Additional reporting by Sam Thielman
It’s been more than three months since the Department of Homeland Security made the shocking revelation that election systems in 21 states were “potentially targeted” by Russian hackers. Yet, understanding what happened where and why some state officials were kept in the dark is still quite convoluted.
The DHS took a major step forward, about a week and a half ago, in bringing about some transparency, by officially notifying the 21 states that had been “targeted.” But even the way that disclosure went down was messy, and prompted some states — some rightfully, some in a bit of posturing — to publicly bash the DHS for the unneeded confusion.
“We spent a lot of time unnecessarily trying to figure out who knew what when,” Reid Magney, a spokesperson for Wisconsin Elections Commission, told TPM Friday, after the commission said in a statement that the DHS had “incorrectly claimed” that Wisconsin had previously been aware of the Russians’ attempted hack.
California’s Secretary of State Alex Padilla issued a blistering statement Friday slamming the DHS for being “a year late” and giving the state “bad information.” Texas Secretary of State Rolando Pablos, on the same day, sent DHS a letter calling for it to “correct its erroneous notification.”
Even Sen. Mark Warner (D-VA), one of the lawmakers leading Senate Intel’s Russian investigation joined the pile-on last week, telling reporters he found it “very disappointing that it took until last Friday for the Department of Homeland Security to identify the 21 states that the Russians tried to interfere with in terms of our electoral systems.”
Beneath the pissing match were legitimate issues that federal officials faced, as well as the typical bureaucratic ham-handedness that stands to get even more twisted up when dealing with an issue as complex as cybersecurity.
The DHS said that its assessment was at least partially based on “intelligence information that cannot be publicly disclosed.” State officials said there was miscommunication among their contacts in the federal government about who on their staffs had and should have been notified about the potential Russian instructions. There’s some disagreement about whether certain types of cyber activity should actually be called attempted hacking—and sensational headlines written by media outlets that have very little information to work off of didn’t necessarily help sort through those nuances.
Warner and the chair of the Senate Intel Committee, Sen. Richard Burr (R-NC), have been asking for more transparency about what officials know about attempted Russian cyber-intrusion since the June hearing in front of their committee. The key testimony came from a top cyber official at DHS, Samuel Liles, who said that by “late September , we determined that internet-connected election-related networks in 21 states were potentially targeted by Russian government cyber actors.”
The hearing also included some state elections officials who had seen attempted hacks on their systems. But even then, after Liles’ announcement, state officials said they were unaware that Russians had been the perpetrators. Some states reached out directly to the DHS after the hearing to find out if they were among the 21. A Connecticut official says they were told at the time that the information was classified.
Other states took to heart what another DHS cyber analysis official, Jeanette Manfra, said in the June Senate Intel hearing: “All of the system owners within those states are aware of the targeting.”
“They said, ‘if you were one of the targeted ones, we already told you,'” Wisconsin’s Magney told TPM. “And then everybody asks us and says ‘Were you targeted?’ And we say, ‘We haven’t heard anything, so we assume we were not!'”
It turns out that Russians were in fact, behind an unsuccessful attempt to breach Wisconsin’s system through an ad that appeared on a state employee’s computer. But Wisconsin, like other states who also had been previously aware of suspicious activity, only found out last month that that activity was among what DHS had determined to be Russian targeting.
For some states, the way DHS went about informing them also added to the confusion. That Thursday, Sept. 21, the DHS held a conference call with officials from states across the country giving them the heads up that the 21 states would be notified that Friday. According to some of the state officials, concerns were raised on the call about the time it would take to call each state one-by-one, and the possibility of some of the disclosures getting out before all of the states were informed.
DHS, it appears, tapped multiple department officials to make the phone calls, so the notifications could go out somewhat simultaneously. A number of state officials told TPM that the message they were delivered sounded like it was read off a script and that if they had extensive follow up questions, they had to get in touch with others at the DHS.
In Wisconsin’s case, it was a claim the DHS had made that the state had already been notified in 2016 of the Russian targeting that needed clarifying. There had been some previous communications about suspicious activity between the DHS and Wisconsin’s technology department, Magney said, but “it never got to the level of saying ‘These are the Russian hacking attempts that we’re talking about.’”
An Arizona official also told TPM last week that the state wasn’t sure if the alert they received from DHS last month was related to a previously known cyber-theft of a local election official’s username and password. Arizona Secretary of State Michele Reagan is meeting with DHS officials this week for more clarification, according to her spokesperson Matt Roberts.
“DHS has made an effort to respond quickly to questions and requests for further information from states following Friday’s calls, and we have provided additional information and clarity to a number of states,” DHS spokesperson Scott McConnell said in a statement. Other state officials praised the DHS for being helpful and responsive in conversations since the Friday call.
As alarming as the DHS findings were, the cyber activity that the bulk of the targeted states experienced is so common, that some state officials were surprised that it was even being described as attempted cyber targeting. The activity is called “scanning” and, as Liles noted, it’s the equivalent of burglar just looking at the windows and doors to see what potential vulnerabilities exist.
“We were not aware that they considered scanning as symptomatic of targeting,” Trevor Timmons, Colorado’s director of technology and information services, told TPM last week. A spokesperson for Iowa’s secretary of state described seeing 6,000 scans or attempted scans each day. The spokesperson for Oklahoma’s secretary of state said that state had half a million scans a year.
“We need to be clear, too, here about exactly what happened here and the fact that these scans were so routine that this particular activity—nothing was breached and they weren’t even knocking on the right doors,” Bryan Dean, the spokesperson for the Oklahoma State Election Board.
There was also some quibbling over whether a scan of statewide networks – as opposed to election-specific networks– should have put a state on the DHS’ list of election systems targeted by Russians. This seems to be the hair that California is splitting in its statement bashing the DHS last Friday, since the scanning occurred on a statewide network. It’s unclear if that sort of logic is why Texas also claimed on Friday that DHS’ conclusions were “erroneous.” TPM’s multiple inquiries to the state went unanswered.
The DHS, in its statement, said that the “Department stands by its assessment that Internet-connected networks in 21 states were the target of Russian government cyber actors seeking vulnerabilities and access to U.S. election infrastructure.”
Regardless, steps are being taken on both sides to smooth the lines of communication. In some states’ elections offices, they’ve sought a security clearance for at least one of their staffers to speed up the disclosure process in the future. And the recent fracas has generally been seen as a learning process.
“I hate to sound like the father at the end of a 1960’s sitcom, but we’ve all learned some very important lessons here. Nobody lost an eye. And going forward we’re in a good place,” Magney said.