Note: This article is part of TechRepublic's series on how states across the US are approaching the cybersecurity threat to the 2018 midterm elections. Read each installment:
or download the entire series as a free PDF.
In July 2016, an IT staffer at the Illinois State Board of Elections noticed something strange: The online voter registration database site had slowed to a crawl. Upon further examination, he found something even more concerning. An intruder had breached the system, and was injecting queries at a rate of about 100 per second.
The staffer quickly diagnosed the problem and notified the state attorney general, who brought in the FBI and the Department of Homeland Security. The investigation ultimately helped lead to a July 2018 indictment that charged 12 Russian intelligence officers for conspiring to interfere with the 2016 US presidential election.
The hackers used a SQL injection in an area of the registration site where users enter their driver's license number. A programming error led to a vulnerability in that data field, so the hacker was able to exploit that and send in queries through that window, said Matt Dietrich, public information officer for the Illinois State Board of Elections.
SEE: Intrusion detection policy (Tech Pro Research)
"It was our mistake, and we were open about that from the start—we were the ones who discovered the breach here, and we closed it and took everything offline," Dietrich said. "We know what that was. We didn't know, though, at the time, where it was coming from."
Illinois was one of at least 21 states whose voter registration databases were targeted by Russian hackers in 2016—but it was the only state with a system that was known to have been breached during these attacks.
"We know that hackers successfully broke into Illinois' system—they didn't change any data, but they broke in," said Danielle Root, voting rights manager at the left-leaning Center for American Progress. "But a lot of national security experts believe that 2016 was kind of a testing ground for hackers to see where the vulnerabilities are and how to break-in in the future."
SEE: Cybersecurity and the 2018 Midterms (TechRepublic Flipboard magazine)
When the 2016 attack was discovered, the Illinois elections office closed the website and took the system offline. Officials notified the 76,000 registered voters across the state that their personal data may have been viewed, and directed them to contact the Attorney General's office in case their information had been changed. However, no one reported any suspicious activity in their registrations, Dietrich said.
Since the attack, the state has quickly ramped up its election security measures, including hiring several "cyber navigators" to conduct risk assessments in all 108 local election offices.
"Basically, we changed everything about the way we handled the data in our electronic voter registration database," Dietrich said.
In the past year, Illinois has hired three cybersecurity specialists at the State Board of Elections office. The state is also using about $7 million of the $13.9 million it received from Congress and a state match as part of a 2018 spending bill to address election cybersecurity issues to fund the Illinois Cyber Navigator Program.
Through this program, the state will hire nine cybersecurity professionals to visit all local election authorities statewide. Five have been hired so far, Dietrich said. These professionals are now conducting risk assessments, identifying equipment shortcomings, and providing cybersecurity training to election officials to recognize attacks like phishing.
SEE: Incident response policy (Tech Pro Research)
"The Cyber Navigator program is designed to give all election authorities the same cybersecurity resources and practices that we have here at the state level and in some of the larger counties," Dietrich said. Ohio created a similar program this year as well.
In October, the state announced a partnership with the National Guard, who will be on standby should a cyber incident arise in any of the election offices. About 20 other states have forged similar arrangements this year, Dietrich said.
Illinois is also moving all local election authorities onto the Illinois Century Network, a secure data network used by the state government. "When that gets done, it's going to bring a measure of security to the entire election system," Dietrich said. "It will make sure that when all 108 counties upload their voter registration information to use every day, that it will be traveling on a secure network that is controlled by our own state government."
On guard for attacks
Going into the midterms, Illinois election officials are preparing to combat many types of cyberattacks, Dietrich said. "Knowing what happened to us in 2016, we've been vigilant since then of another similar type of attack, even though the reality is that a hack like that can't affect the election in any way—we had our voter registration database backed up many times, so when they hacked into it, they were unable to change or delete any data," Dietrich said.
It's unlikely that we will see successful attempts to actually alter votes or election outcomes, but further attacks on voter registration databases are expected during the midterms, Root said. If successful, they could result in the disenfranchisement of eligible voters, she added.
"All a hacker would need to do is to go into the databases, change even a few letters of an individual's last name or their address," Root said. "And the voter, if he or she doesn't check her registration prior going to the polls, would be none the wiser. And they would show up on Election Day only to be told that their information doesn't match and that they can't cast a ballot."
SEE: Network security policy template (Tech Pro Research)
Illinois has spent the last two-plus years trying to reassure voters that the election system will be secure going into the midterms and future elections, Dietrich said.
"We want you to have confidence that your data is safe with us. We want you to have confidence in the Illinois election system. And we're keenly aware that any type of irregularity that happens to our system here is going to negate that message," he added.
The Department of Homeland Security has made clear that Russia's goal during the 2016 election was not to change votes, Dietrich said. "The real goal is to get Americans to question the integrity of their election system, to undermine confidence in it," he added. "So with that in mind, we've done everything we possibly can to put out the message that you should be confident in your election system, and the one way to show your confidence is make sure you're registered to vote and get out and vote on election day."
If a cyberattack does occur in your state, Dietrich recommends being transparent with the public about it. Illinois put up a report in August 2016 detailing exactly what happened in the attack they faced, and how the state responded, he said.
"The advice that we would give is the same advice that any entity with an online presence gives, whether it's Equifax or Target or Sony," Dietrich said. "If you have an online presence, you are vulnerable to threats like this, and your only hope is to try your best to stay one step ahead of the hackers. We think that's what we have done. We are trying our best to keep up with every warning from every possible source to be aware and vigilant."
- How Colorado voting became a cybersecurity leader long before Russians tried to hack it (TechRepublic)
- How Florida is bolstering election security after being targeted by Russian hackers (TechRepublic)
- State of Washington has new laws and the Air National Guard to help secure 2018 midterm election (TechRepublic)
- West Virginia moves forward with first mobile voting app, despite fears from security experts (TechRepublic)
- Ohio taps college cybersecurity experts to audit election systems before 2018 midterms (TechRepublic)
- Hackers, trolls and the fight over your vote in the 2018 midterm elections (CNET)
- Defending against cyberwar: How the cybersecurity elite are working to prevent a digital apocalypse (free PDF) (TechRepublic)
- Did Russia's election hacking break international law? Even the experts aren't sure (ZDNet)
- Cheat sheet: How to become a cybersecurity pro (TechRepublic)
- Election security is a mess, and the cleanup won't arrive by the midterms (CNET)
- Campaign 2018: Election Hacking
- These are the hackers targeting the midterm election
- U.S. infrastructure vulnerable to cyberattacks designed to suppress voter turnout
- Why voting machines in the U.S. are easy targets for hackers
- Top state election officials meet amid security concerns
- Intel chief Dan Coats says of cyberattacks, "We are at a critical point"
- Russians relied on bitcoin to finance election hacking, prosecutors say
Alison DeNisco Rayome has nothing to disclose. She does not hold investments in the technology companies she covers.
Alison DeNisco Rayome is a Staff Writer for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.