The Department of Homeland Security contacted election officials in 21 states Friday to notify them that they had been targeted by Russian government hackers during the 2016 election campaign.
Three months ago, DHS officials said that people connected to the Russian government tried to hack voter registration files or public election sites in 21 states, but Friday was the first time that government officials contacted individual state election officials to let them know their systems had been targeted.
Officials said DHS told officials in all 50 states whether their systems had been attacked or not.
“We heard feedback from the secretaries of state that this was an important piece of information,” said Bob Kolasky, acting deputy undersecretary for DHS’s National Protection and Programs Directorate. “We agreed that this information would help election officials make security decisions.”
He said it was important that the states shore up their systems now “rather than a few weeks before” the 2018 midterm elections.
Kolasky said that DHS will henceforth “have a bias to get information to [the states] as quickly as we can, and we are building protocols to notify them in a timely fashion.”
DHS left it to individual states to decide whether to make public whether they had been targeted.
In only a handful of states, including Illinois, did hackers actually penetrate computer systems, according to U.S. officials, and there is no evidence that hackers tampered with any voting machines.
In Arizona, the Russian hackers did not compromise the state voter registration system or even any county system. They did, however, steal the username and password of a single election official in Gila County, state officials said.
Friday’s notifications were made after state elections officials and some federal lawmakers expressed frustration that Homeland Security had not yet disclosed the extent of the Russian attempts to infiltrate voter registration systems.
“It’s unacceptable that it took almost a year after the election to notify states that their elections systems were targeted, but I’m relieved that DHS has acted upon our numerous requests and is finally informing the top elections officials in all 21 affected states that Russian hackers tried to breach their systems in the run up to the 2016 election,” said Sen. Mark R. Warner (D-Va.), vice chairman of the Senate Intelligence Committee.
State elections officials in Alabama, Colorado, Connecticut, Iowa, Maryland, Minnesota, Ohio, Oklahoma, Pennsylvania, Virginia, Wisconsin and Washington were told Friday they were targeted, according to officials and a tally by the Associated Press.
“What this boils down to is that someone tried the door knob and it was locked,” said Reid Magney, a spokesman for the Wisconsin Elections Commission.
In June, Samuel Liles, the Department of Homeland Security’s acting director of the Office of Intelligence and Analysis Cyber Division, testified that 21 states had been affected by the Russian hacking and said that vote-tallying machines were unaffected. He told the Senate Intelligence Committee that the hackers seemed to be looking for vulnerabilities, an exercise that he compared to walking down the street and looking at houses to see who might be inside.
In the phone calls Friday, DHS officials were explicit about who they think was behind the attempted intrusions: agents of the Russian government, according to people familiar with the briefings. While most state systems were not breached, the widespread attempts underscore the breadth of Russia’s attempted meddling in the 2016 race, officials said.
“This successful defense of the integrity of our online voter registration system is good news for Connecticut, but it underlines the threat posed by foreign agents seeking to disrupt U.S. elections and sow the seeds of doubt in the integrity of our electoral process,” Connecticut Secretary of the State Denise Merrill said in a statement. “It is clear that Congress needs to act swiftly, both to investigate and publicize Russian interference in the 2016 presidential election, and to appropriate the necessary funds so that our state and local governments have the resources they need to adequately protect our election infrastructure.”
Until Friday, only a handful of the 21 states were publicly known. While some state officials had already received indications from federal officials that their systems were among those targeted, others — including Wisconsin’s — said Friday’s call came as a surprise.
Matt Zapotosky contributed to this report.