State IT and elections officials struggled to communicate, says Senate report on 2016 Russian hacking
The Senate Intelligence Committee on Thursday released the first volume of its report on the Russian government’s attempts to interfere with states’ voting infrastructure during the 2016 presidential election, following more than two years of investigations.
The 67-page document lays out how hackers affiliated with Russia’s Main Intelligence Directorate, or GRU, used a variety of hacking methods to attempt to gain access to states’ voter registration databases and election results websites in nearly two dozen states. It also shows how election officials were not always sufficiently informed about cyberthreats aimed at the systems they operate and that communications between states’ information technology leaders, their elections chiefs and the U.S. Department of Homeland Security were often lacking.
The Senate report, which was compiled from hearings, staff interviews with state officials and DHS reports, removes the names of most states, though the particulars of many of the cyberattacks listed in the document have been detailed previously. Of the 21 states known to have had their voter registration databases probed in 2016, only Illinois, where the GRU succeeded in getting access, is named.
“Russian cyber actors were in a position to delete or change voter data, but the Committee is not aware of any evidence that they did so,” the report reads.
Elsewhere around the country, the GRU continued to use a variety of methods to attempt to penetrate states’ election systems, including spearphishing email campaigns, SQL injections and vulnerability scans using commercially available software. In one state, identified in the report only as “State 6,” the GRU used a vulnerability scanner called Acunetix to probe the entire state’s IT infrastructure, and targeted the websites and web applications operated by the secretary of state’s office, including the sites that post unofficial vote counts on election days, which are relied on by the public to learn the outcomes of races.
Another state, referred to as “State 10,” was subjected to 1,500 SQL injection attacks from IP addresses based in Poland, plus several more linked to IP addresses in the Netherlands and the United States. Officials in State 10 said those attempts were “very loud,” but that an IT contractor they retained to investigate linked the attack to Russia, calling it a “sneak in the back.” The descriptions for the cyberattacks against most of the other states’ election infrastructure go on to say the hacking attempts were “blocked” or otherwise unsuccessful.
Communication breakdown
While the Intelligence Committee report lists the GRU’s many attempts to breach U.S. election systems, more unsettling may be its numerous descriptions of shoddy communications between the Department of Homeland Security, election officials and the state IT agencies that may have had the expertise to help repel malicious cyber activity.
In particular, the report states that an October 2016 alert from the Multi-State Information Sharing and Analysis Center, which serves as a clearinghouse for state IT agencies for information about the latest cyberthreats, listed specific IP addresses scanning government websites but did not specify the Russian threat, and thus was not widely shared with election officials.
“At no time did MS-ISAC or DHS identify the IP addresses as associated with a nation-state actor,” the Senate report says. “Given the lack of context, state staff who received the notification did not ascribe any additional urgency to the warning; to them, it was a few more suspect IP addresses among the thousands that were constantly pinging state systems. Very few state IT directors informed state election officials about the alert.”
The committee also flagged DHS for often contacting state IT agencies but not elections officials, which proved problematic as IT workers did not see the special nature of cyberthreats against the voting process.
“[T]he IT professionals contacted did not have the context to know that this threat was any different than any other scanning or hacking attempt, and they had not thought it necessary to elevate the warning to election officials,” the report says. In fact, the report goes on, many states’ elections chiefs did not find out they had been specifically targeted by the GRU until DHS convened a September 2017 conference call.
Individual states told the Intelligence Committee of other instances of failures to communicate effectively about threats they faced. In “State 13,” DHS went directly to a county elections authority to let it know it had been targeted, but did not tell statewide officials. And “State 16” said it found one of the IP addresses listed in the MS-ISAC’s October 2016 alert lurking around its systems, but never got a response after it sent its logs to the information-sharing center for analysis.
‘Unprecedented coordination’
The relationships between state election officials, IT agencies and DHS have rapidly matured since the events detailed by the Intelligence Committee, notably through the federal designation of elections systems as critical infrastructure and the creation of the Elections Infrastructure Information Sharing and Analysis Center, which has nearly 2,000 member organizations between states, local jurisdictions and voting-technology vendors.
State chief information officers have also started to heighten their concern for safeguarding IT systems used in the voting process. In January, Delaware CIO James Collins, the president of the National Association of State Chief Information Officers, said he and his colleagues are starting to understand that their expertise will be critical as elections officials — most of whom do not have technology backgrounds — continue to face online threats.
“This is kind of a new fight for the elections folks. But it’s a fight we’ve been in for a very long time,” Collins said at the time.
In Iowa, for instance, Secretary of State Paul Pate has teamed up with the CIO’s office to offer weekly vulnerability scans and regular training exercises to the 99 county auditors that run elections in that state, plus malware protection and intrusion detection services for county auditors who request them.
The National Association of Secretaries of State signed on to a joint statement from DHS’s Government Coordinating Council and Sector Coordinating Council for elections, which praised the EI-ISAC’s quick growth and recent collaborations between federal, state and local officials.
“The 2018 midterm elections saw unprecedented levels of coordination between all levels of government and the private sector election companies, and the 2020 election will improve on that effort,” the statement said.