Recent attempts to hack voter registration systems, including a successful attack in Illinois this week, point to a glaring cybersecurity deficiency across the nation: State readiness to defend against potential cyberattacks is inadequate, according to experts, and voter registration systems are among the most susceptible entry points for hackers to gain access to sensitive information of Americans — and possibly even manipulate elections.
"Both campaign and state voter registration databases are weak targets and the low-hanging fruit," said Francesca Spidalieri, senior fellow for cyber leadership at the Pell Center for International Relations and Public Policy. "A lot of the systems used to store health-care records, pension information and voter registrations are old, intermittently used and handled by staff with little to no training in cybersecurity," she said.
"To be blunt, a kid could have done this. That's how bad it is," said internet security expert Joseph Steinberg.
These findings are particularly alarming in light of reports that Russian hackers were behind two recent attempts to breach voter registration databases in Illinois and Arizona.
"They all hold valuable information, whether internal party policies that can shape the elections or the personal information of the electorate. The value of targeting those databases is not only to steal information (voters' names, birthdays, SSNs, etc.) but also to conduct an information operation and manipulate election results directly or indirectly by affecting turnout, disrupting election sites and ultimately sow doubt in the legitimacy of the election itself," Spidalieri said.
"If it was a foreign government, could someone be adding or removing people from the database in order to impact elections?" Steinberg said. "Could someone be assembling lists of contacts in order to contact them with election-related propaganda? Could someone want to mess up the database the day of the election or right before in order to cause election issues?" He added, "We don't need to know who or why to know that we have a serious problem."
The recent attacks should be seen as inevitable rather than surprising. A Pell Center report on state cybersecurity programs published before the recent election hacks concluded that "no state is cyber ready."
There are more than 2,000 different jurisdictions around the United States, and all have different types of voting machines and limited resources to update them. Hired staff or those who volunteer on Election Day have limited to no training in cybersecurity, said Spidalieri.
"States are advocating for bigger IT budgets, but they are slow to implement some of their new programs, and the voting systems have so far been a lower priority," she said. "It's a pretty grim picture all over the United States," she added.
In August, Department of Homeland Security Chief Jeh Johnson warned state election officials about potential cyberattacks that could interfere with the elections and said he would consider designating certain electoral systems as "critical infrastructure."
Currently, voting systems are not considered critical infrastructure under federal regulations, so those in charge of these systems are on their own in terms of deciding on the best approaches in dealing with cybersecurity threats.
Taking into consideration preparedness plans, such as regular threat assessments, incident response and information sharing, the Pell Center report found the most cyber-ready U.S. state was California, followed by Maryland and Michigan.
Since the Pell Center data was published a little less than a year ago, some states — Indiana, for example — have launched cybersecurity commissions and passed cyber-related legislation.
In Pennsylvania, another key presidential election state, Secretary of State Pedro A. Cortés said it is working to ensure the security and integrity of the November election. "In recent weeks, there has been talk about vulnerabilities in the nation's election infrastructure," Cortés said in a release. "Our election staff is working closely with federal and state experts to implement all available strategies to strengthen security."
A spokeswoman for the Pennsylvania Department of State stressed the distinction between voter registration databases and actual voting systems. In Pennsylvania, precinct voting systems are never connected to the internet. And while Pennsylvania's online voter registration application is on the web, applicants' personal information is stored in a statewide Uniform Registry of Electors voter registration database that is not connected to the internet and is only accessible internally.
A spokeswoman for the New Jersey Office of Homeland Security and Preparedness said it is working with federal and state partners and continuously reviewing the effectiveness of the security controls for all state systems and monitoring them for any suspicious activity. She said one major difference between New Jersey's voter registration system and that of Arizona and Illinois — states hit by recent attacks — is that New Jersey does not allow online voter registration.
Commission recommendations and conversations, though, are not the same as implementation, and states don't have much to show for existing efforts. "It's a good effort to bring experts together to talk about issues in states, but it's still not a solution," Spidalieri said. "No state has yet devised a comprehensive plan that aligns the state economic vision with their security priorities when it comes to this issue."
Mauricio Paez, a partner at Jones Day who manages the firm's privacy and cybersecurity practice, said the problem is not only that many voter registration systems in the United States are antiquated from a security perspective but that "there's a decentralized approach in terms of dealing with these breaches, because there is no uniform standard for states to address these risks."