Russia "exploited the seams" in U.S. election security defenses ahead of the 2016 presidential election, and federal officials failed to effectively raise the alarm to the right state and local officials about the threat they faced, according to a new Senate report.
The report said the committee found no evidence that any votes were changed or that any voting machines were manipulated, echoing past statements from Department of Homeland Security officials, but noted that the committee's and the intelligence community's "insight is limited" to the data they were able to evaluate.
The report also offered new details on how Russia allegedly targeted states and counties for cyber reconnaissance operations that still have U.S. officials on edge.
Published on Thursday, the 61-page report is the first in a series expected from a two-plus-year, bi-partisan investigation by the Senate Intelligence Committee into Russia's alleged 2016 election interference.
"In 2016, the U.S. was unprepared at all levels of government for a concerted attack from a determined foreign adversary on our election infrastructure," Senate Intelligence Committee Chairman Sen. Richard Burr, R-N.C., said in statement. "Since then, we have learned much more about the nature of Russia's cyber activities and better understand the real and urgent threat they pose."
The report accused Russia of attempting to find vulnerabilities in the voting infrastructure systems most likely in all 50 states. It described 21 states in which officials noted suspicious incidents or the scanning of their systems.
Russia successfully exfiltrated the personal data of hundreds of thousands of voters from systems in at least two states, the report says: Illinois and another unnamed state. Illinois was previously named by local officials as likely a victim state mentioned in an indictment secured in July 2018 by then-special counsel Robert Mueller against purported Russian military intelligence cyber operatives.
More recently Florida officials said Russian hackers were able to infiltrate voter database systems there, though there was no evidence that the data was manipulated.
While the nation-wide scanning and probing was going on, the federal government was struggling to properly address, or even understand the threat, the Senate report said. It cited state and local officials who said some of the Department of Homeland Security personnel with whom they were dealing with didn't appear to understand how elections worked.
Perhaps more significantly, the report said that though the federal government issued warnings about nefarious Russian activity online and told states what specific internet protocol (IP) addresses to block or be on the look out for, they failed to describe the level of the threat to local officials or say that a sophisticated nation-state was behind them. In some cases the federal government warned the wrong local officials, the report says.
"For most states, the story of Russian attempts to hack state infrastructure was one of confusion and lack of information," the report says.
The report does, however, laud the steps the Department of Homeland Security and the FBI have taken to improve communication with state and local officials since 2016, and how many states have worked to improve their own election security.
It notes that in 2017 a two-person DHS team sat in with one state's officials during a special election. Though they "really didn't do much," their "presence was comforting," the report says, quoting an unidentified source.
But some mysteries related to the Russian intrusion endure, the report says, including at least two "unexplained events" involving some cyber-security chicanery involving two unidentified states.
It also says the committee was unable to determine why, exactly, Russia conducted so much cyber reconnaissance in the first place without appearing to act on the information and access it gleaned.
"Russian intentions regarding U.S. election infrastructure remain unclear. Russia might have intended to exploit vulnerabilities in election infrastructure during the 2016 elections and, for unknown reasons, decided not to execute those options," it says. "Alternatively, Russia might have sought to gather information in the conduct of traditional espionage activities. Lastly, Russia might have used its activity in 2016 to catalog options or clandestine actions, holding them for use at a later date.
"Based on what the [intelligence community] knows about Russia's operating procedures and intentions more broadly, the [intelligence community] assesses that Russia's activities against U.S. election infrastructure likely sought to further their overarching goal; undermining the integrity of elections and American confidence in democracy," it says.
Senate Intelligence Committee Vice Chairman Mark Warner, D-Va., said, "When the Russians attacked elections systems in 2016, neither the federal government nor the states were adequately prepared."
Warner noted that the federal government and states had made strides in election security since, but said, "there's still much more we can and must do to protect our elections."
The report makes a number of recommendations from urging state and local officials to quickly update their voting equipment and shoring up their cyber defenses, to encouraging the Trump administration to establish an effective deterrence policy to keep nation-states away from U.S. elections.
The Senate committee's report comes just hours after former special counsel Robert Mueller, whose investigation into Russian interference paralleled the committee's, offered his own stark warning about Russian activity targeting the 2020 elections.
Speaking of Russia's purported attack on U.S. democracy, Mueller told lawmakers that the 2016 effort "wasn't a single attempt."
"They're doing it as we sit here," he told the House Intelligence Committee on Wednesday afternoon. "And they expect to do it during the next campaign."
In response to the Senate report, Department of Homeland Security Assistant Director Bob Kolasky issued a joint statement with several state- and local-level election officials, detailing some of the measures that have been taken since 2016 to improve election security, including the installment of cybersecurity sensors on networks in all 50 states and their participation in tabletop exercises.
"The democratic process requires a secure and resilient election," the statement said, adding that the federal, state and local officials will "continue to work together and with our colleagues to secure the nation's election infrastructure and combat any foreign interference to protect the 2020 elections."
Russia has long dismissed the election interference allegations.