Security Of State Election Systems The Focus Of Dueling Capitol Hill Hearings
Updated at 1:56 p.m. ET
If two nearly simultaneous hearings Wednesday by the House and Senate Intelligence Committees into Russia's meddling in last year's presidential election revealed anything, it's that U.S. officials saw what was going on but were all but powerless to stop it.
In his prepared remarks, former Homeland Security Secretary Jeh Johnson said the Russian government, "at the direction of Vladimir Putin himself, orchestrated cyberattacks on our Nation for the purpose of influencing our election — plain and simple."
But in response to a question from the committee's ranking member, Rep. Adam Schiff, D-Calif., Johnson said he was concerned he would be criticized "for perhaps taking sides" in an ongoing election if he publicly spoke out about the Russian meddling that he knew was going on.
One of the candidates, Johnson said, not naming but clearly referring to Donald Trump, "was predicting that the election was going to be rigged," Johnson said, and so we were concerned that by making the statement, we might in and of itself be challenging the integrity of the election process."
Johnson said that on October 7, he and then-Director of National Intelligence James Clapper issued a statement accusing the Russian government of interfering with the U.S. election process — a claim Russian President Vladimir Putin has denied. But that statement he said "did not get the attention it should have," because of the release of the Access Hollywood tape that day — in which then-candidate Trump boasted of groping and kissing women.
In retrospect, Johnson said he wished "he had camped out with a sleeping bag" in front of the Democratic National Committee to get them to take seriously warnings that their email server had been hacked.
Johnson said he was disappointed the DNC would not accept Homeland Security's help in finding its cyber-vulnerabilities. He said he had asked on a number of occasions if the DNC had taken up the Department of Homeland Security's help. "I recall very clearly that I was not pleased we were not in there helping them patch this vulnerability," Johnson told lawmakers, adding that the agency does not have the authority to go into a private company with a warrant to fix its IT problems.
Johnson also testified he feared designating states' election systems as "critical infrastructure" earlier than he did would have driven away states that were suspicious of federal involvement in their elections. He said he first raised the issue with states in a conference call in mid-August, after seeing "troubling reports" of scanning and probing activities around various state voter registration databases. Johnson said initial reaction from state officials to the designation "ranged from neutral to negative." It wasn't until after the election, that Johnson formally made the designation.
But Johnson told lawmakers that there was no evidence that votes were altered as the result of Russian efforts to breach state election systems.
"Based on everything I know, that is correct," Johnson told Rep. Mike Conaway, R-Texas, "I know of no evidence that, through cyber-intrusions, votes were altered or suppressed in some way."
His prepared remarks were released by the House Intelligence Committee Tuesday evening:
"In 2016 the Russian government, at the direction of Vladimir Putin himself, orchestrated cyberattacks on our nation for the purpose of influencing our election — plain and simple. Now, the key question for the President and Congress is: What are we going to do to protect the American people and their democracy from this kind of thing in the future?"
While Johnson testified on the House side, the Senate Intelligence Committee held its own hearing focused on state election systems. Senators heard from cybersecurity experts from the FBI and Department of Homeland Security as well as from representatives of state election systems and state secretaries of state across the country.
In the Senate hearing, Department of Homeland Security and FBI witnesses told lawmakers they expect the Russian cyber-threat against the U.S. to "evolve" — and that governments across the country must try to keep up as well.
"I believe the Russians absolutely will continue to try to conduct influence operations in the U.S., which will include cyber operations," said Bill Priestap, assistant director of the FBI's Counterintelligence Division.
Democrats on the Senate panel, however, are frustrated by DHS Secretary John Kelly's unwillingness to disclose more detail about the states that were targeted or compromised last year. DHS acknowledges that Russia's intelligence officers went after elections systems in 21 states, only two of which — Arizona and Illinois — have been officially confirmed.
Jeanette Mafra, acting director of DHS' national protection and programs directorate, told senators that DHS must "build trust" with the state and local agencies it supports and that releasing names or details about them would ruin that by embarrassing them.
Vice Chairman Mark Warner, D-Va., complained that the official work of investigating and explaining Russia's mischief last year was hamstrung by all the secrecy about what had been compromised.
"I understand the notion of victimization," he said. "But I do not believe our country is made safer by holding this information back from the American public. I have no interest in trying to embarrass any state, but we've seen this too long in cyber ... people try to sweep this under the rug and assuming it will all go away."
Sen. Marco Rubio, R-Fla., also said he hoped the Intelligence Committee could reveal as much as possible because of how corrosive Russia's influence efforts have already proven.
"I think you could argue they've achieved quite a bit because if you look at the amount of time we've spent in this country on what happened and if you look at the political fissures that formed."
Rubio told a story about seeing a fake story that said President Obama had "banned" the Pledge of Allegiance — and getting text messages asking him about it.
"I knew it wasn't true," he said, "but people thought it was."
The testimony was grim from the Senate Intelligence Committee's second panel, which included state elections officials and a computer science expert who described the vulnerability from which he said electronic voting systems suffer.
Alex Halderman, a computer science professor at the University of Michigan, described the work he and colleagues had done exploring state computer systems with a view toward helping improve their security.
"My conclusion from that work is that our highly computerized election infrastructure is vulnerable to sabotage, and even to cyberattacks that could change votes," he warned. "These realities risk making our election results more difficult for the American people to trust. I know America's voting machines are vulnerable because my colleagues and I have hacked them."
Federal and state officials insist that no votes were changed by Russian cyberattacks in 2016, but Halderman said that would remain a real possibility unless the nation took a series of steps to update its security.
States must replace what he called "obsolete" paperless machines with optical-scan machines that count paper ballots, Halderman said. States must audit election results by examining paper ballots to "provide high assurance" that the election results were correct. And state officials must apply tougher cybersecurity safeguards to voting equipment and elections management.
The federal government is supposed to be helping states do that, but state officials complained to the Senate Intelligence Committee that they're waiting to see any benefit from the designation by DHS of elections systems as "critical infrastructure."
Senate Intelligence Committee Chairman Richard Burr, R-N.C., asked Indiana Secretary of State Connie Lawson, the president-elect of the National Association of Secretaries of State, whether there had been any negative consequences after the efforts DHS has made to assist states.
"Nothing has negatively happened, but also nothing positive has happened," Lawson said.
She and other state elections officials are frustrated by what they call a lack of clear guidance or information from the federal level and an absence of understanding by Washington about how elections practically work around the country.
The hearings Wednesday refocused all the recent drama in Washington about the Russian election-meddling narrative back onto what Russian intelligence services sought to do to breach the security of state election systems, among other things, in order to interfere in the 2016 presidential race.
NPR's Phil Ewing contributed to this report.