussein was a front man for the US until it became convenient to turn him into a monster. He may have gassed some of his people, but many of those attributed to him were from Iranian gas. Photos show clear evidence of asphyxiating gases (Iran's specialty) as opposed to nerve agents which were Iraq's favorite.

                  Where was the evidence of the massive burials of 250K people at a site? There were none. Note that there was no attempt to kill Bush41, not even the Pentagon included that in its justifications.

                  reply to this | link to this | view in chronology ]

                  • identicon
                    Thad, 31 Aug 2016 @ 10:26am

                    Re: Re: Re: Re: Re: Re: Re: Re:

                    You seem to be mistaking my description of the Bush Administration's rationale for war for a defense of same. It isn't. Cheney's One Percent Doctrine is madness and he should be tried for war crimes.

                    Bush said "This is the man who once tried to kill my dad" in a speech. I think he believed it. That doesn't mean I'm defending him; even if it were true it wouldn't be a justification for the war, which, in case I haven't made it clear, I think was a terrible decision based on lies.

                    reply to this | link to this | view in chronology ]

    • identicon
      Thad, 29 Aug 2016 @ 4:12pm

      Re:

      I'm as cynical about the two-party system as anybody (I'm about to vote Stein for the second election running), but you do remember that 2000 came down to 400 votes in Florida, yes? And while I will grant there were too many similarities between Bush and Gore for comfort, I think it is reasonable to conclude that a Gore presidency would have been different from the Bush Administration in some very important and fundamental ways.

      There are a number of factors that led to the outcome we saw in 2000. People mostly tend to focus on Nader voters and the Supreme Court halting the recount. But another issue that helped determine the election was that a number of minority voters were incorrectly turned away from the polls, even though they were registered. Surely you can see how this fact is pertinent to the subject at hand: if a foreign power has access to voter registration records, that can swing an election.

      And that's just the presidency. There are lots of other elected offices, and ballot initiatives, in any given election. It's true that elections can only be stolen if they're close. But strategic manipulation of close elections could shape policy outcomes.

      Or, if attackers were to simply go after the whole thing with a hatchet and tamper with elections in an *obvious* way, it could still achieve their goals: it would cause chaos, paralyze elections, and undermine the public's trust in the democratic process. You could joke that these things have already happened, and you'd have a point, but it could get a lot worse than it already is. And if you don't believe that, well, we are currently looking at a race between the two most unpopular major-party candidates in recorded history, and that's *without* foreign interests attacking our voter rolls (let alone our electronic voting machines, which this story is not actually about but which are very vulnerable nonetheless).

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 29 Aug 2016 @ 4:44pm

      Re:

      You clearly do not have even the slightest comprehension of how little vote manipulation is required to swing an election. Sit down, shut up, and try (as best you can) to learn from those who are superior to you.

      reply to this | link to this | view in chronology ]

    • icon
      Groaker (profile), 30 Aug 2016 @ 5:43am

      Re:

      There may only be two candidates at the top of the tickets, but there are likely thousands of candidates who will have a great impact on the way our nation will run. From president to dog catcher.

      reply to this | link to this | view in chronology ]

  • icon
    seedeevee (profile), 29 Aug 2016 @ 4:12pm

    Foreign IP adresses, not foreign entities

    C'mon! The report said foreign IP adresses were linked, not foreign entities.

    "The FBI warning in an Aug. 18 flash alert from the agency's Cyber Division did not identify the intruders or the two states targeted. "

    "The FBI bulletin listed eight separate IP addresses that were the sources of the two attacks and suggested that the attacks may have been linked, noting that one of the IP addresses was used in both intrusions. "

    reply to this | link to this | view in chronology ]

    • identicon
      I.T. Guy, 30 Aug 2016 @ 7:43am

      Re: Foreign IP adresses, not foreign entities

      Because... ya know... I could never issue commands from a compromised machine in Russia. /s

      Remember folks... an IP address is not a person or even a very good indication of a location of the user.

      Russian hackers has more drama.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Aug 2016 @ 4:25pm

    Frankly, they would be stupid not to exploit. Not only foreign governments. Security shoul be priority. Paper is harder to manipulate in secrecy.

    reply to this | link to this | view in chronology ]

    • identicon
      Thad, 29 Aug 2016 @ 4:39pm

      Re:

      Once again: this article is about *voter registration rolls*.

      Do you really believe that voter registration data should only be stored on paper?

      Because I think that's a reasonable requirement for ballots, but not for registrations.

      reply to this | link to this | view in chronology ]

    • identicon
      David, 30 Aug 2016 @ 4:59am

      Re:

      Paper is easier to manipulate than computers. But manipulating one piece of paper just gives you one vote.

      reply to this | link to this | view in chronology ]

      • identicon
        Thad, 30 Aug 2016 @ 7:57am

        Re: Re:

        Paper is easier to manipulate than computers.

        Only if the computers in question are air-gapped. If they're networked, they're a *lot* easier to manipulate than paper, because you can manipulate them without being in the same room.

        reply to this | link to this | view in chronology ]

        • icon
          Groaker (profile), 30 Aug 2016 @ 2:11pm

          Re: Re: Re:

          Even air-gapping no longer works if the computers are within a room of each other. Google "cracking air gapped computers" for a large number of references as to how this is done.

          reply to this | link to this | view in chronology ]

          • identicon
            Thad, 30 Aug 2016 @ 3:33pm

            Re: Re: Re: Re:

            That's true but misses the point. You can't tamper with an air-gapped US voting machine from Russia.

            reply to this | link to this | view in chronology ]

            • icon
              Groaker (profile), 30 Aug 2016 @ 4:09pm

              Re: Re: Re: Re: Re:

              No, a machine can not be hijacked by airgapping from 6K miles away. But even the US "justice" system is starting to understand that an IP number is just that, and not the DNA of the individual performing the task, nor an identifier of where the machine doing the cracking is located. VPNs can make a computer in Australia look and act like it is coming from a lab in Moscow.

              reply to this | link to this | view in chronology ]

              • identicon
                Thad, 31 Aug 2016 @ 10:35am

                Re: Re: Re: Re: Re: Re:

                That's true, and it may yet turn out that these attacks actually came from Australia. I haven't seen anybody produce any evidence to indicate that as yet, and so I'm not going to assume that it's true.

                I'll grant that I haven't seen any hard evidence that these attacks came from Russia, either, and that "the FBI says so" is not sufficient evidence to convince me.

                However, there is good evidence to suggest that the DNC servers were compromised by Russian attackers; not just IP addresses but metadata and linguistic analysis. There is further evidence that Russia has attempted to tamper with elections in several European nations.

                It is not a stretch to assume that these most recent attacks came from Russia. There is no conclusive evidence yet (at least, not that's been released to the public), but it matches the pattern and is the most obvious conclusion based on what we know right now.

                If somebody -- ideally a reputable, independent security analyst -- produces evidence that the attacks actually came from Australia, then I'll believe they came from Australia.

                At which point I will ask you what the fuck difference it makes to my point about air-gapping, because people in Australia can't compromise air-gapped computers in America either.

                reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 30 Aug 2016 @ 8:14am

        Re: Re:

        Paper is easier to hack because aliens. Right...

        reply to this | link to this | view in chronology ]

        • icon
          JoeCool (profile), 30 Aug 2016 @ 12:01pm

          Re: Re: Re:

          Paper can be filled out beforehand and then swapped with a little slight of hand... or simply misplaced. There's all sorts of shenanigans that people played with paper ballots. They both have vectors for fraud, just mainly different ones.

          reply to this | link to this | view in chronology ]

  • icon
    radarmonkey (profile), 29 Aug 2016 @ 5:46pm

    Someone needs to get a Clue-by-4 and beat the entire government!

    SECURITY! *WHACK!*
    IS! *WHACK!*
    AN! *WHACK!*
    I.T.! *WHACK!*
    PROBLEM! *WHACK!*
    NO! *WHACK!*
    LAW! *WHACK!*
    WILL! *WHACK!*
    MAKE! *WHACK!*
    US! *WHACK!*
    SECURE!! *WHACK!*

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Aug 2016 @ 6:02pm

    Re: Paranoid, tinfoil-hat, conspiracy theorists

    Are you suggesting it did not happen?

    reply to this | link to this | view in chronology ]

    • identicon
      Michael, 30 Aug 2016 @ 4:00am

      Re: Re: Paranoid, tinfoil-hat, conspiracy theorists

      It is possible that the "foreign hackers" were, in fact, the FBI hacking into these databases in an attempt to convince someone to join their hacking plot so the FBI could then arrest them and show that they stopped the terrorists.

      reply to this | link to this | view in chronology ]

  • icon
    NeghVar (profile), 29 Aug 2016 @ 6:46pm

    Clinton Foundation

    They are probably funded by the Clinton Foundation.

    reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 29 Aug 2016 @ 7:40pm

    HOW fun is this...

    Anyone wonder about this..
    MOST election info is the SAME as your drivers license..

    You GIVE ACCESS, to the internet for DATA that isnt really needed on the NET..

    why WOULD THE election SYSTEM GIVE Access to the NET for this?? WHY??

    In Oregon...The WHOLE system is controlled and monitored by 1 REMOTE system.. AND wheN THAT REMOTE GOES down...nothing works..the WHOLE state, Police to workmens comp...ALL are not accessible..

    reply to this | link to this | view in chronology ]

    • identicon
      Thad, 31 Aug 2016 @ 10:39am

      Re: HOW fun is this...

      That's a good argument in favor of syncing a local copy of records data, but it's not a good argument against keeping them online where they can be accessed by multiple branches and multiple agencies. If I go to the DMV in Mesa, it should have my information on file just like the one in Tempe.

      There are multiple different locations that should have access to the voter roles, at the district, city, county, and state level. Keeping that information online and secured is reasonable. Having voting machines online is not reasonable. There is a fundamental difference between the two things and I really wish this article hadn't conflated them.

      reply to this | link to this | view in chronology ]

  • identicon
    David, 29 Aug 2016 @ 10:26pm

    Is that interfering with the FBI's own hacks?

    I mean, the FBI are monitoring the voting registration systems at an access level where they see tampering? It's not that they have been notified by the system adminitrators of such access but have found out themselves?

    What is their end game?

    reply to this | link to this | view in chronology ]

  • identicon
    John Mayor, 30 Aug 2016 @ 2:54pm

    OPEN SOURCE VS CLOSED SOURCE ELECTIONS

    Of course... the only way that the DHS is going to be able to realize a truly secure electronic voting system, is if it moves to Free and Open Source Software, and Free and Open Source Hardware! The problem with our electronic voting systems is the same problem faced by Hillary in her use of her cellphone and Internet Server to communicate sensitive government information!... the software and hardware within these, are in the control of "private interests" that we have to trust will do the right thing!
    .
    Please!... no emails!

    reply to this | link to this | view in chronology ]

  • icon
    Security_Geek (profile), 2 Sep 2016 @ 11:02am

    State Computers

    I worked in cybersecurity at a state. The various agencies usually don't share information (they can't figure out cost sharing) and even within a single agency, they tend to keep things in separate systems.

    Voter Registration Systems are often outsourced, and the vendors must submit to annual onsite third party audits. The normal issues are finding the money to fix the audit findings, and dealing with public perception.

    Voting Systems are different than Voter Registration Systems. The information flow between them is strictly controlled. Having access to a VRS doesn't necessarily mean you have access to add, modify, or delete data within it. There are integrity checks and backups.

    Of all the information, the source of the attacks is the one I most trust. The FBI cannot reveal all its sources, but its cyber intelligence units are very good at identifying who is behind the hacks. For the states, they don't need to know who is hacking. They need information on how and how to defend against those methods. That is what the FBI is offering the states.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Copying Is Not Theft
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.