DHS officials confirmed for the first time that Russian hackers tried to penetrate voting systems in 21 different states in the run-up to the 2016 election, but said the hacking did not affect election results.
According to Department of Homeland Security officials, Russian hackers probed election-related systems in 21 different states in the run-up to the 2016 election. The officials said they could not disclose the states on that list, other than Arizona and Illinois, which have made their own public disclosures.
Samuel Liles, the acting director of DHS's Office of Intelligence and Analysis Cyber Division, told the Senate Intelligence Committee on June 21 that the probing was akin to walking down a street to see who is home.
He added that in some cases the hackers got inside the door, but what the Russians compromised had no connection to vote tallying.
In January DHS declared election systems to be critical infrastructure that the department must prioritize, but the hearing showed there are still questions and concerns about what that exactly entails.
Jeanette Manfra, DHS's acting deputy under secretary for cybersecurity and communications in the National Protection and Programs Directorate, said the department has been in contact with the "owners" of the affected systems in the 21 states, but could not confirm that all state and local election officials in the targeted states have been made aware that their systems were probed.
"We are currently working with state election officials to ensure communication between the local and the state officials," she said.
Manfra stated it is DHS policy to maintain the privacy of victims of cyberattacks, which is why it cannot disclose which states were affected.
She acknowledged that DHS has not historically engaged with secretaries of state and election officials and they are working through that process. She said DHS is working with states to develop incident response playbooks and is focusing on information sharing to minimize the potential of future hacks.
"We are identifying additional resources, prioritizing our engagement with [states] through information sharing products, identifying... those communication protocols, how do we ensure that we can declassify information quickly should we need to and get it to the individuals who need it," she said.
Manfra added that DHS has yet to conduct forensic analysis on affected systems and is working through the process to do so. She did state that DHS provided warnings to all 50 states before the election to scan their systems for vulnerabilities or signs of intrusion, and that the department provided voluntary technical assistance to some states before the election.
Later in the hearing, however, state officials raised concerns about the information sharing and stated that so far no secretary of state has been authorized to receive classified threat data from DHS. They also echoed concerns raised by state officials when DHS first designated election systems as critical infrastructure, stating that there are no clear parameters for what DHS oversight would actually entail.
"If I have one major request to Congress and the administration other than rescinding the critical infrastructure designation for elections or placing clear parameters on the Executive Order, it would be to help election officials get access to classified information-sharing," said Connie Lawson, Indiana's Secretary of State and president-elect of the National Association of Secretaries of State.
She added that any federal regulations that reduce the diversity and autonomy of state voting systems could actually increase the risk of cyber attacks affecting the outcome of elections.
She said that Indiana did not accept help from DHS in the run-up to the election because the state felt it had a better grasp of its systems and technical needs.
Alex Halderman, a professor of computer science and engineering at the University of Michigan, said that despite assurances from DHS that voting machines and systems are difficult to hack and that any systemic attempt to change votes would be detected, manipulating machines and the outcome of an election is actually quite easy -- because he has routinely hacked voting machines as part of his research.
As FCW reported prior to the November 2016 election, Halderman confirmed that machines are highly vulnerable and that targeting a few machines in a swing county could change the results of a state or national election.
"The key lesson from 2016 is that these threats are real," he said. "Attacking vendors and municipalities could have put Russia in a position to sabotage equipment on election day…successful infiltration of election IT systems also could have put the Russians in a position to spread an attack to the voting machines and potentially steal votes."
Halderman said there are three main steps the U.S. should take to protect elections: update voting machines to modern optical scanners that use paper ballots; conduct regular "risk-limiting audits" to ensure computer results are correct; and apply "cybersecurity best practices to the design of voting equipment and the management of elections."
"If Congress works closely with the states, we can upgrade our election infrastructure in time for 2018 and 2020," he said. "But if we fail to act, I think it's only a matter of time until a major election is disrupted or stolen in a cyberattack."