I. In Focus This Week
There’s no there there
NASS releases facts and findings on cybersecurity in 2016 election
By M. Mindy Moretti
Rigged! Hacked! Tampering! Fraud!
Even before one vote was cast in the 2016 election, rumors swirled about the integrity of the election. The cacophony of misinformation and innuendo has not stopped since the election and all of this has caused some Americans to lose faith in the electoral system.
In the days leading up to the election, a survey by The Associated Press-NORC Center for Public Affairs Research found that only 4 in 10 Americans had a high degree of confidence that their votes would be counted correctly. Nearly a third of all who responded thought there was a great deal of voter fraud in the country, despite the lack of evidence.
This week, the National Association of Secretaries of State released the State Election Officials Report Facts & Findings on Cybersecurity and Foreign Targeting of the 2016 U.S. Election.
The report is an effort by NASS to help improve voter confidence and to establish that the election was not “hacked.”
As Congress examines the impact of Russian involvement in the November 2016 election, it is important to provide the clearest and most accurate public record possible regarding election cybersecurity and foreign targeting of U.S. election infrastructure. The following findings are based on all unclassified documentation and evidence available to the National Association of Secretaries of State (NASS):
The November 2016 election was NOT HACKED.
The voting process was not hacked or subject to manipulation in any way. No credible evidence of hacking, including attempted hacking of voting machines or vote counting, was ever presented or discovered in any state, including during recount efforts that took place after the election. A joint DHS-DNI report details the foreign cyberattacks that took place against U.S. government, political and private sector entities that were attributed to Russia.[2] Election officials remain concerned by unfounded conjecture that a lack of such tangible evidence indicates that hacking might have been overlooked or hidden from discovery, despite collaborative efforts with our intelligence services, cybersecurity firms, network defenders and state and local officials.
Russian intrusions into state and local election boards in 2016 were limited to TWO INCIDENTS that did not involve systems used in vote tallying.
The U.S. Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS), along with state officials, are aware of two confirmed intrusions into government-owned voter registration databases that took place in summer 2016. The FBI has confirmed that foreign-based hackers attempted to mine data from voter registration systems in Arizona and Illinois, but no voter registration data was modified or deleted.[4] In Arizona, a hacker attempted to probe voter registration data via a county-level infiltration, but was blocked from doing so by the system’s controls. In Illinois, hackers were able to access publicly-available voter files. These incidents prompted the FBI to warn state election offices to increase their election security measures for the November 2016 election.
Additional state voter registration systems were targeted by cyber hackers, but NO ADDITIONAL SYSTEMS were accessed or breached.
U.S. intelligence agencies have confirmed that Russian-based “cyber scanning or probing activities” were discovered against state voter registration systems, but this targeting does not equate to gaining access or actual breaches. Claims that twenty or more states experienced Russian-led hacks or intrusions into their election systems are false and inaccurate. Furthermore, while it is theoretically possible to disrupt an election via networked systems, compromising voter registration systems would not affect election results. Election registration databases are not linked to vote counting.
Just OVER HALF of all states took advantage of voluntary cybersecurity assistance provided by the U.S. Department of Homeland Security.
The U.S. Department of Homeland Security confirmed to NASS that 33 states and 36 county jurisdictions had taken advantage of the agency’s voluntary assistance and services by Election Day on November 8, 2016. NASS and DHS also achieved a joint goal of ensuring that all 50 states were notified of the federal government resources that were available to them upon request. DHS services included cyber hygiene scans on Internet-facing systems, risk and vulnerability assessments and resources identifying recommendations to improve online voter registration systems, election night reporting systems and other Internet-connected systems. Those states that did not seek to utilize DHS assistance received similar or more comprehensive support from their own state networks.
Our highly-decentralized, low-connectivity elections process provides BUILT-IN SAFEGUARDS against large-scale cyberattacks; however, states are strengthening their systems for future elections.
Our national intelligence agencies concurred with secretaries of state in concluding that our diverse and locally-run election process presents serious obstacles to carrying out large-scale cyberattacks to disrupt elections, and that standalone, disconnected voting systems present a low risk. States are now working together to reinforce their preparedness against future cyber threats, most notably by replacing aging voting equipment. To assist in these efforts, the NASS Election Cybersecurity Task Force will advance collaboration on the unique priorities and challenges that exist regarding election cybersecurity. NASS is also supportive of a thorough accounting and resolution of documented instances of unauthorized scanning against several states’ election networks that has been attributed to IP addresses utilized by the U.S. Department of Homeland Security.