WASHINGTON — Russia was preparing to undermine confidence in the United States’ voting process when its hackers surveilled around 20 state election systems in the run-up to the 2016 elections, the Senate Intelligence Committee concluded in a brief report released on Tuesday.
But the committee said it saw no evidence that the Russians had ultimately changed vote tallies or voter registration information. In a few states, however, Russian hackers were “in a position to, at a minimum, alter or delete voter registration data,” the committee said.
“These activities began at least as early as 2014, continued through Election Day 2016, and included traditional information-gathering efforts as well as operations likely aimed at preparing to discredit the integrity of the U.S. voting process and election results,” the senators wrote.
The Intelligence Committee has been investigating Russia’s election interference campaign for well over a year now. The findings and earlier recommendations related to election security amount to its first public conclusions based on that work.
Many of the committee’s findings have already been disclosed publicly, but they add new detail to the scope of the Russian efforts in states across the country and the continuing vulnerabilities of those systems.
The senators found that the Russians targeted at least 18 states, and said that there is evidence that they also went after three others, scanning them for vulnerabilities. In six states, they went further, trying to gain access to voting websites, and in “a small number of states” actually breached election computer defenses.
In those instances the intruders had the ability to change registration data but appeared unable to change votes, the report stated. The senators cautioned that other Russian attacks and breaches could have gone undetected.
The report, which was unclassified, faulted the Department of Homeland Security for an initially slow response to the Russian meddling, but it added that cooperation with the states had greatly improved.
The department said this week that 17 states have gotten or soon will get so-called risk and vulnerability assessments of their election systems, a weekslong evaluation that is the government’s most thorough cybersecurity check. Before November 2016, only one state had been assessed.
The department conducts less intensive weekly “cyberhygiene” scans of election systems in 33 states. And it has granted federal security clearances to about 30 state election officials, removing at least some of the barriers to sharing information about future threats to election security.
Lawmakers also succeeded in getting $380 million in a large spending bill in March for grants to states to improve their election infrastructure and bolster election security.
The committee released a list of recommendations in late March to help secure American voting systems ahead of the midterm elections. Those recommendations included adopting voting machines with paper ballot backups to replace paperless or otherwise outdated ones, instituting routine vote audits and updating software systems. At the time, the senators also urged the Trump administration to send a clearer message that it would not tolerate attacks on any election systems or the democratic process.
In a public hearing the next day, senators pressed homeland security officials to move faster in enforcing key security measures such as the granting of security clearances to state election officials.
The senators also sounded concerns on Tuesday about the shrinking number of voting-machine makers. The three largest vendors of voting equipment dominate the industry, and both the companies and their subcontractors that serve local election agencies are largely unregulated. That makes them and other vendors “an enticing target for malicious cyberactors,” the Intelligence Committee wrote.
A National Security Agency analysis leaked publicly last June concluded that Russian military intelligence launched a cyberattack on at least one maker of electronic voting equipment during the 2016 campaign, and sent so-called spear-phishing emails days before the general election to 122 local government officials, apparently customers of the manufacturer. The emails concealed a computer script that, when clicked on, “very likely” downloaded a program from an external server that gave the intruders prolonged access to election computers or allowed them to search for valuable data.
The agency said the Russians appeared to have targeted managers of voter-registration computer systems, and that it was unclear whether any of those systems were compromised.
Separately, Alaska officials disclosed on Monday that one of the state’s election-related servers had been breached on Election Day 2016 by a hacker who apparently was unconnected to the Russians. The data on the server was not confidential and could not be changed, and the computer itself was unable to make outgoing connections via the internet, so the hacker was unable to rove elsewhere in the election network.
The breach was first reported the day after the 2016 election by the website Cyberwar News, but it went largely unnoticed until state officials revealed it this week.
The Senate Intelligence Committee plans to write and release additional reports on American intelligence agencies’ assessment of the Russian efforts, the Obama administration’s response, the Russians’ use of social media, and lastly, possible coordination or collusion between the Trump campaign and Russia. Senators have conceded that consensus on that final report may be difficult to reach.
Senator Richard M. Burr of North Carolina, the committee’s chairman, told reporters on Tuesday that the next report, on the intelligence assessment, could be out as early as next week.