CISA and the FBI have released a joint statement to reassure the public that the agencies have seen no cyberattacks on voter registration databases this year, following news reports about Michigan voter data appearing on a Russian hacking forum.
As technology is increasingly integrated into our lives, it can be potentially life-threatening if it is able to be misused by an attacker. For example, earlier this year, news broke around a smartwatch vulnerability where the attacker could send false messages regarding medication intake and therefore cause an accidental overdose. Imagine all the equipment you are using or will be using in the future that is connected to a network, if not directly to the internet itself. All this equipment, if developed carelessly, could cause harm or even death. Therefore, I understand why we would no longer simply issue financial penalties, but extend this to jail time as well. However, I do not believe that the idea is as cut and dry as saying that one has to go to jail and that’s it. There need to be supporting guidelines on what adequate development practices are and what is expected to be followed, in order to satisfy these security standards. I not only believe that this will be needed but also welcomed by many companies struggling today on the security compliance front. It will also be welcomed by users who will feel more secure knowing that the software or devices they use are developed under some sort of formalized standard.
Fortunately, the FBI and CISA didn’t find signs of a compromise in this instance, but registered voters will still need to be on the lookout for bad actors attempting to use the information gleaned from these publicly available databases to obtain even more information about their targets. It is sad to believe that in this day and age simply registering to exercise your right to vote can make you the target of hackers.
It’s remarkably easy to get one’s hands on voter databases in most states. Many of them are available to the public, including Michigan. However, even though there are rules about how the data can be used, rules can be broken. Those who legitimately request voter data are responsible for securing it, and not everyone has the same standards of security. I wouldn’t be surprised if we see more voter databases in the hands of foreign threat actors before the 2020 general election.
Every election network should be instrumented with a network security monitoring platform that creates an audit record of all activity on the wire. It’s not enough to install security devices that only try to stop malicious activity or create alerts on suspicious activity. It’s also important to have a neutral record of how the election network was used, not only for analysis at the time of the election, but as evidence to prove in the future that the elections were not subjected to tampering.