Two years after Russia's wave of cyberattacks against American democracy, a Senate committee investigating election interference says those hackers hit harder than previously thought in several states.
The committee also added that it still doesn't know with complete certainty exactly how much of U.S. voting infrastructure was compromised.
The report summary released this week by the Senate intelligence committee gives an overview of initial findings focused on how Russian government operatives affected U.S. elections systems. The full report is undergoing a review to check for classified information.
"U.S. election infrastructure is fundamentally resilient," the Senate report said.
Committee members also said that they uncovered no evidence that any vote tallies were manipulated or that any voter registration data was deleted or changed, a finding that is similar to what the intelligence community and other lawmakers have said consistently since 2016.
Some of the report's other findings also are familiar: Russian cyberattackers targeted or scanned the elections systems in at least 21 states, and the Department of Homeland Security was slow in reaching out to the correct officials in those states to let them know.
New details about cyberattacks
But the report also says that in at least six of those states, the Russian-affiliated cyber operatives "went beyond scanning and conducted malicious attempts on voting-related websites" — a detail that had not been previously reported.
In most of those cases, the Russian cyberattackers attempted to use a "SQL" injection, which involves using special characters on a public-facing website to gain access and to either read or manipulate data.
The report says that in "a small number of states," the Russian operatives were in a position to alter or delete voter registration data. DHS has previously said that Russian hackers broke into the voter registration system only in Illinois but that there is no indication any records were altered.
While the security of state election websites isn't tied to the security of vote tallying — they are separate systems — displaying the results of an election correctly is key to maintaining voter trust.
In detailing an election hacking worst-case scenario at a Senate intelligence committee hearing in March, Sen. Marco Rubio, R-Fla., mentioned hacking a state election website that posts results as a way of sowing doubt among the voting population.
Imagine an Election Day on which officials counted ballots correctly but lost control of the official website on which they had intended to announce the results. It could display the name of the loser as the winner or serve as some other kind of avenue for mischief.
The reporting issue
NBC News reported earlier this year that the intelligence community had evidence in 2017 that Russian operatives compromised the voting systems of seven states, including in some cases, their public websites. The Department of Homeland Security responded by slamming the report as "factually inaccurate and misleading."
In response to an inquiry by NPR about the number of states that had their websites attacked, a DHS spokesperson declined comment but referred back to Senate testimony given last summer by Jeanette Manfra, the chief cybersecurity official at DHS. The testimony does not detail how many states specifically had their websites attacked in the way the Senate intelligence committee report says — but it also does not contradict the finding.
DHS Secretary Kirstjen Nielsen told the Senate intelligence committee in March that DHS won't reveal specific information about cyberattacks and the states because of fears they will stop reporting. Nielsen's agency depends on the states to volunteer what has happened to them; she cannot compel them to talk or detect many attacks on her own.
"Unfortunately, throughout the last 15 years at DHS, when it comes to this situation, the victims stop reporting," Nielsen said. "When they stop reporting, we're just not aware of the attacks."
The Senate report also spotlighted this reporting issue.
Although it says "the diversity of our voting infrastructure is a strength," because it makes a large coordinated attack on vote tallies almost impossible, it also means neither Congress nor the Department of Homeland Security get an unimpeded look at the security of state voting systems.
"[They] are required to notify no one" about attacks, said Joseph Lorenzo Hall, a cybersecurity expert with the Center for Democracy and Technology.
Because of that, the Senate committee says that "it is possible that additional activity occurred and has not yet been uncovered."
"In light of the technical challenges associated with cyber forensic analysis, it is also possible that states may have overlooked some indicators of compromise."
For example, an attack on Alaska's election website in 2016 just became public this week because the Anchorage Daily News made a public records request that revealed emails about the event. A website called Cyberwar News had also previously reported the incident, but Alaska only acknowledged it this week.
The hacker, who Alaska officials told the Daily News was unrelated to the Russian scans of the 21 states, posted a photo on Nov. 8, 2016, of an administrator's view of the Alaska elections website on Twitter.
Despite bragging about "ballot administrator access," the user wasn't actually able to view any confidential information nor affect any data. The state deemed the threat as "election disinformation" and did not disclose it because the elections process wasn't "impeded" by the event, according to the Daily News.
Elections experts such as Hall viewed the Alaska event as a positive because it showcased how many layers a hacker would have to break through to actually affect an elections system. Hall compared the event to an intruder breaking through a home's screen door but not being able to get any further into the house.
He said he wished the state had been more proactive in talking about the issue, rather than hiding it because of worries about voter confidence. Many elections officials argue that announcing each individual hacker could embolden them.
"I think it's more of a success story that I would have loved to seen detailed earlier," Hall said.