Voter data breach leads to questions of tampering and state security

Election registration databases in two states were attacked and the resulting voter data breach has led to questions of possible election tampering and inadequate state security.

The FBI said hackers attacked two state election websites and accessed voter registration databases, and one expert believes there will undoubtedly be more voter data breaches before November's election.

The states in question were not named in the "flash" alert from the FBI, but officials from Arizona and Illinois have admitted their voter record systems were attacked. An Arizona state official told Yahoo News that malicious software was introduced into its voter registration system but no data was stolen, and Ken Menzel, the general counsel of the Illinois State Board of Elections, said hackers had stolen personal data on as many as 200,000 state voters.

The FBI memo noted there may have been a connection between the two attacks because one of eight IP addresses associated with the breaches was used in both cases.

"The FBI is requesting that states contact their Board of Elections and determine if any similar activity to their logs, both inbound and outbound, has been detected," the alert read. "Attempts should not be made to touch or ping the IP addresses directly."

Menzel said attackers were able to exploit "a chink in the armor in one small data field in the online registration system," which according to the FBI, may have been a SQL injection vulnerability found with penetration testing tools Acunetix, SQLMap and DirBuster.
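
As an added illustration (not code from the FBI alert or from either state), the following Python example reviews inbound web server logs for the activity described above: requests from watchlisted addresses, the self-identifying strings of Acunetix, SQLMap and DirBuster, and common SQL injection probes in the URL. The watchlist addresses, the sample log lines and the use of the "combined" log format are assumptions; outbound connection logs would need a separate check.

```python
import re
from collections import defaultdict

# Placeholder watchlist: the alert's addresses are not reproduced in the article,
# so RFC 5737 documentation addresses stand in for them here.
WATCHLIST_IPS = {"203.0.113.10", "203.0.113.77"}
# Assumption: the tools were run with their default, self-identifying strings.
SCANNER_MARKERS = ("acunetix", "sqlmap", "dirbuster")
SEP = r"(?:\+|%20|\s)+"  # ways a space shows up in a logged query string
SQLI = re.compile(
    rf"union{SEP}(?:all{SEP})?select|(?:or|and){SEP}\d+=\d+|%27|sleep\(|waitfor{SEP}delay",
    re.IGNORECASE,
)
# Apache/nginx "combined" log format: ip, request line, status, size, referer, agent.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')


def review_log(lines):
    """Return {client_ip: sorted list of reasons} for requests worth a closer look."""
    findings = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip instead of guessing
        ip, url, agent = m.groups()
        if ip in WATCHLIST_IPS:
            findings[ip].add("watchlist_ip")
        haystack = (url + " " + agent).lower()
        for marker in SCANNER_MARKERS:
            if marker in haystack:
                findings[ip].add("scanner:" + marker)
        if SQLI.search(url):
            findings[ip].add("sqli_pattern")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}


# Constructed sample lines, not taken from any real system.
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Jan/2016:10:01:02 +0000] "GET /register?county=Cook HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '203.0.113.10 - - [01/Jan/2016:10:03:15 +0000] "GET /register?status=1%27+UNION+SELECT+NULL-- HTTP/1.1" 500 310 "-" "sqlmap/1.0 (http://sqlmap.org)"',
    '192.0.2.33 - - [01/Jan/2016:10:04:40 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"',
    '203.0.113.77 - - [01/Jan/2016:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reasons in review_log(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

The review is passive and works only on logs already collected, in keeping with the alert's instruction not to touch or ping the addresses directly.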

Peter Tran, general manager and senior director at RSA, the security division of EMC, said this type of vulnerability can be common.

"It's no surprise that the state voter systems in question may have been victim to garden variety SQL exploitation techniques, mainly due to the prevalence of older website-driven databases and interfaces, typically found at the local city and state government environments," Tran told SearchSecurity. "Attacking the databases themself [sic] using SQL injection, particularly if it's the path of least resistance, can yield a harvest of data and system control beyond voter registration public records such as the core voter file, ballot or voting history, campaign finance or donor data and other sensitive personal identifiable information and political capital."

Tran noted that voter registration data is placed in the public record domain and can be legally purchased from sites like NationBuilder and Instant Checkmate, but that doesn't necessarily lessen the value of a voter data breach for an attacker.

"Public record data in general, such as basic voter registration information, is relatively low-risk by itself. However, this is rarely the case as nation state and other cybercriminals aggregate multiple sources of data from open source and breached data to form high-value target profiles that can be leveraged in a number of ways ranging from identity fraud to corporate and/or government espionage," Tran said. "Essentially, it's farming and cultivating data crops, so over time, the data becomes more valuable and risks go up for individuals."

Because IP addresses used in the attacks had been seen in Russian hacking forums, Senate minority leader Harry Reid wrote to FBI director James Comey with fears that the voter data breaches may result in more than just stolen information.

"I have recently become concerned that the threat of the Russian government tampering in our presidential election is more extensive than widely known and may include the intent to falsify official election results," Reid wrote. "The prospect of a hostile government actively seeking to undermine our free and fair elections represents one of the gravest threats to our democracy since the Cold War and it is critical for the Federal Bureau of Investigation to use every resource available to investigate this matter thoroughly and in a timely fashion."

Comey refused to comment on any investigations in progress at a conference hosted by security firm Symantec Tuesday, but he did say the FBI takes "very seriously any effort by any actor, including nation-states, and maybe especially nation-states, that moves beyond the collection of information about our country and that offers the prospect of an effort to influence the conduct of affairs in our country."

State election security

Privacy Professor CEO Rebecca Herold said people should worry about voter data breaches making personal information available, but noted there was another issue to focus on in the wake of these attacks.

"What is an overwhelmingly huge additional concern is that these voting systems, which are associated with, if not the sources of, the stolen records, are so poorly secured that they could be hacked and changed in ways that would change the outcomes of elections throughout the U.S.," Herold told SearchSecurity.

The release of this FBI alert came just three days after Secretary of Homeland Security Jeh Johnson said the DHS knew of no "specific or credible cybersecurity threats relating to the upcoming general election systems."

Even so, Johnson "encouraged state officials to focus on implementing existing recommendations from NIST and the EAC on securing election infrastructure" and "offered the assistance of the Department's National Cybersecurity and Communications Integration Center to conduct vulnerability scans, provide actionable information, and access to other tools and resources for improving cybersecurity."

A number of state officials have gone on record expressing concern over this offer from the DHS, and Georgia Secretary of State Brian Kemp even went so far as to claim this was an attempt by the White House to expand federal control over state election processes and data.

Herold approved of the DHS offer but said it could have taken a less controversial form.

"I think that the offer is good, if it was an attempt to shine light on the very real and significant problems that exist within most of the states' voting systems and associated elections systems. However, to maintain the independence of states' election processes and data, it would be more proactive for DHS to issue guidance, which would be that offered help, that could then be used by each state that does not include direct involvement of the Federal agency into state systems, which creates problems and could be viewed as Federal government overreach into state issues," Herold said. "There should not be any access that could be viewed as an attempt by the Federal government to have undue influence on the outcomes of each state's elections."

Tran said the suggestion of the DHS to follow NIST guidelines was one of the best ways to improve state election security.

"The internet and the increased push to cloud-based data-driven systems has no physical borders and as a result, determining a governance, risk and compliance model should not be thought of in terms of local city, state and/or federal borders," Tran said. "In terms of a sustainable model, voting systems should be thought of more as part of the national critical infrastructure, perhaps one of the main drivers of why the DHS is offering its assistance in helping to shore up the near and midterm challenges. As a framework to help address concerns of 'federalization' at the state level, the NIST Cybersecurity Framework can help guide, as a viable model to determine the best approach to both technology and policy, that is fair and balanced to address core cybersecurity best practices."

Herold said Congress may want to consider new regulations requiring states to "demonstrate that they are performing due diligence to ensure their voting and elections systems and databases are adequately secured."

"The spectrum of possibilities is very wide for those who would want to see our election outcomes be very different from the actual votes of our citizens," Herold said. "The spectrum of possibilities is also very wide for how using inadequately secured systems could create outcomes that do not reflect the actual votes simply because the lack of effective security controls within systems and applications created mistakes ... that could provide results drastically different from the original votes. It truly is a matter of national homeland security to require our elections to occur with effective safeguards in place."
