Don’t believe everything you see
The easiest way to hack an election in our media-intense age is not to hack the election itself — but merely to hack the results. Specifically, the appearance of results. Imagine if official government websites were hacked on election night to display vote tallies showing the losing candidate had won. Even if the error were corrected, it’s easy to see the kind of chaos that would ensue.
In 2018, I spent a month with Alia Tavakolian at Spoke Media working on a podcast about the various ways foreign powers could hack the U.S. vote; this ‘hacking the results’ scenario seemed the most likely to me. This week brought news focusing more attention on this potential chaos attack.
On Tuesday, the FBI and other federal agencies warned about foreign agents muddying the waters around election day. Soon after — perhaps a coincidence, perhaps not — a little-known firm that provides election software to local governments around the U.S. disclosed that it had been hacked.
Tyler Technologies, a Texas firm with tentacles into all sorts of local government functions, hasn’t said much about the hack yet. Its website has been replaced with a warning that it is responding to “a security incident involving unauthorized access to our internal phone and information technology systems.”
But Tyler is involved in election services.
Election security expert Harri Hursti said Tyler is “one of the big three” vendors in election results reporting systems. He also pointed me to archived versions of the firm’s website, where it had described some of the ways local governments use its “Socrata” tool. From the site:
Ahead of the Nov. 3 presidential election, we wanted to share a few examples of innovative uses of elections-related data powered by Tyler’s open data solution, Socrata….
Absentee voting topped headlines earlier this year as elections officials grappled with hosting in-person primary voting and minimizing the public’s exposure to COVID-19. These discussions are ramping up again as the general election nears.
Fulton County, Georgia, created an absentee voting statistics dashboard for its August runoff election to share with the public information on absentee ballot applications and statistics of ballot return. The data includes whether ballot applications were delivered by mail or drop box, were rejected, or when they were processed….
Ramsey County, Minnesota, for example, shares elections data through the county’s open data portal, and highlights information around primary and general election voter turnout, absentee voting, voter engagement, election judges, and seasonal staffing.
Similar to Iowa, Ramsey County publishes data in its elections results dashboard as a data story, using Socrata Perspectives. The story gives the county the ability to add text and background information, as well as easy-to-navigate charts that link back to the underlying source data.
Counting votes, keeping track of voter registration data, selecting electronic voting machines and keeping them safe — these might seem like relatively simple technology problems. They are not.
“Election IT infrastructure consists of a myriad of systems,” Hursti, head of Nordic Innovation Labs, said. “A major source of security issues is that counties rely heavily on outsourcing to contractors. These contractors become single points of failure for multiple jurisdictions.”
While BleepingComputer has not obtained the ransom note, we found an encrypted file uploaded to VirusTotal today related to this attack.
This encrypted file has an extension of ‘.tylertech911-f1e1a2ac’, which includes Tyler Technologies’ name and is the same format used in other RansomExx attacks.
Tyler’s software is used in a far-ranging set of government functions. The cached version of its website mentions courts, land records, taxes, and schools — with this Tweet suggesting the firm touches 1 in 4 school districts around the country. So it would be an obvious target for a ransomware gang simply out for money. But the timing of the attack, particularly so close to the FBI warning, has the attention of experts like Hursti.
The FBI and the Cybersecurity and Infrastructure Security Agency are clearly worried. Tuesday’s warning is quite specific:
Foreign actors and cybercriminals could exploit the time required to certify and announce elections’ results by disseminating disinformation that includes reports of voter suppression, cyberattacks targeting election infrastructure, voter or ballot fraud, and other problems intended to convince the public of the elections’ illegitimacy.
So is the agency’s instruction to the voting public:
The FBI and CISA urge the American public to critically evaluate the sources of the information they consume and to seek out reliable and verified information from trusted sources, such as state and local election officials. The public should also be aware that if foreign actors or cyber criminals were able to successfully change an election-related website, the underlying data and internal systems would remain uncompromised.