• United States



Russian hackers targeted election systems in 21 U.S. states

Sep 25, 20174 mins
CyberattacksHackingInternet Security

The Department of Homeland security notified 21 U.S. states about Russia trying to hack their election systems before the 2016 election.

07 vote
Credit: Thinkstock

The Department of Homeland Security (DHS) finally notified election officials in 21 U.S. states about Russia trying to hack their election systems before the 2016 election.

“It is completely unacceptable that it has taken DHS over a year to inform our office of Russian scanning of our systems, despite our repeated requests for information,” said California Secretary of State Alex Padilla. “The practice of withholding critical information from elections officials is a detriment to the security of our elections and our democracy.”

Padilla pointed out that DHS lied to the U.S. Senate Intelligence Committee when the agency testified in July, saying “the owners of the systems within those 21 states have been notified.” In Padilla’s words, “This was simply not true, and DHS acknowledged they failed to contact us and ‘two or three’ other states.”

Although DHS did not release a list of what states the agency notified, the Associated Press reported the 21 states targeted by Russian hackers included Alabama, Alaska, Arizona, California, Colorado, Connecticut, Delaware, Florida, Illinois, Iowa, Maryland, Minnesota, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Texas, Virginia, Washington and Wisconsin.

DHS told most of the states that “Russian government cyber actors” targeted and scanned the systems — including voter registration systems — but not vote tallying software. Illinois admitted hackers had breached its voter system. Arizona admitted hackers stole a username and password of a Gila County election official, but no voter registration system was compromised.

According to statements released by state officials, the other 19 states were targeted but allegedly not compromised. The Washington Post pointed out that Maryland and North Dakota have yet to comment about “the success or failure of any cyber attack.”

DHS told TechCrunch it is up to each state to decide if it wants to make the information public.

Sen. Mark Warner (D-Va.), vice chairman of the Senate Select Committee on Intelligence, also found it to be “unacceptable that it took almost a year after the election to notify states that their elections systems were targeted.”

Warner’s public statement added, “While I understand that DHS detects thousands of attempted cyber attacks daily, I expect the top election officials of each state to be made aware of all such attempted intrusions, successful or not, so that they can strengthen their defenses — just as any homeowner would expect the alarm company to inform them of all break-in attempts, even if the burglar doesn’t actually get inside the house.”

Elsewhere, California Congressman Adam Schiff, the top Democrat on the House Intelligence Committee, tweeted, “DHS in future must notify states of attempted election hacking in real time, not a year later. And all states must fortify election systems.”

Remember when states accused DHS of trying to hack their election systems?

Back in June, DHS cybersecurity official Jeanette Manfra admitted that DHS discovered in early October “that internet-connected election-related networks, including websites, in 21 states were potentially targeted by Russian government cyber actors.”

If DHS was aware of this in October 2016, then it seems that when the department was accused of trying to hack election systems in several states, that would have been a perfect time to explain why.

Instead, DHS issued denials about running any “cyber hygiene scan prior to the election” without first obtaining permission. A DHS spokesman said, “When DHS conducts a cybersecurity scan of a network or system, we do so only with the cooperation and consent of the system owner.”

However, Indiana, for example, said it did not give DHS permission, yet “the attempted hacks occurred tens of thousands of time over a period of 46 days.” Indiana Secretary of State Connie Lawson said, “Between November 1 and December 16, we were scanned with about 14,800 scans, nearly 15,000 different times.”

Although similar DHS-tried-to-hack-us accusations were made by Idaho, Georgia, West Virginia and Kentucky, none of those states were among the 21 informed that Russia had targeted their election systems.

More on the 2016 election hacking:

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.