COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY 116TH CONGRESS SENATE 1st Session REPORT II6-XX REPORT OF THE SELECT COMMITTEE ON INTELLIGENCE UNITED STATES SENATE ON RUSSIAN ACTIVE MEASURES CAMPAIGNS AND INTERFERENCE IN THE 2016 U.S. ELECTION VOLUME 1: RUSSIAN EFFORTS AGAINST ELECTION INFRASTRUCTURE WITH ADDITIONAL VIEWS I COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY CONTENTS I. (U)INTRODUCTION II. (U)FINDINGS III. (U)THE ARC OF RUSSIAN ACTIVITIES IV. (U) ELEMENTS OF RUSSIAN ACTIVITIES A. (U)Targeting Activity 3 3 5 10 10 B. (U)'Russian Access to Election Infrastructure 21 1. (U^ussian Access to Election Infrastructure: Illinois Russian Access to Election Infrastructure: 22 24 C. ^^^^^ussian Efforts to Research U.S. Voting Systems,Processes, and Other Elements of Votin^tafrastructure 28 D.^^H^Russian Activity Directed at Voting Machine Companies 29 E. ^^^^Russia^Efrbrt^^bservePollingP^ 30 F. .^^2 G.^mRussian Actm^^ossibl^Relate^^^Misinformation Campaign on Votel^^^ 32 H. (U)Two Unexplained Events 1. (U)Cyber Activity in State 22 2. (U)Cyber Activity in State 4 33 33 34 V. (U)RUSSIAN INTENTIONS 35 VI. (U)NO EVIDENCE OF CHANGED VOTES OR MANIPULATED VOTE TALLIES.... 38 VII. (U)SECURITY OF VOTING MACHINES 40 VIII. (U)THE ROLE OF DHS AND INTERACTIONS WITH THE STATES 46 A. (U)DHS's Evolution 46 B. (U)The View From the States 49 C. (U)Taking Advantage ofDHS Resourees IX. (U)RECOMMENDATIONS COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY 52 54 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY Russian Efforts Against Election Infrastructure I. (U)INTRODUCTION (U)From 2017 to 2019, the Committee held hearings, conducted interviews, and reviewed intelligence related to Russian attempts in 2016 to access election infrastructure. The Committee sought to determine the extent of Russian activities, identify the response of the U.S. Government at the state, local, and federal level to the threat, and make recommendations on how to better prepare for such threats in the future. 1 he Committee received testimony from state election officials, Obama administration officials, and those in the Intelligence Community and elsewhere in the U.S. Government responsible for evaluating threats to elections. II. (U)FINDINGS U The Russian govemment directed extensive activity, beginning in at least 2014 and carrying into at least 2017, against U.S. election infrastructure' at the state and local level. The Committee has seen no evidence that any votes were changed or that any voting machines were manipulated.^ 2. '(U)The Department of Homeland Security(DHS)defines election infrastructure as "storage facilities, polling places, and centralized vote tabulation locations used to support the election process, and information and communications technology to include voter registration databases, voting machines, and other systems to manage the election process and report and display results on behalf ofstate and local governments,"according to the January 6, 2017 statement issued by Secretary of Homeland Security Jeh Johnson on the Designation of Election Infrastructure as a Critical Infrastructure Subsector, available at https://www.dhs.gov/news/2017/10/06/statementsecretary-johnson-designation-election-infrastructure-crilical. Similarly, the Help America Vote Act(HAVA),Pub. L. No. 107-252, Section 301(b)( 1) refers to a functionally similar set ofequipment as "voting systems," although the definition excludes physical polling places themselves, among other differences, 52 U.S.C. §21081(b). This report uses the term election infrastructure broadly, to refer to the equipment, processes, and systems related to voting, tabulating, reporting, and registration. The Committee has reviewed the intelligence reporting underlying the Department of Homeland Security(DHS)assessment from early 2017 ■I I I The Committee finds it credible. (U) The names of the states the Committe^poKH^iav^eer^^laced with numbers. DHS and some slates asked the Committee to protect state names before providing the Committee with information. The Committee's goal was to get the most information possible, so state names are anonymized throughout this report. Where the report refers to public testimony by Illinois state election officials, that state is identified. 3 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTHH SENSITIVE - RUSSIA INVESTIGATION ONLY 3. (U) While the Committee does not know with confidence what Moscow's intentions were, Russia may have been probing vulnerabilities in voting systems to exploit later. Alternatively, Moscow may have sought to undermine confidence in the 2016 U.S. elections simply through the discovery oftheir activity. 4. (U) Russian efforts exploited the seams between federal authorities and capabilities, and protections for the states. The U.S. intelligence apparatus is, by design, foreign-facing, with limited domestic cybersccurity authorities except where the Federal Bureau of Investigation (FBI)and the Department of Homeland Security(DHS)can work with state and local partners. State election officials, who have primacy in running elections, were not sufficiently warned or prepared to handle an attack from a hostile nation-state actor. 5. (U) DHS and FBI alerted states to the threat of cyber attacks in the late summer and fall of2016, but the warnings did not provide enough information or go to the right people. Alerts were actionable, in that they provided malicious Internet Protocol (IP) addresses to information technology(IT) professionals, but they provided no clear reason for states to take this threat more seriously than any other alert received. 6. (U) In 2016, officials at all levels of government debated whether publicly acknowledging this foreign activity was the right course. Some were deeply concerned that public warnings might promote the very impression they were trying to dispel—that the voting systems were insecure. 7. (U) Russian activities demand renewed attention to vulnerabilities in U.S. voting infrastructure. In 2016, cybersecurity for electoral infrastructure at the state and local level was sorely lacking; for example, voter registration databases were not as secure as they could have been. Aging voting equipment, particularly voting machines that had no paper record of votes, were vulnerable to exploitation by a committed adversary. Despite the focus on this issue since 2016,some of these vulnerabilities remain. 8. (U) In the face of this threat and these security gaps, DHS has redoubled its efforts to build trust with states and deploy resources to assist in securing elections. Since 2016, DHS has made great strides in learning how election procedures vary across states and how federal entities can be of most help to states. The U.S. Election Assistance Commission (EAC),the National Association of Secretaries of State(NASS),the National Association of State Election Directors(NASED),and other groups have helped DHS in this effort. DHS's work to bolster states' cybersecurity has likely been effective, in particular for those states that have leveraged DI IS's cybeisecurily assessments for election infrastructure, but much more needs to be done to coordinate state, local, and federal knowledge and efforts in order to harden states' electoral infrastructure against foreign meddling. 9. (U) To assist in addressing these vulnerabilities, Congress in 2018 appropriated $380 million in grant money for the states to bolster cybersecurity and replace vulnerable 4 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMl riEE SENSiTiVE - RUSSIA IN VES i lUA I ION ONLY voting machines/ When those funds are spent. Congress should evaluate the results and consider an additional appropriation to address remaining insecure voting machines and systems. 10.(U) DHS and other federal government entities remain respectful of the limits of federal involvement in state election systems. States should be firmly in the lead for running elections. The country's decentralized election system can be a strength from a cybersecurity perspective, but each operator should be keenly aware of the limitations of their cybersecurity capabilities and know how to quickly and properly obtain assistance. III. (U)THE ARC OF RUSSIAN ACTIVITIES In its review of the 2016 elections, the Committee found no evidence that vote tallies were altered or that voter registry files were deleted or modified, though the Committee and IC's insight into this is limited. Russian government-affiliated cyber actors conducted an unprecederit£dJeycl_ofjictm state election infrastructure in the run-up to the 2016 U.S. elections^ Throughout 2016 and for several years before, Russian intelligence services and government personnel conducted a number of intelligence-related activities targeting the voting process. the Committee found ample evidence to suggest that the Russian government was developing and implementing capabilities to interfere in the 2016 elections, including undermining confidence in U.S. democratic institutions and voting processes.^ ^(U)Consolidated Appropriations Act, 2018, Pub. L. No. 115-141, 132 Stat. 348, 561-562. ' (U)The Committee has limited information on the extent to which state and local election authorities carried out forensic evaluation of registration databases. These activities are routinely carried out in the context of private sector breaches. FBI LHM.I Ifbi LHM, DHS Homeland (ntelligence Briel FBI LHM, COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY Evidence ofscanning of state election systems first appeared in the summer prior to the 2016 election. In mid-July 2016, Illinois discovered anomalous network activity, specifically a large increase in outbound data, on a Illinois Board of Elections' voter registry website.'" Working with Illinois, the FBI commenced an investigation.' The attack resulted in data exfiitration from the voter registration database. (U) On Augu^lS,2016, FBI issued an unclassified FLASH'^ to state technical-level experts on a set of^m^ identified from the attack on lilinois's voter registration databases. The FLASH product did not aitribute the attack to Russia or any otherpaScuIa^cto^ FBI Electronic C('mnninicaiion. (U)DHS briefing for SSCi staff, March 5, 2018. '/(U)SSCI Transcript ofthe Open Hearing on Russian Interference in the 2016 U.S. Elections, held on Wednesday, June 21. 2017, p. 1 13. IS a )According to the United States Computer Emergency Readiness Team (US-CERT), an SQL injection echnique that attempts to subvert the relationship oetween a webpage and its supporting database, typically in order to trick the database into executing malicious code." (U)DHS IIR 4 0050006 17, An IP Address Targeted Multiple U.S. Slate Government's to Include Election Syfttpms October 4,2016 'Hi )DHS briefing for SSCI staff, March 5,2018. J (U)FBI FLASH alerts are notifications of potential cyber threats sent to local law enforcement and private industry so that administrators are able to guard their systems against the described threat. FLASHs marked TLP: AMBER are considered sharable with members of the recipients own organization and those with direct need to know. lumber T-LD1004-TT, TLP-AMBER, (U)Ibid. (U)Ibid wned COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY After the issuance of the August FLASH,the Department of Homeland Security(DHS)and the Multi-State-Information Sharing & Analysis Center(MS-ISAC)-- asked states to review their log files to determine if the IP addresses described in the FLASH had touched their infrastructure. This request for voluntary self-reporting, in conjunction with DHS analysis of NetFlow activity on MS-ISAC internet sensors, identified another 20 states whose networks had made connections to at least one IP address listed on the FLASH. DHS was almost entirely reliant on states to self-report scanning activity. Former Special Assistant to the President and Cybersecurity Coordinator Michael Daniel said, "eventually we get enough of a picture that we become confident over the course of August of2016 that we're seeing the Russians probe a whole bunch of different state election infrastructure, voter registration databases, and other related infrastructure on a regular basis."-^ Dr. Samuel Liles, Acting Director of the Cyber Analysis Division within DHS's Office of Intelligence and Analysis (I&A), testified to the Committee on June 21, 2017, that "by late September, we determined that internet-connected election-related networks in 21 states were potentially targeted by Russian government cyber actors."-^ "(I') Hie MS-ISAC is a DHS-suppei tcd grinip dedieuied lo sharing information between state, local, tribal, and territorial(SLTT)government entities, it serves as the central cybersecurity resource for SLTT governments. Entities join to receive cybersecurity advisories and alerts, vulnerability assessments, incident response assistance, and other services. DHS IIR 4 005 0006, An IP Address Targeted Multiple U.S. Stale Governments to Include Election ^ys/emT^^ber 4, 2016; DHS briefing for SSCl staff, March 5,2018. (U)SSCl Transcript of the Interview with John Brennan, Former Director, CIA, held on Friday, June 23, 2017, p. 41. (U)SSCl Transcript of the Interview with Michael Daniel, Former Special Assistant to the President and Cybersecurity Coordinator, National Security Council, held on August 31, 2017, p. 39. (LI) SSCl Transcript ofthe Open Hearing on Russian Interference in the 2016 U.S. Elections, held on Wednesday, June21,2017,p. 12. 7 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY fU^H^jn^BI issued a second FI ASH and a Joint Analysis Report in October that flagged suspect IP addresses, many unrelated to Russia.-"' DHS briefers told the Committee that they were intentionally over-reporting out of an abundance of caution, given their concern about the seriousness of the threat. DHS representatives told the Committee,"We were very much at that point in a sort of duty-to-warn type of attitude ... where maybe a specific incident like this, which was unattributed at the time, wouldn't have necessarily risen to that level. But... we were seeing concurrent targeting of other election-related and political figures and political institutions ...[which] led to what would probably be more sharing than we would normally think to do."~^ DHS assessed that the searches, done alphabetically, probably included all 50 states, and consisted of research on "general election-related web pages, voter ID information, election system software, and election service companies."^' FBI FI.ASH. Alert NiimherT-l.ni005-TT. TLP-AMBER, I; DHS/FBl JAR-16-20223, Threats to Federal. Shiie. tiiul l.ocdl (.iovcnunL'iu (X'tobcr 14,2016. ^^(U)SSCl interview with DHS and CTIIC. February 27. 2018. p. 9-10. FBI LHM.I DI IS Hotnekind Intclliiicnce Brief. NSA ^^^HNSA^^^^^^^^HDIRNSA^^a^^O 17. This information was not available to the U.S. governinont iitiiil April 2017 3^ (U)NS DIRNSA. May5,2017. COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMI T! EH SENSITIVE - RUSSIA INVESTIGATION ONLY The Russian Embassy placed a formal request to observe the cicclions witfuheDepartm^t of State, but also reached outside diplomatic channels in an attempt to secure permission directly from state and local election officials." In objecting to these tactics, then-Assistant Secretary of State for European and Eurasian Affairs Victoria Nuland reminded the Russian Ambassador that Russia had refused invitations to participate in the official OSCE mission that was to observe the U.S. elections.^^ "(U)FB1IIR FBI IIR (U)Ibid. i^^(LI) DTS 2018-2152, SSCI Interview with Andrew McCabe, Former Deputy Director ofthe FBI, February 14 20^ pp. 221-222. Email, sent November 4,2016;from^^^^^H: to: Subject: Kislyak Protest of FBI Tactics ^Mt)NSA ^Uin/hUL DIRNSA, May s! 2017. COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMI l IHH ShNSITIVE - RUSSIA INVESTIGATION ONLY (U) The Committee found no evidence of Russian artors attempting to manipulate vote tallies on Election Day, though again the Commillee and IC's insight into this is limited. In the years since the 2016 election, awareness of the threat, activity by DHS,and measures at the state and local level to better secure election infrastructure have all shown considerable improvement. The threat, however, remains imperfectly understood. In a briefing before Senators on August 22, 2018, DNI Daniel Coats, FBI Director Christopher Wray, thenDHS Secretary Kirstjen Nielsen, and then-DHS Undersecretary for the National Protection and Programs Division Christopher Krebs told Senators that there were no known threats to election infrastructure. However, Mr. Krebs also said that top election vulnerabilities remain, including the administration of the voter databases and the tabulation ofthe data, with the latter being a much more difficult target to attack."^" Relatedly, several weeks prior to the 2018 mid-term election, DHS assessed that "numerous actors are regularly targeting election infrastructure, likely for different purposes, including to cause disruptive effects, steal sensitive data, and undermine confidence in the election.'"''' IV. (U)ELEMENTS OF RUSSIAN ACTIVITIES A. (U)Targeting Activity Scanning of election-related state infrastructure by Moscow was the most widespread activity the IC and DHS elements observed in the run up to the 2016 election.'"' 111^^ In an interview with the Committee, Mr. Daniel stated:"What it mostly looked like to us was reconnaissance.... I would have characterized it at the time as sort of conducting the reconnaissance to do the network mapping, to do the topology mapping so (IJ)^^^ 2018-3275,Summary of 8/22/2018 All Senators Election Security Briefing, August 28.20)8. Homeland Security intelligence Assessment: Cyber Actors Continue to Engage in Influence Activities and Targeting of Election Infrastructure, October 11,2018. ^(U)DTS 2019-1368, NIC 2019-01, Intelligence Community Assessment: A Summary of the Intelligence Community Report on Foreign Interference as Directed by Executive Order 13848, March 29, 2019. p. 2-3. (U)Ibid. (U)SSCI interview of representatives from DHS and CTIIC, February 27,2018, p. 12. 10 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITl th ShNSI riVK - RUSSIA INVESTIGATION ONLY that you could actually understand the network, establish a presence so you could come back later and actually execute an operation.'"''^ (U) Testifying before the Committee, Dr. Liles characterized the activity as "simple scanning for vulnerabilities, analogous to somebody walking down the street and looking to see if you are home. A small number ofsystems were unsuccessfully exploited, as though somebody had rattled the doorknob but was unable to get in .. .[however] a small number of the networks were successfully exploited. They made it through the door."^^ DHS and FBI assessments on the number of affected states evolved since 2016. In ajoinl FBl/DHS intelligence product published in March 2018, and coordinated with the Central Intelligence Agency(CIA), the Defense Intelligence Agency (DIA), the Department of State, the National Intelligence Council, the National Security Agency(NSA), and the Department of Treasury, DHS and FBI assessed that Russian inteiliaence services conducted activit> DHS arrived at their initial assessment by evaluating whether the tactics, techniques, and procedures(TTPs) observed were consistent with previously observed Russian TTPs, whether the actors used known Russian-affiliated malicious infrastructure, and whether a state or local election system was the target. (U) The majority of information examined by DHS was provided by the states themselves. The MS-ISAC gathered information from states that noticed the suspect IPs pinging their systems. In addition, FBI was working with some states in local field offices and reporting back FBI's findings. (U) Ifsome slates evaluated their logs incompletely or inaccurately, then DHS might have no indieation of whether they were scanned or attacked. As former-Homeland Security Adviser Lisa Monaco told the Committee,"Of course, the law enforcement and the Intelligence community is going to be significantly reliant on what the holders and '•'(U)SSCI Transcript ofthe Interview of Michael Daniel. Former A.ssistant to the President and Cybersecurity Coordinator, National Security Council, August 31, 2017, p. 44. (U)SSCI Transcript of the Open Hearing on Russian Interference in the 2016 U.S. Elections, held on Wednesday, June 21. 2017. p. 13. DHS FBI Homeland Intelligence Brief. (Li)See chart, infra, tor information on successful breaches. (U)DHS did not count attacks on political parties, political organizations, or NGOs. For example, the compromise of an email affiliated with a partisan State 13 voter registration organization was not included in DHS's count. 11 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMI I THH SENSITIVE - RUSSIA INVESTIGATION ONLY owners and operators of the infrastructure sees on its system [sic] and dooidcs to raisL their hand."^"^ However, both tjig^IC and the Committee in its own review were unable to the states, (U) Mr. Daniel told the Committee that by late August 2016, he had already personally concluded that the Russians had attempted to intrude in all 50 states, based on the extent of the activity and the apparent randomness of the attempts. "My professional judgment was we have to work under the assumption that they've tried to go everywhere, because they're thorough, they're competent, they're good."^^ Intelligence developed later in 2018 bolstered Mr. Daniel's assessment that all 50 states were targeted. (U)SSCI Transcript ofthe Interview with of Lisa Monaco, Former Homeland Security Advisor, August 10, 2017, p. 38. "(U)SSCI Transcript ofthe Interview with Michael Daniel, Former Assistant to the President and Cybersecurity Coorditiaior, National Security Council, August 31, 2017, p. 40. [DllS I BI Homeland intelligence Bulletin,! '• (IJ) Ibi^ (L)DHS briefing for SSCI staff, March 5, 2018. (li) SSCI interview of representatives from DHS and CTIIC, February 27,2018, pp. 11-12. (U)DHS briefing for SSCI staff, March 5,2018. 12 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY (U) However, IP addresses associated with the August 18, 2016 FLASH provided some indications the activity might be attributable to the Russian government, particularly the GRU: One of the Netherlands-based I "exhibited the same behavior from the same node over a period of lime. ... It was behaving like ... the same user or group of users was using this to direct activity against the same type of targets," according to DHS staff.^^ (U)Ibid. "(U)Ibid. "(U)Ibid, "^'^'^ibid. FR R "(L)) Cyber Threat Intelligence Integration Center(CTIIC)Cyber Threat Intelligence Summary, October 7, 2016. "(U)Ibid. (t)SSCl interview of representatives from DHS and CTIIC, February 27,2018, p. 13. 13 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY The IC's confidence level aboul the attribution oflhe attacks evolved over 2017 and into 20 18 The Committee reached out to the 21 states that DHS first identified as targets of scanning activity to leam about their experiences. Election officials provided the Committee (U) DHS Electronic Communication, December 19. 2016, email from: DHS/NCCIC: to: CIA. 7( DHS Intelligence Assessment, Hostile Russian Cyber Targeting ofElcciion Infrasiniciure in 2016: Probable Non-Stale Actors Attempt Disruption, May 3, 2017. (II)Ibid. (E^SCI interview ofrepresentatives from DHS and CTIIC, February 27, 2018, p. 13. DHS arrived at their initial assessment of21 states affected by adding the eleven plus seven states, plus the three where scanning activity appeared directed at less specifically election-focused infrastructure. (U)SSCl conference call with DHS and FBI, March 29, 2018. 14 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY details about the activity they saw on their networks, and the Committee compared that acLuunling to UHS's reporting of eveiils.^'^ Where those accounts differed is noted below. The scanning activity took place from approximately June through September 2016. STATE Illinois State 2 OBSERVED ACTIVITY^ (U) See infra. "Russian Access to Election-Related Infrastructure" for a detailed description. (U) See infra. "Russian Access to Election-Related Infrastructure" for a detailed description. (U) According to State 3 officials, cyber actors using infrastructure identified in the August FLASH conducted scanning activity.^® State 3 officials noticed State 3 "abnormal behavior" and took action to block the related IP addres.ses.^' m DHS reported GRU scanning attempts against two separate domains related to election infrastructure. State 4 (U) See infra,"Two Unexplained Events" for a detailed description. (U) Cyber actors using infrastructure identified in the August FLASH scanned "an old website and non-relevant archives," according to the State 5 Secretary of State's office.^^ The following day, State 5 took action to block the IP address. State 5 DHS, however, reported GRU scanning activity on two separate State 5 Secretary of State websites, plus targeting of a District Attorney's office^^ in a particular city.^'' Both the websites appear to be current addresses for the State 5 Secretary of State's office. (U) According to State 6 officials, cyber actors using infrastructure identified in State 6 the August FLASH scanned^' the entire state IT infrastructure, including by using the Acunetix tool, but the "affected systems" were the Secretary of State's (U)DHS briefed Committee staff three times on the attacks, and staff reviewed hundreds of pages of intelligence assessments. (U)Slight variation between what states and DHS reported to the Committee Is an indication of one of the challenges in election cybersecurity. The system owners—in this case, state and local administrators—are in the best position to carry out comprehensive cyber reviews, but they often lack the expertise or resources to do so. The federal government has resources and expertise, but the IC can see only limited information about inbound attacks because of legal restrictions on operations inside the United States. (U)Memorandum for the Record, SSCI Staff, Conference Call with [State 3], December 8,2017. (U)Ibid (U)DHS briefing for Committee staff on March 5,2018. (U)Memorandum for the Record, SSCI Staff, Conference Call with [State 5], December 1,2017. "(U)Ibid (f'flU)Briefers suggested the "most wanted" list housed on the District Attorney's website may have in some way been connected to voter registration. The exact nature of this connection, including whether it was a technical network connection or whether databases of individuals with felony convictions held by the District Attorney's office had voting registration implications, is unclear. (U)DHS briefing for Committee slalT on March 5, 2018. (U)State 6 officials did not specify, but in light of the DHS assessment, they likely meant SQL injection. 15 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMM 1 EE SENSlnVE - RUSSIA INVESTIGATION ONLY web application and the election results wcbsitc.^^ If the penclialiun liad been successful, actors could have manipulated the unofficial display of the election tallies.'^'^ State officials believed they would have caught any inconsistency quickly.*^'^ State 6 became aware of this malicious activity and alerted partners.^' DHS reported that GRU actors scanned State 6, then unsuccessfully attempted many SQL injection attacks. State 6 saw the highest number of SQL attempts of any state. (U) According to State 7 officials, cyber actors using infrastructure identified in the August FLASH scanned public-facing websites, including the "static" election site.^- It seemed the actors were "cataloging holes to come back later," State 7 according to state election offlcials.^^ State 7 became aware of this malicious activity after receiving an FBI alert. DHS reported GRU scanning attempts against two separate domains related to election infrastructure.^"' (U) According to State 8 officials, cyber actors using infrastructure identified in the August FLASH scanned a State 8 public election website on one day.^^ State 8 officials described the activity as heightened but not particularly out of the ordinary. State 8 became aware of this malicious activity afiter receiving an alert. State 8 u State 9 k (U) According to State 9 officials, cyber actors using infrastructure identified in an October MS-ISAC advisory'^' scanned the statewide voter registration (U) Memorandum for the Record, SSCI Staff, Conference Call with [State 6], November 17,2017. (U)Ibid ^(U)Ibid "(U)Ibid (U)Memorandum for the Record, SSCI Staff, Conference Call with [State 7], January 25,2018. (U)Ibid ^(U)Ibid (U)DHS briefing for Committee staff on March 5,2018. (U) Memorandum for the Record, SSCI Staff, Conference Call with [State 8], February 2,2018. (U)Ibid (U)Ibid (U)DHS briefing for Committee staff on March 5,2018. (U)Ibid (IJ) While the Committee was unable to review the specific indicators shared with State 9 by the MS-ISAC in October, the Committee believes at least one of the relevant IPs was originally named in the August FLASH because of technical data held by DHS which was briefed to the Committee. 16 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVHS i lGA I ION ONLY sysTem. Officials used the analogy of a thief casing a parking lot: they said the car thief"didn't go in, but we don't know why.""^^ State 9 became aware of this malicious activity after receiving an alert. DHS reported GRU scanning activity on the Secretary of State domain. (U) According to Stale 10 officials, cyber actors using infrastructure identified in the August FLASH conducted activity that was "very loud," with a threepronged attack: a Netherlands-based IP address attempted SQL injection on all fields 1,500 times, a U.S.-based IP address attempted SQL injection on several fields, and a Poland-based IP address attempted SQL injection on one field 6-7 times. State 10 received relevant cybersecurity indictors from MS-ISAC in early August, around the same time that the attacks occurred. State lO's IT contractor attributed the attack to Russia and suggested that the activity was reminiscent of other attacks where attackers distract with lots of noise and then State 10 "sneak in the back.""^^ (U) State 10, through its firewall, blocked attempted malicious activity against the online voter registration system and provided logs to the National Cybersecurity and Communications Integration Center (NCCIC)'"'^ and the U.S. Computer Emergency Readiness Team (US-CERT).'"' State 10 also brought in an outside contractor to assist.''' DHS confirmed GRU SQL injection attempts against State lO's voter services website on August 5 and said that the attack was blocked after one day by State lO's firewall. (U) According to State 11 officials, they have seen no evidence of scanning or attack attempts related to election infrastructure in 2016."^ While State 11 State officials noted an IP address "probing" state systems, activity which was "broader than state election systems," State 11 election officials did not provide specifics on which systems."'' '"2(U)Memorandum for the Record, SSCI Staff, Conference Call with [State 9], November 17, 2017. (U)Ibid. (L)Ibid (I)) DHS briefing for Committee staff on March 5, 2018. '"^(U) Memorandum for the Record, SSCI Staff, Conference Call with [State 10], November 29, 2017. (U)Ibid (U)Ibid (II) NCCIC is DHS's cyber watch center. ^'°(li)Ibid ' (U)DHS briefing for Committee staff on March 5,2018. (U)Memorandum for the Record, SSCI Staff, Conference Call vdth [State 11], December 8,2017. ^'*iV)Ibid. 17 COMMITTFF SFN'SITIVF - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY DHS reported GRU scanning activity on the Secretary of State domain.' (U) Cyber actors using infrastructure identified in the August FLASH conducted scanning activity that "lasted less than a second and no security breach occurred," according to State 12 officials."^ State 12 became aware of this malicious activity after being alerted to it. State 12 DHS reported that because of a lack of sensor data related to this incident, they relied on NetPIow data, which provided less granular information."^ DHS's only clear indication of GRU scanning on State I2's Secretary of State website came from State 12 self-reporting information to MSISAC after the issuance of the August FLASH notification."*^ (U) According to State 13 officials, they have seen no evidence of scanning or attack attempts related to state-wide election infrastructure in 2016.'-" State 13 State 14 IP address used by the GRU at the time and the State 14 election commission webpage, but no indication of a compromise. In addition, DHS was informed of activity relating to separate IP addresses in the August FLASH, (U)DHS briefing for Committee staff on March 5, 2018. ' (U)Memorandum for the Record, SSCI Staff, Conference Call with [State 12], December 1,2017. ' (U)DHS briefing for Committee staff on March 5, 2018. (U)Memorandun^Mh^ecord,SSCI Staff, Conference Call with [State 13], December 1,2017. (U)FBI DHS briefing for Committee staff on March 5. 2018. 122 1; DHS briefing for Committee staff on March 5,2018. For more information on decisions by DHS to exclude certain activity in its count of21 states, vt'c tcxl box, infra,"DHS Methodology for Identifying States Touched by Russian Cyber Actors." DHS'FBI Homeland Intelligence Brief.] [; DHS briefing for Committee staff on March 5, 2018. 18 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMI i TEE SENSITIVE - RUSSIA INVESTIGATION ONLY including attempted Domain Name System (DNS)lookups and potentially malicious emails, some dating back to January 2016.'-'* (U) State 15 officials were not aware that the state was among those targeted until they were notified.'-^ State 15's current lead election official was not in place during the 2016 election so they had little insight into any scanning or attempted intrusion on their systems. State 15 officials said that generally they State 15 viewed 2016 as a success story because the attempted infiltration never got past the state's four layers of security. DHS reported broad GRU scanning activity on State 15 government domains. (U) According to State 16 officials, cyber actors using lnfra,structure identified in the October FLASH conducted scanning activity against a state government State 16 network.'-^ ^^^^DHS reported information on GRU scanning activity based on a selfreport from State 16 after the issuance of the October FLASH. (U) State 17 officials reported nothing "irregular, inconsistent, or suspicious" leading up to the election.'-^ While State 17 IT staff received an MS-ISAC State 17 notification, that notification was not shared within the state government. DHS reported GRU scanning activitv on an elecrinn-related domain (U) State 18 election officials said they observed no connection from the IP addresses listed in the election-related notifications.'^State 18 DHS reported indications of GRU scanning activity on a State 18 government domain. State 19 (U) According to State 19 officials, cyber actors using infrastructure identified in October by MS-ISAC conducted scanning activity. State 19 claimed this activity was "blocked," but did not elaborate on why or how it was blocked.'^'* DES IIR 4 019 0012 17, Cyber Activity Targeting [State 14] Government Networksfrom Internet Protocol Addresses Associated with Targeting State Elections Systems, October 21,2016. (U)Memorandum for the Record, SSCI Staff, Conference Call with [State 15], March 12,2018. (U)DHS briefing for Committee staff on March 5, 2018. '2'(LI) Memorandum for the Record, SSCI Staff, Conference Call with [State 16], December 1,2017. (U)DHS briefing for Committee staff on March 5, 2018. '^'(U) Memorandum for the Record, SSCI Staff, Conference Call with [State 17], January 25, 2018. (U)/A/V. (U)DHS briefing for Committee staff on March 5,2018. (II) Memorandum for the Record, SSCI Staff, Conference Call with [State 18], December 8,2017. (U)DHS briefing for Committee staff on March 5,2018. (U) Memorandum for the Record, SSCI Staff, Conference Call with [State 19], December 1,2017. 19 COMMITTEE SENSITIVE - RllSSIA INVESTIGATION ONLY COMMI1 1 hE SENSrnVE - RUSSIA INVESTIGATION ONLY Di IS reported indications of GRU scanning activity on two separate State 19 government domains. (U) According to State 20 officials, cyber actors using infrastructure identified in October by MS-ISAC were "knocking" on the state's network, but no State 20 successful intrusion occurred. 1^^^ DHS reported GRU scanning activity on the Secretary of State domain. (U) State 21 officials received indicators from MS-ISAC in October 2016. They said they were not aware the state was among those targeted until notified. State 21 DHS reported GRU scanning activity on an election-related domain as well as at least one other government system connected to the voter registration system. Neither DHS nor the Committee can ascertain a pattern to the states targeted, lending credence to DHS's later assessment that all 50 states probably were scanned. DHS representatives told the Committee that "there wasn't a clear red state-blue state-purple state, more electoral votes, less electoral votes" pattern to the attacks. DHS acknowledged that the U.S. Government does not have perfect insight, and it is possible the IC missed some activity or that slates did not notice intrusion attemi or re ort them 40 (U)DHS briefing for Committee staff on March 5, 2018. (U)Memorandum for the Record, SSCI Staff, Conference Call with [State 20], November 17,2017. (U)DHS briefing for Committee staff on March 5,2018. Memorandum for the Record, SSCI Staff, Conference Call with [State 21], November 17,2017. (U)DHS briefing for Committee staff on March 5, 2018. ''"'(U) SSCI interview uiih DI IS and CTIIC. Februarv 27. 2018. p. 25. (L))SSCI interview witli DHS and CTilC, February 27,2018, p. 21. 20 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY election Intelligence Assessment reported the following: looking for evidence of threats to An October 2018 DHS Wejudge that numerous actors are regularly targeting election infrastructure, likelyfor different purposes, including to cause disruptive effects, steal sensitive data, and undermine confidence in the election. We are aware ofa growing volume ofmalicious activity targeting election infrastructure in 2018, although we do not have a complete baseline ofprior years to determine relative scale of the activity. Much ofour understanding ofcyber threats to election infrastructure is due to proactive sharing by state and local election officials, as well as more robust intelligence and information sharing relationships amongst the election community and within the Department. The observed activity has leveraged common tactics—the types oftactics that are available to nation-state and non- state cyber actors, alike—with limited success in compromising networks and accounts. We have not attributed the activity to anyforeign adversaries, and we continue to work to identify the actors behind these operations. At this time, all these activities were either prevented or have been mitigated. ) Specifically: Unidentified cyber actors since at least April 2018 and as recently as early October continue to engage in a range ofpotential elections-related cyber incidents targeting election infrastructure using spear-phishing, database exploitation techniques, and denial ofservice attacks, possibly indicating continued interest in compromising the availability, confidentiality, and integrity ofthese systems. For example, on 24 August 2018, cybersecurity officials detected multiple attempts to illegally access the State of Vermont's Online Voter Registration Application (OLVR), which serves as the state's resident voter registration database, according to DHS reporting. The malicious activity included one Cross Site Scripting attempt, seven Structured Query Language (SQL)injection attempts, and one attempted Denial ofService(DoS)attack. All attempts were unsuccessful. In summarizing the ongoing threat to U.S. election systems, DHS further said in the same product,"We continue to assess multiple elements of U.S. election infrastructure are potentially vulnerable to cyber intrusions." B. (U)Russian Access to Election Infrastructure DHS, Homeland Security Intelligence Assessment, Cyber Actors Continue to Engage in Influence Activities and Targeting ofElection InJ'rastructure, October 1 1, 2018. (U)Ibid. 21 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMi n EH SENSITIVE - RUSSIA IN VES I IUA I ION ONLY (U) The January 6, 2017 Intelligence Community Assesbinent(IL'A),"Assessing Russian Activities and Intentions in Recent U.S. Elections," states: Russian intelligence obtained and maintained access to elements ofmultiple U.S. state or local electoral boards. DHS assesses that the types ofsystems Russian actors targeted or compromised were not involved in vote tallying. Based on the Committee's review of the ICA,the Committee concurs with this assessment. The Committee found that Russian-affiliated cyber actors gained access to election infrastructure systems across two states, including successful extraction of voter data. However, none of these systems were involved in vote tallying. 1. (U)Russian Access to Election Infrastructure: Illinois (U) In June 2016, Illinois experienced the first known breach by Russian actors of state election infrastructure during the 2016 election. As of the end of2018, the Russian cyber actors had successfully penetrated Illinois's voter registration database, viewed multiple database tables, and accessed up to 200.000 voter registration records. The compromise resulted in the exfiltration of an unknown quantity of voter registration data. Russian cyber actors were in a position to delete or change voter data, but the Committee is not aware of any evidence that thev did so. • assesses with high confidence that the penetration was carried out by Russian actors.'^" )The compromised voter registration database held records relating to 14 million registered voters. The records exfiltrated included information on each voter's name, address, partial social security number, date of birth, and either a driver's license number or state identification number. (U)Intelligence Community Assessment, Assessing Russian Activities and Intentions in Recent U.S. Elections, Januar^6^017, p. iii. (LJjjjjj^^) DHS IIR 4 005 0006, An IP Address Targeted Multiple U.S. State Government's to Include Election Systems. October 4,2016; DHS briefing for SSCI staff. March 5, 2018. (L)"Illinois election ofllclals say hack yielded information on 200,000 voters,"[Local Newspaper], August 29, 2016. (LI) DHS IIRI^ SCI open Hearing on June 21,2017, p 110 (U)State Board of Elections, Illinois Voter Registration System Records Breached, August 31, 2016. As reflected elsewhere in this report, the Committee did not undertake its own forensic analysis ofthe Illinois server logs to corroborate this statement; SSCI interview with DHS and CTllC, February 27, 2018, p. 24. (U)See infra,"Russian Scanning and Attempted Access to Election-Related Infrastructure" for a complete discussion on attribution related to the set of cyber activitv linked (o die infrastructure used in the Illinois breach. ''' FBI IIrI DHS intelligence Assessment, May 3, 2017,0144-17, COMMITTTT SLNSTTIVF - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY DHS staff further recounted to the Committee that "Russia would have had the ability to potentially manipulate some ofthat data, but we didn't see that." Further, DHS staff noted that "the level of access that they gained, they almost certainly could have done more. Why they didn't... is sort of an open-ended question. I think it fits under the larger umbrella of undermining confidence in the election by tipping their hand that they had this level of access or showing that they were capable of getting it."'^^ • (U) According to a Cyber Threat Intelligence Integration Center(CTIIC)product, Illinois officials "disclosed that the database has been targeted frequently by hackers, but this was the first instance known to state officials of success in accessing it."'^"^ (U) In June 2017, the Executive Director ofthe Illinois State Board of Elections(SEE), Steve Sandvoss, testified before the Committee about Illinois's experience in the 2016 elections. He laid out the following timeline: • (U) On June 23, 2016, a foreign actor successfully penetrated Illinois's databases through an SQL attack on the online voter registration website. "Because ofthe initial low-volume nature ofthe attack, the State Board of Election staff did not become aware of it at first." • (U) Three weeks later, on July 12, 2016,the IT staff discovered spikes in data flow across the voter registration database server. "Analysis ofthe server logs revealed that the heavy load was a result of rapidly repeated database queries on the application status page of our paperless online voter application website." • (U) On July 13, 2016, IT stafftook the website and database offline, but continued to see activity from the malicious IP address. • (U) "Firewall monitoring indicated that the attackers were hitting SEE IP addresses five times per second, 24 hours a day. These attacks continued until August 12"^ [2016], when they abruptly ceased." (U)SSCI interview with DHS and CTIIC, February 27,2018, p. 14. (U)CTIIC Cyber Threat Intelligence Summary, August 18, 2016. (U)SSCI Open Hearing on June 21, 2017. The Committee notes that, in his testimony, Mr. Sandvoss said Illinois still had not been definitively told that Russia perpetrated the attack, despite DHS's high confidence. The Committee also notes that DHS eventually provided a briefing to states during which DHS provided further information on this topic, including the DHS high-confidence attribution to Russia. Ibid.,-p.m. (U)Ibid. Ibid., p. 111. (U)Ibid. 23 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMI ITEE SENSITIVE - RUSSIA INVESTIGATION ONLY (U) On July 19, 2016, the election staff notified the Illinois General Assembly and the Attorney General's office. (U) Approximately a week later, the FBI contacted Illinois.'®^ (U) On July 28, 2016, both the registration system and the online voter registration became fully functional again. 2. (U)Russian Access to Election Infrastructure: State 2 Separately, GRU cyber actors breached election infrastructure in State 2. p. 113. (U)Ibid., p. 112. (U FBI Electronic Communication.j in hid 164 (U)FBI Briefing on [State 2] Election Systems, June 25,2018. (U)DHS briefing for SSCl staff, March 5,2018. (D)Ibid. ' Vtlil DTS 2018-2416; FBI Briefing on [State 2] Election Systems, June 25,2018, p. 16. (li) SSCl interview with DHS and CTIIC, February 27, 2018, compartmented session. 24 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMl I 'l HH SENSITIVE - RUSSIA INVESTIGATION ONLY (U)FBI and DHS Interactions with State August 18, 2016 (U) FBI FLASH notification identified IP addresses targeting election offices. August 24, 2016 (U) State 2 Department of State received the FLASH from National Association of Secretaries of State. August 26, 2016 (U) State 2 Department of State forwarded FLASH to counties and advised them to block the IP addresses. Separately,H^^^HP^etennir^ one ofthe listed IP addresses scanned its systemU^^^^^^^H subsequently discovered suspeeted intrusion activity and contacted the FBI.'^'* "2(U)Ibid. (L)ibid. DTS 2018-2416; FBI Briefing on [State 2] Election Systems, June 25, 2018, pp. 7. ibid. 5'ee o/so EB-0004893-LED (^^^1 interview with DHS and CTllC, February 27, 2018, p. 42. ' DTS 2018-2416; FBI Briefing on [State 2] Election Systems, June 25. 2018, pp. 7. (II) FBI KLASI I. Alert NumberT-LD1004-TT, TLP-AMBER,I DI S 2018-2416; FBI Briefing on [State 2] Election Systems, June 25,2018, p. 4. '8-(u775^.,pp. 4-5. (\})lbid.,^. 5. (U)Ibid. 25 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY August 31, 2016 FBI opened its investigation on and "conducted outreach to State 2 county election oflicials to discuss individual security postures and any suspicious activity."'®^ FBI outreach reveals that one State 2 county—County A—was scanned. September 30, 2016 FBI held a conference call with county election officials to advise of the attempt to probe County A. FBI also notified state and local officials of available DHS services. October 4, 2016 October 14,2016 December 29, 2016 June 2017 County B's IT administrator contacted FBI regarding a potential intrusion. According to the FBI,"Of particular concern, the activity included a connection to a county voting, testing, and maintenance server used for poll worker classes." (U) FBI shared County B indicators by issuing a FLASH. (U) DHS and FBI released a Joint Analysis Report(JAR)on the "GRIZZLY STEPPE" intrusion set; report represents the first IC attribution of state election-related systems to the Russians. (U) DHS notified State 2 counties of a possible intrusion "as part of a broader notification to 122 entities identified as spearphishing victims in an intelligence report."'^'* DTS 2018-2416; FBI Briefing on [State 2] Election Systems, June 25,2018, p. 5. iV)Ibid,pp. 5-6. '®®(U)/6W.,p. 6. (U)Ibid (U)Ibid I-)! FBI FLASH, Alert Number T-LD1005-TT. TLP-AMBER, (U)DHS/FBl, Joint Analysis Report, JAR-16-20296A7grTzZLY STEPPE - Russian Malicious Cyber Activity, Decemtw 29, 2016. DTS 2018-2416; FBI Briefing on [State 2] Election Systems, June 25, 20!8, p. 7. ^'^{V)Jbid 26 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY July 2017 November 2017 (U) FBI published a FLASH report waiiiiiig of possible spearphishing.'"^'' (U) FBI and DBS participated in the first meeting of the State 2 elections task force. February 2018 (U) FBI requested direct engagement with Counties B, C, and D, including a reminder of available DBS services. March 2018 (U) FBI reports that "our office engaged" the affected counties through the local FBI field office. The FBI could not provide any further detail on the substance ofthese engagements to the Committee. May 29, 2018 FBI provided a SECRET Letterhead Memo to DBS "fomi^ly advising of our investigation into the intrusion the reported intrusion at County B,and suspected compromises of Counties C and D." June 11,2018 (U) FBI reports that as of June 11, 2018, Counties A, B, C, and D had not accepted DBS services.^®® (11) FBI FLASH, Alert Number EB-000083-LD. TLP-AMBER.j I. 5cvDTS20]8-3[74. DTS 2018-2416; FBI Briefing on [State 2] Election Systems, June 25,2018, p. 7. •'''(U)Ibid., p. 6. "«(lJ)/6/W.,p. 34. '''(lJ)/6/bci espionage.. ..[They will] scrape up all the information and the experience they possibly can," and "they might not be effective the first time or the fifth time, but they are going to keep at it until they can come back and do it in an effective way."^^"^ Mr. Daniel told the Committee: While any one voting machine isfairly vulnerable, as has been demonstrated over and over again publicly, the ability to actually do an operation to change the outcome ofan election on the scale you would need to, and do it surreptitiously, is incredibly difficult. A much more achievable goal would be to undermine confidence in the results ofthe electoral process, and that could be done much more effectively and easily. ... A logical thing woidd be, ifyour goal is to undermine confidence in the U.S. electoral system— which the Russians have a long goal ofwanting to put themselves on the same moral plane as the United States ... one way would be to cause chaos on election day. How could you start to do that? Mess with the voter registration databases. I Ms. Monaco further echoed that concern: Well, one ofthe things I worried about—and I wasn't alone in this—is kind ofworst-case scenarios, which would be things like the voter registration databases. So ifyou 're a state and local entity and your voter registration database is housed in the secretary ofstate's office and it is not encrypted and it's not backed up, and it says Lisa Monaco lives at Smith Street and I show up at my[pollingplace] and they say 'Well we don V have Ms. Monaco at Smith Street, we have her at Green Street,'now there's diffiiculty in my voting. And ifthat were to happen on a large scale, I was worried about confusion at polling places, lack ofconfidence in the voting system, anger at a large scale in some areas, confusion, distru.st. So there was a whole sliding scale of 2"(U)SSCI interview with DHS and CTIIC, February 27, 2018, p. 15. (U)DTS 2018-2152, SSCI Transcript ofthe Interview with Andrew McCabe, Former Deputy Director of the FBI, February 14, 2018, pp. 224-225. (U)SSCI Transcript ofthe Interview with Michael Daniel, Former Assistant to the President and Cybersecurity Coordinator, National Security Council, August 31,2017, pp. 27,34. 36 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY horriblesjust when you're talking about voter registration databases?^^ (U) Chaos on Election Day: Three Scenarios Mr. Daniel said that in the early fall of2016, a policy working group was looking at three scenarios: One was, could the Russians do something to the voter registration databases that could cause problems on Election Day? An example ofthat would be, could you go in andflip the digits in everybody's address, so that when they show up with their photo ID it doesn 't match what's in the poll book? It doesn 't actually preventpeoplefrom voting. In most cases you 'II still get a provisional ballot, but ifthis is happening in a whole bunch ofprecinctsforjust about everybody showing up, it gives the impression that there's chaos. A second one was to do a variant ofthe penetrating voting machines, except this time what you do is you do a nice video ofsomebody conducting a hack on a voting machine and showing how you could do that hack and showing them changing a voting outcome, and then you post that on YouTube and you claim you've done this 100,000 times across the United States, even though you haven't actually done it at all. Then the third scenario that we looked at was conducting a denial ofservice attack on the Associated Press on Election Day, because pretty much everybody, all those nice maps that everybody puts up on all the different news services, is infact actually based on Associated Press stringers at all the differentprecincts and locations. ... It doesn't actually change anything, but it gives the impression that there's chaos. V (U)SSCI Transcript ofthe Interview with Lisa Monaco,Former Homeland Security Advisor, August 10,2017, p. 28. 267 (U)SSCI Transcript ofthe Interview with Michael Daniel, Former Assistant to the President and Cybersecurity •Coordinator, National Security Council, August 31,2017, p. 33. (U)Ibid., pp. 34-35. 2^°(U)/dW.,p.35. 37 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMi ri HE SENSITIVE - RUSSIA INVESTIGATION ONLY VI. (U)NO EVIDENCE OF CHANGED VOTES OR MANIPULATED VOTE TALLIES (U) In its review, the Committee has seen no indications that votes were changed, votetallying systems were manipulated, or that any voter registration data was altered or deleted, although the Committee and IC's insight is limited. Pol! workers and voting monitors did not report widespread suspicious activity surrounding the 2016 election. DHS Assistant Secretary Jeanette Manfra said in the Committee's open hearing in June 2017 that "1 want to reiterate that we do have confidence in the overall integrity of our electoral system because our voting infrastructure is fundamentally resilient." Further, all three witnesses in that hearing—Ms. Manfra, Dr. Files, and FBI Assistant Director for Counterintelligence Bill Priestap—agreed that they had no evidence that votes themselves were changed in any way in the 2016 election. • (U) Dr. Files said that DHS "assessed that multiple checks and redundancies in U.S. election infrastructure, including diversity ofsystems, non-internet connected voting machines, pre-election testing and processes for media, campaign and election officials to check, audit, and validate the results—all these made it likely that cyber manipulation of the U.S. election systems intended to change the outcome of the national election would be detected. He later said "the level of effort and scale required to change the outcome of a national election would make it nearly impossible to avoid detection."^'^ • (U) States did not report either an uptick in voters showing up at the polls and being unable to vote or a larger than normal quantity of provisional ballots. (U) The Committee notes that nationwide elections are often won or lost in a small number of precincts. A sophisticated actor could target efforts at districts where margins are already small, and disenfranchising only a small percentage of voters could have a disproportionate impact on an election's outcome. (U) Many state election officials emphasized their concern that press coverage of, and increased attention to, election security could create the very impression the Russians were seeking to foster, namely undermining voters' confidence in election integrity. Several insisted that whenever any official speaks publicly on this issue, they should state clearly the difference between a "scan" and a "hack," and a few even went as far as to suggest that U.S. officials stop (U)SSCl Transcript of the Open Hearing on Russian Interference in the 2016 U.S. Elections, held on Wednesday. June 21,2017. (U)SSCL Transcript ofthe Open Hearing on Russian Interference in the 2016 U.S. Elections, held on Wednesday, June 21,2017, p. 13. (t)Ibid., p. 47. 38 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMI I I KE SENSITIVE - RUSSIA INVESTIGATION ONLY talking about the issue altogether. One state official said,"Wc need to walk a fine line between being fortheoming to the public and protecting voter eonfidenee."-^'' (U) Mr. Brennan described a similar concern in IC and policy discussions: JVe know that the Rtissians had already touched some ofthe electoral systems, and we know that they have capable cyber capabilities. So there was a real dilemma, even a conundrum, in terms ofwhat do you do that's going to try to stave offworse action on the part ofthe Russians, and what do you do that is going to . ..[give] the Russians what they were seeking, which was to really raise the specter that the election was not going to befair and unaffected.275 (U) Most state representatives interviewed by the Committee were confident that they met the threat effectively in 2016 and believed that they would continue to defeat threats in 2018 and 2020. Many had interpreted the events of 2016 as a success story: firewalls deflected the hostile activity, as they were supposed to, so the threat was not an issue. One state official told the Committee,"I'm quite confident our state security systems are pretty sound. Another state official stated,"We felt good [in 2016]," and that due to additional security upgrades,"we feel even better today."-^' (U) However, as of 2018, some states were still grappling with the severity of the threat. One official highlighted the stark contrast they experienced, when, at one moment, they thought elections were secure, but then suddenly were hearing about the threat.-^^ The official went on to conclude,"I don't think any of us expected to be hacked by a foreign government."-^'^ Another official, paraphrasing a former governor, said,"If a nation-state is on the other side, it's not a fair fight. You have to phone a friend."-^" (U) In the month before Election Day, DHS and other policymakers were planning for the worst-case scenario of efforts to disrupt the vote itself. Federal, state, and local governments created incident response plans to react to possible confusion at the polling places. Mr. Daniel said of the effort: "We're most concerned about the Russians, but obviously we are also concerned about the possibility for just plain old hacktivism on Election Day. ... The incident response plan is actually designed ... to help us [plan for] what is the federal government going to do if bad things start to happen on Election Day?" Mr. Daniel added that this was the first opportunity to exercise the process established under Presidential Policy Directive-4I. "We asked the various agencies with lead (U)Memorandum for the Record, SSCI Staff Conference Call with [State 8], February 2,2018. (t)SSCI Transcript of the Interview with John Brennan, Former Director, CIA, held on Friday, June 23,2017, p. 54. (U) Memorandum for the Record, SSCI Staff Conference Call with [State 6], November 17, 2017. (LI) Memorandum for the Record, SSCI Staff, Conference Call with [State 8], February 2, 2018. (U) Memorandum for the Record, SSCI Staff, Conference Call with [State 20], November 17,2017. (L)ibid. (U) Memorandum for the Record, SSCI Staff, Conference Call with [State 9], November 17,2017. 39 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMTiTEH SENSITIVE - RUSSIA INVESTIGATION ONLY responsibility, all right, give us your Election Day plan." That led to the creation of an Election Day playbook; steps included enhanced watch floor procedures, connectivity between FBI field offices and FBI and DEIS, and an "escalation path" if"we needed to get to Lisa [Monaco] or Susan [Rice] in a hurry" on Election Day.-^' VII. (U)SECURITY OF VOTING MACHINES (U) The Committee review of Russian activity in 2016 highlighted potential vulnerabilities in many voting machines, with previous studies by security researchers taking on new urgency and receiving new scrutiny. Although researchers have repeatedly demonstrated it is possible to exploit vulnerabilities in electronic voting machines to alter votes, some election officials dispute whether such attacks would be feasible in the context of an actual election. • (U) Dr. Alex Halderman, Professor of Computer Science at the University of Michigan, testified before the Committee in June 2017 that "our highly computerized election infrastructure is vulnerable to sabotage and even to cyber attacks that could change votes. Dr. Halderman concluded,"Voting machines are not as distant from the internet as they may seem."-^'^ • (U) When State 7 decommissioned its Direct-Recording Electronic(DRE) voting machines in 2017, the IT director led an exercise in attempting to break into a few of the machines using the access a "normal" voter would have in using the machines."^^ The results were alarming: the programmed password on some of the machines was ABC 123, and the testers were able to flip the machines to supervisor mode, disable them, and "do enough damage to call the results into question."-^^ The IT director shared the results with State 21 and State 24, which were using similiar machines."^' • (U) In 2017, DEFCON^®^ researchers were able to find and exploit vulnerabilities in five different electronic voting machines.-^^ The WinVote machines, those recently decertified by State 7, were most easily manipulated. One attendee said, "It just took us a couple of hours on Google to find passwords that let us unlock the administrative (U)Ibid., p. 82. (U)See also, infra, "Direct-Recording Electronic(DRE) Voting Machine Vulnerabilities." (ll) SSCI Transcript of the Open Hearing on Russian Interference in the 2016 U.S. Elections, held on Wednesday, June 21, 2017, p. 117. (U)/A/rf., p. no. (U) Memorandum for the Record, SSCi Staff, Conference Call with [State 7], January 25,2018. (U)ibid. The machines used were WinVote voting machines. (U)Ibid. (U)DEFCON is an annual hacker conference held in Las Vegas, Nevada. In July 2017, at DEFCON 25, the conference featured a Voting Machine Hacking Village ("Voting Village") which acquired and made available to conference participants over 25 pieces of election equipment, including voting machines and electronic poll books, for generally unrestricted examination for vulnerabilities. (LI) Matt Blaze, et. al., DEFCON 25: Voting Machine Hacking Village: Report on Cyber Vulnerabilities in U.S. Election Equipment. Databases, and Infrastructure, September 2017, https://www.defcon.org/images/defcon25/DEF%20CON%2025%20voting%20report.pdf, pp. 8-13. 40 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMl 1 Tth SENSITIVE - RUSSIA INVESTIGATION ONLY functions on this machine."^^" A researcher was able to hack into the WinVote over WiEi within minutes using a vulnerability from 2003.-'^' Once he had administrator-level access, he could change votes in the database. Researchers also discovered available USB ports in the machine that would allow a hacker to run software on the machine.^^^ One said "with physical access to back [sic] of the machine for 15 seconds, an attacker can do anything.""^^ Hackers were less successful with other types of machines, although each had recorded vulnerabilities. (U) The 2018 DRFCON report found similar vulnerabilities, in particular when hackers had physical access to the machines. For example, hackers exploited an old vulnerability on one machine, using either a removable device purchasable on eBay or remote access, to modify vote counts. DHS briefed the Committee in August 2018 that these results were in part because the hackers had extended physical access to the machines, which is not realistic for a true election system. Undersecretary Krebs also disagreed with reporting that a 17year-old hacker had accessed voter tallies. Some election experts have called into question the DEFCON results for similar reasons and pointed out that any fraud requiring physical access would be, by necessity, small scale, unless a government were to deploy agents across thousands of localities. (U) ES&S Voting Systems disclosed that some of its equipment had a key security vulnerability. ES&S installed remote access software on machines it sold in the mid- 2000s, which allowed the company to provide IT support more easily, but also created potential remote access into the machines. When pressed by Senator Ron Wyden of Oregon,the company admitted that around 300 voting jurisdictions had the software. ES&S says the software was not installed after 2007, and it was only installed on election-management systems, not voting machines. More than 50 percent of voters vote on ES&S equipment, and 41 states use its products. (L)Elizabeth Wise,"Hackers at DefCon Conference Exploit Vulnerabilities in Voting Machines," USA Today, July 30,2017, https;//www.usatoday.coTn/story/iech/2017/07/30/hackers-defcon-conference-exploit-vulnerabilitiesvoting-machines/523639001/. (U) Matt Blaze, et. al., DEFCON 25: Voting Machine Hacking Village: Report on Cyber Vulnerabilities in U.S. Election Equipment, Databases, and Infrastructure, September 2017, https://www.defcon.org/images/defcon25/DEF%20CON%2025%20voting%20report.pdf, p. 4. 2'^(U)Ibid., p. 9. 2'^(U)Ibid. Ibid., pp. 8-13. (U)Robert McMillian and Dustin Volz,"Voting Machine Used in Half of U.S. Is Vulnerable to Attack, Report Finds," Wall Street Journal, September 27, 2018. The machine referenced is the ES«&S Model 650, vshich ES&S stopped making in 2008 but is still available for sale. (U)DTS 2018-3275, Summary of 8/22/2018 All Senators Election Security Briefing, August 28, 2018 (U)Hacks, Security Gaps And Oligarchs: The Business of Voting Comes Under Scrutiny. Miles Parks, NPR, September 21, 2018. 41 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY (U) Advocates of electronic voting point out the flaws in paper ballots, like the potential for the introduction of fraudulent ballots or invalidated votes due to stains or extra marks. The Committee believes that any election system should be protected end-to-end, including against fraud. (U)Direct-Recording Electronic(ORE)Voting Machine Vulnerabilities (U) While best practices dictate that electronic voting machines not be connected to the internet, some machines are internet-enabled. In addition, each machine has to be programmed before Election Day, a procedure often done either by connecting the machine to a local network to download software or by using removable media, such as a thumb drive. These functions are often carried out by local officials or contractors. Ifthe computers responsible for writing and distributing the program are compromised,so too could all voting machines receiving a compromised update. Further, machines can be programmed to show one result to the voter while recording a different result in the tabulation. Without a paper backup, a "recount" would use the same faulty software to re-tabulate the same results, because the primary records of the vote are stored in computer memory. (U) Dr. Halderman said in his June 2017 testimony before SSCI: I know America's voting machines are vulnerable because my colleagues and I have hacked them repeatedly as part ofa decade ofresearch studying the technology that operates elections and learning how to make it stronger. We've created attacks that can spreadfrom machine to machine, like a computer virus, and silently change election outcomes. We've studied touchscreen and optical scan systems, and in every single cose wefound waysfor attackers to sabotage machines and to steal votes. These capabilities are certainly within reachfor America's enemies. Ten years ago, I was part ofthefirst academic team to conduct a comprehensive security analysis ofa DRE voting machine. We examined what was at the time the mo.st widely used touch-screen DRE in the country and spent several months probing it for vulnerabilities. What wefound was disturbing: we could reprogram the machine to invisibly cause any candidate to win.^^^ 2^8(L)"Some DREs also produce a printed record ofthe vote and show it briefly to the voter, using a mechanism called a voter-verifiable paper audit trail, or VVPAT. While VVPAT records provide a physical record of the vote that is a valuable safeguard against cyberattacks, research has shown that VVPAT records are difficult to accurately audit and that voters often fail to notice ifthe printed record doesn't match their votes. For these reasons, most election security experts favor optical scan paper ballots." Written Statement by J. Alex Halderman, June 21, 2017, citing S. Goggin and M. Byrne,"An Examination ofthe Auditability of Voter Verified Paper Audit Trail(VVPAT) Ballots," Proceedings ofthe 2007 USENIX/ACCURA TE Electronic Poling Technology Workshop, August 2007; B. Campbell and M. Byrne,"Now do Voters Notice Review Screen Anomalies?" Proceedings ojthe 2009 USENIX/ACCURA TE/IA PoSS Electronic Poling Technology Workshop. August 2009. (U)The machine was the Diebold AccuVote TS, which was still used statewide in at least one state as of2017. 42 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY Lybersecurity experts have stinJied a wide range of U.S. voting machines—including both DREs and optical scanners—and in every single case, they'vefound severe vulnerabilities that would allow attackers to sabotage machines and to alter votes. That's why there is overwhelming consensus in the cybersecurity and election integrity research communities that our elections are at risk. (U) In speaking with the Committee, federal government officials revealed concerns about the security of voting machines and related infrastructure. Former Assistant Attorney General for National Security John Carlin told the Committee: "I'm very concerned about... our actual voting apparatus, and the attendant structures around it, and the cooperation between some states and thefederal government."^"' Mr. Carlinfurther stated, "We've literally seen it already, so shame on us ifwe can 'tfix it heading into the next election cycles. And it's the assessment ofevery key intel professional, which I share, that Russia's going to do it again because they think this was successfid. So we 're in a bit ofa race against time heading up to the two-year election. Some ofthe election machinery that's in place should not be. (U)_Mr. McCabe echoed these concerns, and noted that, in the last months before the election, o FBI identified holes in the security of election machines, saying "there's some potential > X ^ lift VIIW ^WIV^IV VIJW ••303 there. (U) As of November 2016, five states were using exclusively ORE voting machines with no paper trail, according to open source information.^"*' An additional nine states used at least some ORE voting machines with no paper trail.^"^ • (U) State 20 has 21 -year-old DRE machines. While the state is in the process of replacing its entire voting system, including these machines, State 20 is aiming to have the updates ready for the 2020 elections. • (U) In State 21, 50 of67 counties as of November 2017 used DRE voting machines. (U)SSCI Transcript of the Open Hearing on Russian Interference in the 2016 U.S. Elections, held on Wednesday, June 21,2017, pp. 116-1 17. (U)SSCI Transcript ofthe Interview with John Carlin, Former Assistant Attorney General for National Security, held on Monday, September 25, 2017, p. 86. '"2(U)ihici., pp. 86-87. (U)DTS 2018-2152, SSCI Interview with Andrew McCabe, Former Deputy Director ofthe FBI, February 14 2018, p. 221. (U)BallotPedia, Voting Methods and Equipment By State, https://balIotpedia.org/Voting_methods_and_equipment_by_state. (IJ) ibid. (U)Memorandum for the Record,SSCI Staff, Conference Call with [State 21}, November 17,2017. 43 COMMITTEE SENSITIVE - RUSSIA INVESTIGA'I ION ONLY COMMITTEE SENSITIVE^USSI^N^^IG^IoTOn^LY • (U) State 5 used paper-hacked voting in only about hair its machines and DRE voting machines without paper backup in the other half.^"' • (U) Some stales are moving to a hybrid model—an electronic voting machine with a paper backup, often in the form of a receipt that prints after the voter submits their vote. For example, State 12 uses some DREs, but all equipment is required to have a paper trail, and the paper ballot is the ballot of record. State 12 also conducts a mandatory state-wide audit. Similarly, State 13 uses some paper-based and some electronic machines, but all are required to have a paper trail. (U) The number of vendors selling voting machines is shrinking, raising concerns about a vulnerable supply chain. A hostile actor could compromise one or two manufacturers of components and have an outsized effect on the security of the overall system. • "My job," said Ms. Monaco when asked whether she was worried about voting machines themselves getting hacked,"was to worry about every parade of horribles. So : cannot tell you that that did not cross my mind. We were worried about who, how many makers. We were worried about the supply chain for the voting machines, who were the makers? ... Turns out I think it's just Diebold—and have we given them a defensive briefing? So to answer your question, we were worried about it all."^'' • Mr. McCabe pointed out that a small number of companies have "90%" of the market for voting machines in the U.S. Before the 2016 election. briefed a few of the companies on vulnerabilities,^'- but a more comprehensive campaign to educate vendors and their customers is warranted. (U) Voluntary Voting System Guidelines (U)Part of the voting reform implemented under The Help America Vote Act of2002 was a requirement that the Election Assistance Commission create a set ofspecifications and requirements against which voting systems can be tested, called the Voluntary Voting System Guidelines(VVSG). The EAC adopted the first VVSG in December 2005. The EAC then tasked the Technical Guidelines Development Committee, chaired by the National Institute of Standards and Technology(NIST)and including members from NASED, with updating the guidelines. In March 2015,the EAC approved VVSG 1.1; in January 2016, the EAC adopted (U) Memorandum for the Record, SSCl Staff, Conference Call with [State 5], December 1,2017. (U) Memorandum for the Record, SSCl Staff, Conference Call with [State 12], December 1,2017. (U)Ibid. (U) Memorandum for the Record, SSCl Staff, Conference Call with [Stale 13], December 1, 2017. (U)SSCl Transcript ofthe Interview with Lisa Monaco, Former Homeland Security Advisor, held on Thursday, August 10. 2017, p. 31. (U)SSCl Transcript of the Interview with Andy McCabe, Deputy Director of the FBI, held on Wednesday, February 14,2018, pp. 220-221. 44 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY an implementation plan requiring that all new voting systems bo tested against the VVSG I. I beginning in July 2017. VVSG I.I has since been succeeded by version 2.0, which was released for a 90-day public comment period on February 15, 2019. The EAC will compile the feedback for Commissioners to review shortly thereafter.^'^ VVSG 2.0 includes the following minimum security guidelines: • (^) An error or fault in the voting system software or hardware cannot cause an undetectable change in election results. (9.1) • (U) The voting system produces readily available records that provide the ability to check whether the election outcome is correct and, to the extent possible, identify the root cause of any irregularities. (9.2) • (U) Voting system records are resilient in the presence of intentional forms of tampering and accidental errors. (9.3) • (U) The voting system supports strong, configurable authentication mechanisms to verify the identities of authorized users and includes multi-factor authentication mechanisms for critical operations. (11.3) • (U) The voting system prevents unauthorized access to or manipulation of configuration data, cast vote records, transmitted data, or audit records. (13.1) • (U) The voting system limits its attack surface by reducing unnecessary code, data paths, physical ports, and by using other technical controls. (14.2) • (U) The voting system employs mechanisms to protect against malware. (15.3) • (U) A voting system with networking capabilities employs appropriate, well-vetted modem defenses against network-based attacks, commensurate with current best practice. (15.4) (U) As of March 2018, 35 states required that their machines be certified by EAC, but compliance with the VVSG standards is not mandatory. Secretary Nielsen testified before the Committee that the United States should "seek for all states" to use the VVSG standards. (U)EAC Commissioners Unanimously Vole to Publish VVSG 2.0 Principles and Guidelinesfor Public Comment: https://www.eac.gOv/news/2019/02/15/eac-commissioners-unanimously-vote-to-publish-vvsg-20-principles-andguidelines-for-public-comment/; February 15, 2019 '''•(U)SSCI Transcript ofthe Open Hearing on Election Security, held on March 21,2018, p. 47. 45 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY vm.(U)THE ROLE OF DBS AND IN l ERACTIONS WITH THE STATES (U) The federal government's actions to address election security threats evolved significantly from the summer of2016 through the summer of 2018. Contemporaneous with the Russian attacks, DHS and FBI were initially treating the situation as they would a typical notification of a cyber incident to a non-governmental victim. By the fall of2016, however, DHS was attempting to do more extensive outreach to the states. Then in the fall of2017, DHS undertook an effort to provide a menu of cyber support options to the states. A. (U)DHS's Evolution For DHS and other agencies and departments tasked with intelligence collection or formulating policy options through the interagency process, the full scope ofthe threat began to emerge in the summer of 2016. Secretary Johnson told the Committee that "I know I had significant concerns by[summer of2016] about doing all we could to ensure the cybersecurity of our election systems. Mr. Daniel said in his interview that by the end of July, the interagency was focused on better protecting electoral infrastructure as part of a "DHS and FBI-led domestic effort."^ B Policymakers quickly realized, however,that DHS was poorly positioned to d ofsupport states needed. Mr. Daniel said that interagency discussions about the threat "start[ed] a process of us actually realizing that, frankly, we don't actually have very much in the way of capability that we can directly offer the states"—a fact that the states themselves would later echo.^'^ • Monaco said that DHS initially found a "pretty alarming variance in the number of voting registration databases and lack of encryption and lack of backup for all ofthese things."^ Ms. Monaco added that "[i]n light of what we were seeing, in light of the intelligence we were getting briefed on, this was a very specific direction and decision to say we need to really accelerate this, put a significant push on resources and engagement at the senior-most levels."^ • Mr. Daniel and the working group identified DHS's cyber teams as possible assistance to the states. "DHS had teams that could go and provide that support to the private sector. We've been doing that. That's a program that existed for years for critical (L)SSCl Transcript ofthe Interview with Jeh Johnson, Former Secretary of Homeland Security, held on Monday, June 12, 2017, p. 10. (U)SSCl Transcript ofthe Interview with Michael Daniel, Former Special Assistant to the President and Cybersecurity Coordinator, National Security Council, held on Wednesday, August 31, 2017, p. 28. 3"(IJ)/6/rf.,p.38. (U)SSCl Transcript of the Interview with Lisa Monaco, Former Homeland Security Advisor, held on Thursday, August 10, 2017, SSCl interview of Lisa Monaco, August 10, 2017, p. 19. p.2L 46 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMi n EH SENSn IVE - RUSSIA INVESTIGATION ONLY infrasli uclure companies. And we realized that we could repurpose [some of those teams], but we don't have that many ofthem ... four or five. It was not very many." (U) DHS attempted a nuanced outreach to the states on the threat. Ms. Monaco highlighted a delicate balancing act with the interactions with states: /know we tried very hard to strike a balance between engaging state and local officials andfederal officials in the importance ofraising cyber defenses and raising cybersecurity. .. and not sowing distrust in the system, both because, one, we believed it to be true that the system is infact quite resilient because ofwhat I mentioned earlier, which is the diffuse nature; and because we did not want to, as we described it, do the Russians' workfor them by sowing panic about the vulnerability ofthe election (U) In an August 15, 2016, conference call with state election officials, then-Secretary Johnson told states, "we're in a sort of a heightened state of alertness; it behooves everyone to do everything you can for your own cybersecurity leading up to the election." He also said that there was "no specific or credible threat known around the election system itself. I do not recall—I don't think, but I do not recall, that we knew about [State 4] and Illinois at that point."^-- The Committee notes that this call was two months af^er State 4's system was breached, and more than a month after Illinois was breached and the state shut down its systems to contain the problem. During this call, Secretary Johnson also broached the idea of designating election systems as critical infrastructure. (U) A number of state officials reacted negatively to the call. Secretary Johnson said he was "surprised/disappointed that there was a certain level of pushback from at least those who spoke up.... The pushback was: This is our—I'm paraphrasing here: This is our responsibility and there should not be a federal takeover of the election system."^-^ • (U) The call "does not go incredibly well," said Mr. Daniel. "I was not on the call, no, but all of the reporting back and then all of the subsequent media reporting that is leaked about the call shows that it did not go well." Mr. Daniel continued: "I was actually quite surprised ... in my head, there is this: yes, we have this extremely partisan election going on in the background; but the Russians are trying to mess with our election. To me, that's a national security issue that's not dependent on party or anything else."^^'* SSCI Transcript ofthe Interview with Michael Daniel, Former Special Assistant to the President and Cybersecurity Coordinator, National Security Council, held on Wednesday, August 31,2017, p. 41. (U)SSCI Transcript ofthe Interview with Lisa Monaco, Former Homeland Security Advisor, held on Thursday, August 10, 2017, p. 29. (U)SSCI Transcript ofthe Interview with Jeh Johnson, Former Secretary of Homeland Security, held on Monday, June 12,2017, p. 13. Ibid., pp. 13-14. (U)Ibid, p. 48. 47 COVtMTTTFT SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY (U) Ms. Monaco also related how DIIS icLcived significant push back from the states and decided to "focus our efforts on really pushing states to voluntarily accept the assistance that DHS was trying to provide."^-^ (U) States also reported that the call did not go well. Several states told the Committee that the idea of a critical infrastructure designation surprised them and came without context of a particular threat. Some state officials also did not understand what a critical infrastructure designation meant, in practical terms, and whether it would give the federal government the power to run elections. DHS also did not anticipate a certain level of suspicion from the states toward the federal government. As a State 17 official told the Committee,"when someone says 'we're from the government and we're here to help,' it's generally not a good thing."^-^ (V) Critical Infrastructure Designation (U) One of the most controversial elements of the relationship between DHS and the states was the decision to designate election systems as critical infrastructure. Most state officials relayed that they were surprised by the designation and did not understand what it meant; many also felt DHS was not open to input from the states on whether such a designation was beneficial. (U) Secretary Johnson remembers the first time he aired the possibility of a designation was on August 3, 2016. He went to a reporters' breakfast sponsored by the Christian Science Monitor and publicly "floated the idea of designating election infrastructure as critical infrastructure."^"^ Then, on August 15, 2016, Secretary Johnson had a conference call with election officials from all 50 states. "I explained the nature of what it means to be designated critical infrastructure. It's not a mandatory set of[regulations], it's not a federal takeover, it's not binding operational directives. And here are the advantages: priority in terms of our services and the benefit of the protection of the international cyber norm."^-^ Secretary Johnson continued:"I stressed at the time that this is all voluntary and it prioritizes assistance ifthey seek it."^^^ (U) Some states were vocal in objecting to the idea. In evaluating the states' response, DHS came to the conclusion that it should put the designation on hold, deciding it would earn more state trust and cooperation if it held off on the designation as critical infrastructure and perhaps sought more buy-in from the states at a later date.^^^ (U)SSCI Transcript of the Interview with Lisa Monaco, Former Homeland Security Advisor, held on Thursday, August 10, 2017, SSCI interview of Lisa Monaco, August 10, 2017, p. 25. "'■(U) Memorandum for the Record, SSCI Staff, Conference Call with State 17, January 25,2018. (U) SSCI Transcript of the Interview with Jeh Johnson, Former Secretary of Homeland Security, held on Monday, June 12, 2017, p. 10. (T) Ibid., p. 14. For additional information on the definition of critical infrastructure in a cybersecurity contexL see Executive Order 13636, Improving Critical Infrastructure Cybersecurity, February 12, 2013. (H) SSCI Transcript of the Open Hearing on Election Security, March 21,2018, p. 34. "°(U)M/f/.,p. 115. 48 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY (U) After the election, Secretary Johnson decided the time had come to make the designation. He held a follow-up call with NASS on the critical infrastructure designation in January 2017: "I didn't tell them I'm doing this the next day, but I told them I was close to making a decision. I didn't hear anything further [along the lines of additional, articulated objections], so the same day we went public with the [unclassified] version of the report,^^' I also made the designation."^^^ (U) Mr. Uaniel summed up the rationale for proceeding this way:"I do believe that we should think of the electoral infrastructure as critical infrastructure, and to me it'sjust as critical for democracy as communications, electricity, water. If that doesn't function, then your democracy doesn't function To me that is the definition of'critical.'""^ (U) In interviews with the Committee in late 2017 and early 2018, several states were supportive ofthe designation and saw the benefits of, for example, the creation of the Government Coordinating Council. Others were lukewarm, saying they had seen limited benefits for all the consternation officials said it had caused. Still others remained suspicious that the designation is a first step toward a federal takeover of elections. B. (U)The View From the States (U) For most states, the story of Russian attempts to hack slate infrastructure was one of confusion and a lack of information. It began with what states interpreted as an insignificant event: an FBI FLASH notification on August 18, 2016,1 Then, mid-October, the MS-ISAC reached out to state IT directors with an additional alert about specific IP addresses scanning websites. At no time did MS-ISAC or DHS identify the IP addresses as associated with a nation-state actor. Given the lack of context, state staff who received the notification did not ascribe any additional urgency to the warning; to them, it was a few more suspect IP addresses among the thousands that were constantly pinging state systems. Very few state IT directors informed state election officials about the alert. (U)Secretary Johnson was referring to the declassified version of the Intelligence Community Assessment, Assessing Russian Aclivities and Intentions in Recent U.S. Elections. January 6,2017. "2(ii)/6/^.,p.46. (U)SSCI Transcript of the Interview with Michael Daniel, Former Special Assistant to the President and Cybersecurity Coordinator, National Security Council, held on Wednesday, August 31, 2017, p. 98. ^"^FBI FLA^AIen Number T-LDI004-TT,TLP-AMBER. FBI Fl.AStl, Alert Number T-L.D[UU5-TT, TLP-AMBER. ; DHS/FBI JAR-15-20223, Threats to Federal, State, and Local(Jovernment Systems. October 14, 2016. 49 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY • (II) State 1 1 had Q meeting witli DHS officials, including the regional DHS cyber advisor, in August 2016, but according to State 11 officials, DHS did not mention any specific threat against election systems from a nation-state actor. • (U) Stale 13 reported that DHS contacted an affected county at one point, but never contacted the state-level officials.^^' • (U) When they saw an IP address identified in the alerts had scanned their systems, State 6 and Stale 16 sent their logs to the MS-ISAC for analysis.^^*^ State 16 said it never received a response. (U) DHS,conversely, saw its efforts as far more extensive and effective. Ms. Manfra testified to SSCI that DHS "held a conference call where all 50 secretaries of state or an election director if the secretary of state didn't have that responsibility [participated], in August, in September, and again in October [of 2016], both high-level engagement and network defense products [sic]."^''^ Mr. Daniel reported that "by the time Election Day rolls around, all but one state has taken us up on the offer to at least do scanning [,] so I want to give people credit for not necessarily sticking to initial partisan reactions and ... taking steps to protect their electoral infrastructure."^'^' (U) States reported to the Committee that Election Day went off smoothly. For most state election officials, concerns about a possible threat against election systems dropped off the radar until the summer or fall of2017. Many state election officials reported hearing for the first time that Russian actors were responsible for scanning election infrastructure in an estimated 21 states from the press or from the Committee's open hearing on June 21, 2017. During that hearing, in response to a question from Vice Chairman Warner inquiring whether all affected states were aware they were attacked, Ms. Manfra responded that "[a]ll of the system owners within those states are aware of the targeting, yes, sir."^"*- However, when pressed as to whether election officials in each state were aware, the answer was less clear. • (U) In that hearing. Dr. Liles said DHS had "worked hand-in-hand with the state and local partners to share threat information related to their networks."^'" (U) Memorandum for the Record, SSCI Staff, Conference Call with [State 11], December 8, 2017. "'(U) Memorandum for the Record, SSCI Staff, Conference Call with [State 13], December I, 2017. (U) Memorandum for the Record, SSCI Staff, Conference Call with [State 6], November 17, 2017; Memorandum for the Record, SSCI Staff, Conference Call with [State 16], December ), 2017. (U)Ibid. State 6 did not indicate whether they received feedback from DHS. SSCI Transcript of the Open Hearing on Russian Interference in the 2016 U.S. Elections, June 21, 2017, p. 74. (U)SSCI Transcript ofthe Interview with Michael Daniel, Former Special Assistant to the President and Cybersecurity Coordinator, National Security Council, held on Wednesday, August 31,2017, p. 49. (U)SSCI Transcript ofthe Open Hearing on Russian Interference in the 2016 U.S. Elections, held on Wednesday, June 21,2017, p. 28. (IJ) Ibid., pp. 62-63. ^^(\})Ibid.,p. 12. 50 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY • (U) Ms. Manfra said,"The owners ofthe systems within those 21 states have been notified." Senator King then asked,"How about the election officials in those states?" Ms. Manfra responded,"We are working to ensure that election officials as well understand. I'll have to get back to you on whether all 21 states ....[crosstalk]. • (U) Given Ms. Manffa's testimony and the fact that some election officials did not get a notification directly to their offices, election officials in many states assumed they were not one ofthe 21; some even issued press releases to that effect. (U) The disconnect between DHS and state election officials became clear during Committee interactions with the states throughout 2017. hi many eases, DHS had notified state officials responsible for network security, but not election officials, ofthe threat. Further, the IT professionals contacted did not have the context to know that this threat was any different than any other scanning or hacking attempt, and they had not thought it necessary to elevate the waming to election officials. (U) After the hearing, and in part to respond to confusion in the states, DHS held a conference call with representatives from 50 states in September 2017. In that call, DHS said they would contact affected states directly. State 8 state election officials noted that the call became "somewhat antagonistic."^'^^ State 17 officials reported that the phone call "just showed how little DHS knew about elections. Several officials argued that all 50 states should be notified of who had been hacked. DHS followed up with one-to-one phone calls to states over the next several days. • (U) Officials from some states reported being shocked that they were in facfone ofthe states, and further surprised that their states had supposedly been notified. • (U) Most state officials found the conference calls lacking in information and were left wondering exactly what the threat might be. Several states said the DHS representatives could not answer any specific questions effectively. (U) Following this series of difficult engagements, DHS set about trying to build relationships with the states, but it faced a significant trust deficit. Early follow-up interactions between state election officials and DHS were rocky. States reported that DHS seemed to have little to no familiarity with elections. For example. State 6 said that the DHS representatives they were assigned seemed to know nothing about State 6, and, when pressed, they admitted they were "just reading the spreadsheet in front of[them]."^"^^ State 8 reported that"we are spending 62-63. (U)State 8 said they put out a press release because DHS had said publicly that they had notified the 21 states, and "if you were one ofthe 21, you would know." (U)Memorandum for the Record, SSCI Staff, Conference Call with [State 8], February 2, 2018. (U)Memorandum for the Record, SSCI Staff, Conference Call with [State 17], January 25,2018. (U)Memorandum for the Record, SSCI Staff, Conference Call with [State 6], November 17, 2017. 51 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY a ton oftime educating outside groups on how elections are run."^^'' State 3 officials said,"DHS didn't recognize that securing an election process is not the same as securing a power grid."^^' (U) By early 2018, State officials gave DHS credit for making significant progress over the next six months. States began to sign up for many ofthe resources that DHS had to offer, and DHS hosted the first meeting ofthe Government Coordinating Council required under the critical infrastructure designation. Those interactions often increased trust and communication between the federal and state entities. For example, DHS has identified a list of contacts to notify if they see a threat; that list includes both IT officials and election officials. State 9 described it as "quite a turnaround for DHS," and further stated that the Secretaries of State had been disappointed with how slowly DHS got up to speed on election administration and how slowly the notifications happened, but DHS was "quick with the mea culpas and are getting much better." (U) Not all ofthe engagements were positive, however. State 13 in early December 2017 still reported continued frustration with DHS,indicating to the Committee that it had not seen much change in terms of outreach and constructive engagement. As ofsummer 2017, according to State 13,"the lack of urgency [at DHS] was beyond frustrating."^^^ C. (U)Taking Advantage of DHS Resonrces (U) As DHS has pursued outreach to the states, more and more have opened their doors to DHS assistance. DHS told the Committee that its goal has been relationship building and: In the partnerships with the states and secretaries ofstates, state election directors, and at the local level, we're trying to shift them to a culture ofmore information security management, where they can now accountfor the integrity of their system, or, ifsomething did happen . . . they know thefull extent ofwhat happened on their system. ... We're providing vulnerability assessments and trend analysis, in addition to connecting them to the threat intelligence that we can, in order to evolve their. . . cyber culture. (U) DHS's assistance can be highly tailored to need, and falls into roughly two buckets: remote cyber hygiene scans, which provide up to weekly reports, and on-site risk and vulnerability assessments. DHS also offers a suite of other services, including phishing campaign assessments. All these efforts seek to provide the states with actionable information to improve cyber hygiene, but DHS has been keen to avoid what could be perceived by the states as (U)Memorandum for the Record, SSCI Staff, Conference Call with [State 8], February 2, 2018. (U)Memorandum for the Record, SSCI Staff, Conference Call with [State 3], December 8, 2017. (U)Memorandum for the Record, SSCI Staff, Conference Call with [State 9], November 17, 2017. (U)Memorandum for the Record, SSCI Staff, Conference Call with [State 13], December 1, 2017. (U)SSCI interview with DHS and CTIIC, February 27,2018, pp. 54-55. 52 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSI IIVE - RUSSIA INVESTIGATION ONLY unfunded mandates. Some stales icquesling more intensive services have also experienced significant delays before DHS could send a team to assist. • (U) By October 2018, DHS said 35 states, 91 local jurisdictions, and eight election system vendors had signed up for remote persistent scans.^^^ All the requests for these scans have been fulfilled. "They can be turned on basically within the week," according to DHS.^" • (U) DHSsaidthatasofOctober20I8,ithadcompIeted35 in-depth, on the ground vulnerability assessments: 21 states, 13 localities, and one election system vendor. These assessments are one week off-site remote scans followed by a second week on site.^^^ • (U) Two states who completed the in-depth assessments reported in late 2017 they had had a good experience. State 12 officials said the team was "extremely helpful and professional."^^^ State 10 said the review was a good experience, although DHS was somewhat limited in what it could do.^^'^ For example, DHS did a phishing email test that showed the training for employees had worked.^^' DHS gave "good and actionable recommendations." Although DHS "didn't really understand election systems when they came," they learned a lot.^^• (U) As of November 2017, State 6 and State 9 requested an on-site scan, but those scans were on track to be delayed past the August 2018 primaries.^^^ State 7 was expecting a four-to-six month delay.-^^'' State 8 signed up for a checkup in October 2017 and was due to get service the following February.^^^ As of January 2018, State 17 also had requested an on-site scan.^^^ (U) In a sign of improving relations between the states and DHS,two states that had elections in 2017 attempted to include DHS in the process more extensively than in the past. In State 17, a two-person DHS team sat with election officials during the 2017 special election and monitored the networks. Even though "their presence was comforting," they "really didn't do much." State 17 signed DHS's normal MOU, but also added its own clause to underscore the state's independence: a formal sunset on DHS's access to state systems, one week affer the 3»(U)Ibid, p. 60. Ibid., p. 57. 3"(U)DHS phone call with SSCI; October 16,2018. 358(L)Ibid 359(U)Memorandum for the Record, SSCI Staff. Conference Call with [State 12], December 1,2017. 360(IJ)Ibid. 3^'(L)Ibid. 3«(li)Ibid. 363((jj Memorandum for the Record, SSCI Staff, Conference Call with [State 6], November 17,2017; Memorandum for the Record, SSCI Staff, Conference Call with [State 9], November 17, 2017. 364 (jj) Memorandum for the Record, SSCI Staff, Conference Call with [State 7], January 25,2018. 3^5(U) Memorandum for the Record, SSCI Staff, Conference Call with [State 8], February 2,2018. 3^(U) Memorandum for the Record, SSCI Staff, Conference Call with [State 17], January 25,2018. 53 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMI ITBH SHNSITIVE - RUSSIA INVESTIGATION ONLY election. State 7 reported thcii experience with UHS during the 2017 statewide election was quite good. DHS sat with election officials all day, which meant State 7 could pass messages quickly to NCCIC. (U) In March 2018, Congress appropriated $380 million in funding for election security improvements. The funding was distributed under the formula laid out in the Help American Vote Act(HAVA)and was intended to aid in replacing vulnerable voting machines and improving cybersecurity. As of July 2018, 13 states said they intended to use the funds to buy new voting machines, and 22 said they have "no plans to replace their machines before the election—including all five states that rely solely on paperless electronic voting devices," according to a survey by Politico.^^' IX. (U)RECOMMENDATIONS 1. (U)Reinforce States' Primacy in Running Elections* (U) States should remain firmly in the lead on running elections, and the federal government should ensure they receive the necessary resources and information. 2. (U)Build a Stronger Defense, Part I: Create Effective Deterrence (U) The United States should communicate to adversaries that it will view an attack on its election infrastructure as a hostile act, and we will respond accordingly. The U.S. Government should not limit its response to cyber activity; rather, it should create a menu of potential responses that will send a clear message and create significant costs for the perpetrator. Ideally, this principle of deterrence should be included in an overarching cyber doctrine for the U.S. Government. That doctrine should clearly delineate cyberespionage, cybercrime, and cyber attacks. Further, a classified portion of the doctrine should establish what the U.S. Government believes to be its escalation ladder in the cyber realm—what tools does it have, what tools should it pursue, and what should the limits of cyber war be. The U.S. strategic approach tends to overmatch adversaries with superior technology, and policymakers should consider what steps the U.S. will need to take to outstrip the capabilities of Russia, China, Iran, North Korea, and other emerging hostile actors in the cyber domain. (U) U.S. cyber doctrine should serve as the basis for a discussion with U.S. allies and others about new cyber norms. Just as the international community has established norms and treaties about the use of technologies and weapons systems, the U.S. should lead a conversation about cyber norms and the limits of cyber activity with allies and others. 'The Committee's recommendation to "reinforce states' primacy in running elections" should be understood in reference to states' responsibility for election security, and not as pertaining to broader election issues, such as campaign finance laws or voting rights laws.' (U)States Slow to Prepare for Hacking Threats, Eric Geller, Politico, July 18,2018. 54 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY 3. (U)Build a Stiuuger Defense, Part II: Improve Information Gathering and Sharing on Threats The U.S. government needs to build the cyber expertise and capacity of its domestic agencies, such as DHS and FBI,and reevaluate the current authorities that govern efforts to defend against foreign cyber threats. NSA and CIA collection is, by law, directed outside the United States. The U.S. government should invest in capabilities for rapid attribution of cyber attacks, without sacrificing accurac:i However, the IC needs to improve its ability to provide timely and actionable warning. Timely and accurate attribution is not only important to defensive information sharing, but will also underpin a credible deterrence and response strategy. (U) The federal government and state governments need to create clear channels of communication two ways—down from the federal government to the state and local level, and up from the state and local officials on the front lines to federal entities. In 2016, DHS and FBI did not provide enough information or context to election officials about the threat they were facing, but states and DHS have made significant progress in this area in the last two years. For example, Secretary of Homeland Security Nielsen testified to the Committee in March 2018 that "today I can say with confidence that we know whom to contact in every state to share threat information. That capability did not exist in 2016."^^*^ (U) A key component of information sharing about elections is security clearances for appropriate officials at the state and local level. DHS and its partners can effectively strip classified information off of cyber indicators, which can then be passed to technical staff at the state level, but in order for those indicators to not get lost in the multitude of cyber threats those professionals see on a daily basis, senior officials at the state and local levels need to know the (U)SSCl Transcript ofthe Open Hearing on Election Security, held on March 21,2018, p. 16. 55 COMMITTEE SENSITIVE - RUSSIA INVESTIGA flGN ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY context surrounding the indicators. Stale officials need to know why a particular threat is of significant concern, and should be prioritized. That context could come from classified information, or states could come to understand that threat information DHS passes them is more serious than that received through other sources. DHS's goal is to obtain clearances for up to three officials per state."" Asof August 2018, DHS had provided a clearance to 92 officials"'; as of late 2017 all state election officials had received interim secret clearances or one-day readins for secret-level briefings."- DHS, along with ODNI and FBI, also hosted state and local election officials for a SECRET-level briefing on the sidelines of the biannual NASS and NASSED conferences in Washington, DC in February 2018. In March, Amy Cohen, Executive Director of NASS-ED testified in front ofthe Committee that,"It would be naive to say that we received answers to all our questions, but the briefing was incredibly valuable and demonstrated how seriously DHS and others take their commitment to the elections community as well as to our concerns.""^ The Committee recommends DHS continue providing such briefings and improve the quality of information shared. (U) Fundamental to meaningful information sharing, however, is that state officials understand what they are getting. New inductees to the world of classified information are often disappointed—they expected to see everything laid out in black and white, when intelligence is often very gray, with a pattern discemable only to those who know where to look and what conclusions to draw. Those sharing the intelligence should manage expectations—at the SECRET level, officials are likely to see limited context about conclusions, but not much more. (U) Federal officials should work to declassify information,for the purpose of providing warning to appropriate state and local officials, to the greatest extent possible. If key pieces of context could be provided at a lower classification level while still protecting classified information, DHS and its partners should strive to do so. 4. (U)Build a Stronger Defense, Part III: Secure Election-Related Cyber Systems (U) Despite the expense, cybersecurity needs to become a higher priority for election-related infrastructure. The Committee found a wide range of cybersecurity practices across the states. Some states were highly focused on building a culture of cybersecurity; others were severely under-resourced and relying on part-time help. (U) The Committee recommends State officials work with DHS to evaluate the security of their election systems end-to-end and prioritize implementing the following steps to secure voter registration systems, state records, and other pre-election activities. The Committee additionallv recommends that State officials: (U)SSCl Transcript of the Open Hearing on Election Security, held on March 21,2018, p.15. (U)DTS 2018-3275, Summary of 8/22/2018 All Senators Election Security Briefing, August 28, 2018. (U)SSCI Transcript of the Open Hearing on Election Security, held on March 21, 2018, p 15,26. "^(U)SSCI Transcript ofthe Open Hearing on Election Security, held on March 21, 2018, p.l 13. 56 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY • (U) Idcntif)' the weak points in their networks, like under-resourced localities. State 7 said they are not worried about locations like larger counties when it comes to network security, but they are worried about "the part-time registrar who is also the town attorney and the town accountant and is working out of a 17'^ century jail." • (U) Undertake security audits of state and local voter registration systems, ideally utilizing private sector entities capable of providing such assistance. State and local officials should pay particular attention to the presence of high severity vulnerabilities in relevant web applications, as well as highly exploitable vulnerabilities such as cross-site scripting and SQL injection. • (U) Institute two-factor authentication for user access to state databases. • (U) Install monitoring sensors on state systems. As of mid-2018, DHS's ALBERT sensors covered up to 98% of voting infrastructure nationwide, according to Undersecretary Krebs.^^^ • (U) Include voter registration database recovery in state continuity of operations plans. • (U) Update software in voter registration systems. One state mentioned that its voter registration system is more than ten years old, and its employees will "start to look for shortcuts" as it gets older and slower, further imperiling cybersecurity. • (U) Create backups, including paper copies, of state voter registration databases. • (U) Consider a voter education program to ensure voters check registration information well prior to an election. (U) DHS in the past year has stepped up its ability to assist the states with some of these activities, but DHS needs to continue its focus on election infrastructure and pushing resources to the states. (U) The Committee recommends DHS take the following steps: • (U) Create an advisory panel to give DHS expert-level advice on how states and localities run elections. The Government Coordinating Council, created as part of the critical infrastructure designation, could serve as a venue for educating DHS on what states do and what they need. (U) Memorandum for the Record, SSCI Staff, Conference Call with [State 7], January 25,2018. (U)DTS 2018-3275,Summary of 8/22/2018 All Senators Election Security Briefing, August 28,2018. 57 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY • (U) Create guidelines on cybersecurity best practices for elections and a public awareness campaign to promote election security awareness, working through EAC, NASS,and NASED, and with the advisory panel. • (U) Develop procedures and processes to evaluate and routinely provide guidance on relevant vulnerabilities associated with voting systems in conjunction with election experts. • (U) UHS has already created a catalog ofservices they can provide to states to help secure states' systems. DHS should maintain the catalog and continue to update it as it refines its understanding of what states need. • (U) Expand capacity so wait times for services, like voluntary vulnerability assessments, are manageable and so that DHS can maintain coverage on other critical infrastructure sectors. Robbing resources from other critical infrastructure sectors will eventually create unacceptable new vulnerabilities. • (U) Work with GSA to establish a list of approved private-sector vendors who can provide services similar to those DHS provides. States report being concerned about "vultures" —companies who show up selling dubious cyber solutions. That being said, some states will be more comfortable having a private sector entity evaluate their state systems than a federal agency. • (U) Continue to build the resources of the newly established EI-ISAC. States have already found this information sharing service useful, and it could serve as a clearinghouse for urgent threat information. As of August 2018,the El-ISAC had over 1,000 members with participants in all 50 states. • (U) Continue training for state and local officials, like the table-top exercise conducted in August of2018 that brought together representatives from 44 states, localities, and the federal government to work through an election security crisis. The complexity of the scenario encouraged state and local officials to identify serious gaps in their preparations for Election Day. 5. (U)Build a Stronger Defense, Part IV: Take Steps to Secure the Vote Itself (U) Given Russian intentions to undermine the credibility of the election process, states should take urgent steps to replace outdated and vulnerable voting systems. When safeguarding the integrity of U.S. elections, all relevant elements of the government—including at the federal, state, and local level—need to be forward looking and work to address vulnerabilities before they are exploited. (U)DTS 2018-3275, Summary of 8/22/2018 All Senators blection Security Briefing, August 28,2018. (U)DHS,Press release: DHS Hosts National Exercise on Election Security, August!5,2018. 58 COMMITTFE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY (U) As states look to replace HAVA-era machines that are now out of date, they should purchase more secure voting machines. Paper ballots and optical scanners are the least vulnerable to cyber attack; at minimum, any machine purchased going forward should have a voter-verified paper trail and remove(or render inert) any wireless networking capability. (U) States should require that machines purchased from this point forward are either EAC certified or comply with the WSG standards. State purchasers should write contracts with vendors to ensure adherence to the highest security standards and to demand guarantees the supply chains for machines are secure. (U) In concert with the need for paper ballots comes the need to secure the chain of custody for those ballots. States should reexamine their safeguards against insertion of fraudulent paper ballots at the local level, for example time stamping when ballots are scanned. (U) Statistically sound audits may be the simplest and most direct way to ensure confidence in the integrity ofthe vote."^ States should begin to implement audits of election results. Logic and accuracy tests of machines are a common step, but do not speak to the integrity ofthe actual vote counting. Risk-limiting audits, or some similarly rigorous altemative, are the future of ensuring that votes east are votes counted. State 8, State 12, State 21, State 9, State 2, State 16, and others already audit their results, and others are exploring additional pilot programs. However, as of August 2018, five states conducted no post-election audit and 14 states do not do a complete post-election audit.^^" The Committee recognizes states' concern about the potential cost ofsuch audits and the necessary changes to state laws and procedures; however,the Committee believes the benefit of having a provably accurate vote is worth the cost. (U) States should resist pushes for online voting. One main argument for voting online is to allow members ofthe military easier access to their fundamental right to vote while deployed. While the Committee agrees states should take great pains to ensure members (U)Election experts point out, however, that audits could create a new vector for election-related lawsuits. Complainants could allege that the audit was done improperly, or that the audit process reflected bias. fU)State 8 passed a law to audit starting in 2018, with random precinct sampling. State 12 does state-wide audits. State 21 audits 2% of ballots, randomly selected. State 9 picks 210 of4lOo precincts at random for an audit. State 2 hand-counts ballots in randomly selected precincts and uses automated software to test. A States law on ballot storage can't accommodate risk-limiting audits. Instead, they use ClearBallot software. They upload images of ballots to an external hard drive and send it to ClearBallot. ClearBallot is blind to who won and independently evaluates the results. In addition, the company can identify problems with scanners; for example, when a fold in absentee ballots recorded as a vote. Cybersecurity experts still doubt, however, that this type of procedure is secure. (U)DTS 2018-3275, Summary of8/22/2018 All Senators Election Security Briefing, August 28,2018. 59 COMMITTEE SENSITIVE - RUSSIA mVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY ofthe militai7 get to vote tor their elected olTicials, no system of online voting has yet established itself as secure. • (U) DHS should work with vendors of election equipment to educate them about the vulnerabilities in both the machines and the supply chains for the components oftheir machines. Idaho National Lab is already doing some independent work on the security of a select set of voting machines, developing a repeatabie methodology for independently testing the security of such systems. • (U) The Department of State should work with FBI and DHS to warn states about foreign efforts to access polling places outside normal channels in the future and remain vigilant about rejecting aberrant attempts. • (U) The Associated Press is responsible for reporting unofficial, initial election results on election night and is a critical part of public confidence in the voting tally. States and DHS should work with the AP and other reporting entities to ensure they are both secure and reporting accurate results. • (U) The Committee found that, often, election experts, national security experts, and cybersecurity experts are speaking different languages. Election officials focus on transparent processes and open access and are concerned about introducing uncertainty into the system; national security professionals tend to see the threat first. Both sides need to listen to each other better and to use more precise language. 6. (U)Assistance for the States (U) State officials told the Committee the main obstacle to improving cybersecurity and purchasing more secure voting machines is cost. State budgets are stretched thin by priorities that seem more urgent on a daily basis and are far more visible to constituents. (U) In March 2018, Congress appropriated $380 million in funds under the HAVA formula for the states. As of August 2018, states had begun to allocate and spend that money for items such as cybersecurity improvements. (U)The Committee recommends the EAC,which administers the grants, regularly report to Congress on how the states are using those funds, whether more funds are needed, and whether states have both replaced outdated voting equipment and improved (U)Dr. Halderman in his testimony before the Committee said, "I think that online voting, unfortunately, would be painting a bullseye on our election system. Today's technology just does not provide the level of security assurance for an online election that you would need in order for voters to have high confidence. And I say that having myself... hacked an online voting system that was about to be used in real elections, having found vulnerabilities in online voting systems that are used in other countries. The technology Just isn't ready for use."See SSCI Transcript ofthe Open Hearing on Russian Interference in the 2016 U.S. Elections, held on Wednesday, June 21,2017, p. 152. 60 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY cybersecuritj. Muie funds may be needed, as the allocation under the HAVA formula did not prioritize replacing vulnerable electronic-only machines. • (U) States should be able to use grant funds to improve cybersecurity in a variety of ways, including hiring additional IT staff, updating software, and contracting with vendors to provide cybersecurity services. "Security training ftmded and provided by a federal entity such as the EAC or DHS would also be beneficial in our view,"382 an official from Illinois testified. (U) Funds should also be available to defray the cost of instituting audits. (U) States with vulnerable DRE machines with no paper backup should receive urgent access to funding. Dr. Halderman testified that replacing insecure paperless voting machines nationwide would cost $130 to $400 million dollars. Risk-limiting audits would cost less than S20 million a year.^^^ Build a Credible (U)ssci Transcript ofthe Open Hearing on Russian Interference in the 2016 U.S. Elections, held on Wednesday, June 21,2017, p. 114. 383 {\})lbid., p. 119. 61 COMMITTEE SENSITIVE - RUSSIA INVESTIGATION ONLY MINORITY VIEWS OF SENATOR WYDEN (U) The role of the federal government (U) The Committee report deseribes Russian attacks on U.S. election infrastructure in 2016 and lays out many ofthe serious vulnerabilities that exist to this day. These vulnerabilities pose a direct and urgent threat to American democracy which demands immediate congressional action. The defense of U.S. national security against a highly sophisticated foreign government cannot be left to state and covmty officials. For that reason,I cannot support a report whose top recommendation is to "reinforee[]state's primacy in running elections." (U) Congress's constitutional role in regulating federal elections is well-established. In response to an inquiry from the bipartisan leadership ofthe U.S. Senate, the General Aecormting Office (GAG)wrote that "[w]ith regard to the administration offederal elections. Congress has constitutional authority over both congressional and presidential elections."^ Indeed, pursuant to the Elections Clause ofthe U.S. Constitution,^ Congress's authority over congressional elections is "paramount to that ofthe states." As the GAG report details. Congress has repeatedly passed legislation related to the administration of elections on topics such as the timing offederd elections, voter registration, absentee voting requirements, disability access, and voting rights. (U) Ifthere was ever a moment when Congress needed to exercise its clear constitutional authorities to regulate elections, this is it. America is facing a direct assault on the heart of our democracy by a determined adversary. We would not ask a local sheriff to go to war against the missiles, planes and tanks ofthe Russian Army. We shouldn't ask a county election IT employee to fight a war against the full capabilities and vast resources of Russia's cyber army. That approach failed in 2016 and it will fail again. The federal government's response to this ongoing crisis cannot be limited offers to provide resources and information, the aeeeptance of which is voluntary. If the country's elections are to be defended. Congress must also establish mandatory, nation-wide eyberseeurity requirements. (U) Security of voting machines (U) Experts are clear about the measures necessary to protect U.S. elections from cyber manipulation.^ Absent an accessibility need, most voters should hand-mark paper ballots. For voters with some kind of need, ballot marking devices that print paper ballots should be available. Risk-limiting audits must be also be required. Currently, however, only Virginia, Colorado and Rhode Island meet these requirements."^ These critical reforms must be adopted '"Elections. The Scope of Congressional Authority in Election Administration," General Accounting Office, March 2001, prepared in response to a joint inquiry from Senator Trent Lott, Republican Leader; Senator Tom Daschle, Democratic Leader; Senator Mitch McConnell, Chairman, and Senator Christopher Dodd, Ranking Member,ofthe Senate Committee on Rules and Administration. ^ Article I, Section 4, Clause 1 ^ Securing the Vote; Protecting American Democracy; National Academy of Sciences, Engineering and Medicine, September 2018 National Conference of State Legislatures, Post-Election Audits, January 3,2019. Verifiedvoter.org. The VerifierPolling Place Equipment-November 2018. Oregon requires paper ballots and the Oregon State Senate has passed a bill requiring risk-limiting audits. throughout the country, which is why, on June 27, 2019, the House of Representatives passed H.R 2722, the Securing America's Federal Elections(SAFE)Act. The security of the country's voting machines depends on this legislation being signed into law. (U) The Committee, in recommending basic security measures like paper ballots and audits, notes that there is currently "a wide range of cybersecurity practices across the states." Indeed, the data is deeply concerning and highlights the need for mandatory, nation-wide standards. For example, the Committee rightly highlights the vulnerabilities of Direct-Recording Electronic (DRE)Voting Machines, noting that, without a paper trail, there would be no way to conduct a meaningful "recount" and compromises would remain undetected. As of November 2018, however, there were still four states in which every single county relied on DREs without voter verified paper audit trail printers(VVPAT)and, in an additional eight states, there were multiple counties that relied on DREs without a VVPAT.^ Gaps in the deployment of VVPATs, which are far less secure than hand-marked paper ballots, demonstrate that even bare minimum security best practices are not being met in many parts of the country. (U) In addition, 16 slates have no post-election audits of any kind, while many others have insufficient or perfunctory audits. Only four states have a statutory requirement for risk-limiting audits, while two states provide options for counties to run different kinds of audits, one of which is a risk-limiting audit.^ Next year, a third state will provide that option. In other words, the vast majority of states have made no moves whatsoever toward implementing minimum standards that experts agree are necessary to guarantee the integrity of elections. (U) The Committee rightly identifies problems with vendors of voting machines, noting vulnerabilities in both the machines and the supply chains for machine components. Currently, however, the federal government has no regulatory authority that would require these vendors to adhere to basic security practices.^ Only general federal requirements that states and localities use paper ballots and conduct audits will ensure that the risk posed by voting machines provided by private vendors to states and localities can be contained. The stakes could not be more clear. As Homeland Secretary Kirstjen Nielsen testified to the Committee,"If there is no way to audit the election, that is absolutely a national security concem." ® (U) Registration databases and election night reporting websites (U) Two additional components of the U.S. election infrastructure require immediate, mandatory cybersecurity fixes. The first are voter registration databases. The Committee received testimony about successful Russian exfiltration of databases of tens ofthousands of voters.^ Expert witnesses also described the chaos that manipulated voter registration data could cause should voters arrive at the polls and find that their names had been removed from the rolls. ^ Verifiedvoter.org. The Verifier - Polling Place Equipment- November 2018. ^ The four states are Colorado, Nevada, Rhode Island, and Virginia. National Conference of State Legislatures, Post-Election Audits, January 3, 2019. ' Testimony of Homeland Security Secretary Kirstjen Nielsen, March 21, 2018. ® Testimony of Homeland Security Secretary Kirstjen Nielsen, March 21, 2018. ^ Testimony of Connie Lawson, President-elect, National Association of Secretaries of State, and Secretary of State, State of Indiana; testimony of Steve Sandvoss, Executive Director of Illinois State Board of Elections, June 21, 2017; Illinois Voter Registration System Database Breach Report. As one expert testified, this form of interference "could be used to sabotage the election process on Rlection Day."'® (U) The Committee report describes a range of cybersecurity measures needed to protect voter registration databases, yet there are currently no mandatory rules that require states to implement even minimum cybersecurity measures. There are not even any voluntary federal standards. (U) An additional component of the U.S. election infrastructure that requires immediate, mandatory cybersecurity measures are the election night reporting websites run by the states. I'he Committee heard testimony about a Russian attack on Ukraine's web page for announcing results. That attacked allowed the Russians to use misinformation that left Ukraine in chaos for days after the election. As the Committee's expert witness warned,"[w]e need to look at that playbook. They will do it to us."'' Like voter registration databases, election results websites are not subject to any mandatory standards. Both of these critical vulnerabilities, as well as vulnerabilities of voting machines, must be addressed by the U.S. Congress through the passage of S. 2238, the Senate version of the SAFE Act. (U) Given the inconsistent, and at times non-existent adherence to basic cybersecurity among states and localities, I cannot agree with the Committee's conclusion that "the country's decentralized election system can be a strength from a cybersecurity perspective." Until election security measures are required of every state and locality, there will be vulnerabilities to be exploited by our adversaries. The persistence ofthose vulnerabilities has national consequences. The manipulation of votes or voter registration databases in any county in the country can change the result of a national election. The security ofthe U.S. election system thus hinges on its weakest links - the least capable, least resourced local election offices in the country, many of which do not have a single full-time employee focused on cybersecurity. (U) Every American has a direct stake in the cybersecurity of elections throughout the country. Congress has an obligation to protect the country's election system everywhere. If there were gaps in the defense of our coastline or air space, members would ensure that the federal government close them. Vulnerabilities in the country's election cybersecurity require the same level of national commitment. (U) Cybersecurity vulnerabilities and influence campaigns (U) The cybersecurity vulnerabilities of the U.S. election system cannot be separated from Russia's efforts to influence American voters. As the January 2017 Intelligence Community Assessment(ICA)concluded, and as the Committee report notes, the Russians were "prepared to publicly call into question the validity of the results" and "pro-Kremlin bloggers had prepared a Twitter campaign,#DemocracyRIP, on election night in anticipation of Secretary Clinton's victory." This plan highlights an additional reason why nation-wide election cybersecurity standards are so critical. If Russia's preferred candidate does not prevail in the 2020 election, the Testimony of Alex J. Halderman, Professor of Computer Science and Engineering, University of Michigan, June 21,2017. "Testimony of Eric Rosenbach, Co-Director ofthe Belfer Center for Science and International Affairs, Harvard Kennedy School, March 21,2018. Russians may seek to delegitimize the election. The absence of any successful cyber intrusions, exfiltrations or manipulations would greatly benefit the U.S. public in resisting such a campaign. (U) While not formally part of the U.S. election infrastructure, the devices and accounts of candidates and political parties represent an alarming vulnerability in the country's overall election system. Russia's campaign of hacking the emails of prominent political figures and releasing them through Wikileaks, Gucifer 2.0, and DCLeaks was probably its most effective means of influencing the 2016 election. The Committee has received extensive testimony about these operations, the vulnerabilities that allowed them to occur, and the threat those vulnerabilities pose to the integrity of American democracy.'^ Yet little has been done to prevent it from happening all over again. S. 1569, the Federal Campaign Cybersecurity Assistance Act of 2019, addresses these vulnerabilities head on by authorizing political committees to provide cybersecurity assistance to candidates, campaigns and state parties. (U) These vulnerabilities extend to the U.S. Senate, most of whose members are or will be candidates for reelection or for other positions. As a November 2018 Senate report noted, there is "mounting evidence that Senators are being targeted for hacking, which could include exposure of personal data."'^ Private communications and information reside on personal accounts and devices. Passage of S. 890, the Senate Cybersecurity Protection Act, will authorize the Senate Sergeant at Arms to protect the personal devices and accounts of Senators and their staff and help prevent the weaponization of their data in campaigns to influence elections. (U) Assessments related to the 2016 election (U) I have also submitted these Minority Views to address assessments related to Russian activities during the 2016 election. According to the January 2017 ICA,DHS assessed that "the types of systems we observed Russian actors targeting or compromising are not involved in vote tallying." An assessment based on observations is only as good as those observations and this assessment, in which DHS had only moderate confidence,^'* suffered from a lack of observable data. As Acting Deputy Undersecretary of Homeland Security for National Protection and Programs Directorate, Jeannette Manfra, testified at the Committee's June 21, 2017, hearing, DHS did not conduct any forensic analysis of voting machines. (U) DHS's prepared testimony at that hearing included the statement that it is "likely that cyber manipulation of U.S. election systems intended to change the outcome of a national election would be detected." The language of this assessment raises questions, however, about DHS's ability to identify cyber manipulation that could have affected a very close national election, particularly given DHS's acknowledgment of the "possibility that individual or isolated cyber See, for example, Committee hearing, March 30, 2017. Senators' Personal Cybersecurity Working Group Report, submitted by the Senators' Personal Cybersecurity Working Group, November 2018. Responses to Questions for the Record from Dr. Samuel Liles, Acting Director of Cyber Division, Office of Intelligence and Analysis; and Jeanette Manfra, Acting Deputy Undersecretary, National Protection and Programs Directorate, following Committee hearing, June 21,2017. intrusions into U.S. election infrastructure could go undetected, especially at local levels."'^ Moreover, DHS has acknowledged that its assessment with regard to the detection of outcomechanging cyber manipulation did not apply to state-wide or local elections.'^ (U) Assessments about manipulations of voter registration databases are equally hampered by the absence of data. As the Committee acknowledges, it "has limited information on the extent to which state and local election authorities carried out forensic evaluation of registration databases." Assessments about Russian attacks on the administration of elections are also complicated by newly public information about the infiltration of an election technology company. Moreover, as the Special Counsel reported, the GRU sent spear phishing emails to "Florida county officials responsible for administering the 2016 election" which "enabled the GRU to gain access to the network of at least one Florida county government."'^ (U) The Committee, in stating that it had found no evidence that vote tallies were altered or that voter registry files were deleted or modified, rightly noted that the Committee's and the IC's insight into this aspect of the 2016 election was limited. I believe that the lack of relevant data precludes attributing any significant weight to the Committee's finding in this area. (U) The Committee's investigation into other aspects of Russia's interference in the 2016 election will be included in subsequent chapters. I look forward to reviewing those chapters and hope that outstanding concerns about members' Committee staff access to investigative material, including non-compartmented and unclassified information, will be resolved. Responses to Questions for the Record from Dr. Samuel Liles, Acting Director of Cyber Division, Office of Intelligence and Analysis; and Jeanette Manfra, Acting Deputy Undersecretary, National Protection and Programs Directorate, following.Committee hearing, June 21, 2017. Responses to Questions for the Record from Dr. Samuel Liles, Acting Director of Cyber Division, Office of Intelligence and Analysis; and Jeanette Manfra, Acting Deputy Undersecretary, National Protection and Programs Directorate, following.Committee hearing, June 21, 2017. Report on the Investigation Into Russian Interference In The 2016 Presidential Election, Special Counsel Robert S. Mueller III, March 2019 ADDITIONAL VIEWS OF SENATORS HARRIS,BENNET,AND HEINRICH (U)The Russian government's attack on the 2016 election was the product of a deliberate, sustained, and sophisticated campaign to undermine American democracy. Russian military intelligence carried out a hacking operation targeting American political figures and institutions. The Internet Research Agency—an entity with ties to Russian President Vladimir Putin—^used social media to sow disinformation and discord among the American electorate, And, as this report makes clear, individuals affiliated with the Russian government launched cyber operations that attempted to access our nation's election infrastructure, in some cases succeedhig. (U)The Russian objectives were clear: deepen distrust in our political leaders; exploit and widen divisions within American society; undermine confidence in the integrity of our elections; and, ultimately, weaken America's democratic institutions and damage our nation's standing in the world. The Committee did not discover evidence that Russia changed or manipulated vote tallies or voter registration information, however Russian operatives undoubtedly gained familiarity with our election systems and voter registration infrastructure— valuable intelligence that it may seek to exploit in the future. (U)The Committee's report does not merely document the wide reach ofthe Russian operation; the report reveals vulnerabilities in our election infrastructure that we must collectively address. We do not endorse every recommendation in the Committee's report, and we share some of our colleagues' concems about the vulnerability that we face, particularly at the state level, where counties with limited resources must defend themselves against sophisticated nation-state adversaries. Nevertheless, the report as a whole makes an important contribution to the public's understanding of how Russia interfered in 2016, and underscores the importance of working together to defend against the threat going forward. (U)It is critical that state and local policymakers study the report's findings and work to secure election systems by prioritizing cybersecurity, replacing outdated systems and machines, and implementing audits to identify and limit risk. The Intelligence Community and other federal agencies must improve efforts to detect cyberattacks, enhance coordination wi& state and local officials, and develop strategies to mitigate threats. And, critically. Congress must take up and pass legislation to secure our elections. We must provide states the funding necessary to modernize and maintain election infrastructure, and we must take commonsense steps to safeguard the integrity ofthe vote, such as requiring paper ballots in all federal elections. (U)Our adversaries will persist in their efforts to undermine our shared democratic values. In order to ensure that our democracy endures, it is imperative that we recognize the threat and make the investments necessary to withstand the next attack.