Only about half the states whose voter registration systems were probed by Russian hackers ahead of the 2016 election have asked for additional information about the attacks, the Department of Homeland Security has told BuzzFeed News.
DHS notified the 21 states for the first time in September that they'd been subject to the Russian probing, a delay that had angered members of Congress as well as state officials. But since that notification, few of the affected states have asked for further information, according to DHS spokesperson Scott McConnell.
McConnell declined to be more specific about which states had not sought more information. Doing so could violate DHS policy against publicly identifying victims of a cyberattack, he said.
The lack of ongoing contact between the states and DHS raises questions about how closely DHS and the states are working together to defend US voting systems against hacking attempts ahead of next year's mid-term elections. Relations between DHS, which has responsibility for ensuring the integrity of US computer systems, and some state elections officials were tense before the 2016 presidential vote, with some local officials declining a DHS offer to scan their computer systems for signs of intrusions before the voting. Others were resentful of DHS for waiting nearly a year to confirm that their systems had been scanned by Russian hackers.
Most states contacted declined to discuss why they had not sought more information. One, Florida, said it didn't feel the need for a follow-up conversation. “We had the call with DHS in September, and there was just no follow-up,” a spokesperson for the Florida secretary of state told BuzzFeed News. “They gave us the information, we had the information, there was no follow-up.”
Another, Connecticut, said its state election director, Peggy Reeves, sought clarification from DHS to make certain that the hacking attempt DHS detected was being blamed on the Russian government and not simply a "bad actor who just happens to live in Russia." The response from DHS assured her that the Russian government was believed to have been behind the attempt.
Russian hackers successfully breached voter databases in Arizona and Illinois in summer 2016, though they are not thought to have altered any data. The attempts on the other 19 states' systems are thought to have been unsuccessful. Those states, according to an AP survey, are Alabama, Alaska, California, Colorado, Connecticut, Delaware, Florida, Iowa, Maryland, Minnesota, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Texas, Virginia, Washington, and Wisconsin.
More than a year after the attempted hackings, government officials still don't know why the computer systems were being probed. It's unclear if the hackers were conducting a routine probe or had tried to steal or change voter registration information as part of a larger scheme.
Speaking last week at a Council on Foreign Relations event, Sen. Richard Burr of North Carolina, chair of the Senate Intelligence Committee, said “we don’t know” the intent of the attacks.
The Russians’ actions consisted of seeing whether databases were vulnerable to what's known as an SQL injection, a hacking trick so unsophisticated and easy to perform that a former DHS senior official told BuzzFeed News that the agency initially assumed the probe wasn’t the work of a government. SQL is a popular database management language.
The script DHS used in September to inform the states that their computer systems had been probed, a copy of which was obtained by BuzzFeed News, indicates that there were many details lacking in what DHS told the state officials. The one-page script, for example, doesn't include information on how DHS came to the conclusion that the hackers were affiliated with the Russian government.
It suggests state officials who want more information should talk to local voting officials who'd been contacted by DHS earlier.
Kevin Collier is a cybersecurity correspondent for BuzzFeed News and is based in New York.
Contact Kevin Collier at firstname.lastname@example.org.
Got a confidential tip? Submit it here.