We Need You On That Firewall: South Carolina Reports Nearly 150,000 Hacking Attempts on Election Day 2016
[Screenshot image via scstatehouse]
South Carolina’s state election commission disclosed in a recent report on Election Day 2016 that outsiders attempted to access the state’s voter registration system nearly 150,000 times. The Wall Street Journal has more:
To understand the scale of the hacking attempts against election systems in the 2016 presidential election, consider South Carolina.
On Election Day alone, there were nearly 150,000 attempts to penetrate the state’s voter-registration system, according to a postelection report by the South Carolina State Election Commission.
In harder-fought Illinois, for instance, hackers were hitting the State Board of Elections “5 times per second, 24 hours per day” from late June until Aug. 12, 2016, when the attacks ceased for unknown reasons, according to an Aug. 26, 2016, report by the state’s computer staff. Hackers ultimately accessed approximately 90,000 voter records, the State Board of Elections said.
Unlike in Illinois, South Carolina didn’t see evidence that any attempted penetration succeeded, said Chris Whitmire, the State Election Commission’s director of public information and training, last week. Most of the attempted intrusions in that state likely came from automated computer bots, not thousands of individual hackers.
“Security has been a top priority for the [State Election Commission] since implementing the statewide voting system in 2004,” Mr. Whitmire said about South Carolina.
“However, events leading up to the 2016 General Election, including the breaches of other states’ voter-registration systems, created an election-security environment that was very different,” he added.
The South Carolina report comes in the wake of evidence that there were widespread attempts to breach voter data nationwide:
South Carolina’s and Illinois’s cases aren’t unique, as many states faced virtual threats.
There is evidence that 21 states were potentially targeted by hackers, said Jeanette Manfra, acting deputy undersecretary for cybersecurity and communications at the U.S. Department of Homeland Security, at a Senate Intelligence Committee hearing last month.
There is consensus among U.S. intelligence agencies that Russia attempted to interfere in the 2016 general election with the intent of helping Mr. Trump’s presidential campaign. Special counsel Robert Mueller and Congress are investigating whether members of the Trump campaign colluded with Moscow.
Those hackers were at work months before some of their targets, and the American public, knew. The Democratic National Committee didn’t kick out suspected Russian hackers for 11 months, until June 2016, according to a report issued by U.S. intelligence agencies. Also in June, the Democratic Congressional Campaign Committee learned that suspected Russian hackers had breached its network at least two months earlier. Russian President Vladimir Putin has denied any government role in either hack.
In Illinois, the computer staff at the State Board of Elections noticed on July 12 that the activity of its server for the voter-registration database “had spiked to 100% with no explanation,” according to the state’s report.
The next day, Illinois took its voter-registration database and public-facing website offline for a week, but the hackers already had accessed roughly 90,000 voter records. No records were altered, according to the state’s report, and the issue was resolved before Election Day. Those hackers haven’t been identified, said Ken Menzel, general counsel for the Illinois State Board of Elections.
After these attacks caught the eye of federal officials, South Carolina requested, and got, help in identifying and remedying its security vulnerabilities:
The DNC, DCCC and Illinois breaches caught the attention of the Federal Bureau of Investigation, which on Aug. 18 sent the first of two “flash” alerts to state election officials, warning about attempts to hack election infrastructure. Also that week, the DHS offered cybersecurity help to election officials countrywide, with 33 states and 36 cities and counties ultimately accepting aid.
In South Carolina, state election officials met with FBI and state law-enforcement officials, according to public meeting minutes from August.
On Sept. 6, Marci Andino, the state’s executive director for elections, requested assistance from the DHS, according to emails in documents provided to The Wall Street Journal by Frank Heindel, an activist who has advocated for improving South Carolina’s election security for nearly a decade. The commission earlier this month disclosed about 1,200 pages of documents related to election security in response to a public-records request by Mr. Heindel.
Also in early September, after meetings with its computer staff, South Carolina used an expedited process to hire Soteria, a private cybersecurity firm, Mr. Whitmire said. The South Carolina National Guard’s cybersecurity specialists also conducted on-site security assessments at county election offices, he said.
To “anyone who was willing to help in 2016, we quickly said, ‘Yes, we want your help and we want anything you can do to help,’ ” Mr. Whitmire said.
On Sept. 18, DHS officials remotely completed an initial “cyber-hygiene scan” for South Carolina. The scans examined the state agency’s website and office network, checking for vulnerabilities using a federally-maintained database. The scan didn’t examine vote-tabulation machines, which aren’t connected to the internet, or the statewide voter-registration database.
The DHS discovered 55 vulnerabilities—the virtual equivalent of unlocked doors—across four internet-connected devices used by the State Election Commission, according to a copy of the DHS report. Two of them were classified as “critical,” the highest level of severity.
“Those are the vulnerabilities that can be translated into remote exploitation of the database,” said Curtis Dukes, executive vice president of the nonprofit Center for Internet Security, which provides cybersecurity for private and public entities…
Twenty-five days passed before the majority of the vulnerabilities, including the two most severe ones, were fixed, DHS reports show.
“I would tell you: up to three weeks to patch a vulnerability, that’s too long,” said Mr. Dukes, who was Director of the National Security Agency’s Information Assurance Directorate until January.
Interestingly enough, even once the majority of the vulnerabilities were addressed – and Election Day passed – the attacks continued, albeit more slowly:
By Election Day, South Carolina had resolved all but one low-risk vulnerability, according to a DHS report dated Nov. 8. Malicious actors, who haven’t been identified, tried 149,832 times to find it, according to the South Carolina State Election Commission’s report. Data on the number of hacking attempts in the days before Election Day—or from the 2012 general election—weren’t included in the report and the commission declined a request for those numbers.
Mr. Whitmire said the state saw no indication that it was targeted specifically, but the data show a potential correlation between the election and the virtual assault.
While stray malware hits firewalls regularly, the number of subsequent attempted intrusions against the commission didn’t match the amount observed on Election Day, according to the state’s report, which listed the number of attempted penetrations on the second Tuesday of each month between November 2016 and April 2017.
A month after Election Day, on Dec. 13, the number of hits dropped to 113,372. The attempted penetrations never again rose above 100,000, ultimately decreasing to just 44,754 attempts on April 11.
It’s worth noting a few key things:
- South Carolina wasn’t the only state affected – this is just the most detailed data on attacks like these we’ve had in a while;
- The attacks didn’t stop after Election Day – the site was hit more than 300,000 more times up to the last report in April 2017 – suggesting they may continue today;
- The ability of states to seek and get assistance from a variety of entities including DHS seems to have helped here.
This story is a vivid reminder that the hacking threat to the nation’s election system isn’t altered outcomes – it’s breaches of personal data and the resulting loss of trust in the system by individuals. No matter who was behind these attacks – a foreign country, cyberthieves or someone else – protecting voter data (which increasingly lives online) should be a top priority.
South Carolina’s experience puts a face on the hacking threat to the nation’s election system; while there are debates about the degree to which different levels of government should cooperate and who should be in charge, work to protect those files needs to start RIGHT. NOW.
Batten the hatches – and stay tuned …