State Officials Criticize DHS Response to Election Hacking Attempts

Secretaries of state are voicing their frustration with the Department of Homeland Security, saying the agency has not shared basic information with relevant officials after confirming that at least 21 state election systems were targeted by hackers in the months leading up to the 2016 presidential election.

State officials contacted by Morning Consult said a lack of communication and transparency by DHS has left them largely out of the loop regarding what states were targeted — much less what the targeting entailed. Secretaries of state and staffers in 13 states said they haven’t received any indication whether their systems were targeted, and that they haven’t received notification from DHS regarding targeted election systems.

“DHS notified only the elections systems vendors that were impacted, not the state election officials, so we have no confirmation of whether or not Maine is among those 21 states,” said Kristen Schulze Muszynski, director of communications for Maine’s secretary of state.

During a Senate Intelligence Committee hearing on June 21, DHS official Jeanette Manfra said foreign hackers targeted 21 election systems — more than previously reported.

Only two states — Arizona and Illinois — have publicly confirmed that their election systems were targeted. There were almost 150,000 attempts in South Carolina on Election Day to penetrate the state’s voter-registration system, according to a state government report.

In a June 26 letter obtained by Morning Consult, Sens. Richard Burr (R-N.C.) and Mark Warner (D-Va.) — chairman and vice chairman of the Intelligence Committee, respectively — reached out to U.S. state election officials and asked them “to consider proactively informing its voting public on whether it has been a victim of malicious cyber activity.”

Vermont Secretary of State Jim Condos (D) told Morning Consult, “We were not hacked or compromised during the 2016 election.” He also passed along the letter he sent in response to Burr and Warner.

“We have heard about breaches second hand through the news media and have only received a trickle of unclassified information about threats and alleged state victims,” Condos, an elected official, wrote in his June 28 letter to the senators. “It is imperative that chief state election officials across the U.S. receive security clearances as quickly as possible in order to receive timely and specific threat information in order to protect our state systems.”

Even when DHS officials have worked to communicate with state officials, their messaging has come across to some as muddled and even contradictory to the department’s overall assessment and perspective.

At the National Association of Secretaries of States’ convention in Indianapolis last week, Robert Kolasky, DHS deputy undersecretary for national protection and preparedness, participated in a panel discussion with secretaries of state about election hacking concerns and responses. Alabama Secretary of State John Merrill (R), who attended the discussion, said he was concerned by lack of transparency by DHS with state officials about which election systems were targeted.

“If there’s been a breach in any state, they have not told the chief elections official in any state that their state was directly impacted,” Merrill said in an interview last week. “And if they have indicated at the local level that it occurred, they have informed those people not to share that information with anybody else in the state. And I told the guy, I said ‘Let me tell you something. If that’s the attitude that you all are going to take, and if that’s the direction that you’re going, then what you’re doing is of no value to us and of no value to you.’”

Merrill added that Alabama did not have an election vendor whose system had been hacked or compromised, but said he couldn’t definitively say whether the state’s election systems was targeted.

“I can tell you that we have not been notified of a threat or a compromise, and we’re not aware of any that has occurred because none has been introduced to us,” he said.

Manfra said in an interview that local and state officials who are aware of any election targeting are welcome to disclose that information to anyone.

“The states are free to disclose whatever they would like to about it,” Manfra, who was recently named assistant secretary for cybersecurity and communications at DHS, said in an interview Monday. “It’s more on us to protect the confidentiality of our stakeholders.”

She said that while it’s the agency’s policy not to release the identities of victims of cyber crimes, state officials are more than welcome to make that determination. Most of the targeting DHS saw was “scanning activity,” she said, or efforts by hackers to find and exploit weaknesses in state election systems.

“Targeting in this context largely meant an actor that was scanning their systems for vulnerabilities,” Manfra said.

She said DHS was working to improve the information-sharing process with state election directors and secretaries of state, and that some issues in communication had arisen because DHS was dealing with “a very different set of stakeholders” than it typically engages.

“We’re going back through and ensuring that all of the appropriate people are aware,” she said, adding that part of that includes declassifying relevant information for secretaries of state, who currently do not have security clearances to view classified material.

In a follow-up interview, Merrill said DHS’s Kolasky suggested at the Indianapolis conference that local election officials should not share details on whether their systems had been hacked.

“That’s what DHS told us at the meeting,” Merrill said. “They were told not to tell it to anybody. That’s what we were told. I only know what we were told.”