Our Election Security Is Lacking
New York State’s 2018 voter database was leaked and posted for free on a well-known forum about a week ago. The database included full name, physical address, previous addresses, date of birth, gender, voter ID, voter status, and voter history.
Voter databases alone are not a huge threat. If a state or city’s database is leaked, the first question is usually “was it FOIA-able information?” (FOIA means Freedom of Information Act). Most of the information in a voter database is close to public already. It depends on the state, but if you were an institution and had a good reason for looking at that information, you could request it.
How Voter Databases Could Be Weaponized
What no one seems to realize is that voter databases combined with other information being sold or distributed on the dark web could be dangerous. A malicious actor could take account information from a combolist on the dark web and combine it with personal information from the voter database to steal someone’s identity. There are reportedly 8.7 billion identity related records on the surface, deep, and dark web. That’s one case scenario.
8.7 billion raw-identity records are on the surface, deep, and dark web. See if yours are now!
Another scenario: a malicious actor could use account information to pose as someone and sabotage their voter profile which could make it hard or impossible to vote. In New York, changing your voter profile is as easy as resubmitting the registration form with the changed information. The only identity verification the form allows is either a DMV number or the last four digits of a SSN. That kind of information is pretty easily available on the dark web. A few days ago I saw a vendor on Wall St. Market offering a “ten pack” of DMV numbers, SSNs, full names, addresses, and a manual for how to cash out.
Election Meddling is an Increasing Threat
Sabotaging voter profiles en masse would amount to voter suppression—an increasingly concerning threat. Twitter has suspended hundreds of millions of accounts on suspicion of election influence (misinformation, generally). Facebook shut down 32 false pages in August for involvement in a disinformation campaign. Just to name a couple of popular stories. GroupSense sees election meddling a lot. In August of this year, we released the Sharks Report detailing how 9.5 million social accounts and emails were hijacked by Russian operators running a disinformation campaign. The Washington Post covered our research in “The Strange Birth, Death, and Rebirth of a Russian Troll Account called ‘AllforUSA’“. As you can see, most of the time election meddling is driven by social media or digital content–not hacking voting machines.
It’s true, however, that local and federal government have come a long way in securing elections. Numerous protocols are in place to ensure the security of election technology and even to demonstrate its integrity to the public. Some states have instituted multi-factor authentication for government officials across the board. And the Secure Elections Act aims to increase security as well.
Election Monitoring is a Powerful Solution
But there are still basic gaps in election security. Just look at the news stories of election influence. Are hacked voting machines the problem? Not generally. The real problem is misinformation and disinformation campaigns which are waged over social media and chat servers, or campaigns being hacked by credential stuffing tactics (which only work because employees reuse passwords).
Securing voting machines only addresses a small part of the problem. When the problem is credential stuffing and disinformation campaigns, a security solution that makes sense is election monitoring. Actively monitoring social media platforms, chat servers, and the dark web for any suspicious posts or behavior related to a specific election could potentially streamline security spending, reduce response times for incidences, and eliminate numerous threats before they’re realized.
What You Can Do About It
Get in touch with us now to integrate election monitoring into your election security program, or send this blog to someone who can. Fill out our form by clicking “get in touch,” or email us at “email@example.com”.