MADISON, Wis. -- Wisconsin Elections Commission Chair Mark Thomsen and Administrator Michael Haas issued the following statement.
In 2016, Russian government cyber actors unsuccessfully targeted Wisconsin’s voter registration system. The U.S. Department of Homeland Security (DHS) helped Wisconsin’s Division of Enterprise Technology (DET) successfully protect our systems from attack. However, DHS did not inform DET or the Wisconsin Elections Commission of the Russian government’s involvement in those specific attempts until last Friday. Also, DHS incorrectly claimed that DET had been notified in October 2016 of the Russian government’s involvement in this targeting.
Because DHS did not previously inform DET or WEC of its conclusions, we were surprised by the DHS notification last Friday, and the resulting confusion over the past week has been an unnecessary distraction from the fact that Wisconsin’s systems are secure and have not been breached in any way. We have all learned many important lessons and DHS officials have apologized and promised to improve their communications with state and local elections officials.
The past week has been dedicated to learning what actually happened and who knew what, and when. This has involved multiple meetings and phone calls with DHS, DET and other officials. We now understand that there were two separate events.
- DHS has confirmed that Russian scanning activity on July 30 and 31, 2016 had actually occurred on an inactive IP address assigned to a Wisconsin Department of Workforce Development job center site. DET subsequently blocked access to Wisconsin systems from the suspicious IP address associated with the scanning activity.
- In another event in August 2016, DET’s firewalls blocked an advertisement embedded in a publicly available website from being displayed on a WEC computer. The ad could have led the user to a suspicious IP address, but DET’s web content filtering system proactively blocked the ad, and the user had no opportunity to be directed to the suspect IP address. DET advised DHS of this suspect IP address, which DHS later determined is connected to Russian government cyber actors.
Since the initial notification Friday, WEC staff has had further discussions with high-level officials at DHS, we now understand that they consider Wisconsin to have been targeted based on a variety of sources, including intelligence information that cannot be publicly disclosed. We also understand that while Wisconsin’s elections systems were not scanned directly, DHS believes the DWD scans were looking for vulnerabilities in order to gain information about how to target elections systems. This is based on activity DHS observed in other states where election agencies were not scanned directly.
Unfortunately, DHS did not initially provide the information supporting its conclusion that Russian government cyber actors targeted Wisconsin’s voter registration system by attempting to scan another state agency. DHS communications led the Elections Commission to believe that it had not been targeted, which we announced at the Commission’s meeting Tuesday. In further discussions, DHS officials have acknowledged that they did not inform DET officials that Wisconsin’s elections systems had been targeted by Russian government cyber actors in 2016.
DET routinely blocks approximately 9 million scanning attempts each year. The basic fact remains that Wisconsin’s cyber security defenses protected our elections systems from any intrusion, theft or damage. These scanning attempts were unremarkable, except for the fact that DHS later identified their source as being Russian government cyber actors.
We are confident that DHS and other federal agencies worked closely with DET and provided critical information which DET used to protect all of Wisconsin’s systems. We will continue to work with DET and DHS to protect Wisconsin’s elections into the future.