Not Just Ballots: Tennessee Hack Shows Election Websites Are Vulnerable, Too

May 17, 2018 at 06:54AM
via Technology : NPR

Voters are escorted to voting machines on Election Day Tuesday, Nov. 8, 2016, in Nashville, Tenn.

Mark Humphrey/AP


hide caption

toggle caption

Mark Humphrey/AP

Voters are escorted to voting machines on Election Day Tuesday, Nov. 8, 2016, in Nashville, Tenn.

Mark Humphrey/AP

When a WWE wrestler, especially one known for his demonic antics and a move called the "tombstone piledriver," runs for mayor of your county, you know your election is going to get more attention than usual. But in Knox County, Tenn., it wasn't the fact that Glenn Jacobs, also known to wrestling fans as Kane, was running for mayor that gained national attention on the county primary day, May 1.

It was that the county's election website, at the time the site was supposed to begin posting election results, came under attack.

Malicious cyber actors shut down the county website and broke into the web server, according to county officials and a report done by the cyber security firm Sword and Shield.

The episode didn't have an effect on the outcome of the election, but it shut down the website for an hour and illustrated how malicious actors in the cyber-sphere can have an impact on democracy without actually affecting vote tallies.

The Senate Intelligence Committee said earlier this month that at least six states had their elections websites attacked by Russian operatives leading up to the 2016 election.

While a lot of attention is given to ballot security, the issue of election websites, which many voters rely on to find out results, is also a key voter security concern heading towards the 2018 midterms. Public-facing sites are naturally more vulnerable targets. Experts say affecting election result pages, and even social media accounts that report results, could sow chaos and discord among a public — if it creates doubt about who actually won an election.

"Any web server by definition, is connected to the internet, so it's directly vulnerable to attacks from the internet," said Doug Jones, an elections cyber security expert at the University of Iowa.

It's unclear who conducted the attack in Tennessee, or why. IP addresses related to the attack were mapped back to computers in the United Kingdom and Ukraine, but Jones says attackers are adept at masking the actual location they're attacking from by breaking into remote computers and using them nefariously.

Elections websites can be especially vulnerable targets in voting districts that are more rural than Knox County, Jones says, because those counties often don't have the resources to adequately monitor and secure their sites.

"It's really unlikely that there isn't some vulnerable county out there and the first thing an attacker would do would be start probing all the county election offices and finding the ones that are weak," Jones said, before adding that elections are often far down the priority list for governments.

"If you're a county administrator and you have a county-run public health program, and a county election office and you have a choice between funding a homeless shelter and funding an election office, which are you going to do?" Jones said."

In cases like Knox County, a breach of the website does not have an effect on who actually wins the election. Tennessee's coordinator of elections, Mark Goins, said if he had to pick an area to be attacked, he'd prefer it be on a website than on a registration system or ballot-tabulating system, since the website is in no way connected to the system that actually determines who wins or loses the election.

Votes are tabulated separately and then input to the server for the public to view.

"There's really nothing on that server that's not public information anyway, it's quite isolated from anything else we have," said Dave Ball, the deputy IT director for Knox County. "But the bad guys don't necessarily know that."

Chris Davis, the assistant administrator of elections in Knox County, says maintaining a secure website is more an issue of maintaining voters' trust that the entire elections system is safe.

"It's from a public perception standpoint as much as anything," Davis said. "We want to make sure all of this data is secure and that if someone logs onto our website that they can trust that that data, that information is correct."

The race for the U.S. senate seat in Tennessee held now by Republican Sen. Bob Corker looks, at this point, to be competitive. The campaign for former Gov. Phil Bredesen, the Democratic nominee for seat, said earlier this year that it also feared it was hacked.

"If something happens in Nebraska, it's one thing, but if it happens in your backyard, then it's like — this can happen," Davis said. "If this can happen in little old Knox County, Tennessee, then it can happen anywhere."