Leaked NSA hacking report ratchets up pressure on local election officials

Despite new evidence from a leaked NSA report that Russian hackers sought to compromise state and local election technology, the officials in charge are still vigorously opposing the federal designation of their polling systems as critical infrastructure.

“It’s unclear how this situation would change anyone’s opinions about the [critical infrastructure] designation,” Kay Stimson of the National Association of Secretaries of State told CyberScoop. NASS represents the state-level officials responsible for certifying statewide election results. Stimson added that officials didn’t get any additional resources to defend their networks as a result of the January 2017 announcement by the Department of Homeland Security, which many saw as a federal power grab. Federal officials have stressed that state or local participation in any DHS programs is voluntary, and suggested that DHS expertise might be able to help election officials secure themselves against online attacks.

Stimson said officials had asked DHS for a briefing about the leaked information. The document, leaked to The Intercept, is an NSA intelligence report dated May 5. It outlines efforts by hackers described as “actors” of the Russian GRU intelligence agency to compromise the online accounts and computers of companies providing state and local governments with voter registration technology. The hackers also then targeted local government election officials themselves just days before the election.

In a statement, NASS urged federal agencies to notify local election officials about the hacking attempts, which the newly leaked documents show the NSA knew about by April of this year.

Stimson said she didn’t understand why local officials hadn’t been warned already, especially as the ability to share exactly that kind of intelligence warning had been touted as one of the main advantages of the critical infrastructure designation.

Election Assistance Commission Chairman Matthew V. Masterson issued a warning to state and local election administrators. “While phishing attacks are common across all sectors of our society and there is no evidence that this attack targeted voting machines involved in vote tallying of the 2016 Federal Election, this report provides a timely reminder that officials must remain vigilant about election system security,” the warning reads. FBI and DHS are “currently notifying the officials who were targeted by the attack and are coordinating the incident response.”

In a statement issued separately to the newsmedia, Masterson urged “federal agencies that have specific intelligence or resources that could help election officials better secure the election process to share that information with state and local officials as soon as possible.”

Homeland Security Secretary John Kelly said Tuesday that his predecessor’s designation of voting systems in 8,000 jurisdictions across the country as a vital industry — like banking, telecommunications or the power grid — is getting so much pushback, he might reconsider his original decision to go along with it.

“We’re looking at that,” Kelly told a Senate Homeland Security and Governmental Affairs committee hearing, “I’ve had a large amount of pushback on that from states and many members of Congress.”

Kelly will meet Monday with state homeland security advisers and will ask them about the designation, he said.

“I will put that question to them: Should we back off on that?” he said. “I don’t believe we should, but should we back off? Do you see us as partners and helpers in this … to help you make sure your systems are protected?”

State officials, including especially many conservative Republicans who harbored deep suspicions about what they saw as the imperial ambitions of the Obama presidency, regarded the designation as  a federal power grab. Other critics wondered why DHS hadn’t consulted elections officials more before making a decision; why they had included all the physical polling infrastructure in the designation, if the threat was to IT systems; and whether any real benefits would accrue to state and local governments as a result.

In January, U.S. intelligence agencies, in a rare public moment, announced their finding that hackers working for the GRU had sought to interfere in the U.S. election by hacking the emails of Democratic officials and releasing them through WikiLeaks and the hacker persona known as Guccifer 2.0. The hackers also “obtained and maintained access” to the computer networks of “multiple U.S. state or local electoral boards,” the agencies concluded, but added that “the types of systems Russian actors targeted or compromised were not involved in vote tallying,” meaning that they couldn’t have impacted the election results.

But the NSA report shows for the first time that the GRU hackers also targeted the systems of at least one company selling voter registration technology.  Some of the company’s devices are advertised as having wireless internet and Bluetooth connectivity, The Intercept observed, “which could have provided an ideal staging point for further malicious actions.”

“We thought these were cognitive attacks,” said Kenneth Geers, senior research scientist at Comodo, and a former NSA analyst, “attempts to influence votes’ minds… If these reports are correct, Russian hackers were much closer to the central nervous system of our democracy … in the gears and levers of the polling process itself … That is very different.”