Election officials confident voter rolls secure after hack attempt

WASHINGTON – Arizona election officials said that “at no point” was voter registration information “accessed or manipulated” after an attempted hack into the state’s database over the summer.

The Arizona Statewide Voter Registration System, which holds personal information on 3.4 million Arizona voters, was shut down for 10 days in June after an FBI warning of a “credible threat” to the system, according to the Arizona Secretary of State’s office.

“Our office performed an exhaustive security review of the statewide voter registration system with the help of the Arizona Department of Administration and our voter registration software vendor,” said Matt Roberts, a spokesman for the secretary of state.

He said the office also took steps to ensure the voter rolls were secure for Tuesday’s primary election.

Cybersecurity experts said the hack attempts – voting records in Illinois were also reportedly targeted – appeared to be fairly crude and unsuccessful, but they serve as reminders that any online system can be a target.

“This election cycle has brought home the fact that our election infrastructure and our election technology is technology and, like all technology, it is intentionally subject to attacks,” said Lawrence Norden, a voting technology expert at the Brennan Center for Justice at the New York University School of Law.

“That doesn’t mean that the integrity of our national election is at risk, but it does mean that we should be thinking of all the security measures that we know about and make sure they’re in place,” he said.

Norden said that the integrity of elections should not be questioned as a result of this summer’s hacks. But an Arizona State University expert said that as voters head to polls, they should remain alert and file complaints if they face any difficulties.

“Test it out. Make sure you’re in the system. Go to your polling place and make sure everything runs smoothly,” said

Jamie Winterton, director of Strategic Research Initiatives at ASU’s Global Security Initiative. “The best thing to do is to show up and vote.”

Winterton said Tuesday this summer’s attempted hack did not appear to be “particularly sophisticated” in that it attempted to get into the voter database using simple code, which is “not a terribly difficult thing to protect against because code has weird symbols in it.”

“Code has equal signs, semicolons, and quotes. Nobody’s name has those things,” Winterton said. “Just by making some simple rules and trying to think, ‘How will people use this for bad things?’ We could solve a lot of problems.”

The hacks came to light after Yahoo News reported Monday on an Aug. 18 FBI Cyber Division alert to “need to know” recipients that said the agency had received information about two separate IP addresses trying to hack board of election websites in two states. The alert does not name the states, but Yahoo’s Michael Isikoff reported that “sources familiar with the document” confirmed Arizona and Illinois were the states.

The FBI bulletin encouraged states to “contact their Board of Elections and determine if any similar activity to their logs, both inbound and outbound, has been detected. Attempts should not be made to touch or ping the IP addresses directly.”

The FBI declined to comment on the alert, saying in an e-mailed statement Monday only that it “routinely advises private industry of various cyber threat indicators observed during the course of our investigations. This data is provided in order to help systems’ administrators guard against the actions of persistent cyber criminals.”

Roberts said the only damage from the assault on the state’s system was the leak of credentials used by county elections employee to access the system.

He said the office has not found further evidence of malware in its voter registration system, but is looking to implement a “two-factor authentication” before people can access the system.

“I log in to the system using a password, and then I’m e-mailed or texted a different authentication password,” Roberts said of the change being considered. “You can’t just log in by yourself without a second level of security ensuring that you are who you are trying to say you are.”