Federal government notifies 21 states of election hacking

The federal government on Friday told election officials in 21 states that hackers targeted their systems before last year’s presidential election.

The notification came roughly a year after U.S. Department of Homeland Security officials first said states were targeted by hacking efforts possibly connected to Russia. The states that told The Associated Press they had been targeted included some key political battlegrounds, such as Florida, Ohio, Pennsylvania, Virginia and Wisconsin.

The AP contacted every state election office to determine which ones had been informed that their election systems had been targeted. The others confirming were Alabama, Alaska, Arizona, California, Colorado, Connecticut, Delaware, Illinois, Iowa, Maryland, Minnesota, North Dakota, Oklahoma, Oregon, Texas and Washington.

Being targeted does not mean that sensitive voter data was manipulated or results were changed. A hacker targeting a system without getting inside is similar to a burglar circling a house checking for unlocked doors and windows.

Even so, the widespread nature of the attempts and the yearlong lag time in notification from Homeland Security raised concerns among some election officials and lawmakers.

For many states, the Friday calls were the first official confirmation of whether their states were on the list — even though state election officials across the country have been calling for months for the federal government to share information about any hacks, as have members of Congress.

“It is completely unacceptable that it has taken DHS over a year to inform our office of Russian scanning of our systems, despite our repeated requests for information,” California Secretary of State Alex Padilla, a Democrat, said in a statement. “The practice of withholding critical information from elections officials is a detriment to the security of our elections and our democracy.”

U.S. Sen. Mark Warner, of Virginia, the top Democrat on a committee that’s investigating Russian meddling in last year’s election, has been pushing the department for months to reveal the identities of the targeted states. He said states need such information in real time so they can strengthen their cyber defenses.

“We have to do better in the future,” he said.

Homeland Security said it recognizes that state and local officials should be kept informed about cybersecurity risks to election infrastructure.

“We are working with them to refine our processes for sharing this information while protecting the integrity of investigations and the confidentiality of system owners,” it said in a statement.

The government did not say who was behind the hacking attempts or provide details about what had been sought. But election officials in several states said the attempts were linked to Russia.

The Wisconsin Election Commission, for example, said the state’s systems were targeted by “Russian government cyber actors.” Alaska Elections Division Director Josie Bahnke said computers in Russia were scanning election systems looking for vulnerabilities.

A spokeswoman for Indiana Secretary of State Connie Lawson, the president of National Association of Secretaries of State, said Lawson requested a list of the states where there were hacking efforts. In most cases, states said they were told the systems were not breached.

Federal officials said that in most of the 21 states the targeting was preparatory activity such as scanning computer systems.

The targets included voter registration systems but not vote tallying software. Officials said there were some attempts to compromise networks but most were unsuccessful.

Only Illinois reported that hackers had succeeded in breaching its voter systems.

Other states said their cybersecurity efforts turned back efforts to get to crucial information.

“There are constant attempts by bad actors to hack our systems,” Iowa Secretary of State Paul Pate, a Republican, said in a statement. “But we continue to deflect those attempts.”
Colorado said the hacking wasn’t quite a breach.

“It’s really reconnaissance by a bad guy to try and figure out how we would break into your computer,” said Trevor Timmons, a spokesman for the Colorado secretary of state’s office.

“It’s not an attack. I wouldn’t call it a probe. It’s not a breach, it’s not a penetration.”

Earlier this year, a leaked National Security Agency report detailed that hackers obtained information from a company that provided software to manage voter registrations in eight states. The May report said hackers sent phishing emails to 122 local election officials just before the November 2016 election in an attempt to break into their systems.

The latest disclosure to the states comes as a special counsel investigates whether there was any coordination during the 2016 presidential campaign between Russia and associates of Donald Trump.

Trump, a Republican who defeated Democrat Hillary Clinton in the presidential election, has called the Russia story a hoax. He says Russian President Vladimir Putin “vehemently denied” the conclusions of numerous American intelligence agencies.

For states that were told they were not targets, the news brought relief.

“This is one time we like being at the bottom of the list,” said Lisa Strimple, a spokeswoman for Nebraska’s secretary of state.