First-ever cyberattack on US election points to broad vulnerabilities

Experts have confirmed that a fraudulent online request for 2,500 ballots in Florida last year was the first known cyberattack against a US election. And it could be just the tip of the iceberg.

Marc Serota/Reuters/File
Voters stand on line to vote in Florida's Miami-Dade County in this 2004 photo. A cyberattack against the county sought to influence a 2012 primary election by fraudulently requesting 2,500 ballots.

Over a 2-1/2 week period last July, more than 2,500 online “phantom requests” for absentee ballots were made to Miami-Dade County election headquarters, marking the first known cyberattack on a US election.

The fake requests for ballots targeted the Aug. 14 statewide primary and included requests for Democratic ballots in one congressional district and Republican ballots in two state House districts, according to a recent Miami Herald report.

The fake requests were done so clumsily that they were red-flagged and did not foul up the election. In any case, they would not have been enough to change the outcome. But now confirmed as the first cyberattack aimed at election fraud, the incident is further evidence that the vote-counting process is vulnerable, particularly as elections become more reliant on the Internet.

“This is significant because it’s the first time we’ve seen a very well documented case of attempted computer election fraud in the US,” says J. Alex Halderman, a cybersecurity researcher at the University of Michigan who focuses on election-system vulnerabilities. “This should be a real wakeup call because it illustrates the sort of computer voting attacks that many scientists have been warning were possible for years.”

Florida officials “were lucky” that the attacks were so clumsy, he says. The requests poured into the voter headquarters in clumps, much faster than normal, and in many cases the clumps arrived from the same handful of computer IP addresses. At this point, it is unknown what the attackers wanted to achieve.

But if they had been only slightly more sophisticated – distributing the requests across a larger number of IP addresses, for instance – the attack would have been much harder to detect.

“We’ve seen very sophisticated attacks against US corporations,” Dr. Halderman says. “If that level of sophisticated attack were directed against these election systems it could have been disastrous.”

Halderman knows. In three afternoons and without breaking any tamper-proof seals or leaving any traces, he and a colleague at Princeton hacked into a kind of paperless touch-screen voting machine used by almost 9 million voters in the 2008 presidential election. Just to show how much damage they could do, they installed Pac-Man in place of the voter software.

In 2006, he and Princeton researchers proved that, with just a few minutes' access to a touch-screen voting machine, they could install a practically undetectable software virus that could spread to other machines and switch those machines' votes at election time before finally deleting all traces of itself.

Rapid advances in cyberweapons and malicious software put electronic-voting machines used in the 2012 election at risk and could have tipped the presidential election in some states, cybersecurity experts warned prior to the vote.

“This Florida case is not significant because thousands of votes were lost or changed, it’s significant because it demonstrates the feasibility of the pathway to attack the vote – and because there is online access to other pieces of the voting process,” says Pamela Smith, president of Verified Voting, a nonprofit group focused on ensuring US election integrity.

Some Florida officials say the attack also illustrates a need to take such violations more seriously. Law-enforcement officials had dropped their investigation until news media picked up on a Miami-Dade County grand jury investigation into the attack in December.

The Miami-Dade state attorney’s office reported it was unable to identify the hacker because the actions were masked by foreign IP addresses, the Miami Herald reported. But at least some of the IP addresses originated in Miami and could have been further traced, the paper found.

“In this case it seems more of an attack on the voting process,” says Ion Sancho, supervisor of elections in Leon County, Fla., who has studied cybersecurity in detail for systems he oversees. “Most Americans are unaware of the overall insecurity of the Internet and blind to the hacking threat to US elections systems. What we desperately need are law-enforcement authorities that will really take these kinds of attack seriously and really go after them.”
