Breach podcast: Step 2, election hacking -- voter registration

ESSvote.com

Step 2: Voter registration

Let's say you press on past digital propaganda and decide you are going to vote. You register. That data has to live somewhere. And it has to remain accurate. If a group wanted to engage in voter suppression, they could hack state registration databases and remove names -- or just change addresses in a way that would create election-day chaos.

(What is this? Go to the beginning. Or just click below to listen)

"(Voter) records are maintained in computer databases, many of which are connected directly or indirectly to the internet, and subject to the same kind of data breaches that affect other kinds of internet systems," said Matt Blaze, a computer science professor at the University of Pennsylvania, where he’s been working on voting technology for the past fifteen years. “We often don't find out that we’re not listed on the voter registration database when we should be until we show up at the polls to vote."

This isn't a theoretical risk. The U.S. government says that Russians tried to access voter registration databases in at least 21 states, and in two states they were able to succeed to some degree.

Even more ominous: If someone wanted to tip an election, they'd do this only in zip codes that traditionally leaned one way or the other.

"Because with the marketing data these days we can microtarget down to the neighborhood how we know a certain neighborhood’s going to vote," said Maggie MacAlpine, co-founder of security firm Nordic Innovation Labs. "We've had some elections that were decided by less than 1,000 people, and the burden tends to be on the voter to say that you are registered or not. So if just ten people in the right place at the right time come in and say, 'Well, I should be registered, why aren’t I registered?' If you can keep that spike under the radar, you can actually change things that way."

Many jurisdictions use e-poll books at voting locations now, to get the best registration information in the hands of poll workers. They also add another layer of technology to the process that can be hacked.

--Partial transcript--

MATT: Well first thing is that the voters have to be registered, right?

ALIA: Matt Blaze, the “We can't secure software” guy again.

MATT: All of those uh, records are maintained in computer databases, um, many of which are connected directly or indirectly to the internet, and um, subject to the same kind of data breaches that affect other kinds of internet systems. And we often don't find out that we’re not listed on the voter registration database when we should be until we show up at the polls to vote. ALIA: Almost every cybersecurity person we talked to zeroed in on this point as an easy vulnerability, because why go through the trouble of changing a vote, if you can just stop the right voter from getting in the booth? Here's Maggie McAlpine again.

MAGGIE: Because with the marketing data these days we can micro target down to the neighborhood how we know a certain neighborhood’s going to vo— going to vote. We've had some elections that were decided by less than a thousand people, and the burden tends to be on the voter to say that you are registered or not. So if just ten people in the right place at the right time come in and say, well, I should be registered, why aren’t I registered? If you can keep that spike under the radar, um, you can actually change things that way.

ALIA: Mark Kuhr, co-founder and CTO of crowdsourcing cybersecurity company Synack, isn't just concerned with deleting people's voter registration.

MARK: But you can also, you know, potentially register people that shouldn't be allowed to vote or people that have— have been deceased, uh, from— from cemetery records or things like that.

BOB: And the 2016 election we know the federal government says that Russians tried to access voter registration databases in at least 21 states, and in two states they were able to succeed to some degree.

MAGGIE: And that's worth noting too, that that's just the people who know about it. Now, the life cycle on Fortune 500 companies finding out that they've been hacked is something like 300 days on average.

BOB: So they may not even know if their registration was breached or tampered with for a long while, and by then it's too late. There's no redoing election day.

JAKE: But the other way that your vote can get messed with, I think that something I've been saying from the— So I was um, Obama's national deputy field director in 2008.

BOB: This is Jake Braun, executive director of the University of Chicago Cyber Policy Initiative and organizer of the Voting Village at Def Con.

ALIA: Almost every cybersecurity person we talked to zeroed in on this point as an easy vulnerability, because why go through the trouble of changing a vote, if you can just stop the right voter from getting in the booth? Here's Maggie McAlpine again.

MAGGIE: Because with the marketing data these days we can micro target down to the neighborhood how we know a certain neighborhood’s going to vo— going to vote. We've had some elections that were decided by less than a thousand people, and the burden tends to be on the voter to say that you are registered or not. So if just ten people in the right place at the right time come in and say, well, I should be registered, why aren’t I registered? If you can keep that spike under the radar, um, you can actually change things that way.

ALIA: Mark Kuhr, co-founder and CTO of crowdsourcing cybersecurity company Synack, isn't just concerned with deleting people's voter registration.

MARK: But you can also, you know, potentially register people that shouldn't be allowed to vote or people that have— have been deceased, uh, from— from cemetery records or things like that.

BOB: And the 2016 election we know the federal government says that Russians tried to access voter registration databases in at least 21 states, and in two states they were able to succeed to some degree.

MAGGIE: And that's worth noting too, that that's just the people who know about it. Now, the life cycle on Fortune 500 companies finding out that they've been hacked is something like 300 days on average.

BOB: So they may not even know if their registration was breached or tampered with for a long while, and by then it's too late. There's no redoing election day.

JAKE: But the other way that your vote can get messed with, I think that something I've been saying from the— So I was um, Obama's national deputy field director in 2008.

BOB: This is Jake Braun, executive director of the University of Chicago Cyber Policy Initiative and organizer of the Voting Village at Def Con.

JAKE: And we spent hundreds of hours and had hundreds of people um, working on understanding how to reduce long lines on election day. They think that John Kerry lost 20,000 votes in Columbus alone because of long lines. And one of the most disconcerting things that could happen that is in line with what the Russians have already done, is just delete a bunch of people from the voter rolls or just change the names and addresses around and then all of a sudden, you know, a fifteen minute line turns into six hour long line and then you don't wind up voting at all.

ALIA: Oh my god. You know, that actually happened to me. I showed up to vote and they said uh, you're actually registered in a different county. Had no idea. Wasted like three hours of my day.

BOB: And so you had to then drive to the other county to vote?

ALIA: Yes.

BOB: Good for you that you did, yeah.

ALIA: Well, yeah, but a lot of people don't have that ability because they have a job that doesn't allow that sort of flexibility.

BOB: Of course. And you — throughout all of this, remember that half of people don't vote even in our most important elections. So the truth is it doesn't take very much to get another one or two percent of people to give up for any kind reason.

ALIA: Just make it inconvenient.

BOB: Just make it difficult.

ALIA: And then there's how your registration is stored at the precinct. Some places have started using e-pollbooks.

BOB: It’s basically an iPad. And that's great because it's quicker, it can help make those lines shorter, and can be updated immediately, on the fly, live.

ALIA: But if technology can be updated live, it can be hacked live.

BOB: Precisely. This just adds another vulnerability into the mix.

ALIA: They looked into e-pollbooks at Def Con too.

MAGGIE: There was one instance where we found that it had been lent by the vendor to the county that it was given to uh, taken back afterwards and none of the 65,000 I think people's personal information including social security numbers had been wiped from it, and then it had been sold on Ebay, and that's where we got it. So that — we actually had to call the, uh, I think the state FBI for that um, to tell them, before we could disclose it at Def Con.