Election hacking in Florida, municipality hacking in Baltimore, and President Donald Trump’s handing of classification authorities to Attorney General William Barr share some characteristics. Our strategies lag behind the realities of dealing with information in the age of the internet. We need to start thinking differently about how we handle information: when to withhold it and when to share it.
I’ll write three posts on ways to think about those situations. We have to find better ways to deal with information and its misuses.
It has taken some time for the story of voter record hacking in Florida to come out, and we still don’t have most of it.
Russian hackers accessed voter data in two Florida counties, but, according to federal authorities, did not change the vote count itself. They may have taken data on voters, which seems to be public. The method of attack was spear phishing, in which an email contains links that install a trojan horse on the target computer. (Reminder: Don’t click on links in suspicious email.)
On May 14, federal officials briefed Florida Governor Ron DeSantis on the hacking. DeSantis says that he had to sign a nondisclosure agreement that prohibits naming the counties. This is not unusual when someone without a clearance is allowed access to classified information.
But why is this information classified, and what exactly is classified?
If Florida election officials are to provide a secure election next year, they need to know:
- which parts of their system were accessed and how
- what the hackers did with their access
- how hackers might affect vote totals
- what steps to take to avoid these problems
This information will be useful to election officials in other states too. And the general public has a right to know what happened in 2016 and may be happening today.
There are two reasons for not making that information public. First, it is likely part of the counterintelligence investigation complementing Robert Mueller’s investigation into the 2016 election and may need to be kept quiet to protect that investigation. Second, the FBI and DHS, the investigating agencies, claim that making it public will impact their sources and methods. This is a common claim of intelligence agencies, probably too common. More on that later.
A leak says that Washington County was one of the counties hacked by Russia’s GRU, the military intelligence agency. It’s likely that we will hear about the other. A strong statement from the investigating agencies on what they found would be the best way to bolster confidence in the electoral system. Legislators have expressed concern about the secrecy, and we can hope that they will press for more information to be made public.
Making this information public could also serve as a warning to the hackers: We know what you are doing and are watching out for you. This message is in the news already, but giving specifics would make it more credible.
Cross-posted to Nuclear Diner.
Yutsano
Calling it now: one of the counties is going to be Broward.
Another call: enough shenanigans will be revealed to call the whole election into question.
lumpkin
@Yutsano:
Yep. That’s trump’s ace in the hole. If he loses in spite of all the cheating we can expect, he will refuse to accept the result. I have no idea where we go from there.
waspuppet
@Yutsano: As Charlie Pierce has been saying, they keep drawing lines and saying “Well, yeah, but [fill in the blank] didn’t happen.” And it always turns out it did. Always.
Yutsano
@lumpkin: He gets evicted on January 21st, 2021. It doesn’t necessarily have to be smooth. Also: when he loses on Election Night, Melania immediately goes back to New York.
@waspuppet: Pennsylvania, Michigan, and Wisconsin are smelling really dicey now. Granted we get rid of their voter suppression tactics it won’t matter as much. How that happens in Wisconsin now is anyone’s guess.
waspuppet
@Yutsano: I don’t know whether he’ll have to be evicted, but I’m positive he won’t go to the inauguration. Which sounds meaningless, but it isn’t.
O. Felix Culpa
This is true in many arenas where technology has outpaced needed behavioral and attitudinal changes.
Princess
If you have access to the voter data, can you change the voter data?
Here’s why I ask: We’re in Illinois. Russia hacked our voting records, and this was known before the election. When my husband and I went to early vote, he was told he had already voted. He hadn’t. They didn’t tell him what was wrong but they told him to come back in a few days, and he was able to vote then — I think they told him he had been confused with someone else of the same name. I have always wondered if the Russian hackers had changed his voter information — if they had swapped data between people with similar or the same names. That could mean that a lot of people they had switched would be unable to vote. If my husband had gone to vote on election day, instead of early on, he would not have been able to vote except provisionally, and if they had not discovered the hack, or had discovered it later, they might not have been able to fix what had happened to my husband. If you mess around with enough voter data in Chicago and leave downstate alone, that could be the difference in a close election. IL was not close this time, but could this have been proof of concept for hacking elsewhere?
Roger Moore
@waspuppet:
And even if you accept that they haven’t seen any evidence of voting totals being changed, that’s the most they can say: they haven’t seen any evidence. It’s very difficult to prove that the totals haven’t been changed, only that we can’t prove that they were changed. It’s always possible that the voting totals were hacked but the hackers were able to cover their tracks successfully. This kind of thing is why it’s so important to have a paper trail (paper ballots!) and routinely audit the vote totals even when there’s no particular reason to suspect anything happened. It’s the only way to have real confidence that the counts haven’t been messed with.
SiubhanDuinne
@waspuppet:
I’ve been thinking exactly this for quite a while. And the transition is going to be epic clusterfuck goat rodeo.
Honus
Maybe some new laws with severe penalties for election hacking, and funding to enforce them. Oh yeah, that’ll get passed in a Republican senate.
Cheryl Rofer
@Princess: This is part of what we need to know more about.
Mary G
Jennifer Cohn has been banging the drums on Twitter about how skeevy some of the voting machine companies are, owned by Republicans and being open to the web, etc. Ivana even got trademarks of voting machines from China. It’s worrying.
Mike in NC
Fat Bastard has made it perfectly clear he thinks he can reject the results of any election that he doesn’t find acceptable. The White House is now officially a Trump property to be retained by the family.
Honus
@Mary G: it’s also weird that during the 2004 election there were a number of voting machine failures and glitches. I remember reading at the time that every one- that is 100%- of the irregularities favored republicans.
I don’t recall the source, but as a lawyer I’m a fairly critical reader and I remember that the source and research were credible.
Duane
@Honus: Someone from the government could address the nation and explain what’s happening to our elections, and what’s being done to stop it. A real president would do that, but not Trumpov the Coward.
Immanentize
Although they have tried to keep it out of the news, and have been fairly successful at that, the Massachusetts Public Defender Office (CPCS for Committee for Public Counsel Services) was ransomware attacked and basically brought down the organization for a month. Bad.
Roger Moore
@Duane:
I think Trump has explained what’s being done to safeguard our elections: he’s gotten Putin to pinkie swear he won’t mess with them. That’s very reassuring to the fraction of the population who are satisfied with everything we did to safeguard the last presidential election.
Cheryl Rofer
@Immanentize: That’s gonna be the topic of my next post on the subject. Thanks for noting Massachusetts.
Redshift
@Princess:
Maybe, but not necessarily. Best practice would be that the ability to change data is restricted to only a few people, but since government is chronically underfunded, and tech and voting systems are chronically underfunded even compared to the rest of government, it’s all too likely that access would mean the ability to change data.
J R in WV
Also, like stricter punishments for election fraud will matter to officers of the Russian GRU, who are operating from inside Russia rather than from Miami.
Really?
Nope…
germy
Surely Trump won’t blame Russia for hacking the 2020 elections.
He’ll say China interfered, because they wanted the Democrat to win.
Immanentize
Think about voter hacking this way — What is your goal?
You could spend a very large and technically complicated effort changing votes at the margin which might be detected.
You could just scrub names from the voter rolls making people either quit their vote or end up voting provisionally.
Or, you might be able to screw up vote counting without manipulating any vote so that it is obviously a hacked election.
The last strategy would favor Trump.
tokyokie
@Mike in NC: You know, I really won’t mind if der Trumpenführer is outfitted with leg chains and handcuffs and is led out of the White House by a squadron of military personnel.
debbie
@Honus:
Glitches were rampant in Ohio in 2004. The entire student body of OSU had only one working voting machine. Students sat for hours waiting for that turn. In addition, Ohio is the home of the voting machine manufacturer Diebold, whose CEO promised Bush 2 a victory.
When they show you who they are…
Immanentize
@germy: He will say the Democrats did the hacking. Or the FBI traitors. Duh!
tokyokie
@debbie: I recall that voting machines in Detroit were not functioning properly all Election Day. There’s your margin in Michigan right there.
Sab
@debbie: Also the not glitches. My parents in Ohio voted at the same school a block from their house from 1966 until 2008. After that their voting location changed every two years, always to a different place a couple of miles away, often not even in their same ward. So suddenly they had to drive, often to a building they had never been to before. I don’t know how the non-drivers managed. Probably they didn’t.
Spanky
Putin’s goal is to destroy the institutions of democracy. I doubt he really gives a shit whether Trump is reelected or not. The goal here is to destroy faith in the voting process.
I ain’t saying he hasn’t got allies in the GOP. I don’t think Rove’s epic meltdown on election night 2012 was delusion meeting reality. He really expected the fix to be in.
debbie
@Sab:
I’m in a pretty blue area, and I’ve had a couple different polling places. It’s enough to get me to just vote early, even though I love the ritual.
Cameron
The situation in FL may be bigger than the two counties. I heard recently that, in order to keep track of voters moving around the state, every county supervisor of elections has access to voter data from all the other counties.
Sab
@debbie: I’m in a pretty blue city. Early voting has become its own fun ritual, but I miss seeing the usual guys at the old voting place.
Ohio Dad
@Immanentize: My understanding is that the computers that hold the voter registration databases in at least three Florida counties were hacked and back doors installed when workers in these counties responded to Phishing attacks. The back doors give the perpetrators full control over these computers. I have seen no indication that the 2018 election was affected by these penetrations, but if no action is taken by 2020, voters in these counties will be removed from the rolls. They may be able to cast provisional ballots, but the governor and legislature will likely make this difficult.
It is a trivial matter to correct a system so compromised, as long as the system is identified. Hiding these systems is probably the reason for DeSantis’s secrecy.
SiubhanDuinne
@Spanky:
Yes, and not only the voting process. He is also happy to see the destruction of the American public’s confidence in the press, the Constitutional separation of powers, the reverence for centuries of law and civic tradition, and a respect for civil discourse — all gone in what seems the twinkling of an eye (although I agree it has really been a long time a-building and what we are living through now is effect, not cause).
I think you’re right that Putin doesn’t give a big rat’s ass who wins the U. S. Presidency in 2020. He couldn’t care less about the woman or man seated at the Resolute desk. As long as things here are ~~fucked up and shit~~ destabilized, he’ll be satisfied.
Immanentize
@Ohio Dad:
Not sure I am following — are you saying DeSantis wants the counties hackable?
Bill Arnold
@germy:
Yeah, that’s been looking like the intended play for a while now. I hate it when they’re so transparent ’cause they might be doing red-herring technique. All the clumsy second-hand noise from D.J. Trump about the Chinese being the big players, the Huawei ban (are they the only handsets the Five Eyes can’t root at will? :-), etc.
It doesn’t help that the Chinese (or rather Chinese machines) engage in so much of what could be called hacking activity. I mainly notice the irritating low level stuff, e.g. the Chalubo botnet is still active, and subverting devices all over the world (I have no reason to believe the botnet is Chinese), and while the subverted IPs doing ssh login attempts on my residential ip are worldwide, Chinese and US ips are the top two positions, with China typically in the lead. To be clear, this is just automated self-replicating doorknob-jangling-basic-lock-picking traffic from Chinese IPs, nothing sophisticated, and probably just a combination of rotten attention to security in China combined with a large number of devices and a large population. The net though is that a lot of the doorknob jangling sources from Chinese IPs, which could be spun as an actual threat and swallowed by the ignorant.
(About 100 distinct IPs per day currently, peaked at about 600 per day, rate limiting via fail2ban. This looks to be going for badly configured embedded devices of various sorts that have a SSH port open, though I’ve just done small-sample poking at the originating ips.)
My Side of Town
Curtail all immigration from Russia. Round up all immigrants from Russia and deport them. Cancel all visas from Russians and deport them. Freeze internet tubes from Russia to the USA. Cancel all trade agreements with Russia.
Mary G
Also, the Supreme Court’s working as the other side intended. They overruled the lower court’s ruling that the gerrymandered districts must be redrawn as the voters decided. Same with Florida using a poll tax to minimize their voters’ decision to allow ex-prisoners to vote.
Bill Arnold
@Immanentize:
More like doesn’t want to be caught having fraudulently won the 2018 election. Independent audits are needed. (Perhaps they’re happening; haven’t paid attention to FL election fraud chatter recently; India is still a big question.)
This is not saying that there was fraud, just that both DeSantis and especially Rick Scott were making suspicious and clumsy noises about election fraud after the 2018 election. Perhaps they believed it (because they were huffing right-wing bubble gas), perhaps they were worried that it was real, and perhaps they were directly involved in it.
SiubhanDuinne
@Immanentize:
Only the ones he votes in.
Cheryl Rofer
@Ohio Dad: Can you give me a link on that?
Duane
@germy: Those pictures of Hicks and the Papadopoulos’s are the statement of our diseased democracy. Jail time doesn’t scare them, it’ll just make the grifters rich on wingnut welfare.
Ohio Dad
@Cheryl Rofer: I’m not sure what you want a link to. The WaPo had a number of articles about the hacking of Florida county voter registration systems about two months ago. These articles confirmed that malware resulting from Phishing had opened back doors in these systems, and that the state government refused to identify the affected counties. The articles did claim that Florida vote tallies were not affected. There was no mention of Florida voters being turned away at the polls in 2018, and I didn’t hear about this particular exploit elsewhere.
The idea of Florida not wanting to repair the compromised systems is just my paranoid idea. It is consistent, however, with Republicans nationally not wishing to take any actions against Russian hacking.
Ohio Dad
@Immanentize: Yes, I suspect that Florida Republicans may want to keep these systems hacked. This is consistent with the national Republican response to Russian interference.
Ruckus
@debbie:
I lived in Gahanna for the 2004 vote and we had 2 machines for I believe 6 precincts, while for 2000 we had 4 with only 4 precincts. I waited 4 hrs to vote, many didn’t/couldn’t. So we were screwed in a couple of ways. Gotta insure that vote, otherwise it’s likely that republicans wouldn’t be able to screw the entire nation for their paymasters.
Feathers
I’m sorry (not sorry), but the articles of impeachment need to include not working to secure the 2020 election. I know that is not directly tied to Trump people, but I’m sure it is at some level.
Also, model laws need to be drawn up fast, and proposed in every state. There needs to be an active push to safeguard the elections. We are way past worrying about getting people alarmed.
Another Scott
@Ohio Dad: Am I misremembering those stories? I thought the contracting companies that ran the voting machines had their internal networks hacked by the spearphishing e-mails, but that the actual voting machines/networks themselves (supposedly) weren’t?
(It’s important to get these details correct.)
Cheers,
Scott.
Ohio Dad
I checked out the AP stories I had seen in the WaPo and NYT, and it turns out that I had quite a faulty recollection of the story, which actually was exactly as Cheryl Rofer recounted: It was the FBI, not DeSantis, that was not allowing the identification of the counties to be released. My apologies to all, especially Cheryl and Immanentize. I still question the dedication of many to act against election fraud when it works in their favor, but the Floridians do seem to want to be serious and transparent about addressing this attack.
Procopius
@Redshift:
Government underfunding is certainly part of the problem, but a lot of government rules governing computer technology, acquisition, software, etc. are written by people who really don’t know much about digital technology. This is why the Navy is still using Windows XP on their ships. Federal agency rules about passwords are not well designed, for example. I think it’s a case of market failure. There’s no easy way to tell if the cyber-security consultant you’re hiring (your brother-in-law’s nephew) is competent or not, and often they are not. That’s one of the reasons I don’t trust CrowdStrike’s report on the “hacking” of the DNC server.
Another Scott
@Procopius: Too simplistic, IMHO.
Slate (from 2018):
Remember that there are sometimes only a handful of systems of a particular type out there (there are, what, 12 carriers these days?). Systems that were designed 20+ years ago, by people who may have retired, or changed jobs, or … It’s not a simple problem. And the new system has to work correctly from the get-go – lives depend on it.
Similarly, password rules that are decided are good (15 characters, yada, yada, yada; unique to each site, changed every 60 days, but DO NOT WRITE IT DOWN!!1) are impractical for humans, but it took a while for the PTB to figure that out. XKCD taught us that there are better ways, and hardware keys are even better.
My $0.02.
Cheers,
Scott.
Hob
@debbie:
This may be nitpicking, but I feel like the various Ohio/Diebold stories have gotten a little garbled over the years, and that sentence is a little misleading. The Diebold machines people were suspicious of were of the touch-screen kind, and such things were very rare in Ohio; the state was mostly using punch cards. The company and its products were still of course terrible and probably did cause trouble elsewhere, and it wasn’t a good thing for their CEO to be a Bush campaign organizer. But the fact that Diebold’s corporate headquarters was in Ohio isn’t really relevant— the location of their main office doesn’t give them special powers over the state.
Cheryl Rofer
@Ohio Dad: Well, the whole thing. If you recall WaPo articles, then presumably there are links to them. I’ve been working through Google and found what may be some of what you’re referring to, maybe even linked the articles in the top post. I was particularly curious about this
which is a great deal more than I’ve seen in any article. The most common claim seems to have been that the capability was read-only, but we just don’t know as far as I can tell.
ETA: Reading along a bit further, I appreciate Ohio Dad’s apology.
Procopius
@Another Scott: Now that’s interesting, and thank you for the reminder. You’re right, I was being too simplistic. I still say that much of the upgrade problem is due to archaic and dysfunctional procurement regulations forcing the acquisition of software from dubiously qualified vendors. I wish I could find the article from 2011 that explained how the vendor who developed the Obamacare web site is now much better placed to sell software projects to the government because they have the history of receiving a huge IT contract, even though that particular project was a spectacular failure (to be fair it was an enormously difficult task, with moving targets, and the failure was partial).