After Major Cyberattack, Election Commission Still Vulnerable

January 2, 2014 Updated: January 2, 2014

Chinese hackers took the government shutdown in October as an opportunity to attack the Federal Election Commission (FEC) and brought the department to a standstill. A new audit shows that the gaps in the FEC security used by the hackers remain open.

The Chinese state and its military organs are known to run a sophisticated overseas hacking network, focused on gaining government intelligence, diplomatic information, and business secrets. Such information can be used by the regime to push for advantage in negotiations with the United States, or deploy American technology in its own industry. 

A report from the Center for Public Integrity said the Chinese hackers crashed FEC computers that “publicly disclose how billions of dollars are raised and spent each election cycle by candidates, parties, and political action committees.” Information about U.S. elections and their financing could be potentially valuable for Chinese intelligence services. 

The audit that revealed continued gaps in security was conducted by Leon Snead & Company under a contract from the Office of Inspector General. It was released Dec. 30.

It states the department uses the same, simple and “relatively intuitive” password for all its encrypted laptops assigned to contractors.

Even though the FEC was told of the vulnerability in a 2010 audit from the Office of Inspector General, which said the passwords “could be easily guessed or ‘hacked,’” the recent audit notes the FEC is still using the same passwords.

It also finds the department lacks a strong Internet Technology (IT) department to meet the government’s minimum security requirements.

“As a result, FEC’s information and information systems have serious internal control vulnerabilities and have been penetrated at the highest levels of the agency, while FEC continues to remain at high risk for future network intrusions,” it states.

It also said the FEC, “unlike other federal agencies that are exempt from the Federal Information Security Management Act,” had declined to use IT security controls and techniques from the National Institute of Standards and Technology.

The recent audit comes on the heels of a Dec. 17 report from the Center for Public Integrity, which exposed that Chinese hackers had breached the FEC during the government shutdown. It cites FEC leaders calling it the most serious act of sabotage in the department’s 38-year history.

The Federal Information Security Management Act of 2002 requires federal agencies to implement and document security systems to guard against cyberattacks and breaches. The program is assigned to the National Institute of Standards and Technology and the Office of Management and Budget.

The FEC submits its reports to the Office of Management and Budget. The FEC was created by Congress in 1975 to enforce laws on the financing of federal elections.

Epoch Times confirmed the attacks with a S.Y. Lee, a Department of Homeland Security (DHS) representative. Lee said in an email on Dec. 17 the investigation into the attacks were ongoing, but noted, “There are no indications that any sensitive information or other personal data was compromised.”

Cyberattacks are common fare for U.S. government departments. A DHS official told Epoch Times in an email that in fiscal year 2013, federal agencies, critical infrastructure, and industry partners of the DHS had more than 228,700 “cyberincidents.”

Follow Joshua on Twitter: @JoshJPhilipp