Department of Homeland Security (DHS) officials said three months ago that people linked to the Russian government had attempted to hack election-related sites and information in 21 states. But on Sept. 22, DHS made it official, contacting election officials in those states to more formally notify them of having been targeted.
Only one, the state of Illinois, was deemed as having been "breached," according to a Washington Post analysis that pointed to the previously revealed exposure of personal information belonging to "tens of thousands of voters."
With its next election about six weeks away, a top Washington state elections official said the agency will soon embark on a three-month federal pilot aimed at improving cybersecurity, and officials are optimistic the electoral cycle will be uneventful and appear largely unchanged to voters.
In a Sept. 22 statement, Washington Secretary of State Kim Wyman confirmed hearing from DHS as did officials in Florida, California and Ohio.
“As we’ve stated before, we continue to work cooperatively with DHS – including during the election last year. The security protocols we already have in place made us aware of these attempted intrusions by Russian IP addresses throughout the course of the 2016 election. There was no successful intrusion and we immediately alerted the Federal Bureau of Investigation of the activities,” Wyman said.
On Monday, Sept. 25, Lori Augino, Washington state’s director of elections, said her agency is poised to embark on a three-month pilot with DHS and the Multi-State Information Sharing & Analysis Center (MS-ISAC) to immediately improve its four times-a-year elections process.
Washington state's next election, she said, is on Nov. 7.
“We are always working to expand what we’re doing to ensure that our systems are secure, whether from cyberthreats or physical threats. And so, we’ll be looking at making some immediate improvements to what we’re already doing,” Augino said, describing the effort as a “pilot where we can partner with them in a more ramped up way.”
It will likely center on “ramping up some of the cybersecurity protections that are already in place and trying to identify new things we can do,” she added.
MS-ISAC’s mission is to help state and local governments improve cybersecurity through focused threat prevention, protection, response and recovery.
In a statement, the Florida Department of State (DOS) indicated it, too, had been notified by DHS of an unsuccessful hacking attempt last year.
“This attempt was not in any way successful and Florida’s online elections databases and voting systems remained secure,” DOS said.
The Ohio Secretary of State’s (SOS) office said much the same — indicating DHS “informed us of what we already knew — there was no breach of Ohio’s election system in 2016.”
The office described it as “an attempt to find a weakness in our system” which lasted less than one second and failed.
“DHS’ internet security contractors considered it to be a non-event and did not report it to Ohio officials at the time,” the office said, emphasizing: “Bottom line — Ohio’s elections system was not compromised.”
California Secretary of State Alex Padilla also said in a statement, issued Sept. 22, that he’d been notified by DHS of “scanning” in 2016 of the state’s “Internet-facing systems.”
He described scanning as “an unauthorized attempt to identify weaknesses in a computer or network” like a burglar trying to find an unlocked door, and said his office actively monitors scanning “as part of our routine cyber security protocols.”
“We have no information or evidence that our systems have been breached in any way or that any voter information was compromised,” Padilla said.
He emphasized it was the first time his office had been informed of an issue by DHS — and detailed his concern that in June 2017, Jeanette Manfra, Acting Undersecretary for Cybersecurity and Communications at DHS had told a U.S. Senate Intelligence Committee that “the owners of the systems within those 21 states have been notified.”
This, Padilla said, was “simply not true and DHS acknowledged they failed to contact us and ‘two or three’ other states.” He called it “completely unacceptable” that DHS had taken more than a year to inform his office “despite our repeated requests for information.”
A member of the DHS Office of Public Affairs referred Government Technology to its National Protection and Programs Directorate Office (NPPD). There was no response to a message seeking a statement or comment left for NPPD public affairs.
Augino said that since Washington state has been “very vocal,” federal officials have “been very responsive.”
“We’re just always paying attention because we’re just always in elections mode,” she said in reference to the state’s election security posture. “I think it’s going to take a continued partnership and to continue communication, to talk about what we need to help us to be better.”
Theo Douglas is a staff writer for Government Technology. His reporting experience includes covering municipal, county and state governments, business and breaking news. He has a Bachelor's degree in Newspaper Journalism and a Master's in History, both from California State University, Long Beach.
NEW ON THE PODCAST