Hack Pointless? Or State of Denial?

Earlier this week Secretary of the State Denise Merrill, ROVAC President Melissa Russell  and the Manchester CT Registrars of voters talked to NBC Connecticut.  We add some annotation to the transcript,  in [Brackets].

NBC Connecticut
CT Election Officials Say a Hack Nearly Pointless
By Max Reiss
CT Election Officials Say a Hack Nearly Pointless
(Published Monday, Aug. 29, 2016)

After the FBI notified election officials nationwide of a hack on election databases in Arizona and Illinois, many went on alert, on the lookout for specific IP addresses.  [A word to the wise: There are many IP addresses out there.  It is suspicious activity that needs to be guarded against, not particular IP addresses.]

In Connecticut, state election officials said the IP addresses in question haven’t yet shown up on state servers, but added that the information obtained in Illinois, a list of more than 200,000 and their voting data like addresses and phone numbers, are already publicly available in Connecticut. [Yes, but they are available at a price.  We might question if Russians or other groups outside of Connecticut asked for a copy.  Also all the risks that concern Illinois are still there, if the data are available in a legitimate way, its just a bit easier in Connecticut to obtain.]
“I think someone said it was like hacking the phone book,” quipped Secretary of the State Denise Merrill.
She explained that Connecticut has perhaps the most decentralized voting and registration system in the country with 169 cities and towns that act as their own districts. Built into that system is an entirely paper based trove of voter cards, ballots, and backups. [There are advantages to decentralization, and some downsides.  Its much harder to mount a general attack systems across the state. Yet, it is easier to compromise local systems.  Local officials are much less capable of protecting systems.  Local insider attacks are easier to accomplish.  Let us remember that partisan officials have at least as much motivation as the Russians to change results – and local officials have more opportunity.  Most election officials are of high integrity, yet they are not immune to the same forces that have landed Connecticut Governors, Mayors, Legislators, and Police in jail.]

“When you go into vote and you go to register on the list, it’s all still on paper so there is no simple database that’s containing all of the information,” Merrill said. [Actually its called the Centralized Voter Registration Database (CVRS).  It is vital on election day to accomplish Election Day Registration and check voters who might have been incorrectly registered.  That paper list in the polling place is only as good as the CVRS was a few days before the election, when the list was printed.  An attack on the CVRS could involve changing many registrations so voters are not registered on election day, or sent absentee ballots to false addresses to be voted illegally.  Addresses could have been changed without hacking the CVRS by Online Registration.  To do online registration requires a voter’s CT Driver ID.  That Driver ID could be obtained by hacking the DMV database, if it is not in the CVRS. (Has anyone checked the security of the DMV database?]

Voter lists themselves are already public records and campaigns purchase lists from the Secretary of the State every year.

Local registrars, like Jim Stevenson and Tim Becker in Manchester, wonder what a hacker could really get from a hack of even a local election computer. [The answer, known for years is: Even amateurs could change the result printed by the scanner.  One method is the widely know Hursti Hack. UConn has articulated others.  We are left to wonder why NBC did not interview anyone with expertise to answer the registrars questions, to satisfy that wonder. ]
“They would get, you know, name, address, phone number, DMV information such as license number, which is already made available if someone wanted to come in through Freedom of Information,” said Stevenson, the Democratic Registrar of Voters. [I doubt Driver ID is FOIable. If it is, we have problems for voter registration and other reasons.  Once again, NBC could/should have asked experts.]

Even the machines used to digitally tabulate election results aren’t connected to the internet in cities and towns.
Melissa Russell, a Bethlehem Registrar of Voters, with the Registrars of Voters Association of Connecticut reiterated the point that physical record keeping in Connecticut places the state at an advantage. [Not having voting systems connected to the Internet is definitely an advantage. Yet, not so much against local insider attacks, especially when local officials and their leaders are so confident (overconfident?)]
We also have the advantage of a paper ballot system, where we can look at every vote cast in the case of any discrepancy to make sure our elections equipment has performed accurately. [They CAN.  Candidates and the public cannot. The record of officials in looking carefully during post-election audits is quite questionable <See the Citizen Audit Reports> ]
Becker, the GOP registrar in Manchester, explained how state law mandates that each town keep individual paper records for voters, meaning altering results or hacking, would be a tall task.
“They would have to destroy the fire proof cabinets in 169 cities and towns to actually mess with our voter list.” [As we said before, they could alter the CVRS records and the paper records used at the polls would be wrong.  The registrar’s office usually uses the online system first, so they would have to be concerned in a particular case to check the paper voter registration record. If there was a mass attack it would disrupt the whole election day to have each polling place call the registrars office to check the paper for each  voter.  Once again, an insider attack on those paper records would be relatively simple.]
Published at 10:26 PM EDT on Aug 29, 2016
Source: CT Election Officials Say a Hack Nearly Pointless | NBC Connecticut
Follow us: @nbcconnecticut on Twitter | NBCConnecticut on Facebook


Leave a Reply

You must be logged in to post a comment.