
On July 12, 2016, Illinois learned that its voter registration database had been hacked by someone using a SQL (pronounced “sequel”) injection, a technique in which an attacker types database commands into a web form field that the application pastes into its database query without checking, so the database runs the attacker's commands as if they were part of the query. In the Illinois case, the hackers squirmed into the system and absconded with information for over seventy thousand residents, which included driver's license numbers, names, dates of birth, and other vital information.1
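To make the mechanism concrete, here is an added illustration that is not code from the Illinois system or from this book: a hypothetical voter-lookup page that takes a local voter ID from a web form and queries a database with it. The table, the column names, the sample voters and the attack string are all made up; the vulnerable and the hardened lookup differ only in whether the user's input is glued into the SQL text or passed as a bound parameter.

```python
import sqlite3

# Constructed sample data for a toy "look up my registration" page.
# Local voter IDs are unique only within a jurisdiction, not statewide,
# so two different voters can share local_id 1001.
SAMPLE_VOTERS = [
    ("Jones", "John", "Jurisdiction A", "1001", "J12-3456-7890"),
    ("Smith", "Jim", "Jurisdiction B", "1001", "S98-7654-3210"),
    ("Doe", "Jane", "Jurisdiction A", "1002", "D11-2233-4455"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed voters."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE voters "
        "(last TEXT, first TEXT, jurisdiction TEXT, local_id TEXT, dl TEXT)"
    )
    conn.executemany("INSERT INTO voters VALUES (?, ?, ?, ?, ?)", SAMPLE_VOTERS)
    return conn


def lookup_vulnerable(conn, local_id):
    """VULNERABLE: the form value is pasted straight into the SQL text.

    A value such as  1001' OR '1'='1  closes the string literal early and
    appends a condition that is always true, so every row comes back.
    """
    sql = (
        "SELECT last, first, jurisdiction, dl FROM voters "
        "WHERE local_id = '" + local_id + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, local_id):
    """HARDENED: the form value travels as a bound parameter.

    The database receives the SQL and the value separately, so quotes or
    keywords inside the value can never become part of the query's syntax.
    """
    sql = "SELECT last, first, jurisdiction, dl FROM voters WHERE local_id = ?"
    return conn.execute(sql, (local_id,)).fetchall()


def demo():
    """Run both lookups with a normal ID and with an injection payload."""
    conn = build_db()
    payload = "1001' OR '1'='1"  # constructed attack string
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "1001"),
        "normal_safe": lookup_safe(conn, "1001"),
        "attack_vulnerable": lookup_vulnerable(conn, payload),  # whole table
        "attack_safe": lookup_safe(conn, payload),              # nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s)")
        for row in rows:
            print("   ", row)
```

The honest lookup returns the two voters who share local ID 1001; the same payload that makes the vulnerable version dump all three records returns nothing from the parameterized one, because the database treats the entire string as an ID to match rather than as SQL.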

There's a reason they are called hackers—they find holes in your system to hack into. In Illinois, the flaw was in the online system where residents could apply to register to vote. That is what Kevin Turner, the information technology (IT) director for the Illinois State Board of Elections, and Kyle Thomas, director of voting and registration systems, called “the hole in the dike.”2 I wanted to interview Turner and Thomas because they were among the unlucky few state election officials whose systems had been breached. Their vulnerability became a cautionary tale for states across the country leading up to the 2016 election.

Pegues: The hackers found a weakness in the system and exploited it?

Turner: Correct. There are many ways that intruders can get into a system. In the case of Arizona, it was a breach through email, which is apples and oranges compared to what happened to us.

In our case, the intruders found the hole in the dike. We discovered that hole as soon as we discovered this degradation of database performance. We found the hole very quickly and obviously immediately plugged the hole. That was on July 12. On July 13, we thought it best to shut the system down, to analyze, “What exactly is going on? What did they get?”

This hack differed from what happened in Arizona because the Illinois State Board of Elections wasn't notified by the government.

Pegues: It was something that you call an anomaly in the system, right? It raises red flags. At that point do you go to DEFCON 5? Did you know at the time—did you have warnings from the Department of Homeland Security (DHS)—that the Russians were breaching some of these systems?

Turner: Absolutely not.

Pegues: So, you didn't know what it was?

Turner: Correct.

Thomas: No, we had no idea. There was no outreach by anybody. We still have not been officially told by anyone, other than reading news reports or watching hearings, that the Russians had any involvement with our breach.

Turner: So, therefore, we have never stated that. We, the [Illinois] State Board of Elections, have never stated that it was the Russians. I mean, that's because nobody has ever officially told us. This is an ongoing investigation with the FBI.

Pegues: Still, to this day?

Both Turner and Thomas answered yes.

RECONNAISSANCE

After finding the intrusion, Illinois election officials began the work of responding to it. This included letting the affected residents know their information had been stolen. They took the database off-line for two weeks. Illinois had kept logs of activity against the database, and those logs allowed officials to establish when the intruders had first entered the system.3

Turner: What we discovered on the back end was that the intruders had begun looking at our system on June 23 [2016]. We had no idea they were in the system. You know, it was like a very slow drip of water. There was nothing, no red flag raised to alert us to any issues whatsoever.

It was on July 12 that they went from zero to one hundred as far as impact to our database. They were in at a two, and then on July 12 it went up to one hundred.

Pegues: Is there a reason why they may have gone to one hundred on that date?

Turner: There is nothing regarding that date that we can associate [the intrusion] with. I think they had done all their sniffing around, and apparently at that point they thought, “We're just going to go for whatever we can get.” So, they sent in literally millions of database queries.

Pegues: What did they get?

Turner: Names, addresses, in some cases phone numbers, and birth dates. In some cases, the last four digits of social security numbers. In some cases, driver's license numbers.

In each election jurisdiction in the state there are a number of different vendors that the local election authorities use for their local election systems—VR, voter registration systems. The local number is unique to that jurisdiction. However, it is not unique across the state. So, in other words, John Jones in southern Illinois in jurisdiction A may have the same local election number—the same voter ID—as Jim Smith in northern Illinois, as far as the local ID number goes.

In our statewide voter registration database, everyone has a unique number in addition to that local number. We keep track of the local number, but we also have a unique ID so that in our database, no voter in the state has the same state voter ID as anyone else. They're unique. The number that these actors used was the local voter ID. That's why the information they got back, we can't be 100 percent certain to the nth degree as to exactly whose information they got.

Thomas: The bottom line of that is, as best we could tell, we came up with roughly about seventy-six thousand voters who were breached. Again, we don't know with 100 percent certainty in each of those cases exactly how much information they got.

In Illinois, we have what's called a PIPA, the Personal Information Protection Act, which required us to notify our legislature of the breach within—I believe it was—five days. And there are rules set forth in that act as to how to identify or, rather, how to contact potential victims of the breach. There's a threshold in there, and if it was above five hundred thousand suspected individuals who are breached, then the entity that was breached can simply publish a press release.

Turner: A press release indicating that they had been breached. Because we fell well below that threshold, it was on us to, as best we could, contact individually each of the voters whose information was breached.

We spent several weeks doing this. We composed a letter to the suspected victims, and they were given information to contact the state attorney general's office if they suspected they were victims of identity theft. To this date, we have no evidence of anyone's identity being stolen as a result of our breach.

The hackers weren't able to manipulate or delete information. Neither election official has any idea what the hackers hoped to find in the database.

NOT A SOPHISTICATED ATTACK

I asked them if these attacks were carried out by sophisticated hackers.4

Turner: We've been told by the FBI and DHS that, first of all, the tool the hackers used is a common tool that intruders use to attempt to get into databases.

These kinds of tools are available on the internet. If you have a criminal mind-set and are out to do this kind of thing, it's not difficult to obtain these tools. It's just a question of finding vulnerabilities and finding holes in dikes, so to speak. And they found a hole in ours.

Pegues: If you're saying that anyone could have done this, what does that say about election system security?

Thomas: This was a vulnerability that our system had that no longer exists. And it's not something that's common. It was a programming error that allowed this one field to be unprotected. Our systems are now scanned every week. DHS offers a scanning service where they use basically the same types of tools that hackers would use to scan public websites to find vulnerabilities. DHS is now performing that [scan] for us on a weekly basis. And since that time, they've never found any vulnerabilities within our system.

Prior to the 2016 election the DHS was not offering that service to state election officials. The Russian intrusions changed everything. They exposed weaknesses in voter databases across the country. But Illinois election officials emphasized that the voting machines themselves were not connected to the internet.

Turner: I will state though there seems to be a misunderstanding that voting machines and vote tabulation systems are connected to the internet, and are tied into voter registration systems. That is absolutely not true. In Illinois, they are two totally separate things. The voter registration database—the centralized database—at our level, and all of the databases at the local level, which feed into our database for registrations, [are different things].

Pegues: As the clock ticks toward the next election, given what happened in 2016 in terms of these voter databases—some being breached, some being scanned—are you feeling the pressure to get this right? Are you feeling the pressure for 2018?

Turner: We're doing the best we can to keep security in place. This breach was an education on our part. This was a programming error that, in one field of a public-facing website, allowed intruders to get in. We sealed that hole.

We have found no other evidence of any vulnerabilities. The DHS has, to this date, found no other evidence of any vulnerabilities. Now, I'd be a fool to sit here and say that I'm 100 percent confident that our system is totally safe. No one can state that. If they do, I guarantee you, as the FBI told us, it's not a question of if; it's a question of when.