- Atlantic Magazine, June 16, 2017
It’s not really all that hard to hack American democracy.
That fact should be driven home by a recent article from The Intercept detailing the contents of a highly classified NSA report that found evidence of a massive Russian cyberattack on voting software and against over 100 election officials. While the NSA concluded the attack was carried out by the most sophisticated of hackers—the Russian military—their entry methods were relatively vanilla. They gained access to the credentials and documents of a voting system vendor via a spear-phishing attack, and then used those credentials and documents to launch a second spear-phishing attack on local elections officials, which if successful could have compromised election officials’ systems and whatever voter data they possessed.
Recent reporting by Bloomberg has supplemented these reports, showing that such attempts by Russian hackers spread across 39 states. Some of the most extensive efforts came in Illinois, where hackers gained access to the whole state database and as many as 90,000 records including identifiers like partial Social Security numbers, driver’s license numbers, and names. The potential damage to the integrity of the actual vote was limited by the fact that the state database was merely a top-level aggregation of county-level databases and data entry, but Illinois was a disturbing proof-of-concept.
Russia’s intrusions were instructive. While it’s unclear just how many records they accessed or how deeply they’d compromised systems that could actually electoral outcomes, their probing illustrated how easily elections infrastructure is compromised—and also how officials might not have any idea just how compromised it already is. Using social engineering and phishing, they reached every level of the voting infrastructure, from the private vendors that create electronic ballots to state coordinators and local officials. And according to Bloomberg, the main reason intelligence officials know about that systematic attack was only because a contractor for the Illinois state board of elections noticed an unauthorized download of voter data.
Read full article in the Atlantic