By MARY CLARE JALONICK
CHRISTINA A. CASSIDY
WASHINGTON (AP) — The United States still doesn’t know — and may never know — the extent of Russian interference in state election systems in 2016, according to bipartisan findings released Tuesday by the Senate intelligence committee. Lawmakers say they do know the U.S. is still vulnerable to such an attack. The Senate committee made the findings public ahead of the panel’s full election security report, which is expected to be released in the coming weeks. The document provides new details about the level of Russian activity during the last presidential election.
The committee found that in at least six states “Russian-affiliated cyber actors” conducted “malicious access attempts on voting-related websites” that went beyond routine scanning previously reported. In a majority of those cases, the Russians used a common hacking technique to attack the states’ public-facing election websites. The committee didn’t identify the six states. The findings were released as votes were counted in four states that held election primaries Tuesday. “Today’s primaries are the next step toward the 2018 midterms and another reminder of the urgency of securing our election systems,” said North Carolina Sen. Richard Burr, the chairman of the panel.
The Department of Homeland Security has previously said there were attempts to hack into the election systems of 21 states, but the extent of the hacking has been unclear in some cases. The Senate report echoes repeated government claims that there is no evidence that vote tallies or voter registration information was manipulated. But the document says hackers successfully penetrated voter registration databases in a handful of cases.
“In a small number of states, these cyber actors were in a position to, at a minimum, alter or delete voter registration data; however, they did not appear to be in a position to manipulate individual votes or aggregate vote totals,” the Senate report says.
Illinois is the only state publicly known to have been breached. The document does not list which other states senators are referring to. The senators make it clear that there are still many unknowns about what happened in 2016. “The committee has limited information about whether, and to what extent, state and local officials carried out forensic or other examination of election infrastructure systems in order to confirm whether election-related systems were compromised,” the findings say. “It is possible that additional activity occurred and has not yet been uncovered.” The findings also issue a stern warning: Russians could have been testing for a future attack.
Election infrastructure is vulnerable in many ways, the document says, noting that many voting systems are outdated and there are a limited number of vendors for voting machines.
In a March hearing, senators on the committee chided the current and former secretaries of Homeland Security for not more strongly warning the American public about the intrusions into election systems and for a lack of urgency to protect balloting this year. The senators also previewed some of its recommendations at that hearing, including urging states to make sure voting machines have paper audit trails and aren’t capable of being connected to the internet.
Lawmakers in both chambers have also pushed for better communication among the various U.S. intelligence agencies and federal, state and local governments about cyber threats and vulnerabilities in computer systems. The Senate report also urges state and local officials to take advantage of Homeland Security Department resources, such as comprehensive risk assessments and remote scanning of their networks to spot vulnerabilities. But Homeland Security is still working through a backlog of requests for the risk and vulnerability assessments, which typically take two weeks and include an onsite visit. So far, just nine of 17 states have had the security reviews since the 2016 election.
And the number of states requesting them is likely to grow. Election officials in 28 states said they wanted Homeland Security to conduct the risk assessments of their election systems, according to a recent 50-state survey by The Associated Press. The Senate report says the department was slow to act in 2016 but “states now largely give DHS credit for making tremendous progress” over the last six months. The committee recommends DHS “expand capacity” to reduce wait times for its cybersecurity services, and the agency has pledged to complete every risk assessment that is requested before November. The top Democrat on the intelligence panel, Virginia Sen. Mark Warner, says he is still concerned the country is unprepared.
“That’s one reason why we, as a committee, have decided that it is important to get out as much information as possible about the threat, so that governments at every level take it seriously and take the necessary steps to defend ourselves,” Warner said. The intelligence panel is one of several congressional committees investigating Russian interference in the 2016 election. The committee is expected to put out several other reports, including a review of the intelligence community’s assessment of the interference, a look at Russian efforts to influence U.S. voters through social media and an analysis of whether President Donald Trump’s campaign colluded with Russia.