On Friday, the Department of Homeland Security (DHS) notified the election officials of 21 states that hackers targeted their systems last year. DHS had previously told the Associated Press (AP) that more than 20 states were targeted by hackers believed to be Russian agents before the 2016 elections. Many of the states did not know until Friday that their systems were targeted.
“It is completely unacceptable that it has taken DHS over a year to inform our office of Russian scanning of our systems, despite our repeated requests for information,” California Secretary of State Alex Padilla (D) said in a statement. “The practice of withholding critical information from elections officials is a detriment to the security of our elections and our democracy.”
State election offices in Alabama, Alaska, Arizona, California, Colorado, Connecticut, Delaware, Florida, Illinois, Iowa, Maryland, Minnesota, Ohio, Oklahoma, Oregon, Pennsylvania, Virginia, Washington, and Wisconsin verified to the AP that they were among those targeted. Among these, Florida, Ohio, Pennsylvania, Virginia, and Wisconsin are considered swing states.
The DHS did not specify the identity of the hackers, but in most cases, the states were told their systems were not breached. In most of the states, the targeting involved preparatory activity, like scanning computer systems. Targets included voter registration systems but not vote tallying software.
Only Illinois reported that hackers had succeeded in breaching its voter systems. Other states reported that their cybersecurity efforts turned back efforts to get to crucial information.
Election officials in three states did tie the attacks to Russia.
The Wisconsin Election Commission said the state’s systems were targeted by “Russian government cyber actors.” Alaska Elections Division Director Josie Bahnke alleged that computers in Russia were scanning election systems.
“There are constant attempts by bad actors to hack our systems,” Iowa Secretary of State Paul Pate (R) said in a statement. “But we continue to deflect those attempts.”
A spokesman for the Colorado secretary of state was hesitant to label the cyber attack attempts. “It’s not an attack. I wouldn’t call it a probe. It’s not a breach, it’s not a penetration,” Trevor Timmons said. “It’s really reconnaissance by a bad guy to try and figure out how we would break into your computer.”
DHS admitted that state and local officials should be informed about cybersecurity risks to election systems. “We are working with them to refine our processes for sharing this information while protecting the integrity of investigations and the confidentiality of system owners,” the agency said.
A report leaked from the National Security Agency (NSA) in May revealed that hackers obtained information from a company that provided software to manage voter registrations in eight states. The report said hackers sent phishing emails to 122 local election officials before the November election in an attempt to break into their systems.
Election officials in Georgia, Kansas, Kentucky, Louisiana, New Mexico, and North Carolina told NPR their states were not targeted by hackers.
“This is one time we like being at the bottom of the list,” Lisa Strimple, a spokeswoman for Nebraska’s secretary of state, said in a statement.
There is still a great deal more to be revealed in this story, and it is likely far less simple than the Trump-Russia narrative suggests.