05.08.18

Senate Intel Committee Releases Unclassified 1st Installment in Russia Report, Updated Recommendations on Election Security

WASHINGTON, D.C. – Today, Senator Richard Burr (R-NC), Chairman of the Senate Select Committee on Intelligence, Senator Mark Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, and Senators Susan Collins (R-ME), Martin Heinrich (D-NM), and James Lankford (R-OK), members of the Senate Select Committee on Intelligence, released the Committee’s unclassified summary of the first installment of the Committee’s Russia Report, including updated recommendations on election security and findings regarding Russian targeting of election infrastructure. In parallel, the Committee has prepared a comprehensive, classified report on threats to election infrastructure. The classified report will be submitted for declassification review, and the Committee anticipates releasing it to the public when that process is completed.

“I’m pleased to be able to release this summary of our findings and recommendations on election security to the American public,” said Senator Richard Burr. “Today’s primaries are the next step toward the 2018 midterms and another reminder of the urgency of securing our election systems. Our investigation has been a bipartisan effort from day one, and I look forward to completing the Committee’s work and releasing as much of it as possible.  We are working tirelessly to give Americans a complete accounting of what happened in 2016 and to prevent any future interference with our democratic process.”

“Elections at all levels are central to our democracy, to our institutions, and to our government's legitimacy, and I remain concerned that we as a country are still not fully prepared for the 2018 midterm elections. That’s one reason why we, as a Committee, have decided that it is important to get out as much information as possible about the threat, so that governments at every level take it seriously and take the necessary steps to defend ourselves,” said Senator Mark Warner. “I am proud of the bipartisan work our Committee members have done on this issue, and I look forward to continuing in a bipartisan way to investigate what happened in 2016, and prevent future interference in our elections.”

“While our investigation remains ongoing, one conclusion is clear: the Russians were relentless in attempting to meddle in the 2016 election, and they will continue their efforts,” said Senator Susan Collins.  “The findings and recommendations we are releasing today are a major step forward in our effort to thwart any attempt to meddle in our elections.  With the 2018 election fast approaching, the need to act now is urgent.  We must provide states the assistance they need to strengthen the security of their voting systems.”

“Our democracy hinges on Americans' ability to fairly choose our own leaders. With primary elections underway, and as we approach the midterm elections and the next presidential election cycle, we need to act quickly to protect the integrity of our voting process,” said Senator Martin Heinrich. “I am proud of how our whole Committee, under the leadership of Chairman Burr and Vice Chairman Warner, has taken on the task of getting to the bottom of Russia's interference in our election. Until we set up stronger protections of our election systems and take the necessary steps to prevent future foreign intervention, our nation's democratic institutions will remain vulnerable to attack.”

“During the 2016 election, Russian entities targeted presidential campaign accounts, launched cyber-attacks against at least 21 state election systems, and hacked a US voting systems software company,” said Senator James Lankford. “We must proactively work to ensure the security of our election infrastructure for the possibility of interference from not just Russia, but possibly another adversary like Iran or North Korea or a hacktivist group. After 18 months of investigations and interviews, this bipartisan report underscores the importance of efforts to protect our democracy from foreign attacks on our elections.”

The Committee’s unclassified summary of this chapter of the Russia Report – Election Security Findings and Recommendations are embedded below and available here:

Russian Targeting of Election Infrastructure During the 2016 Election:

Summary of Initial Findings and Recommendations 

May 8, 2018


Overview

In 2016, cyber actors affiliated with the Russian Government conducted an unprecedented, coordinated cyber campaign against state election infrastructure. Russian actors scanned databases for vulnerabilities, attempted intrusions, and in a small number of cases successfully penetrated a voter registration database. This activity was part of a larger campaign to prepare to undermine confidence in the voting process.  The Committee has not seen any evidence that vote tallies were manipulated or that voter registration information was deleted or modified.

  • The Committee has limited information about whether, and to what extent, state and local officials carried out forensic or other examination of election infrastructure systems in order to confirm whether election-related systems were compromised. It is possible that additional activity occurred and has not yet been uncovered.

Summary of Initial Findings

  • Cyber actors affiliated with the Russian government scanned state systems extensively throughout the 2016 election cycle. These cyber actors made attempts to access numerous state election systems, and in a small number of cases accessed voter registration databases.
  • At least 18 states had election systems targeted by Russian-affiliated cyber actors in some fashion.[1] Elements of the IC have varying levels of confidence about three additional states, for a possible total of at least 21. In addition, other states saw suspicious or malicious behavior the IC has been unable to attribute to Russia.
  • Almost all of the states that were targeted observed vulnerability scanning directed at their Secretary of State websites or voter registration infrastructure. Other scans were broader or less specific in their target.
  • In at least six states, the Russian-affiliated cyber actors went beyond scanning and conducted malicious access attempts on voting-related websites.[2]
  • In a small number of states, Russian-affiliated cyber actors were able to gain access to restricted elements of election infrastructure. In a small number of states, these cyber actors were in a position to, at a minimum, alter or delete voter registration data; however, they did not appear to be in a position to manipulate individual votes or aggregate vote totals.
  • The Committee found that in addition to the cyber activity directed at state election infrastructure, Russia undertook a wide variety of intelligence-related activities targeting the U.S. voting process. These activities began at least as early as 2014, continued through Election Day 2016, and included traditional information gathering efforts as well as operations likely aimed at preparing to discredit the integrity of the U.S. voting process and election results.
  • The Committee’s assessments, as well as the assessments of the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), are based on self-reporting by the states. DHS has been clear in its representations to the Committee that the Department did not have perfect insight into these cyber activities. It is possible that more states were attacked, but the activity was not detected. In light of the technical challenges associated with cyber forensic analysis, it is also possible that states may have overlooked some indicators of compromise.
  • The Committee saw no evidence that votes were changed and found that, on balance, the diversity of our voting infrastructure is a strength. Because of the variety of systems and equipment, changing votes on a large scale would require an extensive, complex, and state or country-level campaign. However, the Committee notes that a small number of districts in key states can have a significant impact in a national election.

[1] These numbers only account for state or local government targets. DHS did not include states which may have witnessed attacks on political parties, political organizations, or NGOs. In addition, the numbers do not include any potential attacks on third-party vendors.

2 In the majority of these instances, Russian government-affiliated cyber actors used Structure Query Language (SQL) injection - a well-known technique for cyberattacks on public-facing websites.

Actors and Motive

  • The Committee concurs with the IC that Russian government-affiliated actors were behind the cyber activity directed against state election infrastructure.
  • While the full scope of Russian activity against the states remains unclear because of collection gaps, the Committee found ample evidence to conclude that the Russian government was developing capabilities to undermine confidence in our election infrastructure, including voter processes.
  • The Committee does not know whether the Russian government-affiliated actors intended to exploit vulnerabilities during the 2016 elections and decided against taking action, or whether they were merely gathering information and testing capabilities for a future attack. Regardless, the Committee believes the activity indicates an intent to go beyond traditional intelligence collection.

DHS Efforts to Bolster Election Security

  • The Committee found that DHS’s initial response was inadequate to counter the threat. In the summer of 2016, as the threat to the election infrastructure emerged, DHS attempted outreach to the states, seeking to highlight the threat for information technology (IT) directors without divulging classified information.  By the fall of 2016, as the threat became clearer, DHS attempted a more extensive outreach to the states with limited success.
  • At the outset, DHS was not well-positioned to provide effective support to states confronting a hostile nation-state cyber actor.
  • In addition, members of the Obama administration were concerned that, by raising the alarm, they would create the very impression they were trying to avoid––calling into question the integrity of election systems.
  • DHS and FBI alerts to the states in the summer and fall of 2016 were limited in substance and distribution.  Although DHS provided warning to IT staff in the fall of 2016, notifications to state elections officials were delayed by nearly a year.  Therefore, states understood that there was a cyber threat, but did not appreciate the scope, seriousness, or implications of the particular threat they were facing.
  • Many state election officials reported hearing for the first time about the Russian attempts to scan and penetrate state systems from the press or from the public Committee hearing on June 21, 2017.  DHS’s notifications in the summer of 2016 and the public statement by DHS and the ODNI in October 2016 were not sufficient warning.
  • It was not until September of 2017, and only under significant pressure from this Committee and others, that DHS reached out directly to chief election officials in the targeted states to alert the appropriate election officials about the scanning activity and other attacks and the actor behind them.  (However, the Committee notes that in the small number of cases where election-related systems had been compromised, the federal government was in contact with senior election officials at the time the intrusion was discovered.)
  • The Committee found that DHS is engaging state election officials more effectively now than in the summer of 2016.  Although early interactions between state election officials and DHS were strained, states now largely give DHS credit for making tremendous progress over the last six months.
  • States have signed up for many of the resources that DHS has to offer, and DHS has hosted meetings of the Government Coordinating Council and Sector Coordinating Council, as required under the critical infrastructure designation. Those interactions have begun to increase trust and communication between federal and state entities.
  • DHS hosted a classified briefing for state chief election officials and is working through providing security clearances for those officials.
  • An Election Infrastructure Information Sharing and Analysis Center has been established, focused on sharing network defense information with state and local election officials.

Ongoing Vulnerabilities

Despite the progress on communication and improvements to the security of our election process, the Committee remains concerned about a number of potential vulnerabilities in election infrastructure.

  • Voting systems across the United States are outdated, and many do not have a paper record of votes as a backup counting system that can be reliably audited, should there be allegations of machine manipulation. In addition, the number of vendors selling machines is shrinking, raising concerns about supply chain vulnerability.
  • Paperless Direct Recording Electronic (DRE) voting machines––machines with electronic interfaces that electronically store votes (as opposed to paper ballots or optical scanners)––are used in jurisdictions in 30 states and are at highest risk for security flaws.  Five states use DREs exclusively.
  • Many aspects of election infrastructure systems are connected to and can be accessed over the internet.  Furthermore, systems that are not connected to the internet, such as voting machines, may still be updated via software downloaded from the internet.
  • These potentially vulnerable systems include some of the core components of U.S. election infrastructure, including systems affiliated with voter registration databases, electronic poll books, vote casting, vote tallying, and unofficial election night reporting to the general public and the media.  Risk-limiting audits are a best practice to mitigate risk.
  • Vendors of election software and equipment play a critical role in the U.S. election system, and the Committee continues to be concerned that vendors represent an enticing target for malicious cyber actors.  State local, territorial, tribal, and federal government authorities have very little insight into the cyber security practices of many of these vendors, and while the Election Assistance Commission issues guidelines for security, abiding by those guidelines is currently voluntary.

Summary of SSCI Recommendations 

The Senate Select Committee on Intelligence has examined evidence of Russian attempts to target election infrastructure during the 2016 U.S. elections.  The Committee has reviewed the steps state and local election officials have taken to ensure the integrity of our elections and agrees that U.S. election infrastructure is fundamentally resilient.  The Department of Homeland Security, the Election Assistance Commission, state and local governments, and other groups have already taken beneficial steps toward addressing the vulnerabilities exposed during the 2016 election cycle, including some of the measures listed below, but more needs to be done.  The Committee recommends the following steps to better defend against a hostile nation-state who may seek to undermine our democracy:                   

1. Reinforce States’ Primacy in Running Elections

  • States should remain firmly in the lead on running elections, and the Federal government should ensure they receive the necessary resources and information.

2. Build a Stronger Defense, Part I: Create Effective Deterrence

  • The U.S. Government should clearly communicate to adversaries that an attack on our election infrastructure is a hostile act, and we will respond accordingly.  
  • The Federal government, in particular the State Department and Defense Department, should engage allies and partners to establish new international cyber norms.

3. Build a Stronger Defense, Part II: Improve Information Sharing on Threats

  • The Intelligence Community should put a high priority on attributing cyberattacks both quickly and accurately.  Similarly, policymakers should make plans to operate prior to attribution. 
  • DHS must create clear channels of communication between the Federal government and appropriate officials at the state and local levels.  We recommend that state and local governments reciprocate that communication.
  • Election experts, security officials, cybersecurity experts, and the media should develop a common set of precise and well-defined election security terms to improve communication.
  • DHS should expedite security clearances for appropriate state and local officials.
  • The Intelligence Community should work to declassify information quickly, whenever possible, to provide warning to appropriate state and local officials.

4. Build a Stronger Defense, Part III: Secure Election-Related Systems

  • Cybersecurity should be a high priority for those managing election systems. 
  • The Committee recommends State and Local officials prioritize the following:
    • Institute two-factor authentication for state databases.
    • Install monitoring sensors on state systems.  One option is to further expand DHS’s ALBERT network.
    • Identify the weak points in the network, including any under-resourced localities, and prioritize assistance towards those entities.
    • Update software in voter registration systems.  Create backups, including paper copies, of state voter registration databases. Include voter registration database recovery in state continuity of operations plans.
    • Consider a voter education program to ensure voters check registration well prior to an election.
    • Undertake intensive security audits of state and local voter registration systems, ideally utilizing an outside entity.
    • Perform risk assessments for any current or potential third-party vendors to ensure they are meeting the necessary cyber security standards in protecting their election systems. 
  • The Committee recommends DHS take the following steps:
    • Working closely with election experts, develop a risk management framework that can be used in engagements with state and local election infrastructure owners to document and mitigate risks to all components of the electoral process.
    • Create voluntary guidelines on cybersecurity best practices and a public awareness campaign to promote election security awareness, working through the U.S. Election Assistance Commission (EAC), the National Association of Secretaries of State (NASS), and the National Association of State Election Directors (NASED).
    • Maintain and more aggressively promote the catalog of services DHS has available for states to help secure their systems, and update the catalog as DHS refines their understanding of what states need. 
    • Expand capacity to reduce wait times for DHS cybersecurity services.
    • Work with GSA to establish a list of credible private sector vendors who can provide services similar to those provided by DHS.

5. Build a Stronger Defense, Part IV: Take Steps to Secure the Vote Itself

  • States should rapidly replace outdated and vulnerable voting systems.  At a minimum, any machine purchased going forward should have a voter-verified paper trail and no WiFi capability.  If use of paper ballots becomes more widespread, election officials should re-examine current practices for securing the chain of custody of all paper ballots and verify no opportunities exist for the introduction of fraudulent votes.
  • States should consider implementing more widespread, statistically sound audits of election results.  Risk-limiting audits, in particular, can be a cost-effective way to ensure that votes cast are votes counted.  
  • DHS should work with vendors to educate them about the potential vulnerabilities of both voting machines and the supply chains.

6. Assistance for the States

  • States should use federal grant funds to improve cybersecurity by hiring additional Information Technology staff, updating software, and contracting vendors to provide cybersecurity services, among other steps. Funds should also be available to defray the costs of instituting audits