FBI Director James Comey confirmed more state voter-registration databases have been targeted by potentially malicious activity and urged states to make sure those systems are secure.
Speaking to the House Judiciary Committee, Comey said the FBI found evidence of activity with a number of state voter databases, but the specific number is unclear. Reports said the FBI found potentially malicious activity against at least 12 states, but some sources put the number of affected states at more than 20.
"There have been a variety of scanning activities -- which is a preamble for potential intrusion activities -- as well as some attempted intrusions at voter-registration databases beyond those we knew about in July and August," Comey told the committee, referring to voter-database breaches reported in Arizona and Illinois. "We are urging the states just to make sure that their deadbolts are thrown and their locks are on, and to get the best information they can from DHS [Department of Homeland Security] just to make sure their systems are secure."
Separately, Secretary of Homeland Security Jeh Johnson told a Senate hearing that 18 states have taken up the offer by the DHS to help improve their election-system security.
"We are seeing a limited number of instances where there have been efforts through cyberintrusions to get into the online presence of various state election agencies," Johnson said. "And one or two of them have been successful; others have not."
Rebecca Herold, CEO of Privacy Professor, said there is a lot of risk in malicious actors stealing information from voter databases.
"The dangers and risks are very wide and, quite frankly, unlimited, given the various types of data contained within all the different state voter-registration databases," Herold told SearchSecurity. "Identity theft certainly is one possibility. As is removing voters from the registration databases -- especially if there is no process in place within any given state to validate such removals are appropriate."
In his comments, Comey made clear that the malicious activity the FBI found was in voter-registration databases, not the election system itself.
"This is very different from the vote systems in the United States, which is very, very hard for someone to hack into because it's so clunky and dispersed. It's Mary and Fred putting a machine under the basketball hoop at the gym. Those things are not connected to the internet, but the voter-registration systems are," Comey said. "So, we urge the states to make sure you have the most current information and your systems are tight, because there's no doubt that some bad actors have been poking around."
Willis McDonald, threat researcher for Core Security, based in Roswell, Ga., said the voting system may be "clunky and dispersed," as Comey said, but that shouldn't be taken as a security feature.
"By being 'so clunky and dispersed,' it makes the voting system more susceptible to compromise by making it harder to detect anomalies in the system as a whole when a piece of the system has been compromised by either a lone individual in a polling station or a sophisticated hack of voting systems by state-sponsored hackers," McDonald said.
Herold said there is risk of election fraud even if the voting system isn't breached.
"With regard to elections, the ultimate risk is that someone who wants their specific local, regional or state candidate to win could impact the election to their favor," Herold said. "The impact of breached registration databases goes beyond just obtaining the data; it extends out to how that data can then be used for ads, for voting activities, and in the future to target specific groups and individuals for actions that would ultimately be harmful to their livelihood and rights as a U.S. citizen -- not to mention personal safety, which would also be a very real risk."
Ian Gray, cyberintelligence analyst for Flashpoint, based in New York, said data from previous voter-database breaches has already been linked to malicious actors.
"A number of voter databases have previously been advertised for sale on a variety of deep and dark web forums. Additionally, a large amount of information has inadvertently been leaked through misconfigured databases," Gray told SearchSecurity. "Though the voter databases do not likely contain any sensitive information, like social security or credit card numbers, they still contain a large amount of personal information, including name, address, date of birth, phone numbers, etc."
Comey apparently attributed the activity to Russian actors, saying the FBI is trying "to understand just what mischief is Russia up to in connection with our election," but he did not offer any evidence to support this claim.
Gray noted that just because "the attacks may be originating from Russia, it does not necessarily indicate state sponsorship."
"Voter databases include a large amount of personal information, making them potentially lucrative targets," Gray said. "It is more likely that the attackers are financially motivated, rather than politically motivated, given the recent attacks against the Democratic National [Committee] from hackers likely working as proxies for state sponsors. An information warfare operation is a more likely attack vector."
Herold said there was evidence to support the attribution, considering the Democratic National Committee hack was attributed to Russia, but that shouldn't discount the possibility of other actors being involved.
"We must never take our eye off the ball and miss all the other nation states, as well as U.S. special-interest groups, for-hire criminal hackers and fanatical political activists who are also likely interested in getting their hands on that voter-registration data," Herold said. "With all the cyberthreats, vulnerable and untested voting systems, and untrained volunteers and staff responsible for using them, this could be the year when a wide range of unsecured digital hanging chads bring chaos to the election."