Recent State Voter Registration System Cyberattacks Prompt FBI Alert

After cyberattacks that compromised voter registration computer systems in Arizona and Illinois this summer, the FBI issued an alert bulletin earlier this month warning that states should take extra precautions to safeguard election databases.

First reported Monday by Yahoo News, the leaked document is dated Aug. 18. While Arizona and Illinois are not specifically identified in the bulletin, Yahoo cited unnamed sources who said those were the places referenced in it. The episodes in the two states varied widely in scope and neither appears to pose an imminent threat to the integrity of the November elections.

A known hacker from Russia is believed to be behind the Arizona incident, according to Matt Roberts, director of communications for the secretary of state’s office there.

The FBI alert comes amid a chaotic presidential election cycle when the Russian government has been suspected of stealing and leaking emails and other documents from the Democratic National Committee. And as Republican presidential nominee, Donald J. Trump has suggested that the outcome of this November’s election could be “rigged” against him.

With the hacking incident in Illinois, personal information for “fewer than 200,000” voters was exposed in a cyberattack that began on June 23 and was identified on July 12, according to the general counsel for the state’s board of elections, Ken Menzel.

“We’re very confident that no record was added, deleted or altered,” Menzel said by phone on Monday. He declined to comment on whether a foreign party was suspected to be behind the cyberattack.

In Arizona, an investigation turned up no evidence that hackers had accessed any voter records at the state or local level, Roberts told Route Fifty on Monday. But computer login credentials for a county election official there had been taken and posted online, he said.

The breach in Illinois resulted in the state’s online voter registration system getting shut down on July 13. It began operating again on July 21 and was fully restored by July 28. When the system was down, people could not register to vote online, but could do so by mail or in-person.

The Arizona incident disrupted the state’s voter registration database between June 28 and July 7. Counties could not process voter registration information during that time and an online system tied to public campaign financing was also disabled.

Much of the information in voter registration databases tends to be publicly available.

But an unspecified number of the records breached in Illinois did contain more sensitive material, such as driver’s license and state identification numbers and the last four digits of Social Security numbers, Menzel said.

Images of people’s signatures and data showing whether or not they’d voted in past elections were not exposed, he added.

In Menzel’s view, the likelihood of the cybersecurity breach having any impact on the November election is remote.

“The election process isn’t really at great risk from what happened with this hack,” he said. Though he acknowledged: “There might be some individual fallout” due to the fact that personal information for some people was compromised “but it’s not a systemic kind of danger.”

If voter registration records were to be deleted or changed by hackers, it raises the specter that problems could arise when people go to vote. But Menzel described this as unlikely—at least in Illinois.

“I don’t see that as a real viable scenario,” he said.

One reason he takes this view, is the state level voter database acts as a repository of sorts for information kept in databases throughout Illinois’ 109 election jurisdictions, which include 102 counties and seven cities.

If a person is registered to vote in their county, the key thing is that their registration information is correct in the local level database there when they go to cast their ballot.

The state does run Illinois’ only online voter registration system.

But when a person registers online to vote, their information is sent from the state, to their local jurisdiction. The locality then confirms the voter’s eligibility, and then the person’s information is added to the state database.

“If our system were badly gummed-up, we’d go to the most recent backup file,” Menzel said, “and then the counties would upload their data to fix anything that had been missed.” He added: “It wouldn’t be the catastrophe that one might fear.”

When Arizona made the decision in June to disable its voter registration system, the FBI had informed the state’s Department of Administration that a username and password for a county level election official had appeared on the internet.

Arizona cybersecurity staff later determined that a computer virus, or a malicious piece of software, probably something known as a “keylogger,” had enabled that person’s login information to be captured.

Because county level voter registration systems in Arizona communicate with those at the state level, officials there opted to shut down the entire system, Roberts explained.

Pamela Smith is president of Verified Voting, a nonpartisan group that advocates for accuracy and transparency in elections.

She noted that situations like the ones that forced the voting registration systems offline in Arizona and Illinois could be more troublesome as voter registration deadlines approach in some states, and as Election Day nears.

“It could be really bad in late October,” she said. As Smith discussed the hacking incidents, she added: “These are kind of wake up calls.”

Even if a person discovers a problem with their voter registration when they show up to a polling place, most will still have options to cast a ballot.

In some states they can submit what’s known as a provisional ballot, which election officials would later examine to determine the voter’s eligibility. And in 13 states and the District of Columbia, according to the National Conference of State Legislatures, there’s same day registration, allowing people to register and vote on Election Day.

That said, if a large number of voter records were somehow unexpectedly deleted or altered, it would likely cause difficulties and confusion for election workers and voters alike.

“It’s important to protect the information, protect it from any tampering, anything that could cause disruption, or basically even just cause more work for election officials,” Smith said.

The FBI alert that came to light Monday offers technical details about some of what state officials should be looking out for, based on the recent hacking directed at election systems.

Included in it are suspicious internet protocol, or IP, addresses, which are strings of numbers that identify computers on a network.

Also in the document are recommendations the bureau says states should take to protect their election databases. For instance, searching computer logs for commands associated with a specific type of cyberattack known as an SQL injection, ensuring that software is “patched” to guard against hacking threats and conducting vulnerability scans on government websites.

Menzel said Illinois had toughened password requirements in the wake of the breach this summer.

But, to avoid revealing information to hackers, he didn’t want to go into further detail about other security upgrades the state was making to protect its election computer system.

Hacking threats to the system are not new, and are not abating. “It remains under continuous attack,” Menzel said.

“Various people, in various places, here and all over the globe, have been trying to get into the thing for 10 years,” he continued. “What’s noteworthy now is somebody managed to do it.”