Hackers have targeted the voter registration systems of 20 U.S. states, successfully infiltrating four of them, according to a U.S. Department of Homeland Security (DHS) official speaking to the Associated Press on condition of anonymity.
The DHS official said it was unclear whether the attackers were foreign or domestic, though other reports have tied the Russian government to the attacks.
In August the FBI warned state officials of the need to improve voter registration security after hackers targeted voter registration systems in Illinois and Arizona. Testifying before the House Judiciary Committee on Wednesday, FBI Director James Comey acknowledged there have been additional “attempted intrusions at voter registration databases” since then.
The intrusions have prompted concerns over election security as the U.S. presidential election nears. But officials and cybersecurity experts agree it would be “nearly impossible” for hackers to alter an election's outcome because voting systems themselves are rarely connected to the Internet.
The DHS assistant secretary for cybersecurity and communications, Andy Ozment, told lawmakers Wednesday that hackers that compromised the Illinois and Arizona voter databases appeared to be seeking personal data that could be sold for a profit rather than looking to compromise an election.
Earlier this month, Rep. Hank Johnson, D-Ga., introduced the Election Infrastructure and Security Promotion Act of 2016, which would require the DHS to designate voting systems as critical infrastructure, and the Election Integrity Act of 2016, which would limit the purchase of new voting systems that do not provide durable voter-verified paper ballots. But it’s unlikely either bill will be passed before the election, and unclear if the advantages provided by either bill would improve security or outweigh potential downsides.
“Using voter-verified paper audit trails is an easy and cost-effective way to preserve the integrity and accuracy of our vote, but mandating their use may prevent their replacement once a better system is available, leaving that system outdated and vulnerable,” said Cris Thomas, a strategist for Tenable Network Security.
Thomas said the real danger is connecting an election management system (EMS) to the Internet, because that system is typically run on standard PCs and used to configure the ballots for the voting computers, tabulate votes and perform other administrative tasks.
“Compromising an EMS could allow an attacker to change the configuration files used to program voting computers to access sensitive information and potentially alter the election outcome,” said Thomas.
He suggested the federal government consider conducting a bug bounty type of program and invite white-hat hackers to investigate the security of voting machines to identify possible vulnerabilities.
Meanwhile, DHS has offered to help states look into the security of their voter registration systems, and Homeland Security Secretary Jeh Johnson has encouraged state election officials to secure their systems and ensure electronic voting machines are not connected to the Internet.