Illinois – (ECWd) –
Illinois news publications are buzzing about the Federal charges filed against Russian nationals related to the hacking of the Illinois State Board of Elections computers. See more on those stories at Illinois News Network, Chicago Tribune, Chicago Sun-Times.
Was passage of SB172 the first step to what may be the largest voter information breach in our State and possibly our Country? In January of 2013, Senator Cullerton filed a bill which became law in January of 2015.
Provides that the State Board of Elections shall enter into an agreement with the Electronic Registration Information Center effective January 1, 2016, for the purpose of maintaining a statewide voter registration database.
It appears to have been a two-year battle and a major overhaul of the election code as it relates to electronic data sharing of voter information. The full text of the bill that shows what was taken out of the law (line stricken in the law) and added (underlined text in the law), can be found at this link. Vote results for that bill reflect 70 Democrats in favor and 44 Republicans against in the House while the Senate appears to be down the same party line pattern, 35 Democrats in favor and 14 Republicans opposed.
For those watching, that bill telegraphed that we were going to centrally locate voter registration information.
Office of Management and Budget: “The total fiscal impact of this bill cannot be determined at this time.”
Without getting too far off the point, why do we keep passing bills that we have no clue what the fiscal impact is going to be? The fiscal impact to the State is one thing, fiscal impact and personal privacy protection to the citizens of the state is another! This state is filled with incompetence and we believe the pattern leading up to this breach and even after are yet more examples of incompetence on many levels.
The State Board of Elections (SBE) issued this press release yesterday. In that press release is a report dated August 26, 2016. The SBE became aware of the breach July 12, 2016, noting that the breach began June 23, 2016. How much data be captured in 20 days when it’s being targeted 5 times a second, 24 hours a day? Why was the breach not discovered for 20 days?
Of interest in that report from 2016 is the fact they claim: “Due to the ambiguous nature of the attack we may never know the exact number of affected voters.”
The actual press release points to 76,000 voters being notified that their information “may” have been “viewed” and advised them to contact the Illinois Attorney General’s Office if they noticed suspicious activity involving the use of their voter registration information.
When a similar data breach of confidential information from the National Archives and Records Administration took place, the NARA authorized (see page 5) sending as many as 175,000 letters to potentially-affected individuals notifying them of the breach and offering free credit monitoring through Experian.
In another example, NARA notification letters were sent to approximately 15,750 individuals whose names and social security numbers were found on the hard drive, and they offered them one year of free credit monitoring.
No such monitoring has been offered to the residents of Illinois who had their data breached. Of interest, is the fact the SBE makes no mention of notifying the consumer reporting agencies, which they are required to do for a breach of this volume. We have filed an FOIA to determine if such mandated notification was complied with.
During the August 26, 2016 meeting, the minutes reflect an update was provided regarding SB172. It’s clear, they identify what was not captured during the breach but are unable to tell us what was breached and the actual level. More concerning is the praise for a programmer.
“Mr. Turner added that we have on staff a 35+ year experienced programmer who has written incredible programs”.
Incredible from what perspective? With the Federal Authorities citing over 500,000 citizens data being breached and the State telling us “Due to the ambiguous nature of the attack we may never know the exact number of affected voters”, most would not see such programming that let this happen as being incredible, assuming this person actually is responsible for its writing.
A timeline of reports to the SBE Board members after the passage of the law may be an indicator regarding the Breach. The reports appear to point to a pattern of financial and equipment related concerns related to compliance with SB172.
Were the IT people raising the flag of concern?
- March 2015 -“An expansive list of modifications to the local Election Management Systems and IVRS are necessary to reach the mandated requirements of SB172“
- April 2015 – “Kevin Turner added that work will continue on IT projects as long as there is funding for those projects”
- May 2015 – “Mr. Turner indicated that IT staff are doing their best to implement the other technical portions of Senate Bill 172. He is in the process of securing two contractual employees to assist with the project through the end of FY15. He noted that at this time FY16 funding was not available for the contractual employees.”
- June 2015 – “Mr. Turner added that only two weeks are left in the FY15 budget and work will continue as long as there is funding.”
- July 2015 – “He indicated that the election authorities were also in need of hardware and software to support the updated POVA system and they could seek reimbursement through the next IVRS State Grant, depending on FY16 funding.”
- September 2015 – “There are also other concerns such as network security, data breaches, privacy of personal information and possible lawsuits if unauthorized persons were to access sensitive information as a result of a credit card transaction.”
- October 2015
– “Kevin Turner, Director of Information Technology, indicated that the agencies that are required by SB 172 to link with the IVRS system are adversely impacted by a lack of a budget. In addition,
the lack of a budget makes it impossible for the Board to reimburse smaller jurisdictions that cannot afford the new hardware that is required to run the core of the system.”
- November 2015 – “He (Mr. Turner) also noted that a lack of a state budget is impacting the three contractual employees working on the project. They have been working without pay since July 1 and are depleting their own personal funds to pay their companies. Mr. Turner emphasized that the possible loss of the contractual employees will have an impact on the progress of Senate Bill 172.”
- December 2015
– “Kevin Turner, Director of Information Technology acknowledge the status of progress on SB172 as “going as best as we can.”
His concern is that two contractual employees have not been paid
since July 1st.”
- January 2016 -“Meetings with the Secretary of State’s IT department continue to clarify details relating to data they will submit to staff.”
- February 2016 “Mr. Turner noted that a lack of a state budget is impacting the three contractual employees working on the project who have been working without pay since July 1.” – “The Executive Director reported that the Governor’s office issued an executive order which would consolidate Information Technology divisions in state agencies under the Governor’s purview into one central agency.”
- April 2016 – “Mr. Turner then added that he was able to secure 8 scanners from a company who will accept payment when a budget is approved.”
- May 2016 – “Kevin Turner said that one staff member was dedicated to ERIC and successfully uploaded voter files and SOS data files to ERIC.”
- June 2016 – “Mr. Turner advised the Board that progress on SB172 may be impacted as we received word that the Vendor Assistance Program has been suspended. Since we have no FY16 budget, IT contractual staff had taken advantage of this program to receive partial payment for hours worked since July 1st.
Everything from the passage of the law without knowing the cost to the routine updates to the SBE has telegraphed potential target points for a cyber attack. The very month before the attack began, they telegraphed in public that voter information has been successfully uploaded. Was that the green light at the drag strip for the race to steal our data? Each and every issue of concern raised during the months prior to the breach are a potential vulnerability for a cyber warfare targeting.
It was clear from these minutes, Mr. Turner was firing off flares of concerns regarding compliance with SB172 but by all indications, no one was really listening with any concern. Considering the size of the breach, we were ill prepared to protect our citizen’s personal data and passage of that bill may well have been the first flag to those well skilled in cyber warfare.
- October 2016 – “The board was assured that the breach was plugged the same day it was found.”
- November 2016 – “Mr. Thomas presented the Senate Bill 172 update and said, in the past, Anchor Computing was contracted to perform the required matching with the Statewide Database and the National Change of Address information. Now that the SBE is a member of ERIC, they will provide the matching service for us as a member benefit and that is scheduled to be completed on December 1. Mr. Turner said staff continues work on the AMVA portion of the website and its connectivity with Washington D.C. to access social security information.”
- February 2017 – “Kevin Turner, IT Director spoke to the difficulty of running IT without money, the inability to replace old equipment, and without updated equipment, the IT Division will be in trouble. He indicated that he has been unable to pay the yearly licenses which is now in the tens of thousands of dollars.”
- March 2017 – “Mr. Turner reported that he compiled a listing of areas of IT that are in jeopardy as a result of the lack of a state budget and Ms. Cray planned to deliver it today to the Chairman of said committee.
- April 2017 – Lack of a budget continues to affect the IT equipment.
- May 2017 – If a budget is not in place by the first day of filing, staff will not be able to file and scan petitions immediately due to network issues and lack of equipment. Furthermore, the MacAfee antivirus license expires on September 4, 2017. Mr. Turner was unsure if the vendor would even provide a bid since the agency has been in payment arrears for two years. If the license is not renewed, Mr. Turner said it is possible that the agency will have to disconnect from the internet to prevent virus and malware infiltration.
- August 2017 – “Kevin Turner indicated that progress continues on the mandates set forth by SB172 and he is anticipating the changes that will need to be implemented once SB1933 is signed. Since no supplemental appropriation will be received staff will do the best they can to comply with those requirements as they have for implementation of SB172.”
- September 2017 – Turner noted that orders are now being processed for software and hardware needs and he hoped to be current in the near future.
- October 2017 – “Mr. Turner also reported that many websites with the Cisco platform are vulnerable to hacking.”
- November 2017 – “Next on the agenda was the IVRS/IT update and Mr. Thomas reported that staff drafted the technical specifications for the AVR bill for the data exchange with the Secretary of State. Changes have begun for the auto updates portion which will be used for ERIC reports and passed to the election authorities through the statewide database.”
From identifying other potential targets for a cyberattack to signaling vulnerability because of funding, it appears the real problem may not be fixed.
Three years after passage of SB172, approximately two years after the breach:
- February 2018 – “Kevin Turner reported that a meeting was scheduled for tomorrow with the Department of Homeland Security to discuss the on-site vulnerability of the agency systems.”
- May 2018 -“Mr. Turner reported that Department of Homeland Security (DHS) ran a risk vulnerability assessment remotely from Washington, D.C. the week of April 30 thru May 4 and will run another assessment on-site in the Springfield office the week of May 7th. A full report with the results of the assessments is expected to be received within a couple of weeks.”
A discussion on vulnerability appears to be a good step to ensuring the public’s private information is protected. Although we appreciate a remote vulnerability assessment being done in April/May of this year, can we ask why was this not done after the claim the breach was plugged in October 2016?
We have requested a copy of the risk vulnerability assessment, however, suspect they will refuse to provide us a copy. I am betting that we were still at risk and suspect it is going to tie back to the fact we are lacking in up to date equipment and technology due to our Legislature and Governor’s inability to address this State’s financial crisis.
The press release the SBE issued yesterday closed with this statement:
“In addition to measures taken after the 2016 incident, the State Board of Elections currently is involved in establishing a Cyber Navigator Program funded with a federal grant from the U.S. Election Assistance Commission that will greatly enhance cybersecurity both at SBE and among all 108 local election jurisdictions in Illinois.”
Did they just telegraph that our State is in such trouble financially that we can’t properly protect our voter data without funding from a federal grant from the US Election Assistance Commission? Note that we are two years after the breach and they are currently involved in establishing….
Establishing means it is not in place!