DHS notified 21 states Friday that hackers targeted state voting systems ahead of the election
California on Wednesday joined Wisconsin in saying DHS had been incorrect in its initial assessment
Tension between state election officials and the Trump administration is only growing after two states say they were misinformed by the Department of Homeland Security about Russian government-linked hacking, further prolonging a months-long dispute over delayed information from the federal government.
California and Wisconsin say DHS was incorrect in its initial assessment that their states’ systems connected to election administration were targeted by Russian hackers.
The latest flap started September 22, when the Department of Homeland Security sought to notify state election officials on whether their states were among those targeted during last year’s presidential election. DHS previously said that 21 states’ election-related systems had been targeted – but had never said which ones were on the list.
By Wednesday, DHS had to revise its alerts to both California and Wisconsin.
California Secretary of State Alex Padilla issued a statement Wednesday announcing that information initially provided by DHS that his state’s election systems had been targeted was actually incorrect – saying a state system completely separate from elections was impacted.
“Russian scanning activity occurred on the California Department of Technology statewide network, not any Secretary of State website,” Padilla said in a statement.
Wisconsin was in a similar situation, saying Tuesday it was misinformed by DHS.
“The hackers may have thought they were scanning Wisconsin’s elections systems, but they were actually scanning Wisconsin’s Department of Workforce Development,” Reid Magney, spokesman for the Wisconsin Elections Commission, told CNN. “It appears that DHS believed the scanning was of Wisconsin’s election system because scanning activity from the same IP address was directed at elections authorities in other states.”
Despite the statements from Wisconsin and California, DHS says it stands by its assessment that 21 states were affected.
“The department stands by its assessment that Internet-connected networks in 21 states were the target of Russian government cyber actors seeking vulnerabilities and access to US election infrastructure,” said spokesman Scott McConnell.
“In the majority of the 21 states targeted, only preparatory activity like scanning was observed,” he added. “In some cases, this involved direct scanning of targeted systems. In other cases, malicious actors scanned for vulnerabilities in networks that may be connected to those systems or have similar characteristics in order to gain information about how to later penetrate their target.”
But a DHS official in June had explicitly said election-related systems were involved in each state.
“By late September (2016), we determined that Internet-connected, election-related networks in 21 states were potentially targeted by Russian government cyber actors,” Samuel Liles, DHS’s acting director of the cyber division of the department’s Office of Intelligence and Analysis, said during congressional testimony.
One thing has remained consistent – DHS has said the targeting activity mainly consisted of efforts to “scan” election systems for vulnerabilities, only a small number of networks were compromised, and those were not vote-counting systems. No vote tallies were altered or deleted. Liles said of the 21 states, many were targeted unsuccessfully for an intrusion, “as if someone rattled the door knob and was unable to get in,” and only in a few instances “they made it through the door.”
But DHS in June and since has declined to identify the states publicly – and state officials have complained that the lack of private notifications for months left them unable to respond to questions from the public.
DHS has a policy against publicly sharing information about victims of cybercrimes, which could explain why the agency hasn’t publicly announced which states were targeted. McConnell also said DHS determined which states Russia tried to target based on a collection of different sources, including classified intelligence information that “cannot be publicly disclosed.”
But frustration among states continued to bubble this week.
“Our notification from DHS last Friday was not only a year late, it also turned out to be bad information. To make matters worse … DHS has reversed itself and ‘now says Russia didn’t target Wisconsin’s voter registration system,’ which is contrary to previous briefings,” Padilla said, referencing Wisconsin as California’s counterpart in navigating DHS’s notification reversals.
States that were targeted
CNN surveyed all 50 states and the District of Columbia, and all 21 states have confirmed their inclusion on the list of states impacted: Alabama, Alaska, Arizona, California, Colorado, Connecticut, Delaware, Florida, Illinois, Iowa, Maryland, Minnesota, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Texas, Washington, Wisconsin, and Virginia – though California and Wisconsin have followed up with their discrepancies.
Two states – New Hampshire and Wyoming – and DC have not returned requests for comment.
Here’s what the states said:
Alabama: “DHS and MS-ISAC observed suspicious traffic from IP addresses on Alabama state networks, but those IP addresses were thwarted from conducting any successful breach,” Secretary of State John Merrill said in a statement.
Alaska: “Internet security protocols followed by the State of Alaska successfully protected our system and the attempted probe had no effect on Alaska’s Voter Registration and Election Management Database or outcome of the election,” State Elections Director Josie Bahnke said in a statement.
Arizona: A spokesman for Secretary of State Michele Reagan tweeted: “To be clear these were attacks on voter registration systems, not election equipment.”
California: “Last Friday, my office was notified by the U.S. Department of Homeland Security (DHS) that Russian cyber actors ‘scanned’ California’s Internet-facing systems in 2016, including Secretary of State websites. Following our request for further information, it became clear that DHS’ conclusions were wrong,” Secretary of State Alex Padilla said in a statement. “DHS confirmed that Russian scanning activity had actually occurred on the California Department of Technology statewide network, not any Secretary of State website. Based on this additional information, California voters can further rest assured that the California Secretary of State elections infrastructure and websites were not hacked or breached by Russian cyber actors.”
Colorado: In a statement, Secretary of State Wayne Williams said “according to Homeland Security, we were not attacked, probed, breached, infiltrated or penetrated.”
Connecticut: “I am happy to report, with great pride in the hard work and dedication of our IT security professionals, that DHS confirmed that the attempted Russian intrusion into our online voter registration database was stopped by our intrusion detection system,” Secretary of State Denise Merrill said in a statement.
Delaware: “[Delaware] was one of the states that was targeted, however, it was unsuccessful,” Delaware State Election Commissioner Elaine Manlove told CNN in an email.
Florida: “This attempt was not in any way successful and Florida’s online elections databases and voting systems remained secure. Ensuring the security and integrity of Florida’s elections remains our top priority,” state Director of Communications Sarah Revell told CNN in a statement.
Illinois: “We told the feds we were hacked more than a year ago. We’ve been in the news about it since then. I’m guessing that the Illinois server logs were a large part of the feds figuring out who else got probed,” Ken Menzel, general counsel for the Illinois State Board of Elections, told CNN via email.
Iowa: “Iowa’s elections system was successful in blocking attempted outside intrusions,” Secretary of State Paul Pate said in a statement.
Maryland: “While confirming that one of Maryland’s online systems was targeted, the Department’s representatives stated that there no evidence that the system – the online voter registration and ballot request system – was breached,” State Administrator Linda H. Lamone told CNN in a statement.
Minnesota: “DHS confirmed to my office that there was no breach and no attempt to breach Minnesota’s election system,” Secretary of State Steve Simon said in a statement released Friday. “The entities scanned IP addresses associated with the Secretary of State’s website for vulnerabilities, but attempted no further action.”
North Dakota: “Security measures in place to protect these systems have proven to be effective, and we continue to update cybersecurity protections as new potential means of targeting are identified,” said Secretary of State Al Jaeger. “For security purposes and confidentiality requirements, our office is unable to comment on the nature of the attempt or the specific systems targeted.”
Ohio: “Last summer, there was an attempt to find a weakness in our system,” Sam Rossi, press secretary for Secretary of State Jon Husted, confirmed to CNN Monday. “It lasted less than a second and failed. DHS’s internet security contractors considered it to be a non-event and did not report it to Ohio officials at the time. Bottom line – Ohio’s elections system was not compromised.”
Oklahoma: Bryan Dean, spokesman for the Oklahoma State Election Board, told CNN that “No vulnerabilities were found, no penetration was made into any system and no further activity occurred. The scan targeted the state computer network, not the election board’s network.”
Oregon: “We are proud of our team. The fact that DHS confirmed that we had no Russian intrusions is a testament to the strength of the network security program we have in place,” Secretary of State Dennis Richardson said in a statement.
Pennsylvania: “We have been notified by DHS that we are one of the 21 states involved. There is no evidence of a breach,” Wanda Murren, press secretary for the Pennsylvania Department of State, told CNN.
Texas: Sam Taylor, spokesman for Secretary of State Rolando Pablos, told CNN Monday that “no systems containing election software or information were targeted,” later adding, “there was an attempt to find a vulnerability on our agency’s public-facing web site, which contains no voter information, but no vulnerabilities were found, according to DHS.”
Virginia: “So this issue [DHS] explained was actually something we were already aware of, which is, there was a scanning of our public-facing website by IP addresses that trace back to the Russians,” Virginia Department of Elections Commissioner Edgardo Cortés told CNN.
Washington: “The security protocols we already have in place made us aware of these attempted intrusions by Russian IP addresses throughout the course of the 2016 election,” said Washington Secretary of State Kim Wyman.
Wisconsin: “The hackers may have thought they were scanning Wisconsin’s elections systems, but they were actually scanning Wisconsin’s Department of Workforce Development,” Reid Magney, spokesman for Wisconsin Elections Commission, told CNN Wednesday. “It appears that DHS believed the scanning was of Wisconsin’s election system because scanning activity from the same IP address was directed at elections authorities in other states.”
CNN’s Sasha Zients and Marshall Cohen contributed to this report.