Washington – A Department of Homeland Security official on Wednesday said 21 state electoral systems were targeted by the Russians for hacking. Although Connecticut’s system was not among them, the state did ask for federal help in shoring up its cybersecurity defenses before last year’s election.
On Wednesday, during testimony before the Senate Intelligence Committee as part of its probe of Russia’s interference in the election, Jeanette Manfra, DHS undersecretary for cybersecurity and communications, said, “We have evidence of election-related systems in 21 states that were targeted.”
Manfra declined to identify the 21 states, or which actually had data — such as voter registration lists — removed from their systems, saying it was important to protect the confidentiality of those who were victimized.
Patrick Gallahue, spokesman for Connecticut Secretary of the State Denise Merrill, said DHS never notified the state it was a target of Russian hacking, but that the state accepted the agency’s help to strengthen protections of the state’s election system.
Russia has repeatedly denied hacking into the U.S. election system.
But in a separate hearing before the House Intelligence Committee Wednesday, former Homeland Security Secretary Jeh Johnson testified Russia’s meddling was “unprecedented, the scale and the scope of what we saw them doing.”
Besides testing voting systems for vulnerabilities, congressional intelligence committees have said Russian hackers engineered the release of emails last summer from the Democratic National Committee and Hillary Clinton campaign chairman John Podesta.
“In retrospect, it would have been easy for me to say I should have brought a sleeping bag and camped out in front of the DNC in the late summer,” Johnson testified.
Johnson said that on August 15, he “convened a conference call with secretaries of state and other chief election officials of every state in the country” proposing that the state election systems be designated as federally protected “critical infrastructure.”
“I told state officials that we must ensure the security and resilience of election infrastructure, and offered DHS’s assistance to the states in doing that. I also reiterated the idea of designating election infrastructure as critical infrastructure. To my disappointment, the reaction to a critical infrastructure designation, at least from those who spoke up, ranged from neutral to negative.”
He said that those state officials who “expressed negative views” said running elections in this country was the sovereign and exclusive responsibility of the states “and they did not want federal intrusion, a federal takeover, or federal regulation of that process.”
He said that in October DHS determined “malicious cyber actors” had scanned a “large” number of state systems, “which could be a preamble to attempted intrusions.
“In a few cases, we have determined that malicious actors gained access to state voting-related systems,” Johnson said.
CT accepts federal help
By Election Day on Nov. 8, Johnson said, many states had accepted DHS help.
“A large number of state and local election officials did in fact respond to our offers of cybersecurity assistance,” he said. “More specifically, almost every state contacted DHS about its services, and 33 states and 36 cities and counties used DHS tools to scan for potential vulnerabilities and/or sought mitigation advice from us.”
Connecticut was among those 33 states, Gallahue said.
Federal help to the states that asked for it included “cyber hygiene scans,” conducted remotely, that provided state and local officials with reports on vulnerabilities on systems connected to the Internet, such as online voter registration systems, election-night reporting systems, and other Internet-connected election management systems.
Johnson said there was no evidence the Russian government “through any cyber intrusion” altered ballots, ballot counts or reporting of election results.
But he added that he was “not in a position to know whether the successful Russian government-directed hacks of the DNC and elsewhere did in fact alter public opinion and thereby alter the outcome of the presidential election.”
In a recent statement, Connecticut Secretary of the State Denise Merrill said, “I have yet to see any evidence that either vote tallies were tampered with or registrations purged.”
“If that is not the case I certainly want to know and urge federal law enforcement to share that information with elections officials,” she said. “That said, these reported attempts to penetrate our elections systems are an urgent reminder of the need to get more cybersecurity expertise and resources into the hands of state and local officials. We need to get resources to those who need them.”
The Connecticut electoral system uses paper ballots and optical scanners and tabulators.
The results are stored on memory cards that the secretary of the state says are “locked behind a tamper-proof seal,” and the cards are audited before and after every election to look for any signs of tampering.
In Connecticut, residents can register to vote online. But Gallahue said voter registration information is kept on an internal computer system rather than on the Internet. The names and other information about Connecticut voters are made public.
A Republican voter data firm, Deep Root, accidentally left the data of 198 million citizens exposed online earlier this month. The data did not include highly sensitive information like Social Security numbers, and much of it was publicly available voter-registration data provided by state government officials.
But the exposed database combined people’s personal information and political inclinations, which could be mined to target and influence voters during an election.