State Election Officials Didn’t Know About Russian Hacking Threat Until They Read It in the News, Emails Show

Voters across the country were shocked to learn last year, through the disclosure of a top-secret NSA document, details of an intricate plot by Russian military hackers to infiltrate American electoral systems. New emails obtained by The Intercept through public records requests illustrate the disturbing extent to which potential targets of the attack were caught unaware, having apparently remained in the dark alongside the voting public.

On June 5, 2017, The Intercept published a top-secret National Security Agency assessment that detailed and diagramed a Russian governmental plot to breach VR Systems, an e-voting vendor that makes poll book software used by several pivotal electoral battleground states, such as North Carolina and Virginia. The report attributed the scheme to the Russian General Staff Main Intelligence Directorate, or GRU. GRU’s plan, the NSA claimed, was to roll any success with VR Systems into a subsequent email attack against state voting officials across the country.

According to the documents obtained by The Intercept, officials in a handful of crucial swing states were completely unaware that GRU was trying to infiltrate their voting systems — for months and months after the election had taken place. Experts contacted by The Intercept decried a system in which overstretched state officials were in the dark about potential threats. A former official from the Department of Homeland Security told The Intercept on the condition of anonymity that warning about the potential attacks did not filter down to state-level officials in part because of complicated bureaucratic turf wars between the NSA, DHS, and local bodies — all of which were exacerbated because, for the NSA, transmitting word of the cyberattacks down the chain was “not a high priority issue.”

In North Carolina — which had reported widespread, glitchy disruptions on Election Day — key state voting officials clearly were never filled in on the details of the threat they had faced seven months prior. Rather, the officials learned the details in the news along with the rest of the public, without permission or authorization. These emails, obtained via public records request, underscore the total failure of the U.S. government to get information about imminent threats to election infrastructure to the people most affected, and raises the crucial question of why exactly it took roughly seven months for word of a credible attack against the integrity of American elections to reach the very people and systems under threat.

In a June 2017 email to members of North Carolina’s Mecklenburg County Board of Elections, Kimberly Strach, the executive director of the state’s Board of Elections and Ethics Enforcement, made it clear that reports that the county “could have been subject to outside interference during the 2016 general election” were unexpected. She also announced that the state was beginning an “investigation” to “determine if any interference occurred.”

A separate June 15 email from Mecklenburg Commissioner-at-Large Trevor Fuller to Director of Elections Michael Dickerson echoes this uncertainty: “I’d like to know your thoughts about the reporting that a voting system software company whose product that we use was hacked by the Russians,” Fuller asked. “Have we investigated whether this had any impact in Mecklenburg County?” Fuller responded that the county’s IT staff found no GRU emails in Mecklenburg inboxes.

That such investigations into an attempt to compromise a presidential election didn’t even begin until the summer after Election Day is cause for concern, said Susan Greenhalgh, a voting security expert and policy director at the National Election Defense Coalition, an advocacy group. “It’s very troubling,” Greenhalgh told The Intercept, that officials at the state and county levels “only felt compelled to investigate further after it was reported publicly.” Still, Greenhalgh added that she’s heard complaints of inadequate or untimely intelligence-sharing “again and again” from state election officials.

A spokesperson for North Carolina’s Ethics Board confirmed that it didn’t begin any investigation until after the NSA report was made public because the state’s voting officials were never informed of the GRU threat in advance. “At the time, the information-sharing was not as good as it is now,” this spokesperson added. “The State Board of Elections & Ethics Enforcement now has a great working relationship with our federal partners at the Department of Homeland Security.”

North Carolina wasn’t alone. In Virginia, another state that used VR Systems poll book software on Election Day, officials also appeared to be in the dark about what was revealed in the NSA report. On June 16, about a week after the NSA report was published, the Virginia Department of Elections’ Chief Information Officer Matthew Davis emailed the Department of Homeland Security “looking for some guidance” on the situation. “We are one of the states that uses VR Systems for electronic pollbooks,” Davis wrote. “Are there any steps that we need to be taking?” Given the particular nastiness of the malware that GRU hackers had tried to spread at the state level, if Davis or any of his colleagues had been successfully infected, they would have been rather far beyond the point of taking any protective “steps.” Nonetheless, Homeland Security didn’t have much to share, noting that the agency was still “working with partners to assess the intelligence and provide information out to you all.”

Even once news of the GRU attack arrived in Virginia, election officials remained unsure if they had even been victims — in a July 2017 email conversation between former Virginia Commissioner of Elections Edgardo Cortés and spokesperson Andrea Gaines, the two discussed how to respond to an Associated Press reporter asking if the state had been breached by the hackers. Gaines suggests telling the reporter that “there were no breaches discovered.” Cortés’s reply doesn’t inspire much confidence: “We need something a little broader … cause it’s more ‘as far as we know’ sort of situation.”

In a statement to The Intercept, the Virginia Department of Elections said it “continues to work with our local, state, and federal partners to ensure the safety and security of our electoral process,” but declined to answer specific questions about its knowledge of VR Systems or the GRU campaign. A Homeland Security spokesperson also declined to comment.

An email summary of a meeting between Virginia state election officials from that same week following the release of the NSA report also reflects a group caught unaware. The June 15, 2017 email, sent by Radford County Director of Elections Tracy Howard, told colleagues, “DO NOT be surprised if you get a call or visit from the FBI,” suggesting that such visits had not yet occurred.

At the federal level, those tasked with running American elections also seemed to be without vitally important information. On June 6, the day after the NSA report’s publication, the Election Assistance Commission issued an alert bulletin with a revealing title: “Following NSA document leak, EAC Issues Guidance and Recommendations.” The EAC attributed the alert not to federal intelligence or law enforcement agencies, but rather “to credible news reports that surfaced yesterday.”

Seven months after it mattered most, the EAC told election officials nationwide that “the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) are currently notifying the officials who were targeted by the attack and are coordinating the incident response.” The alert went on to provide simple, concrete steps that people could take to check if they were targeted or compromised by the GRU hackers, such as checking “email logs for emails from noreplyautomaticservice@gmail.com and vr.elections@gmail.com which were identified by the leaked NSA document as being the email addresses utilized by the attackers.”

.@EACgov Alert – Following NSA document leak, EAC Issues Guidance and Recommendations: https://t.co/CRPsbph7w4 #RealityWinner #NSA

— Election Asst. Comm. (@EACgov) June 6, 2017

Incredibly, the EAC went on to publicly promote the alert with a tweet hashtagged #RealityWinner, the name of the NSA analyst accused under the Espionage Act of releasing national security information, which other news organizations have connected to the document in the June 5 Intercept story (The Intercept has no knowledge of the source’s identity). Two days later, the copy of the alert posted to the EAC’s website was edited to remove any mention of the NSA report or its coverage in the press.

There’s nothing in any of the emails obtained by The Intercept indicating a coverup or evidence of deliberate negligence. Rather, the emails leave a startling impression that people around the country for whom this information would have been precious and vitally important to ensuring that GRU’s efforts fell flat were left uninformed. But a communications breakdown can be just as pernicious as any coverup.

A report published last month by the Senate Intelligence Committee, titled “Russian Targeting of Election Infrastructure During the 2016 Election,” said as much. The report noted that “although DHS provided warning to IT staff in the fall of 2016, notifications to state elections officials were delayed by nearly a year.” The report added, “Many state election officials reported hearing for the first time about the Russian attempts to scan and penetrate state systems from the press.” For this reason, “states understood that there was a cyber threat, but did not appreciate the scope, seriousness, or implications of the particular threat they were facing.”

The FBI did reportedly provide briefings to state officials in Florida, though according to the Tampa Bay Times, the warning was vague and came with a demand for continued secrecy. Leon County Elections Supervisor Ian Sancho told the Times that the FBI needed to practice “a little more openness and clarity.” He said, “In security and espionage, secrecy might be a great thing. In the area of elections, secrecy is a poison pill.”

That state-level election officials were left in the dark was no doubt caused, at least in part, by the legal and institutional complexity of sharing information gleaned by American foreign-facing spy agencies with domestic, state-level officials. So, too, is the intelligence community’s eternal unwillingness to share information outside its own ranks as a matter of principle, leaving municipalities in a position in which they must wait for information to gradually trickle down through protracted declassification processes. The NSA has the vast resources and expertise required to identify GRU hackers at work; suffice it to say that Mecklenburg County, North Carolina, does not.

Keeping federal intelligence siloed from the people who need it at the state level is perhaps only part of the problem, said Greenhalgh, the voting security expert. Greenhalgh said the silence after the spear-phishing attempt is “indicative of the lack of seriousness and urgency with which many election officials initially regarded this issue and the knee-jerk reaction from the vendors to sweep the possibility of hacking under the rug.”

Soon after it was made aware of the attack, on November 1, 2016, one of those vendors, VR Systems, issued a brief alert to state customers, warning against opening the suspicious attachment. But the initial warning contained no indication as to whether this was an example of a garden variety email scam or something more grave, only advice against opening the attached files, no matter who had attached them or why. At this very early point in the affair, VR couldn’t have known it was being targeted by the GRU or discerned exactly what malware was lurking in those files. Still, it wasn’t until June 2017 that the company provided election officials with a more comprehensive, three-page set of “Frequently Asked Questions” about the attack that reflected an understanding more sophisticated than a general warning not to click on a link or attachment.

Greenhalgh said both federal intelligence-hoarding and PR-minded vendors make for a poor security foundation. “In this case there was a vendor that played a critical role in the running of elections in several states and there was an attempt to compromise that vendor. And that information should be shared with the vendor and all of its customers, at a bare minimum,” Greenhalgh said. “You don’t need to be talking about classified signal intelligence to be able to share that basic information.” She added, of private-sector election systems contractors, that “the vendors are not forthcoming with the possibility of security breaches with their customers because they have financial disincentive to talk about that.”

A VR Systems spokesperson denied that the company was ever hacked, contrary to the NSA assessment that the company was “likely” breached by the GRU in some fashion in order for the hackers to prepare for targeting state election officials. The spokesperson added that after “turning the matter over to law enforcement” back in November 2016, the company “did not hear any more about it” until being contacted by The Intercept for comment prior to the publication of the NSA report.

“In the midst of the 2016 election, there was difficulty getting information about what happened at VR Systems out of law enforcement, specifically the FBI.”

According to a former Homeland Security official who spoke to The Intercept on the condition of anonymity because they were not authorized to speak to the media, the DHS would have liked to have given information about the GRU threat to states, but had been impeded by both the FBI and the NSA. “In the midst of the 2016 election,” the ex-official said, “there was difficulty getting information about what happened at VR Systems out of law enforcement, specifically the FBI.” The bureau refused to share its GRU findings with other federal agencies because “they were treating it as an open investigation” and therefore, off limits, the official said.

“We didn’t realize that there was a problem with VR Systems until the FBI decided to hold a phone call with a bunch of Florida election officials in the fall of 2016,” the former official continued. The DHS “didn’t know about that call until about 30 minutes” beforehand, they added, and even then was informed by a state election official — there was no formal heads-up from the FBI. The former official added that even within the FBI, there was a deep reluctance to share information about what had happened to VR Systems, with the Florida field office treating the investigation as a local criminal matter, and not something of national concern. (The FBI declined to comment for this story.)

As for the NSA, the DHS source told The Intercept that the American spy agency tasked with monitoring the whole of the internet was unaware of the GRU attack until “March or April,” months after the fact. (The NSA report itself cites information that “became available in April 2017.”) The NSA informed the DHS of its findings in “early May,” the ex-official said, but the intelligence was so heavily classified that it would’ve been illegal to share it with the election operators who needed it. The conundrum spurred Homeland Security to immediately request a “downgraded” version of the top-secret findings that could be passed on to state officials. “We were definitely pushing NSA to give that to us as fast as possible. Personally, I was extremely frustrated,” the source explained. “When we from a DHS perspective go to NSA and say, ‘Hey, we need to downgrade [this] information,’ it was not a high-priority issue.”

The former official described the situation as a battle over “turf” between intelligence and law enforcement agencies, confounded by the “FBI’s unwillingness to share” and the NSA’s reluctance to speedily declassify its findings. “That is an inherent rub,” the former official explained, “that the federal government has between its treatment of cybersecurity as a law enforcement problem” — which is the domain of the FBI — “and a network protection problem,” typically the NSA’s territory. Meanwhile, officials in Mecklenburg County and swing-state counties like it around the country were oblivious.

To Greenhalgh, a longtime election observer, there’s a simpler explanation: It’s easier to not think about how vulnerable these systems really are. To county governments on fixed budgets, it’s an administrative nightmare. To e-voting vendors, it’s poison PR. To spy agencies and law enforcement, it’s proprietary.

That unwillingness to see the depth and scope of the problem at hand — from those who would explain the whole crisis away as a misunderstanding, rather than reckoning with the fact that Russian hackers were able to effectively menace the American electronic voting system with an obviously bogus Gmail account — was put on display at an EAC meeting last spring. EAC convened the meeting at a riverside San Antonio hotel to discuss, among other issues of election integrity, how to counter the media “narrative” that American elections face an outsider threat. The solution to this threat was not to just concentrate on making elections safer from interference, according to a public transcript, but savvier public relations.

After showing meeting attendees a slide of headlines about election security issues, EAC Communications Director Brenda Bowser Soder suggested the fix was to out-media the media: “My frustration is, you and I both know, those are not the headlines that should be shaping perceptions of elections and their work moving forward.”

Top photo: An elderly couple reads a ballot prior to voting on Nov. 8, 2016, in Durham, N.C.