Extortionists have recently shut down municipal computer systems in Texas, Maryland, Florida and New York, threatening to erase databases unless the cities pay a ransom. Now officials around the country are concerned that the tool the hackers used, known as ransomware, could be tapped to target state voter registration rolls and disrupt confidence as the nation heads into the 2020 election.
Illinois, for example, is making its voter registration database accessible only from a closed fiber-optic network, rather than the open internet, according to Matt Deitrich, a spokesman for the State Board of Elections. The Prairie State is making progress, though it still has a way to go, he says. Less than a third of its 108 jurisdictions currently connect to the database via the dedicated network.
The security effort is worth it, Deitrich says. If a hacker locks down even one county's election agency with ransomware, that can create the impression the whole system is compromised. "It's a phenomenon that can undermine voter confidence," Deitrich said.
Ransomware would be a new feature of election hacking, which came to public attention after intelligence officials said Russian hackers probed voter registries during the 2016 presidential campaign. A ransomware attack in 2020 could prove devastating, preventing voters from registering or poll workers from confirming voter eligibility, officials say. The hackers' goal wouldn't be changing the votes that were cast, but spreading doubt that eligible voters were able to make their voices heard.
Ransomware locks down a victim's computer system until a ransom, usually in bitcoin or another cryptocurrency, is paid. Hackers often threaten to erase data. It spreads like other malware does, through email attachments or unsecured links.
These attacks are already a common digital frustration: Cities, hospitals and individuals have all been hampered by frozen computers. Albany, the capital of New York, was hit earlier this year. The Port of San Diego and San Francisco's Muni public transit system have been hit. Even golfing group the PGA of America has been a victim of ransomware attacks. The situation has gotten so bad that more than 225 mayors recently signed a resolution not to pay ransoms in cyberattacks.
The Department of Homeland Security is concerned that voter registration databases are susceptible to ransomware. Intelligence officials say Russian military hackers tried to access such databases ahead of the 2016 election. And a Senate committee found that Russians tried to penetrate the voter systems of all states. The committee found that Illinois' system had been penetrated, but it saw no evidence that hackers changed any information.
"A successful ransomware attack at a critical point before an election could limit access to information and has the potential to undermine public confidence in the election itself," DHS spokesman Scott McConnell said in a statement.
The Cybersecurity Infrastructure Security Agency, a DHS division, is working with state election officials to prevent ransomware infections, according to a Reuters report that's since been confirmed by the DHS. CISA is providing educational material and scanning systems for vulnerabilities, in addition to giving advice on how to recover from ransomware attacks.
The biggest point of vulnerability
Unlike voting systems, which rarely if ever connect to the internet, voter registration databases typically do. That makes them vulnerable.
State election officials say the biggest point of vulnerability is at the level of county and local election agencies, which typically need access to voter rolls and are tasked with distributing absentee ballots. Wisconsin knows this challenge well, because it has more municipal election agencies than any other state, according to Reid Magney, spokesman for the Wisconsin Elections Commission.
"Our concern is more that one of those 1,850 municipalities might be hit by a ransomware attack somewhere around the time of an election," Magney said.
The state is using federal grant money to help local election agencies make sure their devices are secure. It also requires users to authenticate their identities with a physical token, called a FIDO key, when they log in to state systems.
Because county and local election agencies are autonomous, state election officials can't force them to hire IT staff or adopt specific practices with their own systems. But they can offer training for staff and funding for improved devices and software.
States like Illinois, Wisconsin and Washington have also found ways to divide systems into segments, so that one compromised account won't spread beyond a specific county. They emphasize the importance of online and physical data backups, and they continually update systems that scan for malicious software and filter out questionable emails.
The most important activity may be reminding people to. This can be hard, because many phishing attacks try to appear legitimate by mimicking messages from banks or major email providers like Google.
"The best prevention is knowledge," said Mark Neary, assistant secretary of state in Washington. A ransomware attack in the Evergreen State could disrupt its new same-day registration process, which allows voters to register and receive a ballot until 8 p.m. on election day.
In addition to moving its voter registration database to a dedicated network, Illinois is also scanning its systems for vulnerabilities and signs of intrusion. The state is especially motivated, Deitrich, the election board spokesman says, because it was breached in the 2016 election.
Working with DHS has sped progress, he says, even if the partnership was prompted by "the worst of circumstances."