Appearing before the House Intelligence Committee task force investigating the Russian attack on the 2016 election, former Homeland Security Secretary Jeh Johnson had a troubling message: During that campaign, he had a tough time convincing state election officials that they needed federal help to fend off Moscow’s assault on the US elections system. While Johnson was testifying, Department of Homeland Security and FBI officials told the Senate Intelligence Committee that Russian cyber operatives had targeted 21 state election systems, although they didn’t provide details on what those attacks entailed. For his part, Johnson described how he became worried about this secret Russian operation and found it difficult to work with state officials to defend the voting systems.
Johnson recounted all this in his opening statement:
As summer 2016 progressed, my concerns about the possibility of a cyberattack around our national election grew. I probed with the cybersecurity experts at DHS what more we could and should be doing. We developed a plan to engage state election officials to offer our cybersecurity assistance to them. My staff also suggested to me that I could, under my existing authorities, declare election infrastructure to be “critical infrastructure” in this country. There are 16 infrastructure sectors—e.g., financial services, dams, transportation, government facilities, the defense industrial base—that are already considered critical infrastructure. By adding election infrastructure to that list, for cybersecurity purposes it would principally mean two things: (1) that election officials, upon request, would be a top priority for the receipt of DHS’s services, and (2) that, as part of critical infrastructure, election infrastructure would receive the benefit of various domestic and international cybersecurity protections.
On August 3, 2016, in an on-the-record session with reporters, I publicly floated the idea of designating election infrastructure in this country as critical infrastructure.
Twelve days later, on August 15, I convened a conference call with secretaries of state and other chief election officials of every state in the country. I told state officials that we must ensure the security and resilience of election infrastructure, and offered DHS’s assistance to the states in doing that. I also reiterated the idea of designating election infrastructure as critical infrastructure.
To my disappointment, the reaction to a critical infrastructure designation, at least from those who spoke up, ranged from neutral to negative. Those who expressed negative views stated that running elections in this country was the sovereign and exclusive responsibility of the states, and they did not want federal intrusion, a federal takeover, or federal regulation of that process. This was a profound misunderstanding of what a critical infrastructure designation would mean, which I tried to clarify for them.
But, based on what I heard on the call, my team and I decided that a critical infrastructure designation at that time, during the election season, would be counterproductive. I remained convinced it was a good idea, but we put the idea on the back burner. Instead, and more importantly in the time left before the election, we encouraged the states to seek our cybersecurity help. Prior to the election, encouraging the horses to come to the water had to be the primary objective.
At around the same time we were engaging state election officials, my staff and I began to see and hear very troubling reports of scanning and probing activities around various state voter registration databases. This was obviously a matter of great concern. In the latter half of August, the FBI issued an alert to the states about these activities, which included the IP addresses of those associated with the attempted hacks.
Both publicly and privately, my staff and I repeatedly encouraged state and local election officials to seek our cybersecurity assistance.
But Johnson insisted that things did work out in the end:
By election day on November 8, a large number of state and local election officials did in fact respond to our offers of cybersecurity assistance. More specifically, almost every state contacted DHS about its services, and 33 states and 36 cities and counties used DHS tools to scan for potential vulnerabilities and/or sought mitigation advice from us. Overall, DHS proactively provided election-related mitigation advice and cyber threat indicators/information for network defense to likely hundreds, if not thousands, of state and local officials.
On election day, DHS assembled a crisis response team to rapidly address any reported cyber intrusions into the election process.
To my current knowledge, the Russian government did not through any cyber intrusion alter ballots, ballot counts or reporting of election results. I am not in a position to know whether the successful Russian government-directed hacks of the DNC and elsewhere did in fact alter public opinion and thereby alter the outcome of the presidential election.
Johnson, who said the Democratic Party rebuffed offers of help from DHS after being breached, testified that it was obvious things could have been done differently. “With the benefit of hindsight, perhaps I should have camped out at the front door of the headquarters of DNC,” he said. “None of us knew how this was going to come out.”
Johnson added, “Cyberattacks of all manner and from multiple sources are going to get worse before they get better.”