Top election officials in two states say the Department of Homeland Security gave them faulty information last week when it said Russian hackers scanned their election systems last year.
The accusations underscore the persistent barriers in information sharing as the federal government and states try to respond to hacking in last year’s election. DHS informed election officials in 21 states on Friday that Russian hackers had tried to access voter information, the first time many states found out they had been targeted. DHS has faced criticism for being slow to share information with states.
Now election officials in Wisconsin and California say DHS has provided them with additional information showing that Russian hackers actually scanned networks at other state agencies unconnected to voter data. In Wisconsin, DHS told officials on Tuesday that hackers had scanned an IP address belonging to the Department of Workforce Development, not the Wisconsin Elections Commission.
California Secretary of State Alex Padilla (D) said in a statement Wednesday that DHS gave his office additional information saying hackers had attempted to target the network of the California Department of Technology’s statewide network and not the secretary of state’s office.
“Last Friday, my office was notified by the U.S. Department of Homeland Security (DHS) that Russian cyber actors ‘scanned’ California’s Internet-facing systems in 2016, including Secretary of State websites. Following our request for further information, it became clear that DHS’ conclusions were wrong,” Padilla said in a statement. “Our notification from DHS last Friday was not only a year late, it also turned out to be bad information. To make matters worse, the Associated Press similarly reported that DHS has reversed itself and ‘now says Russia didn’t target Wisconsin’s voter registration system,’ which is contrary to previous briefings.”
Scott McConnell, a DHS spokesman, said in a statement the agency stood by its assessment that 21 states were targeted by Russian hackers last year. He suggested hackers still could have targeted election records, even if they did not target the IP addresses of the state’s election body.
“This assessment was based on a variety of sources, including scanning detected from malicious IP addresses and intelligence information that cannot be publicly disclosed,” McConnell said in the statement. “While we defer to each state whether to disclose the circumstance surrounding their networks, it’s important to point out that discussions of specific IP addresses do not provide a complete picture of potential targeting activity. The Department stands by its assessment that Internet-connected networks in 21 states were the target of Russian government cyber actors seeking vulnerabilities and access to U.S. election infrastructure.”
“In the majority of the 21 states targeted, only preparatory activity like scanning was observed,” McConnell said in a follow-up statement on Thursday. “In some cases, this involved direct scanning of targeted systems. In other cases, malicious actors scanned for vulnerabilities in networks that may be connected to those systems or have similar characteristics in order to gain information about how to later penetrate their target.”
Hackers can look broadly for a vulnerability to access the information they want, said Candice Hoke, the founding co-director of Center for Cybersecurity and Privacy Protection at the Cleveland-Marshall College of Law.
“The key point here is that hackers are quite knowledgeable about network configuration blunders that allow access to a sought system or resource — like election operations — via a less valuable asset that is internet facing or less well defended,” she wrote in an email. “Unquestionably, hackers will attempt to gain access to election and other mission critical governmental systems through systems having no connection to elections. They often are simply exploring to see what’s possible, what network architecture mistakes can be exploited.”
While 21 states were targeted last year, DHS has said almost all of the attempts were unsuccessful, and state election officials have compared the effort to a burglar checking the locks on doors. Only in Illinois did hackers access voter information.
DHS says there’s no evidence any votes were changed because of hacking.
President Donald Trump has downplayed Russia’s efforts to influence last year’s election, only saying that the country was “probably” behind those attempts. U.S. intelligence agencies have said they’re certain Russia was behind attempted breaches.
The 21 states DHS said were targeted last year are: Alabama, Alaska, Arizona, California, Colorado, Connecticut, Delaware, Florida, Illinois, Iowa, Maryland, Minnesota, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Texas, Virginia, Washington state and Wisconsin.
This story has been updated with a follow-up statement from Scott McConnell.