Federal Officials Say There’s No Evidence State Votes Were Hacked

WASHINGTON — Acting officials from the U.S. Department of Homeland Security expressed confidence Wednesday in the 2016 election’s integrity to the U.S. Senate Intelligence Committee, despite an admission the agency has not conducted forensics on voting machines in any state for evidence of Russian hacking.

Elections-related systems were targeted by Russia in 21 states, said Acting Deputy Undersecretary of Cybersecurity Jeanette Manfra, who insisted none were involved in vote tallying and declined to publicly name those that had data exfiltrated.

Arizona and Illinois are the only states to confirm intrusions, but Manfra said the “owners of elections systems” in all 21 had been notified—sometimes local election officials or vendors. The committee’s chairman, North Carolina Republican Richard Burr, suggested sending the 19 undisclosed states a confidential letter requesting they go public, which DHS officials took under advisement.

As many as 39 states were targeted by Russian hackers, according to a recent Bloomberg report, aspects of which DHS called into question.

“The ability, as has been demonstrated by security researchers, to access remotely a voting machine to manipulate that vote and then to be able to scale that across multiple, different voting machines made by different vendors would be virtually impossible to occur in an undetected way within our current election system,” Manfra said, assuring the committee all of Russia’s targets had been identified.

University of Michigan computer science professor Alex Halderman refuted that notion in subsequent testimony, pointing out it took a team of his less than 48 hours to change all the votes in a simulated election in 2010 without being caught.

Indiana Secretary of State Connie Lawson, the Republican president-elect of the National Association of Secretaries of State, also argued the diversity of elections systems in use serves as a check on hackers. But security experts note the heterogeneity of computers in the world is much greater than that of voting systems manufactured by consolidated vendors, and that hasn’t deterred Russian hackers.

“They have the resources of a nation-state,” Halderman said. “Their capabilities would significantly exceed mine.”

FBI Assistant Director of Counterintelligence Bill Priestap declined to comment publicly on whether Russia successfully planted vote-altering malware in any state or local elections systems, with Burr mentioning the committee would hold a private briefing on the agency’s open investigations.

Illinois State Board of Elections Executive Director Steve Sandvoss said the agency hadn’t even been definitively told by the FBI that the intrusion in his state had originated from Russia, underscoring NASS’s concern that no state or local elections officials are authorized to receive confirmed threat intelligence from DHS in a timely manner.

“I find it a little strange that they have not relayed that information to you,” said U.S. Sen. Mark Warner, a Virginia Democrat, adding the previous panel had made no secret of Russia’s culpability. Warner wrote Defense Secretary John Kelly on Tuesday urging him to work more closely with state and local elections officials.

Manfra maintained DHS serves a “support” role with respect to state and local elections, offering cyber hygiene for internet-facing systems most vulnerable to cyberattacks and on-site risk and vulnerability assessments. Indiana declined such assistance because the state felt it was better off than DHS, Lawson said.

DHS has discussed conducting joint forensics with voting machine vendors, Manfra said, but in the meantime 35 states require some level of technology certification prior to use. Many of those states don’t ensure election system compliance with federal standards, which are themselves outdated, Halderman later testified.

“We don’t have a national election. What we have are 50 state elections,” said U.S. Sen. Angus King, a Maine Independent. “And each election in the states can depend upon a certain number of counties. There are probably 500 people within the sound of my voice who could tell you which 10 counties in the United States will determine the next presidential election, and so a sophisticated actor could hack a presidential election simply by focusing on particular counties.”

Manfra recommended risk-limiting audits of paper ballots comparing them to the electronic vote tally as a backstop, and U.S. Sen. Ron Wyden, an Oregon Democrat, praised his state’s paper-based vote-by-mail system and U.S. Sen. James Lankford, an Oklahoma Republican, his state’s optical scan of paper ballots.

Perhaps to their dismay, Halderman said only Colorado and New Mexico’s audits could currently detect vote manipulation. He cosigned a letter with 100 other leading computer scientists urging states to upgrade obsolete voting machines and use paper to ensure computer results are correct as “a common sense quality control.” Risk-limiting audits, Halderman estimated, would cost the country an additional $20 million a year for complete assurance of elections integrity.

“I’m certainly not opposed to that if that’s what states want to do,” said U.S. Sen. Roy Blunt, a Missouri Republican, highlighting yet another challenge to the security of elections: states’ rights.

Illinois may have reported the intrusion it experienced to the FBI, but there’s no legal requirement that other states do the same—even though a rapid response to vote tampering is necessary.

Many top state elections officials don’t like the idea of the federal government meddling in their processes.

“If I have one major request for you today, other than rescinding the critical infrastructure designation for elections, it is to help election officials get access to classified information sharing,” Lawson said.

When pressed as to what changed when the Obama administration labeled elections critical infrastructure in early January, Lawson responded: “Nothing has negatively happened, but also nothing positive has happened.”

NASS passed a hotly debated, bipartisan resolution in February challenging the designation as unilateral and vague.

“Elections in America are widely viewed around the world as being the most crazy, screwed-up elections you can imagine. We’re using Baroque technology in manifold ways to run the entire thing,” Joe Kiniry, Free & Fair principled CEO and computer scientist, told Route Fifty prior to Wednesday’s Senate hearing. “That mess has been compounded in that there’s this conflict between the state level folks and federal level folks, particularly in red states, about elections oversight.”

Help states fund risk-limiting audits, and there wouldn’t be as big a fight, he added. More money was spent on the rollout of state portals registering people for Obamacare than on elections security in the past 20 years.

Kiniry is of the mind that hackers may have changed some votes in the last election simply to see if the action would raise any red flags, if only DHS was actively looking. The window to forensically audit voting machines is rapidly closing because they’re being reset and reprogrammed for special elections like Tuesday’s in Georgia and the 2018 midterm elections.

In Georgia’s case, the election was paperless and run on voting machines last certified 12 years ago, Kiniry said. The state’s Republican secretary of state, Brian Kemp—who’s running for governor—rejects the notion that emailed ballots can be hacked and the need for auditing.

A lawsuit seeking to run the election with paper balloting, filed by computer scientists, was tossed because it lacked standing, meaning the most expensive election in U.S. history for a contentious seat can’t be verified against possible hacking.

“I will hold zero confidence in the outcome of that election, regardless of which way it goes,” Kiniry said prior to the vote.