A week after the Department of Homeland Security called 21 states to tell them they’d been targeted by Russian hackers, miscommunication and distrust are still rampant between the two sides.
Instead of being seen as a welcomed bit of transparency from the federal agency charged with protecting government offices from cyber intrusions, the DHS notification, a full year after the intrusions were first detected and months after DHS officials had testified before Congress, has led to two states openly bickering with the agency and others saying they still have not been given the details of what took place.
Mark Weatherford, who was DHS's deputy under secretary for cybersecurity from 2011 to 2013, said he's "a little perplexed" about how DHS has handled telling the states that it believes Russian hackers tried to penetrate their systems.
“To say with 100% certainty that a certain actor did a certain deed on the internet is not trivial,” Weatherford told BuzzFeed News. “Transparency is a good thing. But to go and tell Congress without telling the states seems like an odd way to go about this.”
According to DHS’s account, Russian probes of state election systems began in the late summer and early fall of 2016. At the time, DHS said only that an “actor” was scanning election-related systems in nearly half the states; it only later attributed the effort to Russian hackers.
By policy, DHS only informs direct victims of a cyberattack. At the time, DHS adhered to a strict interpretation of that policy, and so no information was passed to the states' top elections officials, but only to third-party vendors and individual county government employees whose systems had been targeted. It’s unclear which third-party vendors DHS alerted in 2016.
With a few exceptions, it’s not clear that the activity ever amounted to serious danger. But state elections officials grew testy as DHS continued to reference the attacks — at a June 21 Senate Intelligence Committee hearing and again a few weeks later at the annual meeting of the National Association of Secretaries of State — without saying which states were affected.
One point of contention was the lack of specificity in DHS's description of what took place, referring to “probing” or “scanning,” something Agnes Kirk, the Washington state's chief information security officer, told BuzzFeed News happens nearly constantly to government systems that are accessible from the internet.
Scanning a system, however, is not the same as breaching it, Kirk pointed out. “People scan our networks all the time,” she said, noting that there was no evidence that any elections systems in her state were breached.
California and Wisconsin have both said that after DHS called them a week ago, they received a follow-up notice that the networks DHS believed were probed weren’t actually related to election systems. For California, it was the state Department of Technology website, which is distinct from the secretary of state's office. For Wisconsin, it was actually the Department of Workplace Development.
Both states lashed out, with a Wisconsin Election Commission Chair Mark Thomsen telling the Associated Press, “Either they were right on Friday and this is a cover-up, or they were wrong on Friday and we deserve an apology.” California Secretary of State Alex Padilla was similarly annoyed. “Our notification from DHS last Friday was not only a year late, it also turned out to be bad information,” he said.
A DHS spokesman, Scott McConnell, told BuzzFeed News that DHS stands by its initial assessment for each state, indicating DHS's belief that scanning nonelection networks was part of a larger operation.
“Malicious actors scanned for vulnerabilities in networks that may be connected to those systems or have similar characteristics in order to gain information about how to later penetrate their target,” he explained.
DHS has information sharing relationships with US spy agencies that deal in highly classified information, like the FBI, CIA, and National Security Agency, which McConnell indicated can make it difficult to fully convey the details of what those Russian probes implied. “This assessment was based on a variety of sources, including scanning detected from malicious IP addresses and intelligence information that cannot be publicly disclosed,” he said.
In August, DHS invited each state's election chief to begin the process of acquiring a security clearance. It takes about a month to get an “interim” clearance.
After DHS’s response, California declined to comment. Thomsen, however, issued a follow-up statement for Wisconsin on Friday, now saying “In 2016, Russian government cyber actors unsuccessfully targeted Wisconsin’s voter registration system,” adding that DHS had actually aided the state’s Division of Enterprise Technology.
“Because DHS did not previously inform DET or WEC of its conclusions, we were surprised by the DHS notification last Friday, and the resulting confusion over the past week has been an unnecessary distraction,” Thomsen said.
Some state government employees confirmed to BuzzFeed News that they'd been contacted by DHS last year, often through the Multi-State Information Sharing and Analysis Center, a nonprofit that partners with DHS to alert states of cyberthreats. Those state employees said they weren’t aware at the time that their state was part of a larger Russian government operation.
“In the summer of 2016, we received the first set of info from MS-ISAC, FBI, DHS: a specific set of 13 or 16 IP addresses,” Trevor Timmons, a spokesman for the Colorado Department of State, told BuzzFeed News. A second notice from the FBI, he said, came as Election Day neared, and gave more than 600 additional indicators, including IP addresses, domain names, and attack patterns to watch for.
“We feel very confident that nothing beyond scanning was seen,” Timmons said. “We got to looking at specific indicators they were providing. Even before that was concluded, we blocked those IP addresses.”
Officials in Connecticut tell a similar story.
“A half-dozen members of our security services division got the security alert on Oct. 6, 2016,” said Jeffrey Beckham, counsel at the Connecticut Department of Administrative Services. MS-ISAC sent an alert to the Secretary of State’s IT department, not specifying the Russian government, he said, but it warned of a particular IP address.
Connecticut’s security, Beckham said, “was able to discern that all traffic by that group was detected and blocked by our own intrusion and prevention systems.”
While DHS has said there is no evidence vote tallies were changed — though it's also admitted it’s never conducted a formal survey to confirm the assertion — it did say that hackers were able to breach voter registration databases in several states.
Two states, Illinois and Arizona, have acknowledged their registration systems were breached, though they say no files were altered. A hacker who gained access to voter rolls could affect the outcome of an election by marking, for example, every few citizens in a closely contested county as having already voted. But there is no evidence that such an effort took place.
Kevin Collier is a cybersecurity correspondent for BuzzFeed News and is based in New York.
Contact Kevin Collier at firstname.lastname@example.org.
Got a confidential tip? Submit it here.