The U.S. official in charge of protecting American elections from hacking says the Russians successfully penetrated the voter registration rolls of several U.S. states prior to the 2016 presidential election.
In an exclusive interview with NBC News, Jeanette Manfra, the head of cybersecurity at the Department of Homeland Security, said she couldn't talk about classified information publicly, but in 2016, "We saw a targeting of 21 states and an exceptionally small number of them were actually successfully penetrated."
Jeh Johnson, who was DHS secretary during the Russian intrusions, said, "2016 was a wake-up call and now it's incumbent upon states and the Feds to do something about it before our democracy is attacked again."
"We were able to determine that the scanning and probing of voter registration databases was coming from the Russian government."
There is no evidence that any of the registration rolls were altered in any fashion, according to U.S. officials.
In a new NBC News/SurveyMonkey poll, 79 percent of the respondents said they were somewhat or very concerned that the country's voting system might be vulnerable to computer hackers.
In January 2017, just weeks before leaving his post, Johnson declared the nation's electoral systems part of the nation's federally protected "critical infrastructure," a designation that applies to entities like the power grid that could be attacked. It made protecting the electoral systems an official duty of DHS.
But Johnson told NBC News he is now worried that since the 2016 election a lot of states have done little to nothing "to actually harden their cybersecurity."
Manfra said she didn't agree with Johnson's assessment. "I would say they have all taken it seriously."
NBC News reached out to the 21 states that were targeted. Five states, including Texas and California, said they were never attacked.
Manfra said she stands by the list, but also called it a "snapshot in time with the visibility that the department had at that time."
Following initial publication of this article, the National Association of Secretaries of State, which represents top electoral officials around the country, said it was “still only aware of one state voter registration system that was penetrated" during the 2016 election "and that office made a public statement at the time."
In 2016, the Illinois Board of Elections acknowledged that voter data had been breached. Hackers were inside the system for several weeks and were downloading data when they were caught, though they did not alter any files.
Many of the states complained the federal government did not provide specific threat details, saying that information was classified and state officials did not have proper clearances. Manfra told us those clearances are now being processed
Other states that NBC contacted said they were still waiting for cybersecurity help from the federal government. Manfra said there was no waiting list and that DHS will get to everyone.
Some state officials had opposed Johnson's designation of electoral systems as critical infrastructure, viewing it a federal intrusion. Johnson said that any state officials who don't believe the federal government should be providing help are being "naïve" and "irresponsible to the people that [they're] supposed to serve."