Russian-linked hackers had the ability to alter or delete voter registration information in a handful of states during the 2016 election, but there’s no evidence they did so, according to a Senate report released Tuesday.
The Department of Homeland Security has previously publicly acknowledged that Russians scanned systems in 21 states and were able to “penetrate” a handful. But cybersecurity experts say the report Tuesday from the Senate intelligence committee offers new details on what exactly Russian-backed hackers could have done once they got inside election systems.
“In at least six states, the Russian-affiliated cyber actors went beyond scanning and conducted malicious access attempts on voting-related websites. In a small number of states, Russian-affiliated cyber actors were able to gain access to restricted elements of election infrastructure,” the report says. “In a small number of states, these cyber actors were in a position to, at a minimum, alter or delete voter registration data; however, they did not appear to be in a position to manipulate individual votes or aggregate vote totals.”
The report, part of the Senate intelligence committee’s inquiry into Russian interference in the 2016 election, says the committee saw “no evidence” any votes or voter registration information was altered or changed.
“The report paints a clearer picture of the overall Russian cyber campaign than I’ve previously seen, leaving no doubt that the voter registration system attacks are just the beginning of what we can expect,” J. Alex Halderman, a computer science professor at the University of Michigan, wrote in an email. He added that the report notes the attacks may have been a practice run for more sophisticated attacks in the future.
“If jurisdictions are not prepared for this kind of thing, it could lead to long lines and lost votes.”
“We knew that there was an actual breach of the Illinois voter registration system (but apparently no success in altering registration data),” Lawrence Norden, deputy director of the Democracy Program at the Brennan Center for Justice, noted in an email. “I am not aware of any other state that has acknowledged cyber actors gained access to restricted elements of the election infrastructure.”
Altering voter registration could mean a number of things, including potentially removing people from the voter rolls.
“If jurisdictions are not prepared for this kind of thing, it could lead to long lines and lost votes,” he said. States can take steps to mitigate confusion, he added, by regularly auditing their rolls, backing up information and having a contingency plan in place on Election Day.
The Senate report says that the Russians undertook “a wide variety of intelligence-related activities targeting the U.S. voting process” beginning at least as early as 2014 and continuing to Election Day. Those activities included “operations likely aimed at preparing to discredit the integrity of the U.S. voting process and election results.”
The report is based on information self-reported by the states as well as assessments from DHS and the FBI. The committee conceded there were “collection gaps” in its assessment of Russian activity and that there may have been more undetected activity. Halderman said he believes the gaps “very likely” included attacks on vendors who supply vital election infrastructure to the states.
A National Security Agency document leaked last year said Russians likely hacked one election vendor. The company denies it was breached. The Senate report expresses concern that the companies that provide actual election equipment to different jurisdictions could be a ripe target for hacking.
“State local, territorial, tribal, and federal government authorities have very little insight into the cyber security practices of many of these vendors, and while the Election Assistance Commission issues guidelines for Security, abiding by those guidelines is currently voluntary,” the report says.
In the lead-up to Election Day, DHS inadequately responded to the cyberthreat, the report said, and the agency was “not well-positioned” to assist states in responding to a cyberthreat from Russia. While it attempted to contact state information technology officials about the general election security threat, the agency was unable to convey its specificity and severity. The report notes that the agency was caught in a kind of Catch-22 ― it wanted to inform states about a very real threat without creating the impression that U.S. election infrastructure is vulnerable to a breach.
The report notes that DHS and the states have made improvements and are working together more effectively now to address election security. Congress also recently approved $380 million for election security in states.
The committee also offered a series of recommendations to enhance security, including improving information sharing between states and DHS, conducting risk-limiting audits, installing monitoring sensors on state election systems and requiring that any voting machine purchased in the future have no Wi-Fi capabilities and leave a paper trail.
Candice Hoke, a co-founder of the Center for Cybersecurity and Privacy Protection at Ohio’s Cleveland-Marshall College of Law, said Americans should now presume that hostile adversaries know where vulnerabilities are in U.S. election infrastructure.
“They may use this info strategically in 2018,” she wrote in an email, “or could test disruptive activities in 2019 in preparation for 2020.”