The U.S. intelligence community developed substantial evidence that state websites or voter registration systems in seven states were compromised by Russian-backed covert operatives prior to the 2016 election — but never told the states involved, according to multiple U.S. officials.
Top-secret intelligence requested by President Barack Obama in his last weeks in office identified seven states where analysts — synthesizing months of work — had reason to believe Russian operatives had compromised state websites or databases.
Three senior intelligence officials told NBC News that the intelligence community believed the states as of January 2017 were Alaska, Arizona, California, Florida, Illinois, Texas and Wisconsin.
The officials say systems in the seven states were compromised in a variety of ways, with some breaches more serious than others, from entry into state websites to penetration of actual voter registration databases.
While officials in Washington informed several of those states in the run-up to the election that foreign entities were probing their systems, none were told the Russian government was behind it, state officials told NBC News.
All state and federal officials who spoke to NBC News agree that no votes were changed and no voters were taken off the rolls.
After NBC's report on the compromised states aired Tuesday night, Department of Homeland Security (DHS) Acting Press Secretary Tyler Houlton challenged its accuracy in a series of tweets. "NBC's reporting tonight on the 2016 elections is not accurate and is actively undermining efforts of the Department of Homeland Security to work in close partnership with state and local governments to protect the nation's elections systems from foreign actors," wrote Houlton.
"As we have consistently said, DHS has shared information with affected states in a timely manner and we will continue to do so. We have no intelligence — new or old — that corroborates NBC's reporting that state systems in seven states were compromised by Russian government actors. We believe tonight's story to be factually inaccurate and misleading."
On Wednesday morning, however, Michael Daniel, the top White House cybersecurity official at the end of the Obama administration, told NBC News that the government's assessment when he left the White House in January 2017 was that networks in seven states were compromised. He said he could not account for whether that assessment had changed in the past year.
Daniel, who is now president of the Cyber Threat Alliance, an industry group, said it was the intention of the Obama administration to inform those states, "but clearly it didn't happen the way that we wanted it to."
He said he could not name the states because some of the assessment was based on classified information.
"This continued debate about whether or not the states were notified is actually distracting from the larger point, which is that we need to build the relationship between the federal government and state governments in the electoral area to improve cybersecurity," he said.
"It is also easy to get lost in the cybersecurity industry's ability to parse words, and the differing definitions of malicious cyber activity. But between what the states themselves detected and what the federal government detected through law enforcement and intelligence, it clearly showed a really broadbased Russian campaign to probe and figure out how they could gain access to different components of our electoral systems."
According to classified intelligence documents, the intelligence community defines compromised as actual "entry" into election websites, voter registration systems and voter look-up systems.
NBC News reached out to all seven states that were compromised, as well as 14 additional states that DHS says were probed during the 2016 election.
To this day, six of the seven states deny they were breached, based on their own cyber investigations. It's a discrepancy that underscores how unprepared some experts think America is for the next wave of Russian interference that intelligence officials say is coming.
Eight months after the assessment, in September 2017, the Trump administration's DHS finally contacted election officials in all 50 states to tell them whether or not their systems had been targeted. It told 21 states they had been targeted, and U.S. officials acknowledged that some of those attempts had been successful.
"I think the Obama administration should have been doing much more to push back against the Russians across the board," said Juan Zarate, an NBC News analyst who was deputy national security adviser for combating terrorism under President George W. Bush. "I think the U.S. was very meek and mild in how we responded to Russian aggression."
Denis McDonough, who was Obama's last chief of staff, strongly disagrees, arguing the administration acted to thwart the Russians before and after the election. Obama administration spokespeople also say they transmitted sensitive intelligence regarding state compromises to congressional leaders.
"The administration took a series of steps to push back against the Russians to include far-ranging sanctions, diplomatic steps to push people associated with the Russian effort out of this country and also warning our friends and allies," he said.
The Trump DHS, like under the Obama administration, has declined to share the intelligence assessment of which states were actually compromised, according to state election officials.
This month, in an exclusive interview with NBC News, Jeanette Manfra, the current head of cybersecurity at DHS, said that "an exceptionally small number" of those 21 states "were actually successfully penetrated." But Manfra declined to answer questions about the classified intelligence assessment, or to say specifically how many states had been penetrated.
Top election officials from all 50 states met in Washington this month for a National Association of Secretaries of State conference and received temporary security clearances for a classified threat briefing from intelligence officials. According to two officials present, one from the intelligence community and the other a state official, the actual intelligence on state compromises was not shared.
While numerous state election officials told NBC News that the Department of Homeland Security has been stepping up communications with them, many say they're worried they are still not getting enough information from Washington.
Illinois itself had detected a "malicious cyberattack" on its voter registration system in the summer of 2016 and reported it to DHS, saying its voter rolls had been accessed but nothing had been altered. It is the only state to acknowledge actual compromise.
The other six states from the January 2017 assessment, however, say that when DHS told them last September that their systems had been targeted, it still did not tell them that their systems had been compromised. All six also say that based on their own cyber investigations, they believe their election systems were never compromised.
Three states said publicly in September that while some state websites were affected, none were directly related to voting; specifically, Texas, Wisconsin and California say some sites were "scanned." But a former senior intelligence official told NBC News that these types of probes can also be serious, either as gateways to other networks or as reconnoitering for future attacks.
Fears of a repeat in 2018
Nearly 16 months after the presidential election, and more than eight months before the critical midterms, many state and federal officials are convinced the Russians will be back. They're concerned that 2016 was laying the groundwork for a possible future attack.
"We have an extreme sense of urgency on insuring security of the 2018 elections, because you don't get a chance to do it over," said Alex Padilla, California's secretary of state, who said there was no evidence of a successful hack in California.
Several state election officials, including Padilla, told NBC News they think they should have been told that U.S. intelligence agencies believed they'd been breached whether or not that turned out to be true.
"It is hugely imperative that intelligence be shared with state elections officials immediately in order to protect our election infrastructure and the integrity of election results," Padilla said.
Reluctance to share the information may be due, in part, to the classification of the intelligence itself. Multiple intelligence officials told NBC News that determining the Russian government was behind the hacks depended on "exceptionally sensitive sources and methods" including human spies and eavesdropping on Russian communications.
No state election official at the time had a security clearance sufficient to permit access to such sensitive information, according to DHS.
"Look, whether or not state elections officials had the proper clearance has unfortunately been an excuse in my opinion, a bureaucratic response for why information or intelligence hasn't been more quickly shared with state elections officials," Padilla said.
"We've got to fix that right away, because it does us no good, [when somebody is] sitting in Washington, D.C., with a bit of information about a significant cyberthreat and elections officials and locals are completely unaware. That doesn't help anybody and that needs to be addressed," Padilla said.
Zarate said that he thought "too much of this has happened behind the veil of the government," and that "much more has to be discussed openly with the public about what we know of the kinds of attacks that are happening, who may be behind them, and how we defend ourselves against [them]."
A spokesperson for Florida's secretary of state, Mark Ard, said the state was informed by DHS in September 2017 that Florida had been targeted by hackers in 2016. "This attempt was not in any way successful and Florida's online elections databases and voting systems remained secure," Ard said.
Texas Secretary of State Rolando Pablos said in a statement that his agency had not seen any evidence that any voting or voting registration systems in Texas were compromised before the 2016 elections.
The public information officer for the Wisconsin Elections Commission said the commission has never detected a successful hack on its system, "nor has it ever been notified of one by the Department of Homeland Security or any other state or federal agency."
A spokesperson for the Arizona secretary of state, Matt Roberts, said the state had still not been informed of a successful hack, and had seen no evidence of one. Roberts said the state had not been told that "ANY Arizona voting system has been compromised, nor do we have any reason to believe any votes were manipulated or changed. No evidence, no report, no nothing."
Alaska did not respond to repeated requests for comment, but has previously denied that any breach occurred.
Bradley Moss, a lawyer specializing in national security, tried to lift the veil and find out what U.S. intelligence knew about the Russian attempts to compromise the voter system. He sued for disclosure of government files and won last week, receiving 118 top-secret pages from the intelligence community. The pages referred to "compromises" and other breaches but the pages were almost completely blacked out for security reasons.
Said Moss: "The spreadsheets show that there were documented breaches of election networks. That there were documented, numerous documented instances of attempted breaches of state election networks, and that there was a widespread concern among several agencies in the intelligence committee about the sanctity and the integrity of these election networks."
In a statement, DHS said it has been working with state and local officials for more than a year on the issue.
"This relationship is built on trust and transparency, and we have prioritized sharing threat and mitigation information with election officials in a timely manner to help them protect their systems," DHS acting press secretary Tyler Houlton said.
"In addition to granting state officials clearances to give them access to classified information, we work to declassify information rapidly and have the ability to grant one-day waivers when necessary to provide state officials with information they may need to protect their systems.
"We are committed to this work and will continue to stand by our partners to protect our nation’s election infrastructure and ensure that all Americans can have the confidence that their vote counts — and is counted correctly."
A statement from the Office of the Director of National Intelligence said only: "The declassified Intelligence Community Assessment of January 6, 2017, found that Russian actors did not compromise vote tallying systems. That assessment has not changed."
Next steps
At a Senate hearing on Tuesday, the National Security Agency director, Adm. Mike Rogers, acknowledged that the White House has not directed him to try to stop Moscow from meddling in U.S. elections.
Sen. Claire McCaskill, D-Mo., said that was "outrageous" and asked whether the U.S. was in a position to stop Russia from "doing this again."
"We’re taking steps but we’re probably not doing enough," Rogers said.
"I want to know, why the hell not?" McCaskill shot back. "What’s it going to take?"
While the FBI and the Department of Homeland Security say they are taking steps to shore up cyberdefenses, FBI Director Christopher Wray told Congress this month that the instructions did not come from the top.
When Sen. Jack Reed, D-R.I., asked Wray if the president had directed him or the bureau to take "specific actions to confront and blunt" ongoing Russian activities, Wray said, "We're taking a lot of specific efforts to blunt Russian efforts."
Reed then asked, "Specifically directed by the president?" Wray answered, "Not as specifically directed by the president."
The White House on Tuesday pushed back on any suggestion they’re not doing enough, saying President Trump is "looking at a number of different ways of making sure that Russia doesn’t meddle in our elections."
For the future, Zarate suggests taking a lesson from the past.
"After 9/11, the walls between law enforcement and intelligence sources had to be broken down in order to connect the dots," Zarate said. "There has to be a whole-of-government and whole-of-nation approach to dealing with what is an assault on American democracy."