The Department of Homeland Security today confirmed that "election-related systems" in 21 states were targeted by hackers during the 2016 campaign.
There is no evidence that the votes themselves were changed, but election-related networks, including websites, in 21 states were "potentially targeted by Russian government cyber actors," Jeanette Manfra, Acting Director of the National Protection and Programs Directorate at DHS, told the Senate Intelligence Committee today.
"A small number of networks were successfully compromised, there were a larger number of states where attempts to compromise networks were unsuccessful, and there were an even greater number of states where only preparatory activity like scanning was observed," Manfra said in her prepared testimony.
Arizona and Illinois have already acknowledged they are two of the 21 states; Manfra declined to name the other 19, citing the importance of protecting their confidentiality.
Sen. Mark Warner of Virginia, ranking member of the committee, was skeptical of this approach. "I do not believe our country is made safer by holding back this information," he told Manfra. Too often in cyber-security cases, "people try to sweep [breaches] under the rug," he argued.
Manfra also declined to publicly reveal how many states had data stolen, or ex-filtrated, saying only that election officials in affected states were aware of the problem. Sen. Warner quizzed Manfra on whether all local officials in a state were aware of any intrusions—"You could have registrars...that would not know?"—but Manfra suggested it was on state officials to disseminate that information.
The hearing comes after Bloomberg earlier this month reported that voter registration databases in 39 states were compromised during the 2016 election cycle.
If vote tallies were not changed in the election, why hack these systems?
Bill Priestap, Assistant Director of the FBI's Counterintelligence Division, said the information is useful for a variety of reasons, some of which he was unable to disclose in an unclassifed setting. But the Russians might be interested in it simply to "understand what it consisted of" so they could "plan accordingly...in regards to possibly impacting future elections and/or targeting of particular individuals," Priestap said.
No matter the intent, "Russia's 2016 Presidential election influence effort was its boldest to date in the United States," Priestap told the committee.
"Moscow employed a multi-faceted approach intended to undermine confidence in our democratic process. Russia's activities included efforts to discredit Secretary Clinton and to publicly contrast her unfavorably with President Trump," Priestap said. "This Russian effort included the weaponization of stolen cyber information, the use of Russia's English-language state media as a strategic messaging platform, and the mobilization of social media bots and trolls to spread disinformation and amplify Russian messaging."
Former DHS Secretary Weighs In
Former DHS Secretary Jeh Johnson echoed that sentiment when he appeared before the House Intelligence Committee, also this morning.
The scale and scope of Russian interference last year was unprecedented, Johnson told the committee. The US not only saw infiltration of systems, but "saw efforts to dump information into the public space for the purpose of influencing the political campaign"—a reference to the DNC emails posted online by WikiLeaks.
Johnson was criticial of the DNC for rejecting the assistance of DHS after the hack was revealed. After the breach was reported, "I was anxious to know whether our folks were in [the DNC] and their response was, 'the FBI had spoken to [the DNC], they don't want our help, they have [security firm] Crowdstrike."
As this was "fresh off" the 2015 hack of the Office of Personnel Management (OPM), DHS was eager to help the DNC make sure its systems were clear, as it did with OPM, Johnson said.
"I recall very clearly that I was not pleased that we were not in there, helping [DNC] patch this vulnerability, [but] DHS does not have the power to get a search warrant and patch their vulnerabilities over their objections," he said.
Johnson was repeatedly quizzed about whether US officials did enough to warn the public about Russia's attempts to interfere in the 2016 election. He pointed to four statements he issued in September and October 2016, particularly the Oct. 7 joint statement from DHS and the Office of the Director of National Intelligence, in which both agencies said they were"confident" the Russian government was behind hacks of US political organizations like the DNC.
Asked why President Obama didn't address the situation himself, Johnson said the administration was "very concerned that we not be perceived as taking sides in the election...injecting ourselves into a very heated campaign, or taking steps to...undermine the election process."
What's Next?
In the weeks leading up to the 2016 election, DHS offered state election boards "cyber 'hygiene' scans of internet-facing systems" as well as risk and vulnerability assessments if officials requested them.
Today, Johnson said DHS "had a dialogue with all but maybe one or two states," and there were 36 states, as well as counties and cities, that signed up for agency assistance. When asked why the feds didn't force the holdouts to submit to an audit, Johnson argued that not everyone likes a visit from Uncle Sam.
"State election officials are very sensitive about what they perceive to be federal intrusion into their process," he said. "I heard that over and over." DHS was also "not interested in a federal takeover."
Related
- Russia's US Election Hacks: Worse Than We ThoughtRussia's US Election Hacks: Worse Than We Thought
The Senate committee, for example, heard testimony today from Indiana Secretary of State Connie Lawson, who said her state "did not take the opportunity to do our cyber cleaning because we felt we were in better shape than what [DHS] could provide for us."
This is not a new phenomenon; the feds ran into similar issues with 2002 Help America Vote Act, which was put in place to fix problems that cropped up in the controversial 2000 election. "We made some progress [there], but this is something where I think that a carrot over stick approach is best," Johnson said today.
Johnson suggested grants that state election officials could use to implement minimum cyber-security standards. Ideally, this would happen in a non-election year; "raise awareness when the temperature is down," he suggested.