The Senate Intelligence Committee provided a narrative of Russia’s efforts to disrupt the 2016 presidential election and offered six recommendations for the government to improve its security.
Here’s what you need to know about the report:
1. Russian activity began as early as 2014 and continued through election day 2016.
2. The committee notes it has not seen evidence that vote tallies were manipulated or voter registration was altered in any way. At least 18 states had election systems targeted by Russian-affiliated cyber actors.
3. Russian-affiliated cyber actors went beyond passive scanning, conducting malicious access attempts on voting-related websites in at least six states.
4. Russian-affiliated cyber actors in a small number of states were able to gain access to restricted elements of election infrastructure posturing them to, at a minimum, alter voter registration data, though they did not appear to be in a position to manipulate individual or aggregate votes.
5. The Department of Homeland Security’s initial response to counter this widespread effort was deemed “inadequate.”
6. Even voting machines not connected to the internet are vulnerable to hackers given they are updated via software downloaded from the internet.
7. The committee was unsure whether Russian government-affiliated actors intended to exploit vulnerabilities during the 2016 elections and decided against taking actor or if they were gathering information and testing capabilities for a future attack. Regardless, the actions taken go beyond traditional intelligence collection.
The report also offered five recommendations:
1. The U.S. government should clearly communicate to adversaries that an attack on election infrastructure is a hostile act and will warrant a response. Moreover, the government should engage allies to establish international cyber norms.
2. The intelligence community should make quick and accurate attribution a high priority. DHS must create clear communication lines between the federal government and states. The IC should work to declassify information quickly to provide warnings to state and local officials.
3. States should institute two-factor authentication for state databases, install monitoring sensors on state systems, identify weak points in the network, update software in voter registration systems, create backups such as paper copies. DHS should develop a risk management framework to mitigate risks to the electoral process, create voluntary guidelines on cybersecurity best practices to promote election security awareness, and promote the catalog of services it has available for states to secure systems, expand capacity to reduce wait times for cybersecurity services and work with GSA to establish a list of credible private sector vendors that can provide similar services provided by DHS.
4. States should replace outdated and vulnerable voting systems with newly purchased machines possessing a minimum of voter-verified paper trail and no Wi-Fi capability.
5. States should use federal grant funds to improve cybersecurity by hiring additional IT staff, updating software and contracting vendors to provide cybersecurity services.