[Image from Abhaxas’ Twitter page]

Recently, the Miami Herald ran a story about the boasts of a hacker named Abhaxas that he had twice compromised Florida’s election systems by gaining access to servers with sensitive data. State and local election officials – and their vendors – vehemently denied the hacker’s claims and insisted that their systems (and the personally-identifiable voter data on them) remained secure.

That didn’t stop what the Herald called “major geek news clearinghouses” like Gizmodo and Slashdot from publicizing news of the alleged hack, leading to lots of “here we go again” in the comments.

Even more importantly, the hacker appears to have taken the public denials of harm as a challenge – and has invited others to do the same. Last week, he tweeted the location of the vendor’s server, saying it had a “hack me” sign on it and noting “hack one, have access to all”.

He then posted a directory listing of the Florida database with the (sarcastic) observation “Glad you cleaned up, pretty secure now guys”.

Whether or not the targets of the hack believe it is real – or believe the data released is as sensitive as the hacker claims – it is abundantly clear that outside threats to election systems are real, as is the need to guard against them.

The rise of so-called “hacktivism” – a movement popularized by WikiLeaks but prevalent on the Internet in many different forms – is in some ways an extension of the whistleblowing or muckraking tradition that has long been part of American public culture. While some hackers have purely selfish if not criminal motives for their activity – stealing personal information for financial gain or simply engaging in high-tech vandalism – hacktivists use their skills to advocate for better online security by identifying vulnerabilities and shaming site hosts into fixing them.

[Most recently, Abhaxas turned his attention to the official website for the State of Montana, releasing 16 databases with the plea “Coders, please stop exposing your databases it’s not even fun anymore.”]

For the election community going forward, the proper response to this challenge is threefold:

1. Election offices must identify, train and support professionals with the necessary skills to maintain and protect the security of the election system;

2. Technologists and other researchers must work to identify the latest vulnerabilities in the nation’s elections and help devise defenses to address them; and

3. Most importantly, the chief election official and policymakers in every jurisdiction must take information security seriously and take care to invest appropriate resources in people, processes and technology that will ensure that election systems are not compromised.

Every jurisdiction will have its own approach to addressing the vulnerabilities in its systems and defending against these kinds of attacks – but the important thing is to acknowledge that the threat exists. Doing nothing is simply an invitation for a hacktivist – or worse, a real “black hat” hacker with theft or chaos as a goal – to make the threat as real as tomorrow’s front page.