As the rest of the nation’s citizens sit on pins and needles about who will win the presidential election — Barack Obama or Mitt Romney — information security pros are even more anxious in their wait to see whether this is the year that hackers find a way to subvert or disrupt the increasingly electronic-voting process. According to security experts, the situation is ripe for the bad guys to strike.
Hacktivist groups like Anonymous and LulzSec have perfected their crowdsourced attack methods, and nation-state hackers have more resources than ever to carry out complicated attacks. Meanwhile, voter databases are increasingly interconnected within complex and often insecure local and state IT infrastructure, while the electronic voting systems many states depend on are plagued with vulnerabilities that the security community has been warning citizens about for the better part of a decade.
“If big, Internet-based companies like Yahoo, LinkedIn, or Sony can fall to hackers, then, yeah, big government databases and local authorities who actually administer the election process can be hacked,” says Stephen Cobb, security evangelist for ESET. “I’m somewhat surprised it hasn’t happened yet.”
First on some security experts’ watch list is the potential for hacking online or networked voter databases. Some experts expressed worry that thieves could steal these databases for financial gain, but as Rob Rachwald, director of security strategy for Imperva, put it, “Most voter databases don’t contain a whole lot of sensitive data; they typically contain your name and address, which isn’t terribly private.”
However, if bad actors were able to make changes in the database, that’s where the real trouble would start. If attackers can gain access to these databases to switch addresses for the sake of disenfranchising certain select groups of voters, who’d find themselves missing from precinct lists on election day, or to institute wide-scale mail-in voter fraud, then they could still affect an election’s outcome.
Such scenarios are hardly far-fetched or improbable, numerous experts warned. And with states like Washington and Maryland opening up voter registration online, the potential threat surface only increases.
“Any system that is networked, especially to the Internet, is inherently vulnerable to attacks on its availability, and the confidentiality and integrity of its data,” says Steve Santorelli, director of global outreach for the security research group Team Cymru.