OpsLens

California Voters Hacked, Personal Information Held Hostage for Bitcoin Ransom

On Friday, the San Diego Union-Tribune reported that personal details of over 19 million California voters ended up in the hands of hackers after having been posted to a private cloud server.

The leak was identified by analysts at the Kromtech Security Center, a firm that seeks out signs of anomalies and misconduct on databases of cloud storage accounts. Earlier this month, the firm identified a misconfigured database on an Amazon cloud account containing what appeared to be information on California citizens. The database contained personal details of these individuals, including contact and email addresses, as well as voting precinct information.

Recently, Kromtech researchers identified a breach of that database. Hackers who had penetrated the cloud had deleted all of the content and left a message on the account demanding ransom money in bitcoin for its return.

Kromtech contacted the California government to report its discoveries. After a review of Kromtech’s systems, state officials reported that “no signs” of a breach had been identified. Secretary of State Alex Padilla reported to news sources that “unconfirmed reports that a third party may have uploaded some California voter information” were being investigated.

There are a few very important questions still left unanswered.

The most pressing: who was the culprit that originally placed this highly sensitive data on a private cloud server to begin with? State officials and Kromtech both stated that they could not identify the owner of the cloud account. This is disconcerting, to say the least. The fact that no signs of a data breach were identified by California suggests that this may have been a highly sophisticated cyberattack, or perhaps even an inside job.

Second on the list, but still important: who are the hackers that deleted and possibly stole the data? Additionally, is this just an individual or group out to make a profit by exploitation, or could there have been some specific interest in voter details? Even if the thieves themselves are not interested in this data, there are certainly buyers on Dark Web mediums who would be.

No doubt the investigation sparked by this news will continue for the foreseeable future. It will likely produce some cyber reform at the state level. It may even uncover the individuals responsible for exposing and subsequently deleting the data.

The most important thing to take away from this incident, however, is a big warning sign regarding the security of election infrastructure in the United States. This includes two risks: hackers gaining illicit access to voter information, and the ability of criminals to hack voting machines and connected technologies.

The issue of securing voting technology and the IT that forms the basis for election infrastructure came to the forefront after the 2016 election. For the past year, many policymakers have been pushing inquiries into the vulnerabilities, as well as options for reform to address specific weak points in the system.

Democrats have been particularly zealous on IT-related issues, in some instances taking unilateral initiative. In late September, for instance, a group of senators arranged a meeting with former top cyber officials from the Obama administration. Dubbed the “Congressional Task Force on Election Security,” the meeting featured appearances by Jeh Johnson, former Department of Homeland Security (DHS) Secretary of the Obama era, and Suzanne Spaulding, the former DHS Under Secretary for the National Protection and Programs Directorate. In arranging the panel, Democrats were signaling their lack of faith in the Trump administration to secure the cyber infrastructure of election processes.

This makes sense considering the party’s experience of being victims of intrusion and hacking during the 2016 elections. But bipartisan cooperation has been seen as well.

In early November, Senators Martin Heinrich (D-NM) and Susan Collins (R-ME) introduced a comprehensive cybersecurity bill aimed at securing technology used in U.S. elections. The bill included funding a bug bounty program for systems manufacturers and a grant program for states to upgrade their voting machine technology.

In light of the recent incident in California, it seems that SAVE contains responses to the big issues affecting the integrity of election infrastructure.

The most important implication of the text of SAVE is to affirm the notion that the technology used for elections constitutes critical infrastructure. This idea was first asserted by Jeh Johnson in January shortly before he left DHS. At the time, suspicions of Russian meddling in the presidential election were really beginning to coalesce.

The bill also focuses a lot on intelligence sharing, a big issue in the wake of the 2016 presidential elections, which saw multiple signs of hackers probing state election systems. The federal government apparently delayed sharing with these states what it knew about the probes due to security clearance issues.

The SAVE bill seeks to address this problem by granting access to key state election officials and other appointees. In this way, states would be able to work with federal agencies in addressing any identified threat to the soundness of cyber infrastructure. The money the bill earmarks for bolstering and upgrading election systems is also a good thing.

The effort by the federal government to assert control over election systems is not without its criticisms, however. As mentioned, the designation of these systems as critical infrastructure forms much of the basis for this effort. This may have some negative consequences.

As pointed out by state governments and election officials, policies stemming from this assumption, including SAVE, would give the federal government powers to oversee and regulate the election process, essentially usurping a very important aspect of state sovereignty. Back in January, Johnson tried to quell those fears by insisting that the designation of critical infrastructure only means a prioritizing of election machines in cybersecurity and does “not mean a federal takeover … concerning elections in this country.”

A balance of cooperation with the federal government on the one hand and maintaining state independence on the other is certainly a concern that will have to be worked out. But for states to reject federal assistance would be a mistake as well. The recent incidents in California are only the latest reminders of this. DHS has been ramping up its cyber capabilities for a while now. In fact, the Department’s cyber office, the National Protection and Programs Directorate (NPPD), was recently turned into its own independent agency by Congressional vote and renamed the Cybersecurity and Infrastructure Security Agency (CISA). It would be foolish for state and local governments not to take advantage of these resources.

The trend of election infrastructure reform has certainly begun to gain traction. Hopefully the country will not need any more incidents such as those in California to start implementing actual change.