Global Weekly Executive Summary, 21 MAY 2018

Tennessee County Elections Targeted by Cyberattacks

A Tennessee county elections website was the target of a cyberattack that crashed the site on primary election night while a network intrusion was quietly taking place at the same time.

A vote total reporting website in Knox County was targeted by a distributed denial of service (DDoS) attack that brought down the website for an hour after the polls closed during a recent primary election, but this DDoS attack acted as a distraction while a second more sophisticated attack, a network intrusion, occurred simultaneously.

A Knox News article reports that Knox County IT director Dick Moran and deputy director David Ball and Moran believe that “all of the disruption… was an effort to distract the county while another, simultaneous attack was happening behind the scenes accessing county information.”

Ball say that the intrusion affected a county server that contained only publicly available information. No personal or confidential information was present on the server. “It was not an attempt to actually change any data or put anything onto our servers; it was an attempt to take things off of our servers, to read what was there … they were looking to get things, not give things,” Ball said.

An Associated Press article quotes Ball as writing “there was a proven malicious attack from a foreign source occurring simultaneously with an apparent deliberate DOS attack.” Ball concluded that “given the circumstantial evidence[,] especially the simultaneous proven malicious intrusion from a Ukraine IP address[,] I think it is reasonable to at least hypothesize that it was an intended event.”

A Knox News article reports that Moran as said that “the [DDos] cyberattack had no effect on vote tallies. It only prevented officials from displaying election results to the public through the Knox County Election Commission’s website.” Ball added that their voting machines are “not networked in any way.”

The cybersecurity company hired to investigate the attack, Sword & Shield, stated in their report that IP address from 65 countries were involved in the DDoS attack, including a Ukraine IP address that was involved in the server intrusion.

In the AP article dated May 12th, a spokesperson for the FBI in Knoxville said that the county had not reached out to the FBI for assistance in the investigation, nearly two weeks after the attack took place. A more recent May 17th Knox News article says that both the FBI and the Department of Homeland Security are now assisting in the investigation.

Significance

Cyberattacks targeting elections could be used by foreign state actors to disrupt the democratic process and damage public confidence in their results.

This event was a small scale cyberattack that did not affect vote tallies and caused no lasting damage, but it is significant because it highlights the important role that local elections officials and local IT workers play in US election security. Smaller county elections are now targets for cyberattacks, and we must be prepared to defend the election process starting at the local level.

Local, state, and federal officials and policy makers will have to work closely with IT administrators and workers and the information security community to secure elections. Local and state officials should be aware of the resources and assistance that can be provided by federal organizations. The federal government, federal organizations, and policy-makers can, in turn, provide clear guidance, sufficient funding, and timely, effective assistance to the local officials and IT workers who are also working toward the same goal of securing our US elections.

Sources

Associated Press, Ukraine computer involved in Tennessee elections attack, 12 May 2018

Knox News, Cyberattack crashes Knox County election website; votes unaffected, 1 May 2018

Knox News, Knox County election night cyberattack was smokescreen for another attack, 17 May 2018