In-brief: a story claiming more than 100,000 hack attempts on South Carolina’s election systems raises more questions than it answers about efforts to tamper with the U.S.’s voting systems.
The Wall Street Journal and other publications ran with an ALL CAPS story today on hacking attempts targeting South Carolina’s election system that argued the state was a “microcosm” of U.S. election hacking by Russia and (potentially) other adversaries.
That’s scary stuff…or is it? I think there’s an argument to be made for shelving this particular election hacking story, even as we absolutely should not disregard the larger problem of insecurity in the vote collection, tabulation and reporting systems of the various states.
“Attempts to Penetrate” – Fight or FUD?
First, the story. I love the Journal (though maybe not their paywall). But if you’ve been covering cyber security for a while, you read the warnings about “attempts to penetrate” and roll your eyes. These are the equivalent of “old chestnuts” on the information security beat. They are stories that have been popping up for years, without much consequence: feeding off of undifferentiated data from firewalls, security gateways or intrusion detection systems and (more often than not) confusing the reading public. (If you don’t believe me, consider this 2012 “US Nukes face 10 million cyber attacks daily” story from US News, or a dozen others like it, dating back to the Millennium.)
The problem with these stories is that they purport to tell readers how prevalent hacking attempts are, but do nothing of the sort. For example: the key piece of data that birthed this story can be found in this document from the South Carolina Election Commission, which documents “the number of blocked attempts to penetrate the firewall of the statewide voter registration system hosted at the Department of Administration Division of Technology (DTO) on the second Tuesday of each month between November 2016 and April 2017.”
The key phrase in that report is “attempts to penetrate.” Security or information technology professionals would refer to this by more mundane terms like “port scans” or probes. The kinds of undifferentiated scans that the report is talking about are the Internet equivalent of people driving slowly past your house. Sure, it’s kind of unnerving behavior. But you actually don’t know if the slow rollers are scoping you out to rob you, admiring your landscaping or searching for your house number because they’re lost. Any (and all) of those are likely explanations. Calling all the slow driving cars “attempted robberies” is a stretch.
In the same sense, some of those “attempts to penetrate” the elections system may well be “hacking attempts” carried out by cyber criminal or even nation-state actors. More are likely automated attempts to connect to open communications ports. This kind of activity is a nuisance and background noise on the Internet. It’s indicative of suspicious and maybe even malicious activity, but not necessarily of determined efforts to hack election systems – a far rarer and more troubling phenomenon.
Beyond the questions about the “penetration” attempts, the story itself raises questions that demand answers. First, South Carolina, the articles note, isn’t a swing state (it reliably votes Republican) and wouldn’t be on the list of states that a sophisticated actor would target. Sure, the South Carolina data could be indicative of a broader campaign against state election systems – and possibly of more concerted efforts in swing states. That is, in fact, implied in coverage of the South Carolina incident. But without data from other states to compare the South Carolina data to, it’s hard to know if that’s real or speculation.
Second, the sources of the probes hitting the South Carolina systems are described as “bots.” That may be – or not. But “bots” is a kind of omnibus term that warrants more explanation. Do South Carolina elections officials mean to say merely that it is automated traffic, or is there a specific botnet or botnets targeting election-related infrastructure?
Third, the “penetration attempts” data that is the foundation of the South Carolina Election Commission story is a muddle. For one thing, it’s a sampling of data, not a comprehensive record. And it’s an odd sample, too: a measurement taken on “the second Tuesday of each month between November 2016 and April 2017.” What the heck??! Why ask for a data sample that provides no visibility into patterns of attacks leading up to the November vote, when most nation-state, hacktivist or cyber criminal actors would be the most active, but lots of visibility after the vote, when any actor interested in tampering with the election would have accomplished their task and moved on?
Finally, the sample they got lends credence to the idea that the “penetration attempts” data reported by the SC Election Commission isn’t clean. The spike in “penetration attempts” on election day, Tuesday, November 8, 2016, is interpreted as a jump in aggressive efforts to hack into election systems on the day of the Presidential Election. But wouldn’t we expect to see a spike in traffic to the state’s voter registration systems on voting day? The answer is “yes.” And that suggests that at least some reported “penetration attempts” on Election Day might just be explained as legitimate election-related traffic from non-hostile systems that’s running into the DTO firewalls for one reason or another. In other words: ‘false positives.’
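To make the point concrete, here is an added example (not from the Election Commission report, the Journal story, or the DTO) that takes a constructed set of firewall deny lines in a hypothetical syslog-like format and splits the single “blocked attempts” number into the buckets an analyst would actually triage: one source sweeping many ports (a scan), one source repeatedly hitting the site’s own public port (a candidate false positive, such as a legitimate client being blocked), and everything else. The port list and thresholds are assumptions, not values from the page.

```python
from collections import defaultdict

# Constructed sample of firewall deny lines (hypothetical format, not DTO logs).
# Fields: timestamp source_ip destination_port action
SAMPLE_LOG = """\
2016-11-08T08:00:01 198.51.100.7 22 DENY
2016-11-08T08:00:01 198.51.100.7 23 DENY
2016-11-08T08:00:02 198.51.100.7 80 DENY
2016-11-08T08:00:02 198.51.100.7 443 DENY
2016-11-08T08:00:03 198.51.100.7 3389 DENY
2016-11-08T08:00:03 198.51.100.7 8080 DENY
2016-11-08T08:05:10 203.0.113.40 443 DENY
2016-11-08T08:05:11 203.0.113.40 443 DENY
2016-11-08T08:05:12 203.0.113.40 443 DENY
2016-11-08T08:05:13 203.0.113.40 443 DENY
2016-11-08T09:12:44 192.0.2.99 23 DENY
2016-11-08T09:30:00 192.0.2.15 443 ALLOW
"""

PUBLIC_PORTS = {443}  # assumed: the port the registration site is meant to expose
SCAN_PORTS = 5        # assumed: distinct ports from one source before calling it a scan
REPEAT_HITS = 3       # assumed: repeated denies on a public port suggest a blocked client


def parse_denies(text):
    """Return (src, port) for every DENY line; ALLOW lines are not 'attempts'."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] == "DENY":
            events.append((parts[1], int(parts[2])))
    return events


def classify(events):
    """Break the raw deny count into buckets that mean different things."""
    ports_by_src = defaultdict(list)
    for src, port in events:
        ports_by_src[src].append(port)
    summary = {"raw_blocked": len(events), "wide_scan": 0,
               "repeat_public_port": 0, "single_probe": 0}
    for ports in ports_by_src.values():
        distinct = set(ports)
        if len(distinct) >= SCAN_PORTS:
            summary["wide_scan"] += len(ports)            # port sweep: background noise
        elif distinct <= PUBLIC_PORTS and len(ports) >= REPEAT_HITS:
            summary["repeat_public_port"] += len(ports)   # candidate false positive
        else:
            summary["single_probe"] += len(ports)         # isolated hit, low signal
    return summary
```

Run on the sample, the headline figure is 11 “blocked attempts,” but 6 of those are one port sweep and 4 are a single client repeatedly denied on the public web port, which is exactly the kind of traffic the Election Day spike could contain.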
Bots or Bears?
The problem with lumping all these “hacking attempts” in the same breath as you talk about sophisticated and targeted attacks on the Clinton Campaign, the DCCC and successful penetration of some state election boards is that it dramatically distorts the nature and scope of the threat to the U.S. election system which – again – is very real.
There has been plenty written about the sophisticated, global game of cyber espionage that is now being played. That encompasses attacks leveled at the Clinton campaign, political insiders, the DCCC and state election officials. The Department of Homeland Security warned about Russian efforts to compromise election systems in 21 states. Bloomberg reported that the real number was 39 states and included targeted and sophisticated efforts to compromise voter rolls and the networks of firms that make voting equipment, as well.
This is a story that demands thoughtful and pointed reporting that can explore (and explode) efforts by foreign actors to subvert the U.S. vote and thus its democracy. That’s especially true in an environment in which regulators and elected officials seem strangely incurious about such incidents and disinclined to investigate them.
But that task requires members of the press – like a good SOC analyst – to be able to filter out the noise and zero in on the signal in election hacking. It also means flagging reports that take us off the path or down dead ends. We all need to redouble our efforts on that score, and we here at Security Ledger plan to do so.