The compromise of a highly classified report by an NSA contractor is serious enough, but the poor security measures were worse
The recent disclosure of a document leak from the National Security Agency that contains details about the Russian hacking attempt on a vendor of voter registration software has the making of a spy thriller, even including a perpetrator with a name that might be right out of a James Bond spy thriller.
But as bad as that leak was, the ease with which the Russians penetrated the voter registration software company’s security was worse. Worse yet was the ease at which the Russians penetrated some of the state election officials’ defenses.
The theft of the top secret report on Russian hacking by a former NSA contractor with the unlikely name of Reality Winner is something that the intelligence agency always tries to prevent. But there are some things that even the best security can’t stop and bad faith on the part of a trusted individual is one of them.
The U.S. Justice Department announced on June 5 that it had charged Winner with mailing a classified document that contained details of the Russian hack on a voter-registration system known as EViD to “The Intercept,” news website.
It’s easy to criticize the NSA for allowing Winner to have access to such files, but in reality employees and contractors need access to classified information to do their jobs. Every now and then, there’s a failure in the system, which is what happened here.
Last fall, however, a series of other system failures put the integrity of the 2016 election at risk. While it’s not clear that the Russians were able to were actually able to tamper with election results, the fact that they got access so easily is deeply troubling.
There were two types of failings that gave the Russian hackers access. The first was a phishing attack against a vendor of voter registration software, VR Systems of Tallahassee, Florida. Someone in the targeted company clicked on a link that provided the hackers with access to a database containing the contact information of election officials in several states.
The second attack was another phishing attack, this time with a payload of purported Microsoft Word files. Those emails were crafted to appear to be from the vendor of the voter registration software. The apparent goal was to provide access to voter registration records in several states and then to alter them in a way to create chaos on election day.
Had the software vendor or the states involved had adequate security, the cyber-attack launched by the Microsoft Word files would not have been successful, which is apparently the case in at least some of the states. This may have been partly because the bogus emails used to approach the states were so blatantly phony that state officials recognized them as such and complained to the software vendor.