This is the second part of a five-part blog series. Click here to read the first part of our series.
Any United States citizen who is above the age of eighteen has the ability to vote in the state that they reside in. In addition to these requirements, before every election, any potential voter who meets the previous requirements must be registered to vote in their state, except for North Dakota, which does not require voter registration before the election (usa.gov). So, when it comes to eligible voters, it seems pretty straightforward who can cast a vote. However, what would happen if the database that holds all of the registered voters was breached and potentially altered to either include voters that shouldn’t be eligible or, perhaps even more damaging, remove legally eligible voters so that when they show up on election day, they are unable to cast a vote? Although there isn’t any concrete evidence that any successful altering has taken place, it is a legitimate concern since there have been reported breaches that have either taken place or been attempted.
It would seem that if one would want to alter an election, the most effective way for a bad actor to successfully do this would be to gain access to the voter databases and delete eligible voters from the database. This could severely impact the election since the bad actor would be able to see the voting history of all of the registered voters and, depending on which way they would want the election to turn out, they can remove any percentage of voters that they would not want to vote, rendering them ineligible, and swinging the election in favor of the preferred candidate.
According to Professor William Rials, who is the Associate Director and Professor of Practice of the Tulane University School of Professional Advancement Applied Computing and Technology Program, where he focuses on continually delivering and updating the program curriculum based on innovative and emerging technologies, the largest threat to the current election system is the availability and integrity of these databases. He believes that cyber criminals looking to disrupt the elections would target these voter registration databases months and even years leading up to election day since incorrect or modified voter data could have an impact on the election process (Dunaway, 2020).
Just over 2 months before the 2016 Presidential elections, in August of 2016, the FBI confirmed there were security events concerning the voter databases in at least two states. In one of the states, Arizona, a nefarious actor was able to load malicious software, also known as malware, onto a computer in the Gila County Election Department, where it recorded the keystrokes of the computer user, gaining the username and password of the user (Stern, 2016). A short time later, the bad actor attempted to use the information obtained to try to access the voter information. However, because of the different levels of security set up for that information, they were unable to get past the second layer of defense and a further breach was averted.
They weren’t as lucky in Illinois. Using an SQL injection on a public-facing site, hackers were able to gain access to the Voter Registration Database. Although officials have come out and said that it doesn’t appear that any information was changed, the hack that took place compromised up to 200,000 personal voter records. The hack also shut down the voter registration system for 10 days (Volz & Finkle, 2016). A shutdown of that length, in such close proximity to a general election, can potentially have a significant impact on voter turnout. It doesn’t appear that the voter turnout was significantly impacted in Illinois in 2016, with voter turnout tallying 63.1%, slightly above the national average of 60.1% voter turnout (United States Election Project, 2016). However, we won’t know how many people tried to register while the systems were unavailable.
According to the Mueller Report, which was the findings from the thorough investigation regarding the security and validity of the 2016 elections completed by Robert Mueller, a former director of the FBI and special counsel to the Department of Justice, it is believed that the GRU, the intelligence unit of Russia, was able to gain access to at least one voter database in Florida, as well (Mueller, 2019). However, the Mueller Report does not go into depth about what occurred with the Florida databases that were infiltrated and the FBI did not provide additional information about this breach, so there is not enough information to ascertain what the outcome of the breach was.
In terms of cybersecurity, what took place in Arizona and Illinois attempted to affect the three principles that make up the cornerstone of every security infrastructure: Confidentiality, Integrity, and Availability, also known as the CIA Triad. The CIA Triad refers to the goals and objectives for keeping the protected systems safe. Confidentiality is about making sure that whatever is supposed to be private stays private and is not seen by anyone who is not supposed to see it. When it comes to Integrity, the goal is to ensure that the information that is being guarded isn’t altered in any way and that the information that is there is authentic and correct. Finally, Availability tries to make sure that the systems and networks are up and running so that users are reliably able to access them when they need them. When the hackers got the username and password of the employee in the election department in Gila County, and when the hackers gained access to 200,000 personal voter records, Confidentiality and Integrity were breached. Even though it doesn’t appear that any of the information was altered, Integrity was breached when the ability to change the information was present to the actor. Availability was affected when Illinois had to shut down their registration systems for 10 days. If a user wanted to register to vote during those 10 days, they would not have been able to access the systems to register. This poses a major threat to the current system since it calls into question the security of the current system.
According to a September 2016 report from CBS News, more than 10 other states had their systems probed or breached, like what happened in Arizona and Illinois (CBS News, 2016). They did not provide any additional information identifying those states. However, they did mention that there was the certainty that none of the voter databases were altered. Although it doesn’t seem like any damage was done since there was no altering of data, the reports of these databases being probed or breached can lead to doubt, suspicion, and uncertainty about the security of elections, which would then potentially lend credence to delegitimizing the election.
Click here for the next part of this series where we will deep dive into the vulnerabilities of voter machines and how the aging infrastructure can impact the accuracy of an election.
Christopher King and Shlomo Ross have just completed their certification at Fullstack Academy Cyber Bootcamp and are pursuing careers in Cyber Security.
Sources:
1) usa.gov. Who Can and Can't Vote in US Elections. USA.gov
2) Dunaway, R. (2020, September 17). Targeting the biggest cybersecurity threat to voting in the 2020 election. Tulane
3) Stern, R. (2016, August 30). FBI Links Cyberattacks on Arizona and Illinois Voter-Registration Data to Foreign Hackers. Phoenix New Times
4) Volz, D., & Finkle, J. (2016, August 29). Voter Registration Databases in Arizona and Illinois Were Breached, FBI Says. Time
5) United States Election Project. (2016, November). 2016 November General Election Turnout Rates. United States Election Project
6) Mueller, R. (2019, March). Report On The Investigation Into Russian Interference In The 2016 Presidential Election. Justice Department
7) CBS News. (2016, September 28). More state election databases hacked than previously thought. CBS News