Report

Scope of Russian Election Hacking Remains Unclear 

Volume one of a long-awaited Senate report on Kremlin targeting of election systems finds all 50 states may have been targeted. 

Russian President Vladimir Putin casts his ballot at a polling station during parliamentary elections in Moscow on Sept. 18, 2016. GRIGORY DUKOR/AFP/Getty Images

After two and a half years of investigation by U.S. Senate staffers, the exact scope of Russian attacks on U.S. election infrastructure in 2016 remains a mystery, according to a report released Thursday by the Senate Intelligence Committee.

Only a day after former special counsel Robert Mueller told lawmakers that Russian interference in U.S. politics continues and is likely to target upcoming elections, the committee released the first volume of its long-awaited assessment of Russian meddling in the 2016 presidential election and painted a dire picture of the state of U.S. election security.

According to the report, the Russian effort involved attacks on U.S. election infrastructure, which includes voting systems and the state government agencies that administer U.S. elections. All this was part of a stealthy campaign to sow division among the American electorate in an effort to vault then-candidate Donald Trump into the Oval Office.

Senate investigators determined that 21 states were targeted by the Russian attacks on voting systems, which began in 2014 and continued into at least 2017. In one case, those attacks succeeded in breaching a state voter database, and investigators also gathered evidence that all 50 states may have been targeted. But whether that actually occurred remains unknown.

“In 2016, the U.S. was unprepared at all levels of government for a concerted attack from a determined foreign adversary on our election infrastructure,” Sen. Richard Burr, the Republican chairman of the Senate Intelligence Committee, said in a statement. Since then, the Department of Homeland Security and state and local officials have significantly improved their information sharing and shored up vulnerabilities, but “much work … remains to be done,” Burr cautioned.

The Senate Intelligence Committee’s investigation of Russian meddling represents the most thorough effort to examine what happened during the 2016 election. The Mueller probe focused mainly on Russian interference as it related to alleged contacts with the Trump campaign. And unlike Mueller’s investigation and a parallel probe in the House of Representatives, the Senate investigation has managed to avoid getting mired in partisan differences.

With efforts to establish a post-9/11-style probe of the 2016 meddling all but dead, the Senate investigation will provide the public with the first definitive examination of a campaign that some observers argue was pivotal in Trump’s surprise election victory.

Trump has long maintained that Russian meddling never succeeded in changing the tally of votes, and the report released on Thursday backs up that claim, finding no evidence that Russian hackers succeeded in fudging vote counts.

But the report also provides reason to be cautious about the extent to which the Russian hacking activity will ever be fully understood. The report remains reliant on state election authorities for information about what transpired on their computer systems, and with state election officials intensely suspicious of the federal government’s efforts to improve computer security, it is not clear that investigators were able to obtain a full picture.

According to the committee’s findings, Russian hackers targeted the election-related computer systems of 21 states around the time of the 2016 election. Kremlin operatives succeeded in accessing a voter registration database in Illinois and made off with data about an unknown number of state voters. They also succeeded in penetrating the election infrastructure of a second state not named in the report. (A 2016 FBI bulletin linked the Illinois election breach to another in Arizona.)

By August 2016, White House officials had privately concluded that all 50 states were targeted, even if they didn’t have hard evidence to support that conclusion at the time. “My professional judgment was we have to work under the assumption that they’ve tried to go everywhere, because they’re thorough, they’re competent, they’re good,” Michael Daniel, President Barack Obama’s top cybersecurity advisor, told Senate investigators.

Whether Daniel was right about that conclusion represents a key open question in the investigation. Immediately following Daniel’s statement, the report notes that “[i]ntelligence developed later in 2018 bolstered Mr. Daniel’s assessment that all 50 states were targeted.”

The next six paragraphs—which presumably evaluate the intelligence collected “later in 2018,” by which time Daniel had left office—are redacted.

It is also unclear whether the federal government was able to collect the data that it needed to make firm conclusions about the nature of Russian hacking. “Law enforcement and the intelligence community is going to be significantly reliant on what the holders and owners and operators of the infrastructure sees on its system and decides to raise their hand,” Lisa Monaco, Obama’s top homeland security advisor, told investigators.

Monaco’s skepticism about whether the state and local governments that operate American elections would provide a full picture about Russian hacking is well founded. The Senate report describes a dysfunctional relationship between the Department of Homeland Security and state election officials.

In 2016, many states viewed the federal government’s attempts to improve security as a federal takeover of election administration. And after the Department of Homeland Security first said in 2017 that Russian hackers targeted the election systems of 21 states, some state election officials were later shocked to find out that they had been among those targeted.

The relationship between the Department of Homeland Security and state authorities has since improved, but there is lingering suspicion among some state officials that the federal government is plotting to take over the administration of elections, according to the Senate report.

With intelligence officials warning that Russia is likely to repeat its 2016 campaign of meddling, the report finds that American election infrastructure is highly vulnerable to computer attack. “In 2016, cybersecurity for electoral infrastructure at the state and local level was sorely lacking,” the report concludes. “Despite the focus on this issue since 2016, some of these vulnerabilities remain.”

In one particularly alarming example, state election officials in an unidentified state found in a 2017 test of a set of decommissioned electronic voting machines that a voter could have accessed the system in supervisor mode by entering the default password “ABC123.” Once in supervisor mode, the attacker could “do enough damage to call the results into question,” a state IT director told Senate investigators.

The machines in question were in use by at least two other states at the time.

These widespread vulnerabilities and the fear of a repeat Russian attack are fueling calls on Congress for election security reform, but so far Senate Majority Leader Mitch McConnell has refused to bring any of a number of such bills with bipartisan support to the floor for a vote.

“If there was ever a moment when Congress needed to exercise its clear constitutional authorities to regulate elections, this is it,” Sen. Ron Wyden, an Oregon Democrat and a member of the intelligence committee, wrote in the report. “We shouldn’t ask a county election IT employee to fight a war against the full capabilities and vast resources of Russia’s cyber army. That approach failed in 2016 and it will fail again.”

Elias Groll is a staff writer at Foreign Policy. Twitter: @EliasGroll
