Russia Targeted Election Infrastructure in All 50 States in 2016: Senate Intel Report

“My professional judgment was we have to work under the assumption that they’ve tried to go everywhere, because they’re thorough, they’re competent, they’re good,” Daniel told the committee.

Only two years later the official intelligence community’s assessments concluded that he was right.

Daniel’s position at the White House has since been eliminated by John Bolton, the president’s national security adviser.

The report warns that vulnerability persists heading into the 2020 campaign.

Mixed Signals from Congress, President
Also on Thursday, Senator Mitch McConnell (R-Kentucky), the Senate Majority Leader, again blocked consideration of election security legislation put forward by Democrats. McConnell has argued that it would be a mistake to give the federal government a greater role in elections which are run by the states. He has also argued that Congress has done enough by passing $380 billion worth of grants for states to update and secure their election systems, and by supporting executive branch agencies in their efforts to help make elections more secure.

Cybersecurity and election security experts, and lawmakers (Democrats more publicly, Republicans privately) have argued that securing American elections has not progressed as far and as fast as it could and should have because of the absence of presidential leadership to galvanize the nation and the government behind the cause of thwarting foreign interference in U.S. democracy. President Trump has refused to acknowledge that Russia has interfered in the 2016 election, and has publicly accepted President Vladimir Putin’s denial of Russia’s meddling, while rejecting the findings and unanimous conclusions of the seventeen agencies comprising the U.S. intelligence community.

Trump has denigrated the intelligence community as “politically motivated.” The leaders of all seventeen agencies, and the Director of National Intelligence Dan Coats, are all Trump appointees.

Aides to the president, and cabinet members, have been advised not to raise the subject of Russian interference in Trump’s presence so as not to upset him.

The Report
The Times notes that even after a two-and-a-half-year investigation, the Committee conceded that “Russian intentions regarding U.S. election infrastructure remain unclear.” Moscow’s intelligence may have “intended to exploit vulnerabilities in the election infrastructure during the 2016 elections and, for unknown reasons, decided not to execute those options.”

More worrisome, the report suggested that the Russian efforts in 2016 might have been cataloging options “for use at a later date” — a possibility that officials of the National Security Agency, DHS, and the FBI said was their biggest worry.

Thursday’s installment builds upon the unclassified summary findings on election security released by the Committee in May 2018. This was the first volume completed “due to the fundamental importance and urgency of defending our democratic elections,” the Committee said. 

As part of its investigation, the Committee will also release final volumes examining the Intelligence Community Assessment (ICA) of Russian interference, the Obama administration’s response to Russian interference, the role of social media disinformation campaigns, and remaining counterintelligence questions. The Committee has submitted its volume on social media for declassification review and intends to release the remaining installments in fall 2019.

Over the last two and half years, the Committee’s investigation has spanned more than 15 open hearings, more than 200 witness interviews, and nearly 400,000 documents.

Burr said: “In 2016, the U.S. was unprepared at all levels of government for a concerted attack from a determined foreign adversary on our election infrastructure. Since then, we have learned much more about the nature of Russia’s cyber activities and better understand the real and urgent threat they pose. The Department of Homeland Security and state and local elections officials have dramatically changed how they approach election security, working together to bridge gaps in information sharing and shore up vulnerabilities. The progress they’ve made over the last three years is a testament to what we can accomplish when we give people the opportunity to be part of a solution.

“There is still much work that remains to be done, however. I am grateful to the many states that provided their points of view, which helped inform our recommendations. It is my hope that the Senate Intelligence Committee’s bipartisan report will provide the American people with valuable insight into the election security threats still facing our nation and the ways we can address them.”

Warner said: “When the Russians attacked elections systems in 2016, neither the federal government nor the states were adequately prepared. Our bipartisan investigation identified multiple problems and information gaps that hindered our ability to effectively respond and defend against the Russian attack in 2016. Since then – and in large part as a result of the bipartisan work done on this issue in our Committee – the intelligence community, DHS, the FBI, and the states have taken steps to ensure that our elections are far more secure today than they were in 2016. But there’s still much more we can and must do to protect our elections. I hope the bipartisan findings and recommendations outlined in this report will underscore to the White House and all of our colleagues, regardless of political party, that this threat remains urgent, and we have a responsibility to defend our democracy against it.”

Volume I: Russian Efforts Against Election Infrastructure is available for downloading here.

Key Findings and Recommendations

·   The Russian government directed extensive activity against U.S. election infrastructure. The Committee found the activity directed at the state and local level began in at least 2014 and carried into at least 2017. The Committee has seen no evidence that any votes were changed or that any voting machines were manipulated.

·  Russian efforts exploited the seams between federal authorities and capabilities, and protection for the states. The Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) are, by design, limited in domestic cybersecurity authorities. State election officials, who have primacy in running elections, were not sufficiently warned or prepared to handle an attack from a hostile nation-state actor.

·  DHS and FBI warnings to the states in the late summer and fall of 2016 did not provide enough information or go to the appropriate people. The Committee found that while the alerts were actionable, they provided no clear reason for states to take the threat more seriously than other warnings.

·  DHS has redoubled its efforts to build trust with the states and deploy resources to assist in securing elections. Since 2016, DHS has made great strides in learning how election procedures vary across states and how to best assist those states. The Committee determined DHS’s work to bolster states’ cybersecurity has likely been effective but believes more needs to be done to coordinate efforts.

·  Russian activities demand renewed attention to vulnerabilities in U.S. voting infrastructure. Cybersecurity for electoral infrastructure at the state and local level was sorely lacking in 2016. Despite increased focus over the last three years, some of these vulnerabilities, including aging voting equipment, remain. As states look to replace machines that are now out of date, they should purchase more secure voting machines. At a minimum, any machine purchased going forward should have a voter-verified paper trail.

·  Congress should evaluate the results of the $380 million in state election security grants allocated in 2018. States should be able to use grant funds provided under the Help America Vote Act (HAVA) to improve cybersecurity in a variety of ways, including hiring additional IT staff, updating software, and contracting vendors to provide cybersecurity services. When those funds are spent, Congress should evaluate the results and consider an additional appropriation to address remaining insecure voting machines and systems.

·  DHS and other federal government entities remain respectful of the limits of federal involvement in state election systems. America’s decentralized election system can be a strength against cybersecurity threats. However, the federal government and states should each be aware of their own cybersecurity limitations and know both how and when to obtain assistance. States should remain firmly in the lead on running elections, and the federal government should ensure they receive the necessary resources and information.

·  The United States must create effective deterrence. The United States should communicate to adversaries that it will view an attack on its election infrastructure as a hostile act and respond accordingly. The U.S. government should not limit its response to cyber activity; rather, it should create a menu of potential responses that will send a clear message and create significant costs for the perpetrator.

Wyden’s Dissent
Senator Ron Wyden (D-Oregon), disagree with Burr and Warner, appending a dissent to the report, arguing that the committee did not go far enough. “The committee report describes a range of cybersecurity measures needed to protect voter registration databases,” he wrote, “yet there are currently no mandatory rules that require states to implement even minimum cybersecurity measures. There are not even any voluntary federal standards.”

He added:

If there was ever a moment when Congress needed to exercise its clear constitutional authorities to regulate elections, this is it. America is facing a direct assault on the heart of our democracy by a determined adversary. We would not ask a local sheriff to go to war against the missiles, tanks and planes of the Russian Army. We shouldn’t ask a county election IT employee to fight a war against the full capabilities and vast resources of Russia’s cyber army. That approach failed in 2016 and it will fail again.

The federal government’s response to this ongoing crisis cannot be limited to offers to provide resources and information, the acceptance of which is voluntary. If the country’s elections are to be defended, Congress must also establish mandatory, nation-wide cybersecurity requirements.

Wyden’s minority views to the report begin on page 62 of the report, which is available here.

The House of Representatives has already passed strong election security legislation, on a bipartisan basis, to set mandatory election security requirements for all federal elections and a companion measure was introduced in the Senate this week.