A group of former top intelligence and cybersecurity officials warned Tuesday that President Donald Trump’s voter fraud probe was creating a database of voters’ personal information that was a ripe target for hackers and could contain serious security vulnerabilities.
Over the summer, Kansas Secretary of State Kris Kobach, the Republican who is leading the probe, sent a letter to election officials in all 50 states requesting all publicly available voter information, including, if possible, the last four digits of social security numbers. It’s not entirely clear yet what the commission plans to do with the information, but officials have expressed interest in comparing the voter information against various federal databases ― such as a Department of Homeland Security list of non-citizens ― to try to identify people who are on the rolls illegally. Experts are skeptical that that would be a reliable way to find voter fraud, which several studies have shown is not a widespread problem.
Most of the signers of the brief were former Obama administration officials, including James Clapper, the former director of national intelligence. They filed the brief in a lawsuit against the commission warning that compiling a vast set of personal information on all Americans was extremely dangerous and would create a “treasure trove” for hackers and likely be targeted by hostile nations. DHS has determined Russian hackers scanned voting systems in 21 states during the 2016 election.
“A database that contains large volumes of [personally identifiable information] is an extremely attractive target for cyberattacks. Hackers seek to exploit this type of information for a number of reasons, ranging from ordinary criminal profiteering (e.g., to commit identity theft or to sell the information on the black market for others to commit identity theft) to intelligence collection by hostile nation states or non-state actors. The bigger the database, the greater the payoff from a potential breach,” they wrote in the brief.
The commission has not been consistent in saying how it plans to store the information. It initially said it would store the data on a secure Department of Defense server, but after that raised legal questions, it reversed course and said only the White House would handle the information and store the data.
The intelligence officials said it was unclear what safeguards were in place to protect the data in the White House system.
“This new platform is effectively being tested for the first time through the ingestion of millions of data points about American voters. Additionally, the White House’s Information Technology staff does not have the same technical resources at its disposal to maintain large-scale databases as the Department of Defense,” the brief says.
Charles Christopher Herndon, the director for White House information technology, has said only a limited number of staff would have contact with the server, but the security experts said vast resources were needed to work on a system that is frequently the subject of cyberattacks.
“There is no indication that the Commission has taken the appropriate additional measures, and allocated the necessary additional resources, to fortify its database against these risks,” the brief says. “Given that attempted attacks against White House unclassified networks are regularly reported in the media (and therefore should be well known to the Commission), this suggests an overall lack of attentiveness to the magnitude and gravity of the cybersecurity risks posed.”
In addition to Clapper, the former officials who signed the brief included Andrew Grotto, a former senior director of cybersecurity policy at the White House from 2016 until 2017; Nancy Libin, the chief privacy officer at the Department of Justice from 2009 until 2012; and Paul Rosenzweig, a former deputy assistant secretary for policy at DHS from 2006 to 2009.
In an October court filing, the commission disclosed it had received data from 19 states. Andrew Kossack, a federal official charged with running the operations of the commission, said in a different legal filing that the commission’s staff wasn’t currently doing anything with the data because it faced multiple lawsuits.
The Public Interest Legal Foundation, which is run by J. Christian Adams, a member of the probe who is close to Kobach, suggested in a tweet the security concerns in the brief were overblown.
The brief was filed in support of a lawsuit brought by Common Cause, a left-leaning watchdog group. The suit argues the commission violated the 1974 Privacy Act, which says agencies can “maintain no record describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to and within the scope of an authorized law enforcement activity.” In August, a federal judge denied a request by Common Cause to halt the commission’s work while the litigation was pending.