What Illinois Has Learned About Election Security Since 2016

Sep 17, 2018
Originally published on September 19, 2018 11:11 am

AUDIE CORNISH, HOST:

I'm Audie Cornish with a look at election security in All Tech Considered.

(SOUNDBITE OF ULRICH SCHNAUSS' "NOTHING HAPPENS IN JUNE")

CORNISH: One out of 3 Americans says a foreign country is likely to change the vote in this year's midterm elections - more on that in a bit. First, when Russia began targeting American election infrastructure in 2016, one of the first salvos landed in a former grocery store in Springfield, Ill. That's where the state board of elections is headquartered. As Illinois Public Radio's Brian Mackey reports, officials did not realize at first that they were on the frontlines of a geopolitical conflict.

BRIAN MACKEY, BYLINE: That's because the attack began slowly, quietly, like that old fable about how to boil a frog. The story really begins halfway around the world in a suburb of Moscow where, according to federal prosecutors, an officer with Russian military intelligence was probing the website of the Illinois State Board of Elections. He found a vulnerability in a voter registration form. The Russians used it to launch what's called a SQL injection attack. They quietly poked around for a few weeks. Then things intensified.

MATT EMMONS: Yeah. If (laughter) we were a bear, they went from poking it, to, like, beating it over the head with a stick repeatedly.

MACKEY: Matt Emmons is the IT director at the Illinois State Board of Elections.

EMMONS: Either they didn't know what they were doing, or they wanted us to find out, because it would be impossible to miss.

MACKEY: You might think ground zero for a Russian attack on America might be an exciting place, but to look at? Not so much.

(SOUNDBITE OF BEEP)

MACKEY: This is one of the board's server rooms.

EMMONS: It's loud. It's cold. It's dark.

MACKEY: And when there's a hack, it's not like "Star Trek." There's no red alert klaxon.

EMMONS: There would be no way to know. It would look and it would sound exactly like this. It's only through the software and the human factor that you notice anything.

MACKEY: And that's what finally happened on July 12, 2016, when the Russians went from poking to beating with a stick.

EMMONS: What they did is they basically hit the button to start pulling back data and then walked away.

MACKEY: A colleague came up to Emmons and said the database had ground to a halt. The IT staff soon shut it down and fixed the vulnerability, but not before private information was taken from 76,000 voters, including names, addresses and driver's license numbers. Within a couple months, there was widespread reporting that Russia was behind the hacking. Then, this summer, the Department of Justice weighed in.

(SOUNDBITE OF ARCHIVED RECORDING)

ROD ROSENSTEIN: The indictment charges 12 Russian military officers by name for conspiring to interfere with the 2016 presidential election.

MACKEY: That indictment mentions an unnamed state board of elections, which Illinois State Board of Elections spokesman Matt Dietrich says is almost certainly a reference to Illinois. He says the board is now using the best cybersecurity practices it can.

MATT DIETRICH: All you can do is try to stay a step ahead of the hackers. We think we are doing that now. However, I'm sure that Equifax thought that, and Target thought that and Sony thought that.

MACKEY: And you thought that in June of 2016.

DIETRICH: And in June of 2016, we thought we were doing everything we could to employ excellent cybersecurity. As it turns out, it was a mistake on our part. It was us, you know, leaving a window open.

MACKEY: But Dietrich says hacking might not even be the biggest threat to American elections. He emphasizes that in 2016, no voter information was changed or deleted. And the hacked database has nothing to do with actually counting votes, which in Illinois happens in 108 local jurisdictions. Dietrich says a likelier threat comes from another prong of the Russian offensive - social media.

DIETRICH: There's a tweet out there that says that the polls have closed or that lines are around the block at the polling places, trying to get voters to not go out. This is something that we're trying to think about and be prepared for.

MACKEY: Illinois is investing a few million dollars in federal money to help some of the state's smaller voting jurisdictions secure their data and equipment. Some counties don't even have their own IT staff. But officials here are less worried about hardware and software. They're more concerned that even a modest breach could undermine voter confidence in the machinery of our elections. For NPR News, I'm Brian Mackey in Springfield, Ill. Transcript provided by NPR, Copyright NPR.