More than five dozen state and local election offices requested help from the Department of Homeland Security to protect their election systems from cyberattacks, according to DHS documents obtained by CNN.
Before the 2016 US election, 33 states and 36 local governments requested an assessment of their election systems to help prevent cyberattacks, and another two states and six localities requested the assessment since the election, according to a DHS memo issued in response to questions from Missouri Democratic Sen. Claire McCaskill.
The memo gives more detail on the scope of how many states and cities had concerns about the potential risk of a cyberattack last year, even before the Obama administration had issued its report confirming Russian hackers meddled in the US election.
Last month, DHS officials testified that the election systems of 21 states were potentially targeted by Russian government-linked hackers. None of the systems targeted were involved with vote counting, and only a very small handful of those states actually suffered any type of breach.
The DHS memo does not say how many of the 21 targeted states also requested a cyberassessment from the department.
CNN had previously reported that 33 states asked for assistance prior to the election, but the memo confirms that number and shows that more than three times as many localities as had previously been known also requested the cyberassessments.
With just days left in the Obama administration, former Homeland Security Secretary Jeh Johnson declared election systems a “critical infrastructure,” a designation that made it easier for DHS to aid state and local governments to protect their election systems.
In the memo to McCaskill, DHS says it has “no plans to make any changes to the designation of election infrastructure as a critical infrastructure subsector.”
But the relationship between federal officials and state and local governments over protecting election systems has been rocky at times. State election officials expressed frustration and disappointment with the federal government following a meeting in Indiana last month about preventing cyberattacks.
McCaskill, the top Democrat on the Senate Homeland Security and Government Affairs Subcommittee, wrote to then-Homeland Security Secretary John Kelly in March asking for more information about the critical infrastructure designation and the efforts to help state and local governments protect their voting systems.
She sent a staff memo to committee members on Wednesday detailing DHS’ work with state and local government to protect their election systems. The memo, obtained by CNN, notes that DHS provides the assessments to states and local governments for free, although those governments have to cover the costs to address any exposed vulnerabilities.
Like the intelligence community, DHS says that Russian officials were involved with hacking surrounding the 2016 US election, a conclusion that President Donald Trump has yet to agree fully with.
In the memo, the department states it observed along with the intelligence community “Russian cyber actors attempting to access voter registration databases prior to the 2016 elections.” In addition, DHS said that it shared technical information to help states and local governments identify and stop malicious cyber activity, which included reports “on malicious activity by Russian civilian and military intelligence services.”
The DHS memo also detailed how the department determined that Russian hacking did not target vote tallying systems.
“There are no indications nor observed evidence of Russian actors using cyber or physical means to target voting systems, which include voting machines (the electronic machines used by voters to cast ballots) and vote tallying systems (the electronic machines used by election officials to count and tally marked ballots),” the memo states. “These voting systems should not have active connections to the Internet during the voting process, and are rarely, if ever connected to the Internet at all.”
DHS explained that the risk assessments the state and local governments have requested provide scans for potential vulnerabilities, which were conducted remotely on a weekly basis. One state also ended its agreement with DHS for the scans after the election, according to the memo.
DHS also offered states a more in-depth risk and vulnerability assessment, which one state requested before the election and another afterward.
The more in-depth scan that two states requested includes “penetration testing, social engineering, wireless access discovery and identification, as well as database and operating system scanning,” according to the memo.