FBI says foreign hackers are trying to gain access to election systems

On this primary election day in Arizona, there are some disturbing reports about Arizona’s election data base being vulnerable to foreign hackers.

There is also this recently released analysis from the Institute for Critical Infrastructure Technology, ICIT Analysis: Hacking Elections is Easy! Part One: Tactics, Techniques and Procedures (link to .pdf).

Michael Isikoff reports for Yahoo News, FBI says foreign hackers penetrated state election systems:

The FBI has uncovered evidence that foreign hackers penetrated two state election databases in recent weeks, prompting the bureau to warn election officials across the country to take new steps to enhance the security of their computer systems, according to federal and state law enforcement officials.

The FBI warning, contained in a “flash” alert (.pdf) from the FBI’s Cyber Division, a copy of which was obtained by Yahoo News, comes amid heightened concerns among U.S. intelligence officials about the possibility of cyberintrusions, potentially by Russian state-sponsored hackers, aimed at disrupting the November elections.

Those concerns prompted Homeland Security Secretary Jeh Johnson to convene a conference call with state election officials on Aug. 15, in which he offered his department’s help to make state voting systems more secure, including providing federal cybersecurity experts to scan for vulnerabilities, according to a “readout” of the call released by the department.

Johnson emphasized in the call that Homeland Security was not aware of “specific or credible cybersecurity threats” to the election, officials said. But three days after that call, the FBI Cyber Division issued a potentially more disturbing warning, titled “Targeting Activity Against State Board of Election Systems.” The alert, labeled as restricted for “NEED TO KNOW recipients,” disclosed that the bureau was investigating cyberintrusions against two state election websites this summer, including one that resulted in the “exfiltration,” or theft, of voter registration data. “It was an eye opener,” a senior law enforcement official said of the bureau’s discovery of the intrusions. “We believe it’s kind of serious, and we’re investigating.”

The bulletin does not identify the states in question, but sources familiar with the document say it refers to the targeting by suspected foreign hackers of voter registration databases in Arizona and Illinois. In the Illinois case, officials were forced to shut down the state’s voter registration system for 10 days in late July, after the hackers managed to download personal data on up to 200,000 state voters, Ken Menzel, the general counsel of the Illinois Board of Elections, said in an interview. The Arizona attack was more limited, involving malicious software that was introduced into its voter registration system but no successful exfiltration of data, a state official said.

The FBI bulletin listed eight separate IP addresses that were the sources of the two attacks and suggested that the attacks may have been linked, noting that one of the IP addresses was used in both intrusions. The bulletin implied that the bureau was looking for any signs that the attacks may have attempted to target even more than the two states. “The FBI is requesting that states contact their Board of Elections and determine if any similar activity to their logs, both inbound and outbound, has been detected,” the alert reads. “Attempts should not be made to touch or ping the IP addresses directly.”

“This is a big deal,” said Rich Barger, chief intelligence officer for ThreatConnect, a cybersecurity firm, who reviewed the FBI alert at the request of Yahoo News. “Two state election boards have been popped, and data has been taken. This certainly should be concerning to the common American voter.”

Barger noted that one of the IP addresses listed in the FBI alert has surfaced before in Russian criminal underground hacker forums. He also said the method of attack on one of the state election systems — including the types of tools used by the hackers to scan for vulnerabilities and exploit them — appears to resemble methods used in other suspected Russian state-sponsored cyberattacks, including one just this month on the World Anti-Doping Agency.

The FBI did not respond to detailed questions about the alert, saying in a statement only that such bulletins are provided “to help systems administrators guard against the actions of persistent cyber criminals.” Menzel, the Illinois election official, said that in a recent briefing, FBI agents confirmed to him that the perpetrators were believed to be foreign hackers, although they were not identified by country. He said he was told that the bureau was looking at a “possible link” to the recent highly publicized attack on the Democratic National Committee and other political organizations, which U.S. officials suspect was perpetrated by Russian government hackers. But he said agents told him they had reached no conclusions, and other experts say the hackers could also have been common cybercriminals hoping to steal personal data on state voters for fraudulent purposes, such as obtaining bogus tax refunds.

The Washington Post editorialized today, How to hack- and rig-proof U.S. elections:

A MONDAY report from Yahoo News’s Michael Isikoff raised concerns that this year’s election will be rigged — though not in the way Donald Trump has predicted. Election systems in at least two states — Arizona and Illinois — have been compromised, seemingly by foreign hackers, possibly operating out of Russia or Iran. These revelations are only more worrying in light of the Russian government’s other apparent attempts to sway this year’s presidential election toward Mr. Trump, such as the hacking of the Democratic National Committee and subsequent leaking of party documents.

In fact, for the moment, the news does not suggest that foreign governments are rigging the election, or anything close. Without evidence of deeper penetrations, the latest revelations amount to little more than a warning. Election systems have vulnerabilities. Government officials and perhaps Congress can and should do more to ensure the integrity of the ballot box.

In both states, hackers appear to have been interested in taking rather than changing information stored on state systems, penetrating election databases containing voter information. Even then, they managed to extract information — up to 200,000 voters’ personal data — only in the Illinois case. In Arizona, election officials discovered malicious software before any data was taken. Though election tampering might be a motive, the penetrations could have simply been in service of petty crime — hackers gathering personal information to commit identity theft.

U.S. elections are hackable, though it is much harder than some appear to believe. There are three main areas of vulnerability, according to Andrew Appel, a Princeton University computer scientist. Hackers could tamper with voter records, removing names from official rolls. They could attack electronic voting machines. And they could disrupt the proper tallying of voting results as they are collected from various precincts.

In each case, one key to ensuring integrity is creating a paper trail that can be matched to the electronic records. Electronic voter rolls can be checked against paper ones; electronic vote counts can be compared to paper ballots filled in during the voting process; statewide vote tallies can be checked by examining and adding the results reported publicly in each precinct.

Yeah, let me stop you right there. This is true as an academic theory but not in practice. It is not the way that Arizona actually counts your ballot.

Arizona counts the digital image of your ballot, not the paper ballot itself. And while the paper ballot is retained for a number of months after an election, ostensibly as a paper record to verify the vote, the digital images used to actually count the vote are not. Unless someone successfully brings an election challenge in court — exceedingly rare — the paper ballots are not much security to verify the vote.

Only a small fraction of paper ballots are ever subject to a hand count audit in Arizona. It is only a partial hand count audit because the early ballots and election day ballots cast in a given precinct are not combined together to obtain a “total precinct count.” (That is tallied by the election division computers). If there are no problems with the partial hand count audit, we are to take it on faith that the “total precinct count” is also accurate. But the total number of ballots cast in a given precinct are never audited by a hand count, so how can we say for certain?

This is why there is currently is a lawsuit in Pima County to challenge this process. The Arizona Daily Star reports, County to hold onto ballot images after suit filed:

The Pima County Elections Department will hold onto digital images of ballots cast during the Aug. 30 primary election, despite its current policy of clearing them out daily after results are tabulated.

That’s in response to a lawsuit filed in Pima County Superior Court last week that alleges state law requires the county to hold onto those images for at least 22 months. The suit seeks a temporary restraining order, preliminary injunction and permanent injunction to prevent the county “from destroying” the files.

“Pima County has a duty to preserve the ballot image files … until such files no longer have any administrative, legal, fiscal, research or historical value,” the complaint reads.

John Brakey, whose organization AUDIT-AZ hired the attorney who filed the suit, said the county’s current practice of deleting the digital images makes it difficult to verify that the results of elections are accurate.

“(The images) are part of the chain of custody, that’s what’s really counted,” he said. “If you take those and destroy them, you’ve destroyed your database.”

Brad Nelson, county elections director, said Brakey is correct that it is digital images of ballots that are scanned and counted by the county’s new ballot counting system. However, Nelson said that while some local elected officials have “at least supported the idea of obtaining scanned images of ballots and letting them go out into the world,” his office has received instructions from the Arizona Secretary of State’s Office that keeping the images or using them to verify results “is against the law.”

“They are not something that I can retain or use for audit purposes currently,” he said.

Nelson disagreed that his office’s handling of ballot images could compromise elections, pointing out that there have been a handful of elections since the new equipment came online, including last November’s bond vote and the presidential preference election earlier this year. Audits of them, during which original ballots from randomly selected precincts and races were hand counted, showed no irregularities, Nelson said.

“The audits have come out perfect, they match every time,” he said. “The accuracy is astounding.” [See the explanation of the audit above.]

Nelson said a hearing in the case is scheduled for Aug. 30, election day. Amelia Cramer, chief deputy with the Pima County Attorney’s Office, said the images are “being retained pending the outcome of the litigation.”

Stay tuned.