
First-ever cyberattack on US election points to broad vulnerabilities

Experts have confirmed that a fraudulent online request for 2,500 ballots in Florida last year was the first known cyberattack against a US election. And it could be just the tip of the iceberg.

Voters stand on line to vote in Florida's Miami-Dade County in this 2004 photo. A cyberattack against the county sought to influence a 2012 primary election by fraudulently requesting 2,500 ballots.

Marc Serota/Reuters/File


Over a 2-1/2 week period last July, more than 2,500 online “phantom requests” for absentee ballots were made to Miami-Dade County election headquarters, marking the first known cyberattack on a US election.

The fake requests for ballots targeted the Aug. 14 statewide primary and included requests for Democratic ballots in one congressional district and Republican ballots in two state House districts, according to a recent Miami Herald report.

The fake requests were done so clumsily that they were red-flagged and did not foul up the election. In any case, they would not have been enough to change the outcome. But now confirmed as the first cyberattack aimed at election fraud, the incident is further evidence that the vote-counting process is vulnerable, particularly as elections become more reliant on the Internet.

“This is significant because it’s the first time we’ve seen a very well documented case of attempted computer election fraud in the US,” says J. Alex Halderman, a cybersecurity researcher at the University of Michigan who focuses on election-system vulnerabilities. “This should be a real wakeup call because it illustrates the sort of computer voting attacks that many scientists have been warning were possible for years.”

Florida officials “were lucky” that the attacks were so clumsy, he says. The requests poured into the voter headquarters in clumps, much faster than normal, and in many cases the clumps arrived from the same handful of computer IP addresses. At this point, it is unknown what the attackers wanted to achieve.

But if they had been only slightly more sophisticated – distributing the requests across a larger number of IP addresses, for instance – the attack would have been much harder to detect.

“We’ve seen very sophisticated attacks against US corporations,” Dr. Halderman says. “If that level of sophisticated attack were directed against these election systems it could have been disastrous.”
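As an added illustration (not part of the original article, and not the county's actual system), the two red flags described above, requests arriving in clumps much faster than normal and clumps concentrated in a handful of IP addresses, can be checked over a request log. The function names, thresholds and sample data below are assumptions constructed for this example.

```python
from collections import Counter
from datetime import datetime, timedelta

def flag_windows(requests, window=timedelta(minutes=10), baseline=5, factor=4, top_n=3):
    """requests: iterable of (ISO timestamp, source IP) pairs.

    Flags every window whose volume exceeds factor * baseline, where baseline
    is the assumed normal number of requests per window. For each flagged
    window, top_share is the fraction of requests from the top_n source IPs.
    """
    buckets = {}
    for ts, ip in requests:
        t = datetime.fromisoformat(ts)
        # Floor the timestamp to the start of its window.
        start = datetime.min + ((t - datetime.min) // window) * window
        buckets.setdefault(start, []).append(ip)
    flagged = []
    for start in sorted(buckets):
        ips = buckets[start]
        if len(ips) > factor * baseline:
            top = sum(n for _, n in Counter(ips).most_common(top_n))
            flagged.append({"start": start.isoformat(), "count": len(ips),
                            "distinct_ips": len(set(ips)),
                            "top_share": top / len(ips)})
    return flagged

def sample_requests():
    """Constructed data (documentation IP ranges), not records from the incident."""
    base = datetime(2012, 7, 10, 9, 0)
    rows = []
    for w in range(6):          # ordinary traffic: 3 requests per window
        for k in range(3):
            t = base + timedelta(minutes=10 * w + 1 + 3 * k)
            rows.append((t.isoformat(), f"198.51.100.{3 * w + k + 1}"))
    for i in range(30):         # clump from the same three addresses
        t = base + timedelta(minutes=60, seconds=10 * i)
        rows.append((t.isoformat(), f"192.0.2.{i % 3 + 1}"))
    for i in range(30):         # same volume spread over 30 addresses
        t = base + timedelta(minutes=90, seconds=10 * i)
        rows.append((t.isoformat(), f"203.0.113.{i + 1}"))
    return rows

if __name__ == "__main__":
    for w in flag_windows(sample_requests()):
        print(w)
```

Both clumps are flagged on volume alone, but only the first shows a high `top_share`, which is why a check keyed solely to source addresses would miss the second.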

