States want more from DHS after confusing update on 2016 election hacking activity
U.S. states targeted by Russian hackers last year are pushing back after the Department of Homeland Security provided what they say is inaccurate information about attempts to breach their election systems prior to Election Day.
The election administrative offices in California, Wisconsin and Texas said this week that the information provided to them by DHS failed to prove that Russian hackers had either attempted or were successful in breaching state election systems, which includes products sold by contractors and used by states for voter registration and vote tabulation.
People familiar with the matter told CyberScoop that the information provided by DHS last week is in fact accurate, but clearly incomplete. The evidence provided to states failed to give the necessary context needed to explain how certain activities aimed at adjacent, interconnected internet systems could impact election-related technology.
A DHS spokesperson confirmed the department had in recent days provided clarifications to states about this information, indicating that the original briefing left out some explanatory details.
“DHS has made an effort to respond quickly to questions and requests for further information from states following Friday’s calls, and we have provided additional information and clarity to a number of states,” said spokesperson Scott McConnell. “DHS’s assessment was based on a variety of sources, including scanning detected from malicious IP addresses and intelligence information that cannot be publicly disclosed.”
Some of the evidence collected by the government, which is relevant to state officials, remains secret.
“In the majority of the 21 states targeted, only preparatory activity like scanning was observed. In some cases, this involved direct scanning of targeted systems. In other cases, malicious actors scanned for vulnerabilities in networks that may be connected to those systems or have similar characteristics in order to gain information about how to later penetrate their target,” said McConnell.
Texas, one of the targeted states, found issue with the agency’s evidence. The Texas Secretary of State Office reacted by issuing a public statement.
“DHS initially informed our office that our public-facing web site (sos.texas.gov, which contains no voter information and is not connected to any of our state’s elections systems) was targeted in October of 2016,” said Sam Taylor, a spokesperson for the Texas Secretary of State Office. “It turned out that another agency’s web site, which is unrelated to elections altogether, was scanned but not infiltrated in July of 2016.”
Another state, Ohio, was less critical of DHS.
“The Department of Homeland Security (DHS) informed us of what we already knew – there was no breach of Ohio’s election system in 2016. Last summer, there was an attempt to find a weakness in our system. It lasted less than a second and failed,” said Ohio Secretary of State spokesperson Sam Rossi. “DHS’ internet security contractors considered it to be a non-event and did not report it to Ohio officials at the time.”
“Bottom line – Ohio’s elections system was not compromised,” Rossi stated.
The misunderstanding highlights a broader frustration for state and local government officials who say they have not been properly briefed on all of the malicious cyber activity that occurred in the 2016 presidential campaign cycle.
This disappointment has prompted a search for answers.
Some state election officials asked for evidence from the government after several senior U.S. officials stated publicly earlier this year that more than 20 states were targeted by Russia, people familiar with the exchanges told CyberScoop on condition of anonymity to discuss private conversations.
For some state officials, it was not until Sept. 22 that additional details came from Washington, including the publicly available comprehensive list of the targeted states by name.
On Wednesday, acting Homeland Security Secretary Elaine Duke told lawmakers that her department would work to better coordinate the sharing of valuable intelligence concerning cyberattacks against state election-related systems in the coming year.
Although state governments are primarily responsible for defending their own election infrastructure, they can and are often encouraged to request help directly from federal agencies, specifically from DHS and FBI. Duke told lawmakers Wednesday she hoped to see more states proactively reach out to DHS and the broader federal government for assistance in the coming months.
There is no publicly available evidence to suggest that 2017 presidential election results were significantly altered as a result of Russia’s hacking efforts. Preparations are already beginning, in D.C. and across the country, to ensure that the 2018 congressional campaign season is free of meddling hackers.
Zaid Shoorbajee contributed to this report