Within the Federal Government, DHS, through I&A and NPPD’s National Cybersecurity and Communications Integration Center (NCCIC), began coordinating robustly with the Election Assistance Commission, the IC, and law enforcement partners. Among non-Federal partners, NPPD and I&A engaged state and local officials, as well as relevant private sector entities, to assess the scale and scope of malicious cyber activity potentially targeting the U.S. election infrastructure. In addition to working directly with state and local officials, we partnered with stakeholders like the Multi-State Information Sharing and Analysis Center (MS-ISAC) to analyze relevant cyber data, the National Association of Secretaries of State, and the National Association of State Election Directors. We also leveraged our field personnel deployed around the country, inclusive of Intelligence Officers deployed in state and major urban area fusion centers, Cybersecurity Advisors and Protective Security Advisors located across the country, and Department of Justice field personnel, to help further facilitate information sharing and enhance outreach. Throughout September, that engagement paid off in terms of identifying suspicious and malicious cyber activity targeting the U.S. election infrastructure. A body of knowledge grew throughout the summer and fall about suspected Russian government cyber activities, indicators, and understanding that helped drive collection, investigations, and incident response activities.
One comprehensive intelligence report published by I&A in early October cataloged suspicious activity we observed on state government networks across the country. This initial look, largely based on suspected malicious tactics and infrastructure, helped inform a body of reporting directly related to election infrastructure. While not a definitive source in identifying individual activity attributed to Russian government cyber actors, it established that Internet-connected election-related networks, including websites, in 21 states were potentially targeted by Russian government cyber actors. Although we’ve refined our understanding of individual targeted networks, supported by classified reporting, the scale and scope noted in that October 2016 report still generally characterizes our observations: a small number of networks were successfully compromised, there were a larger number of states where attempts to compromise networks were unsuccessful, and there were an even greater number of states where only preparatory activity like scanning was observed.
With respect to our processes, the IC has noted before that the nature of cyberspace makes attribution of cyber operations difficult, but not impossible. In partnership with members of the IC, DHS applied IC analytic tradecraft techniques to reach a series of judgments about whether these events were isolated incidents, who was the likely perpetrator, that perpetrator's possible motivations, and whether a foreign government had a role in ordering or leading the operation. Using the Department's distinctive view of domestic information and intelligence reporting, our final assessment is based on an evaluation of each incident by the capabilities and tactics employed, the infrastructure used by malicious cyber actors, characteristics of the victimized networks, and adversary capability and intent.
In September, our products at the classified and unclassified levels reported that we had no indication that adversaries or criminals were planning cyber operations against the US election infrastructure that would change the outcome of the coming US election. Further, we assessed that multiple checks and redundancies in US election infrastructure — including diversity of systems, non-Internet connected voting machines, pre-election testing, and processes for media, campaign, and election officials to check, audit, and validate results — make it likely that cyber manipulation of U.S. election systems intended to change the outcome of a national election would be detected.
During that period, we assessed that cyber operations targeting election infrastructure could be intended or used to undermine public confidence in electoral processes and potentially the outcome. This analysis supported an October 7, 2016, statement from then Secretary of Homeland Security and Director of National Intelligence that highlighted Russian cyber activities. This triggered further outreach to share threat information and offer voluntary services to assess cybersecurity of election infrastructure and processes.
The declassified January 2017 IC Assessment, “Assessing Russian Activities and Intentions in Recent U.S. Elections,” captured our assessment of the Russian activity, identifying that “Russian intelligence obtained and maintained access to elements of multiple U.S. state or local electoral boards.” Additionally, “DHS assesse[d] that the types of systems Russian actors targeted or compromised were not involved in vote tallying.”1 As we continue to judge any and all newly available information, DHS has not altered any of those prior assessments.
Looking ahead to future election cycles, with a recognition that the work to enhance election infrastructure security and resiliency is already under way, we assess that multiple elements of election infrastructure remain potentially vulnerable to cyber intrusions, and that multiple cyber actors may have an interest in targeting such infrastructure. The risk to U.S. computer-enabled election systems varies from county to county, between types of devices used, and among processes used by polling stations.
We continue to assess that mounting widespread cyber operations against U.S. voting machines at a level sufficient to affect a national election would require a multiyear effort with significant human and information technology resources available only to a nation-state. The level of effort and scale required to change the outcome of a national election, however, would make it nearly impossible to avoid detection.
As with other developments in the overall cyber environment, the propagation of disruptive technologies has the ability to disrupt electoral processes. For example, targeted intrusions against individual voter registration databases remain possible. With illicit access, manipulation of voter data or disruptions to their availability may impact a voter’s ability to vote on Election Day. Most but not all jurisdictions, however, still rely on paper voter rolls or electronic poll books that are not connected in real-time to voter registration databases, which limited the possible impacts in 2016.
Whether a cyber operation intended to disrupt or alter the vote is successful or not, DHS remains concerned that cyber operations targeting election infrastructure could be intended to undermine public confidence. For instance, although we assess the impact of an intrusion into a vote tabulation system would likely be contained to the manipulation of unofficial Election Night reporting results and not impact the certified outcome, such an operation could undermine public confidence in the results.
Three major elements of DHS’s intelligence operations were key to enhancing our awareness and understanding of the threat: integration of intelligence with operational components, collaboration with IC members, and partnership with state and local governments. I&A’s co-location of intelligence personnel with the NCCIC was key to enhancing the quality of information shared with customers and partners. Robust collaboration with other members of the IC helped appropriately coalesce domestic and foreign intelligence issues – a collaboration that continues to pay dividends across analysis of threats to US critical infrastructure. Finally, the ability to use deployed field staff to leverage already established relationships also aided in gathering key information that shaped I&A’s understanding of the threat environment.