The Department of Homeland Security’s assessments that 21 states’ election systems were somehow targeted by Russian hackers has fallen apart at the seams.
In Wisconsin and California, for example, the supposed targets were unrelated agencies including a department of workforce development that distributes unemployment benefits and another that handles information technology for state agencies but not for elections.
Now, it turns out that the activity reported initially as “targeting” was actually “scanning” of publicly faced government websites looking for vulnerabilities that do not even tabulate vote counts.
“In the majority of the 21 states targeted, only preparatory activity like scanning was observed,” said Department of Homeland Security spokesperson Scott McConnell. “In some cases, this involved direct scanning of targeted systems. In other cases, malicious actors scanned for vulnerabilities in networks that may be connected to those systems or have similar characteristics in order to gain information about how to later penetrate their target.”
That is a far cry from the Director of National Intelligence assessment published in January that stated, “Russian intelligence accessed elements of multiple state or local electoral boards.”
It was, however, more in line with the original joint assessment put out prior to the election in October 2016, which stated, “Some states have also recently seen scanning and probing of their election-related systems, which in most cases originated from servers operated by a Russian company.”
Then there was a big but in that 2016 finding: “However, we are not now in a position to attribute this activity to the Russian Government.”
With good reason. There are billions of bots crawling the Internet every day. As noted by Forbes.com columnist James Lyne back in 2013, “Cybercriminals have automated scanning tools scouring the web looking for websites to infect to deploy their malicious code. Their target could be a personal blog, a small business website or a massive news site. Wherever there is a vulnerability they will happily capitalize on it to spread their wares.”
In other words, the “scans” these government websites received sound a whole lot like the same types of automated scans that happen thousands of times every week to almost every website on the web looking for vulnerabilities to install malware.
It’s like saying if rain hits your house today, it was “targeted” by the clouds. In the meantime, every building in your town got wet.
This sort of bogus reporting by DHS has rightly been met with healthy skepticism by state officials across the country, with others now joining Wisconsin and California to question the DHS finding. “We were not aware that they considered scanning as symptomatic of targeting,” Colorado director of technology and information services Trevor Timmons told Talking Points Memo.
The Talking Points Memo report also noted that such scans were common across each state’s computer networks, “A spokesperson for Iowa’s secretary of state described seeing 6,000 scans or attempted scans each day. The spokesperson for Oklahoma’s secretary of state said that state had half a million scans a year.”
The claim is practically laughable.
Without more specific information about what made these particular network scans exceptional as compared to all the other scans happening all over the web all the time, DHS is going to be hard-pressed to prove there was any nation-state strategic intent to do with the scans based on an IP address trace, let alone that these were attempts to somehow influence or obstruct the 2016 elections.
In fact, according to Incapsula, in 2016, 51 percent of all Internet traffic was bots, 55 percent of which were so-called “bad bots.” These encapsulate billions of requests every single day to websites. The programs operating these are very much automated. Good luck figuring out which ones were specifically targeting a website for any specific reason let alone who the culprits were.
For example, if a local police department’s website gets scanned by an IP address that traces back to China, and indeed, if similar bots are found on other publicly facing law enforcement websites across the fruited plain, do we conclude that foreign adversaries are attempting to obstruct criminal investigations?
Or in the case of Wisconsin, since it was the state unemployment office’s website that was supposedly “targeted” according to DHS, does that make our intelligence services believe there was a plot by Russia to interfere with the distribution of unemployment benefits?
These bots can do all sorts of harm. They’ll deposit malicious code into a website’s Chron jobs, comments sections, and so forth. There’s often no rhyme or reason about why a site will get infected. They’re just finding exploits because they can. The attacks range from simply defacing public websites, so-called “pwning,” to DDOS attacks to take down websites by overwhelming them with traffic, to engaging in identity theft by going after user data for more hardened cybercriminals, or just infecting local computers with adware to gather user data on customer preferences.
Divining intent from these types of breaches, when the code does get injected, is going to be more than problematic, let alone when it isn’t, as in the case of most of the 21 states.
Just looking at our Sucuri interface that protects Americans for Limited Government’s news site, NetRightDaily.com, I can see about 500 blocked requests every single day. According to the software, in the past six months, 47.9 percent of the blocked requests were DDOS attacks being blocked, 17.7 percent were bad bot access being denied, 16.7 percent were spam comments, 7.5 percent were evasion attempts being denied and 2.8 percent were backdoor access being denied.
Just yesterday, Sucuri blocked requests from IP addresses in the U.S., China, Ireland, India, the UK, Lithuania, Romania, Syria, India, Sri Lanka and Thailand. Does this mean the intelligence services of each of these countries were attempting to hack Americans for Limited Government’s website? Are we some major threat? No. There is no pattern. These appear to be bots.
And in a shared server environment, as most websites are hosted in, we were not alone as the attacks and other scans focus in on ranges of IP addresses hosted across the web. It’s just part of the normal course of business on today’s Internet. There’s a lot of malware. But we already knew that.
The only thing unusual about all this is that it wound up in misleading government intelligence assessments purporting to show widespread Russian disruption of our election systems in 2016 where there may not have been any — probably to suit a narrative — that were then published, repeated and propagated. That’s the real scandal.
Robert Romano is the Vice President of Public Policy at Americans for Limited Government.
