Iranian Hackers Indictment Shows Vulnerability of Online Voter Registration

COMMENTARY Election Integrity

Iranian Hackers Indictment Shows Vulnerability of Online Voter Registration

Nov 30, 2021 3 min read
COMMENTARY BY
Hans A. von Spakovsky

Election Law Reform Initiative Manager, Senior Legal Fellow

Hans von Spakovsky is an authority on a wide range of issues—including civil rights, civil justice, the First Amendment, immigration.
Eileen Weitzman, a volunteer with Brooklyn Voters Alliance, registers a New York resident to vote September 26, 2020 in New York City. Robert Nickelsberg / Getty Images

Key Takeaways

The Justice Department unsealed a federal indictment of two Iranian hackers that shows how the system provides cyber-criminals a pathway into election systems.

The hackers targeted 11 state voter registration and voter information websites. They managed to get into one state and download information on 100,000 voters.

On Nov. 4, they tried to access the system to “modify and create content…for further disseminating false claims concerning the election.”

Anyone inclined to downplay the risks involved in states allowing online, Internet-based voter registration, take note: Last week, the Justice Department unsealed a federal indictment of two Iranian hackers that shows how the system provides cyber-criminals–and foreign governments–a vulnerable pathway into state databases and our election systems.

The U.S. Attorney for the Southern District of New York charged the two with participating in a “coordinated and multi-faceted, cyber-enabled campaign to intimidate and influence American voters, and otherwise undermine voter confidence and sow discord” in the 2020 presidential election. Both of the hackers were contractors for Eelyanet Gostar, an Iranian company that provides cybersecurity services for the Iranian government.

>>> Democracy’s Digital Defenses

According to the indictment, in September and October of 2020, the hackers targeted 11 state voter registration and voter information websites. They managed to get into one of the states (not identified in the indictment) and download information on 100,000 voters.

Next, the hackers used social media platforms to send emails and Facebook messages to Republican senators and representatives, individuals in President Trump’s presidential campaign, White House advisors, and members of the media, claiming that the Democratic Party was planning on exploiting “serious security vulnerabilities” in state voter registration websites to “edit mail-in ballots or even register non-existent voters.” The hackers masqueraded as a “group of Proud Boys volunteers.”

They then created a false video that supposedly showed someone hacking into a state voter registration website and creating fraudulent absentee ballots through the Federal Voting Assistance Program for military and overseas American voters. They again made it look like the Proud Boys had obtained the surreptitious video.

Using the stolen voter registration information, as well as other sources, the hackers sent emails supposedly from the Proud Boys to tens of thousands of registered Democrat voters, threatening them “with physical injury if they did not change their party affiliation and vote for President Trump”—something that would be more likely to make voters angry and give them even more incentive to turn out to vote for Democratic candidates, including Joe Biden.

Finally, the hackers “obtained unauthorized access to the computer network of an American media company” (that the indictment does not identify), which had a management system for the content of “dozens of newspapers and other publications.” On Nov. 4, they tried to access the system to “modify and create content…for further disseminating false claims concerning the election.” They were not able to get into the computer network because the media company had detected their earlier intrusion and, with the help of the FBI, “mitigated the conspirators’ unauthorized access and their log-in attempts failed.”

The Iranian hackers are being charged with violating numerous federal statutes, including computer intrusion, transmitting programs and codes that damaged computers “used in interstate and foreign commerce,” voter intimidation, and the transmission of interstate threats. The indictment has been filed in New York because some of the “False Election Messages,” as the indictment terms them, were sent to individuals, including journalists, located in the Southern District of New York.

These defendants are entitled to a presumption of innocence until they plead guilty or the Justice Department proves its case and obtains a conviction. However, either scenario is unlikely since the U.S. cannot force Iran, designated as a state sponsor of terrorism by the U.S. State Department, to hand them over.

These two defendants may not have been alone in this conspiracy. Consider that the Treasury Department’s Office of Foreign Assets Control has designated their company and four other employees of it subject to sanctions under Executive Order 1384, “Imposing Certain Sanctions in the Event of Foreign Interference in a United States Election.” The State Department has offered a reward of up to $10 million for more information about the activities and location of these defendants.

>>> “Our Broken Elections”: Who Broke Them and Why, and How to Fix Them

The most important points about these indictments are 1) the vulnerability of online voter registration systems and 2) the misuse of social media platforms. There simply is no reason for states to implement online voter registration.

Americans did not have any problems registering to vote using traditional registration methods. What could be easier than simply filling out the one-page voter registration form that all states use and mailing it in or hand-delivering it? Or registering when you get your driver’s license? That system avoids the security problems inherent in providing an Internet gateway–that can be compromised–into a state’s election systems.

It also highlights the other problem inherent in the Internet that we all experience every day as we are bombarded with false, fraudulent, and fake emails and social media postings. If that is the only place where you are getting your information on politics, you are making a big mistake.

This piece originally appeared in The Washington Times