On Monday, we learned just three private companies sell and service more than 90% of the nation's elections systems and are not subject to federal regulations or inspections. Tuesday, the news on risks to our voting systems gets even worse.
Forbes is highlighting a report from cybersecurity firm Carbon Black which reveals, among other things, more than 81.5 million voter records are available on the dark web.
Not only does it reveal that nation-state politically motivated cyberattacks are on the up, with China and Russia responsible for 41.4% of all the reported attacks, but that voter databases from Alabama to Washington (and 18 others) are for sale on the dark web. These databases cover 21 states in all, with records for 81,534,624 voters that include voter IDs, names and addresses, phone numbers and citizenship status.
Security experts fear not enough has been done to prepare state officials for possible attacks.
Earlier this year, Venafi surveyed security professionals with regards to election infrastructure risk. That research revealed that 81% of them thought threat actors will target election data as it is transmitted by voting machines. Worryingly, only 2% were 'very confident' in the capability of local, state and federal government to detect such attacks and only 3% thought the same about their abilities to block those attacks.
The concern is warranted given fewer than half of states have requested the Department of Homeland Security's free assessment of election vulnerabilities. Because state and local officials run elections, the federal government only can step in to help if asked. Some states have asked for help and still are waiting even though the midterms now are just one week away.
Under the department's National Protection and Programs Directorate, the agency branch that coordinates cyber protection of U.S. infrastructure, a team of DHS officials are prepared to examine statewide election systems. They can check for cybersecurity vulnerabilities and run in-person exercises like phishing tests to ensure election officials are prepared to guard against attempts to hack their email accounts.
The Department of Homeland Security has already provided or is scheduled to provide the service, which is free for states that request it, to only 21 states, a department spokesman told ABC News, concerning election experts who fear some states may not be aware of potential vulnerabilities.
(...)
... ABC News asked election officials in all 50 states whether they have participated, and 19 states -- Arizona, Colorado, Connecticut, Delaware, Iowa, Illinois, Indiana, Maryland, Massachusetts, Minnesota, Montana, Nebraska, North Carolina, Pennsylvania, Rhode Island, South Carolina, Utah, Washington and Wisconsin -- confirmed that they had, while several others declined to comment.
A Louisiana election official said the state is currently undergoing a DHS assessment, which will be complete after the November midterms. A New York official said the state has completed paperwork and is awaiting an assessment.
Some states are using outside vendors instead of DHS. Some are relying on state National Guards which "have cybersecurity capabilities and have run cyber training exercises in the past." Others think they are not at risk.
An election official from Maine, which did not undergo a DHS assessment, said the state's voter-registration database is the only Internet-accessible part of its election system and is "heavily password protected, backed up, and monitored for suspicious activity" by state IT staff.
And Arkansas passed on DHS’s offer because election officials feel they’re already well prepared.
“We just did not do some of the same things some of the other people are doing,” said Chris Powell, press secretary for Arkansas’s secretary of state. “None of the machines or tabulators or any of that is ever connected to the Internet at any time, so we’re not worried about cyber-attacks on that or anything like that.”
Election-security watchdogs and cybersecurity experts have voiced concerns about multiple potential vulnerabilities to American elections—from electronic voting machines, to the programming of those machines, to voter-registration databases managed by state officials, county officials, or private vendors.
Another big concern comes from lack of a paper trail in states that still use electronic voting machines without backup.
Fourteen states will conduct the midterm elections where voters will register their choices in an electronic form but will not leave behind any paper trail that could be used to audit and verify the outcome.
Delaware, Georgia, Louisiana, New Jersey and South Carolina have no paper backup systems anywhere in the state. Nine other states have several jurisdictions without a physical alternative to electronic records — Arkansas, Florida, Indiana, Kansas, Kentucky, Mississippi, Pennsylvania, Tennessee and Texas.
Experts have urged states to have backup systems after officials from U.S. intelligence agencies and the Department of Homeland Security said that Russian entities scanned election systems in at least 21 states before the 2016 election in an attempt to breach. Seven states had their computer systems breached to various degrees, officials have said. Illinois has said its voter registration system was breached. But officials have said no votes were altered.
(...)
While Congress in March approved a $380 million federal grant to states to boost the security of their election systems, state officials say it was long overdue and was money left over from a 2002 law and not new money in light of the vulnerabilities identified in state election systems during the 2016 election.
Lawmakers proposed dozens of bills since January 2017 to address election security but failed to pass any legislation that would require states and local jurisdictions to have paper ballots as backup to digital voting systems.
81.5M Voter Records For Sale On Dark Web Ahead Of Midterm Elections (Forbes)
QUARTERLY INCIDENT RESPONSE THREAT REPORT (Carbon Black)
Fewer than half of US states have undergone federal election security reviews ahead of midterms (ABC News)
Paper Is Big Again, at Least for Elections. These States Don’t Have It (Roll Call)