Officials: Colorado’s election infrastructure not among 39 states reportedly hit by Russian cyber attack
Author: Ernest Luning - June 14, 2017 - Updated: June 14, 2017
Colorado’s computerized voter system doesn’t appear to have been targeted by Russian hackers who penetrated systems in two states last summer and reportedly tried to access files in dozens of other states before last year’s election, officials with the Colorado secretary of state’s office said Tuesday.
While the Colorado system is subject to hundreds of attempted intrusions daily, the secretary of state’s computer security officers told Colorado Politics, a rigorous search for the electronic signatures left behind by Russian cyber attacks in Illinois and Arizona didn’t turn up any evidence of similar hacking attempts in Colorado.
Bloomberg News reported Tuesday that the scope of Russia’s online assault on state voter databases and election software systems last year was more widespread than had previously been acknowledged, citing unnamed sources said to be close to a federal investigation into the attacks.
In all, Bloomberg reported, 39 states determined the Russians had attempted to breach their systems, nearly double the number of states federal officials said last fall had been subject to the attacks.
The Department of Homeland Security announced in the run-up to last year’s November election that Russian hackers had targeted voting systems in “more than 20” states, although they appeared to have penetrated the systems in just two states, Arizona and Illinois. While Bloomberg reported that authorities suspect the hackers tried to delete tens of thousands of voter files in Illinois, federal officials have insisted that they’ve found no evidence the cyber attacks affected the vote count or election results anywhere in the country.
“Is Colorado one of those 39 states? The answer is no,” said Trevor Timmons, chief information officer for the Colorado secretary of state’s office. He said DHS and the FBI notified Colorado officials to be on the lookout for Internet addresses tied to the Arizona and Illinois attacks, as well as methods the hackers had used.
“We got that information about all these computers associated with specific attacks and the patterns of behavior associated with those attacks,” Timmons said. “We added those to our system, to look through our log and see if we were seeing those same kind of attacks or anything using those patterns. We didn’t see anything. We initially did that check to see, ‘Oh, have we seen any activity from these bad actors?’ Once we’d done that investigation, we blocked those computers.”
“We don’t just rely on those reports,” said Rich Schliep, chief information security officer for the secretary of state’s office. “On a daily basis, we’re looking for similar attacks like that. It’s part of doing business in this day and age.”
Timmons said federal authorities didn’t issue additional warnings after those tied to the Arizona and Illinois attacks but did provide stepped-up assistance to state election security officials.
“We didn’t have more specific indicators — they use that word — we didn’t get further information about new indicators, but we were in contact with DHS and the FBI up to and after Election Day,” he said.
Timmons noted that then-DHS Secretary Jeh Johnson offered “cyber hygiene” scanning services — “they’ll do that same poking and prodding that the bad guys do” — to states in order to identify vulnerabilities in voter and election systems. “I’m not saying we were the first to sign up, but we were among the first three states to sign up,” Timmons said.
Schliep added that the DHS service augmented regular tests performed on the secretary of state’s computers.
“We pay organizations to try to hack our website on a continual basis so we don’t find out about something the wrong way,” he said. “We want to know we have a vulnerability so we can patch it.”
The National Association of Secretaries of State issued a lengthy statement Tuesday warning against assigning much credibility to the Bloomberg report.
“Our policy at NASS has been to help correct misinformation from spreading, which we will continue to do,” the statement said. “However, since the piece contains convoluted claims from anonymous sources, we are only able to say that we are not able to assess the credibility or the accuracy of the piece and we have no additional information from DHS or any intelligence agency to support its claims at this time.”
The group cautioned against reading too much into an article it suggested could be confusing some terms.
“Some of the language in the Bloomberg piece suggests that the sources used were not necessarily intelligence officials. It also appears to conflate a cyber ‘attack’ with a ‘breach’ and it has vague claims that are difficult for NASS to address. For example, we have no way of knowing what it means exactly that hackers ‘hit systems in a total of 39 states.’ We don’t know what ‘hit’ means, or even which ‘systems’ are being referenced by the claim.”