A Department of Homeland Security official on Wednesday told the Senate Intelligence Committee that Russian government-backed hackers targeted as many as 21 states during the 2016 presidential election.
Hackers attempted to penetrate Internet-connected systems related to the elections in up to 21 states, but they were successful only in a small number of them, said Samuel Liles, acting director of the cyber division of the DHS Office of Intelligence and Analysis.
The targeted states were not named, but Arizona and Pennsylvania previously had been identified as states where hackers successfully accessed election systems.
The Russians are continuing to probe state and local systems, and there are persistent vulnerabilities that could lead to some of those systems being compromised, DHS and other officials warned.
Due to the disparate methods of voting and cybersecurity enforcement in different parts of the U.S., the risk to computer-related systems varies from county-to-county. A variety of devices are used to cast votes, and there is little uniformity of processes across polling stations.
Review and Warning
The House Intelligence Committee on Wednesday also conducted a hearing focusing on the impact of Russian hacking on the 2016 elections.
Members of that committee heard testimony from former DHS Secretary Jeh Johnson (pictured above), who was in charge of the department when the actual hacking took place during the final months of the Obama administration.
During that hearing, Johnson reiterated that Russian President Vladimir Putin had ordered the hacking with the intent of influencing the outcome of the U.S. elections. However, he said that no hard votes actually were manipulated at the ballot box level.
When Ranking Member Adam Schiff, D-Calif., asked why the Obama administration had not put out a more forceful warning about potential Russian hacking of the election, Johnson said there were concerns about revealing sources and methods, and that the administration did not want to appear to be taking sides in the November election.
One of then-candidate Donald Trump’s constant themes was that the election was “rigged,” he noted.
State officials have serious concerns about the federal government’s lack of information-sharing about potential threats to state and local voting systems, said Indiana Secretary of State Connie Lawson, president-elect of the National Association of Secretaries of State, in testimony before the Senate hearing.
Those concerns were heightened by threats referenced in a leaked NSA report, she said.
Local Risks
DHS failed to share critical information with states about specific threat information that needed to be acted upon, such as the Russian hackers’ targeting of 21 states, said Kay Stimson, spokesperson for the NASS.
“The general feedback we received from today’s hearing,” she told the E-Commerce Times, “is that state officials are very interested in receiving documented threat intelligence information from DHS so they can use that to protect their systems.”
The lesson from the 2016 election is that even though there have been past attempts to hack into election systems, the latest activities are not the work of “run of the mill” adversaries, said Ken Menzel, general counsel at the Illinois State Board of Elections.
Local officials will have to work with the federal government to step up their game, he told the E-Commerce Times.
“We’re certainly concerned with all the attention on this that [Russia] or somebody else is going to want to get in [to U.S. voting systems] in the future,” Menzel said.
In terms of the mechanics of a democratic voting infrastructure, there is always a balance to be struck between using automation versus manual efforts, according to Mark Nunnikhoven, vice president of cloud research at Trend Micro.
“The automation is there to speed up the counts and increase accuracy, while manual efforts provide verification against mass manipulation and increase voter confidence in the system,” he told the E-Commerce Times.
The biggest step that can be taken is to establish national cybersecurity standards for elections and election-related systems, Nunnikhoven argued.
That approach is partially in place through the National Institute for Standards and Technology, a physical science lab inside the U.S. Department of Commerce, he said, but there’s a need for additional verification and educational efforts at the district level.