Stolen credentials allow hackers to delete voter registration records
A government cyber security monitor revealed on Monday that hackers had gained access to a voter election system. That access could be used to drastically distort the results of an election.
Details about the breach were sparse. The hackers targeted an unnamed county, and thus far there is no evidence that any actual election manipulation occurred.
A phishing scam was used to steal the login credentials of an unnamed county elections official. Those credentials could potentially be used to delete voter registration information and bar voters from casting a ballot. The attack was detected early, and no voter records appear to have been altered.
This revelation comes in the wake of a report from Arizona election officials outlining a similar scheme. Leaked FBI documents also revealed that hackers targeted two unnamed election systems. Using an SQL attack, these hackers were able to steal voter registration data.
The theft of registration data is considered by officials to be a minor threat because this data is already publicly available. Much more alarming, however, is the ability to both access and manipulate data. At the very least, this has the potential to undermine voter confidence in elections. And in a worst-case scenario, this strategy could be used to subvert the democratic process entirely.
This issue has received intense focus from both cyber security experts and government officials following a hack of the Democratic National Committee in July. Some have blamed that attack on hackers sponsored by the Russian government, but blame has not been definitively assigned, and motives remain obscure.
What is most alarming about the recent breach in the unnamed county is how easily it was perpetrated. Phishing schemes are ubiquitous and relatively unsophisticated. They are also one of the most effective strategies for stealing login credentials. It would not take a large, well-funded, or especially sophisticated group of hackers to gain access to highly sensitive voter information.
Securing election systems at all levels and in all parts of the country is a herculean task. There are over 9,000 jurisdictions nationwide. Many have their own unique processes for collecting, tallying, and reporting ballots. This makes them difficult to secure uniformly, but it also means that there is no common vulnerability that would allow a breach of the system as a whole.
Secretary of Homeland Security Jeh Johnson commented earlier this month that “We should carefully consider whether our election system, our election process is critical infrastructure, like the financial sector, like the power grid. There’s a vital national interest in our electoral process.”