Advertisement

SKIP ADVERTISEMENT

Russia Targeted Election Systems in All 50 States, Report Finds

A voter casting his ballot in the midterm elections last year in Medina, N.D.Credit...Hilary Swift for The New York Times

WASHINGTON — The Senate Intelligence Committee concluded Thursday that election systems in all 50 states were targeted by Russia in 2016, an effort more far-reaching than previously acknowledged and one largely undetected by the states and federal officials at the time.

But while the bipartisan report’s warning that the United States remains vulnerable in the next election is clear, its findings were so heavily redacted at the insistence of American intelligence agencies that even some key recommendations for 2020 were blacked out.

The report — the first volume of several to be released from the committee’s investigation into Russia’s 2016 election interference — came 24 hours after the former special counsel Robert S. Mueller III warned that Russia was moving again to interfere “as we sit here.”

While details of many of the hackings directed by Russian intelligence, particularly in Illinois and Arizona, are well known, the committee described “an unprecedented level of activity against state election infrastructure” intended largely to search for vulnerabilities in the security of the election systems.

It concluded that while there was no evidence that any votes were changed in actual voting machines, “Russian cyberactors were in a position to delete or change voter data” in the Illinois voter database. The committee found no evidence that they did so.

In his testimony to two House committees on Wednesday, Mr. Mueller had sought to highlight the continued threat that Russia or other adversaries would seek to interfere in the 2020 elections. He said many more “countries are developing capability to replicate what the Russians have done.”

While the Senate Intelligence Committee’s findings were bipartisan, they came on a day when Senator Mitch McConnell, Republican of Kentucky and the majority leader, moved again to block consideration of election security legislation put forward by Democrats.

Mr. McConnell has long opposed giving the federal government a greater hand in an institution of American democracy typically run by the states.

And despite the warnings about the Russia threat, he argues that Congress has already done enough — passing $380 million worth of grants for states to update their election systems and supporting executive branch agencies as they make their own changes. Some administration officials have suggested that the issue is not getting enough high-level attention because President Trump equates any public discussion of malign Russian election activity with questions about the legitimacy of his victory.

“It’s just a highly partisan bill from the same folks who spent two years hyping up a conspiracy theory about President Trump and Russia and who continue to ignore this administration’s progress at correcting the Obama administration’s failure on this subject,” Mr. McConnell said of the Democratic bill.

Mr. McConnell has held fast to his position despite withering criticism from Democrats, and agitation from some in his party who want the Senate to move more modest, bipartisan legislation. The Democratic proposal, already passed by the House, would have given the states hundreds of millions of dollars in grants, mandated the use of backup paper ballots and required risk-limiting postelection audits.

Image
Even key findings at the beginning of the report were heavily redacted.

“This is not a Democratic issue, a Republican issue,” said Senator Chuck Schumer of New York, the Democratic leader. “This is not a liberal issue, a moderate issue, a conservative issue. This is an issue of patriotism, of national security, of protecting the very integrity of American democracy, something so many of our forbears died for.”

“And what do we hear from the Republican side?” he said. “Nothing.”

While the report is not directly critical of either American intelligence agencies or the states, it described what amounted to a cascading intelligence failure, in which the scope of the Russian effort was underestimated, warnings to the states were too muted, and state officials either underreacted or, in some cases, resisted federal efforts to offer help.

Even today, after a two-and-a-half-year investigation, the committee conceded that “Russian intentions regarding U.S. election infrastructure remain unclear.” Moscow’s intelligence agencies — chiefly the G.R.U., Russia’s main military intelligence unit — may have “intended to exploit vulnerabilities in the election infrastructure during the 2016 elections and, for unknown reasons, decided not to execute those options.”

But more ominously, the report suggested that it might have been cataloging options “for use at a later date” — a possibility that officials of the National Security Agency, the Department of Homeland Security and the F.B.I. said was their biggest worry.

The report also hinted at some intriguing new findings — but their effect was muted by the scope of the deletions demanded by intelligence agencies. For example, the report noted that the State Department was aware that Russian officials had requested to send election observers to polling places in the 2016 election — just as the United States often seeks to send observers to elections in foreign nations, including Russia.

That was of concern to the committee because testimony about election machines, which are disconnected from the internet, suggested the most efficient way to alter votes was with physical access to the machines or computers rather than programming them with ballots.

Given the potential for further incursions into the election system, the move by the intelligence agencies to redact large portions of the public version of the report touched off behind-the-scenes battles with members of the committee.

The deletions were so substantial that even the committee’s recommendations for the future were not spared: The section heading on the final recommendation read “Build a Credible,” but the remainder of the heading, and two paragraphs that follow, were blacked out.

The report, black lines and all, is titled, “Russian Efforts Against Election Infrastructure.” It is the first volume the committee has publicly released, after more than 200 witness interviews and the collection and review of nearly 400,000 documents. Subsequent volumes will deal with Russia’s effort to use social media to influence voters — an area where Russian interference may have changed minds, and thus votes — and the 200 or so contacts between Russia and members of the Trump campaign.

In a statement, Senator Richard M. Burr, Republican of North Carolina and the chairman of the committee, described the events of 2016 as one in which the United States was blindsided.

“In 2016, the U.S. was unprepared at all levels of government for a concerted attack from a determined foreign adversary on our election infrastructure,” Mr. Burr wrote. “Since then, we have learned much more about the nature of Russia’s cyberactivities and better understand the real and urgent threat they pose.”

The committee’s recommendations ranged from the concrete — ensure a paper trail for voter machines and paper backups for registration systems — to the strategic, like adopting a doctrine of how to deter different kinds of cyberattacks.

While the committee suggested holding “a discussion with U.S. allies and others about new cybernorms,” it did not say what those norms should be — nor did it say election manipulation should be off limits for all nations. One reason for that hesitance, some government officials acknowledge, is the debate inside the administration over how much the United States itself is willing to forgo the option of using its own cyberabilities abroad.

Image
One section on recommended action was almost completely redacted.

Suggestions on how to “improve information gathering and sharing on threats” are redacted, making them useless for most state officials, who do not hold security clearances.

But the solutions appear distant. Some states, like New Jersey, appear not to have the money to fix a voting machine infrastructure that has no paper backup to its balloting process, making a truly reliable audit impossible.

Other states still have highly vulnerable registration databases, federal officials say. Those vulnerabilities are so sensitive that the Intelligence Committee did not reveal by name which states were the most heavily compromised — referring to the states only by number to protect their identities.

In one case study, titled, “Russia Access to Election Infrastructure: State 2,” the only unredacted line reads, “Separately, G.R.U. cyberactor breached election infrastructure in State 2,” with all details eliminated.

Mr. Burr argued that the Department of Homeland Security and state and local elections officials had since “dramatically changed how they approach election security,” showing progress that served as “a testament to what we can accomplish when we give people the opportunity to be part of a solution.”

But Senator Ron Wyden, Democrat of Oregon, appended an impassioned dissent to the report, arguing that the committee did not go far enough. “The committee report describes a range of cybersecurity measures needed to protect voter registration databases,” he wrote, “yet there are currently no mandatory rules that require states to implement even minimum cybersecurity measures. There are not even any voluntary federal standards.”

The committee found that the Department of Homeland Security and the F.B.I. warned states in the late summer and fall of 2016 of the threat of Russian interference. But they did not provide election officials with “a clear reason” to take the threat more seriously than other warnings that are regularly issued, the report said.

The first public warning was issued Oct. 7, 2016, but within an hour, it was washed away by the revelation of a tape in which Donald J. Trump was heard making comments about how he would grab women, and by the release by WikiLeaks of excerpts from emails hacked from the account of John D. Podesta, Hillary Clinton’s campaign chairman.

Even at that time, the report makes clear, the agencies did not understand the scope of the Russian effort. It noted that Michael Daniel, President Barack Obama’s cybersecurity coordinator, had been convinced that the Russians had gone after all 50 states — because they are thorough. But it was only two years later that official intelligence assessments concluded that he was right.

Mr. Daniel’s position at the White House has since been eliminated by John R. Bolton, the national security adviser.

While the report praised the steps the agencies have since taken to assist in securing elections, the committee found that concerns about aging voting equipment remain.

“As states look to replace machines that are now out of date, they should purchase more secure voting machines. At a minimum, any machine purchased going forward should have a voter-verified paper trail,” a summary of the report said, while adding that “states should remain firmly in the lead on running elections.”

The states say they do not have the money to conduct a replacement program by November 2020.

A correction was made on 
July 26, 2019

An earlier version of this article misstated the amount of funding allocated to states for election security. It is $380 million, not $380 billion.

How we handle corrections

Nicholas Fandos contributed reporting.

A version of this article appears in print on  , Section A, Page 1 of the New York edition with the headline: Russians Hunted Election Defects In All 50 States. Order Reprints | Today’s Paper | Subscribe

Advertisement

SKIP ADVERTISEMENT