Springfield (ECWd) -
At a time when the national focus is on our election system and how foreign entities, in this case Russia, have clearly succeeded in destroying the integrity, security, and confidentiality of our data systems, there is one more accomplishment those hackers can now take credit for: destroying citizens' trust in their local government on multiple fronts.
We recently outlined what appeared to be a laundry list of red flags being waved at the State Board of Elections by their Information Technology (IT) person in regards to the security of our personal data in their computer system. We urge the reading of that article to better grasp the magnitude of this situation, as it's much bigger than just our personal data being hacked.
In that article, we referenced how Federal Authorities took steps to protect the citizens after a breach took place where citizens' private information was potentially gathered. We mentioned that because, after the State Board of Elections finally noticed the hack twenty days in, with the private information of anywhere from 70,000 to 500,000 people compromised, they have failed to do their job as required by law.
815 ILCS 530/10 - Notice of a Breach - "(a) Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system."
The Legislature appears to have seen the importance of integrity, security, and confidentiality of the data system and the notification to the people. It's focused on ensuring "We The People" trust our information being in the hands of our government.
The SBE said in 2016, “Due to the ambiguous nature of the attack we may never know the exact number of affected voters.” Two years later, and after the recent Federal Indictment on this matter, the Federal Authorities point to 500,000 as the actual number of people whose information was hacked, as found in this report.
Once that was exposed, the SBE now says: ".....The figure 500,000 referred to in the indictment may have been arrived at using a different methodology prescribed under federal criminal code. As part of our review of the indictment, we will be contacting federal law enforcement to obtain more information on the number referenced in the indictment."
In that same press release, they cite that 76,000 Illinois voters' registration data may have been viewed.
So which is it?
May never know the exact number of affected voters, 76,000 voters, or is it 500,000?
Considering the press release uses the non-committal language "may have been viewed", and there is a huge discrepancy in the actual number of those affected, one thing appears to be true: there are enough unknowns that we can't trust our data system to protect our information.
Regardless, the number of people's personal information being hacked triggers certain obligations. Obligations that are designed for a purpose. That purpose is to restore the integrity, security, and confidentiality of the data system, which is how the public's trust is established and maintained.
We mentioned in our first article on this matter that we would submit a Freedom of Information Act request to determine if the SBE followed the law. Sadly, the response confirmed our suspicion.
When the SBE fails to comply with the mandated law, trust is broken!
815 ILCS 530/12 - Notice of breach; State agency. -(d) If a State agency is required to notify more than 1,000 persons of a breach of security pursuant to this Section, the State agency shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. Section 1681a(p), of the timing, distribution, and content of the notices.
Even though the law mandates reporting the breach to consumer reporting agencies without unreasonable delay, here we are more than two years after the breach and once again we have another State Agency that has failed to follow the law.
A key element to the success of a Constitutional Republic, which is what this country is, is trust. When our elected and appointed public servants fail to follow the law on matters directly relating to our personal information being hacked by foreign powers, we lose a ton of trust. That loss of trust is not just in the system that was hacked but in those officials who failed to follow the law, which most would agree a ten-year-old could comprehend.
I had hoped that, with our first article on this, the SBE would have taken steps to comply with that notification, but such hope was short-lived.
Can it get worse?
Recognizing a cybersecurity threat, our legislature passed Public Act 100-0587, but for now you won't find it in the Compiled Statutes, as someone has failed to update our online laws. A screen capture confirms there is no 1A-55 section found. The law went into effect June 4th, 2018.
So on the surface, we think, great, they are taking steps to ensure our voter data system is protected. Is that the case when we once again telegraph to the world our cybersecurity plans, which are going to be discussed and established in public hearings?
The SBE issued a public hearing notice that did a great job telegraphing to the world, as in any foreign entity who is paying attention, what their rules are going to be as it relates to our cybersecurity. Having been through a few courses when I was in the military on what foreign entities look for to breach our security, I see several points of concern in the Public Hearing notice. I highlighted those items that appear to point to very specific points of interest for any cyber hacker to focus on.
A glaring failure in this plan was the fact there is no mention of how they are going to protect our data from so many different "people" who are going to have access to information. Part of cybersecurity must consider the human factor, and if a bad actor can't hack the system at a state level, the next best thing is a job at the County Clerk's office where they can access that information as part of their daily job at the local level.
Our data is only better protected when we have taken steps to ensure that only properly vetted people have access to our systems and that those systems are properly secured. I have yet to see anything to protect us from the good old-fashioned human intelligence gathering methods. That should make us all very concerned.
- Telegraphed the problem for over a year
- Did little to nothing to listen to the people warning us
- Hacked for twenty days before anyone knew
- Unable to identify with any certainty how many people were impacted
- Failure to follow the law and notify credit reporting agencies to ensure people are better protected
- Telegraph the very plans on how to fix what has been identified
- Failure to pay any attention to the human factor of intelligence gathering when implementing a fix
Wake up People, We ARE under attack!
Paper Ballots anyone?