WASHINGTON—Hackers have targeted the voter registration systems of more than 20 states in recent months, a Homeland Security Department official said Friday.
The disclosure comes amid heightened concerns that foreign hackers might undermine voter confidence in the integrity of U.S. elections. Federal officials and many cybersecurity experts have said it would be nearly impossible for hackers to alter an election’s outcome because election systems are very decentralized and generally not connected to the internet.
The official who described detecting the hacker activity was not authorized to speak publicly on the subject and spoke to The Associated Press on condition of anonymity. It was unclear, the official said, whether the hackers were foreign or domestic, or what their motives might be. ABC News earlier reported that more than 20 states were targeted.
The FBI last month warned state officials of the need to improve their election security after hackers targeted systems in Illinois and Arizona. FBI Director James Comey told lawmakers this week that the agency is looking “very, very hard” at Russian hackers who may try to disrupt the U.S. election.
Last month, Donald Trump, the GOP nominee for president, suggested that he feared the general election “is going to be rigged.”
The Homeland Security Department has stepped up its outreach to states and localities, but it is up to them to ask for help. So far, 19 states have expressed interest in a general “cyber hygiene” scan of key websites—akin to ensuring that windows in a home are properly closed, according to another Homeland Security official directly involved in securing local elections who also was not authorized to speak publicly about ongoing efforts.
The FBI has detected a variety of “scanning activities” that are early indications of hacking, Comey told the House Judiciary Committee this week.
The FBI held a conference call on Friday with the local officials who run elections in the battleground state of Florida. Meredith Beatrice, a spokeswoman for Secretary of State Ken Detzner, called it an “informational call related to elections security,” but a person on the call who was not authorized to discuss it and requested anonymity said authorities had seen evidence of someone probing a local elections website.
Homeland Security Secretary Jeh Johnson spoke to state election officials by phone last month, encouraging them to implement existing technical recommendations to secure their election systems and ensure that electronic voting machines are not connected to the internet.
DHS is offering states more comprehensive, on-site risk and vulnerability checks. Only four states have expressed interest in the assessment, and because the election is only weeks away, the department will likely only be able to conduct an assessment of one state before Election Day on Nov. 8, the official said.
Two of the hacking attempts involved efforts to mine data from the Arizona and Illinois voter registration systems, according to Kay Stimson, a spokeswoman for the National Association of Secretaries of State. She said in Arizona a hacker tried to probe voter registration data, but never infiltrated the system, while in Illinois hackers got into the system, but didn’t manipulate any data.
These systems have “nothing to do with vote casting or counting,” Stimson said in an email. “While it is theoretically possible to disrupt an election by infiltrating a voter registration system, their compromise would not affect election results” and there are system controls in place to catch any fraud.
Rep. Henry Johnson, D-Ga., introduced two bills earlier this month that would require voting systems be designated as critical infrastructure and limit purchases of new voting systems that don’t provide paper ballots, among other measures. It’s unlikely the bills will be passed before the election.
The Homeland Security Department is already considering designating voting systems as critical infrastructure in the future, though it is unlikely to happen before the election, the second official said.
A presidential directive released in 2013 details 16 sectors that are considered critical infrastructure, including energy, financial services, healthcare, transportation, food and agriculture, and communications. The designation places responsibilities on the Homeland Security secretary to identify and prioritize those sectors, considering physical and cyber threats. The secretary is also required to conduct security checks and provide information about emerging and imminent threats.