Skip to main content

Cyberattack on Florida election raises questions

Cybersecurity experts say we have now witnessed the first documented attack on a U.S. election.
Cybersecurity experts say we have now witnessed the first documented attack on a U.S. election.
STORY HIGHLIGHTS
  • A grand jury report outlines problems in an August 14, 2012, primary election in Florida
  • Someone created a computer program that made 2,500 bogus requests for absentee ballots
  • It's the first documented attack on a U.S. election, said computer scientist David Jefferson
  • Jefferson: "It's clear that the attackers knew what they were doing"

(CNN) -- It's a fear that keeps cybersecurity experts up at night: an attack on an online election system.

Apparently, it's now come to pass.

According to a grand jury report about problems in an August 14, 2012, primary election in Miami-Dade County, Florida, "someone created a computer program that automatically, systematically and rapidly submitted to the County's Department of Elections numerous bogus on-line requests for absentee ballots."

It's the first documented attack on a U.S. election, said computer scientist David Jefferson, who is on the board of the Verified Voting Foundation and the California Voter Foundation, in an interview with CNN.

America under cyberattack
Hackers taking aim at celebrities

The report notes that 2,500 fraudulent requests were submitted. (For perspective, Miami-Dade mailed out 139,047 absentee ballots last July and another 174,919 in October.)

With voting by mail increasing, the fact that the system was challenged is worrisome for cybersecurity experts.

"The computer scientists have been saying for many years now that this is going to be possible, and one of the counters to us has been, 'How come it hasn't happened?' We always say, we don't know if it's happened, because it might happen without leaving any evidence," said Avi Rubin, a Johns Hopkins computer science professor who is an expert in cybersecurity. "And now we're finally starting to see proof that it actually does happen."

Jefferson, who classified the attack as "weak," nevertheless highlighted several reasons to be concerned.

"It's clear that the attackers knew what they were doing, did it deliberately (and) tried to cover their tracks -- they were deliberately hiding their actions," he said. Moreover, he added, "It is not at all clear what their motives were."

According to the report, Miami-Dade's online ballot request system had "very low" security, with no user-specific logins or passwords. A concerned election vendor noted the influx of requests and flagged them, said the report.

"The vendor hired by Election officials ... became suspicious when it appeared that an extraordinary number of absentee ballot requests 1) appeared to be submitted from the same group of computers; and 2) were being submitted at a rate that was not humanly possible if the data on the screen was being entered by a person," the report said.

The requests came from IP addresses primarily located overseas, the report added, "although there was at least one fraudulent request from inside the United States."

The grand jury report is dated December 19, 2012. Its findings were reported last month by the Miami Herald, although they did not receive widespread national attention until now.

Florida, of course, is no stranger to electoral snafus. In 2012 alone, the state endured long lines, chaotic polling places and disputes over legislative actions that shortened the number of days and hours for early voting. But Jefferson says that, in terms of online issues, the state is far from the worst.

He said he and his colleagues in the cybersecurity community found two states that had "serious vulnerabilities" in their online registration systems: Washington and Maryland.

"Those dangers were so severe because it would not take a lot of skill to change the registrations of thousands of voters, online, while sitting in, say, Bulgaria," he said.

With hackers getting increasingly sophisticated, Rubin expects there will be more cyberattacks in the future. Indeed, even putting elections aside, reports of denial-of-service attacks, stolen passwords and other cases of Internet invasion are regular occurrences in the news -- and they've affected major corporations, government agencies and even security companies, Jefferson observes.

That doesn't mean we have to revert back to dropping paper ballots in an old wooden box. Rubin believes that election authorities "do a pretty good job at understanding their threats." It's just that voting is such a sensitive issue that they should have to plan for the worst -- and be prepared to handle it.

"The first thing to do is have a realistic understanding of the threat, so that before you offer a service on the Internet you know how you're going to respond when you're attacked -- and I say 'when' and not 'if' you're attacked," he said.

Indeed, Jefferson hopes that the Miami-Dade report serves as a wake-up call for authorities who have scoffed at computer scientists' concerns.

"For me, of course, this is no surprise. I've seen this and much worse in many circumstances," he said. "But because this is the first real documented attack in a U.S. election, it has outsized importance. We can now say we do have an example in a U.S. election of a bona fide cyberattack. You don't have to believe us -- we didn't write that grand jury report. Read it."

Cyberthreats getting worse, House intelligence officials warn

Alan Brill, senior managing director for Kroll Advisory Solutions, is optimistic that the wake-up call will be received promptly.

"If you look back, 20, 25 years, (legislators) had no real understanding of computers. But over time, it's kind of a rising tide" of comprehension, he says. "As you get more specialists in a field like this, I think the risks become more evident, and it becomes more urgent for them to do something about it."

ADVERTISEMENT
Part of complete coverage on
September 30, 2014 -- Updated 1550 GMT (2350 HKT)
Experts believe that ISIS may be using a Spanish enclave to bring jihad to Europe.
September 30, 2014 -- Updated 1300 GMT (2100 HKT)
With an efficient subway, inexpensive taxis and a good public bus system, Hong Kong is normally an easy city to navigate ...
September 28, 2014 -- Updated 2332 GMT (0732 HKT)
CNN's Ivan Watson was in the middle of a pro-democracy protest in Hong Kong when things got out of hand.
September 30, 2014 -- Updated 2012 GMT (0412 HKT)
The world's animal population has halved in 40 years as humans put unsustainable demands on Earth, a new report warns.
September 30, 2014 -- Updated 1249 GMT (2049 HKT)
Every day, refugees and migrants risk their lives as they seek a new life. Now, a new report puts a figure to the number of victims.
September 30, 2014 -- Updated 1442 GMT (2242 HKT)
Mainstream commentators must promote positive role models to Muslims feeling victimized, writes Ghaffar Hussain.
September 29, 2014 -- Updated 0613 GMT (1413 HKT)
Two men familiar with inside knowledge of ISIS speak with CNN's Arwa Damon.
Explore CNN's interactive that explains ISIS' roots, what it controls, and where its support comes from.
September 25, 2014 -- Updated 2010 GMT (0410 HKT)
In his first-ever interview as the Emir of Qatar, Sheikh Tamim bin Hamad Al-Thani defended his country against allegations of funding terrorism.
September 27, 2014 -- Updated 1503 GMT (2303 HKT)
The North Korean leader hasn't been seen for weeks, leading to speculation that he is in poor health.
September 24, 2014 -- Updated 0154 GMT (0954 HKT)
Haider al-Abadi hopes airstrikes don't lead to "of another terrorist element" instead of ISIS.
September 25, 2014 -- Updated 1319 GMT (2119 HKT)
The United States couldn't do it on its first try. Neither could the Soviets.
September 24, 2014 -- Updated 1529 GMT (2329 HKT)
CNN's Nima Elbagir reflects on a harrowing trip to Liberia where she covered the deadliest Ebola outbreak in history.
September 26, 2014 -- Updated 1423 GMT (2223 HKT)
Contrary to public opinion, rats can actually save lives -- Apopo's rats have actually saved thousands.
September 30, 2014 -- Updated 1336 GMT (2136 HKT)
Each day, CNN brings you an image capturing a moment to remember, defining the present in our changing world.
Browse through images from CNN teams around the world that you don't always see on news reports.
ADVERTISEMENT