More than two and a half years after the fact, the Feds are finally going to investigate the failure of voter registration software – from a company that had been cyber-attacked by Russians just days before the November 2016 US presidential election – in the swing state of North Carolina.
Politico has reviewed a document and spoken to somebody with knowledge of the episode, both of which suggest that the vendor, VR Systems, “inadvertently opened a potential pathway for hackers to tamper with voter records in North Carolina on the eve of the presidential election.”
Specifically, VR Systems used remote-access software to connect for several hours to a central computer in Durham County so as to troubleshoot problems with the company’s voter registration software. In fact, election officials would come to find out that this was common practice, according to Politico’s source, in spite of the fact that election technology security experts agree that it opens up systems to hacking.
Election Day 2016: Durham County
When the polls opened in Durham County on 8 November 2016, election officials discovered that the laptop computers used by precincts to verify voter registration had malfunctioned. They were forced to cross-check voter registration with old-fashioned paper poll registries and to extend voting hours.
It was suspicious, and it wasn’t an isolated incident. Five or six precincts reported the same problem with the computerized check-in system from VR Systems, a Florida-based e-voting vendor with customers in eight states. The county, which leans heavily to the Democrats, had delivered 75% of its votes to Barack Obama during both of his presidential runs, and North Carolina was considered a key swing state in the 2016 presidential election.
At the time, state election officials hadn’t taken the 21 affected laptops as evidence. If there was any forensic analysis done on those laptops before now, it wasn’t publicly disclosed, making last week’s announcement the first known federal probe of the malfunctioning technology.
The Associated Press last week reported that the US Department of Homeland Security (DHS) will be conducting the forensic analysis to find out what happened with those laptops during an election that special counsel Robert Mueller has said the Russians had tried to push toward a win for Donald Trump.
More than a year for attackers to erase their tracks
It wasn’t until 2017 that the state election officials seized those 21 laptops, after the Intercept published a leaked report from the National Security Agency (NSA). In that report, the NSA described how Russian hackers had launched a spearphishing attack against employees of VR Systems just days before the 2016 election.
Josh Lawson, who was general counsel of the North Carolina board of elections at the time, says that following the leaked report, state election officials seized those 21 laptops as evidence. But it was more than a year after the Election Day episode – plenty of time for hackers to erase their tracks.
On Thursday, Lawson said that his office had asked federal officials to do a forensic exam of those laptops, and that the state, working with the FBI, had taken images of the hard drives.
Did those 12 indicted Russian intelligence officers hack VR Systems?
As recently as June 2018, VR Systems reportedly denied that the attackers had succeeded in hijacking any of its systems.
According to the Intercept’s report, the Russian hackers used a VR Systems account to send spearphishing emails to more than 100 local election officials.
Politico’s source told the publication that VR Systems finally agreed to stop using remote-access software to troubleshoot its customers’ systems – at least, in North Carolina. The company reportedly considers remote support a feature, not a bug, in spite of the fact that election security experts generally condemn remote connections to election-related computer systems.
In fact, they don’t like internet-anything when it comes to election technology. In September 2018, an expert panel at the National Academy of Sciences called for sweeping election reforms, including one specific recommendation that should come as no surprise: use paper ballots.
From the panel’s report:
Ballots that have been marked by voters should not be returned over the internet or any network connected to it, because no current technology can guarantee their secrecy, security, and verifiability.
DHS to the rescue?
The state election board’s spokesperson, Patrick Gannon, last month told Politico that state investigators believe that “human error on the part of Durham County election and poll workers likely contributed to the 2016 incident,” but that the investigation remains open because the agency “does not have the technical expertise to conduct a forensic examination of the laptops.”
DHS told Politico that it plans to work with the state election board “to analyze the laptops used in Durham County elections in 2016. This support may help to provide a better understanding of previous issues and help to secure the 2020 election.”
Senator Ron Wyden, a leading critic of VR Systems, told Politico that the e-voting technology company is “serving up our democracy on a silver platter to foreign hackers” by remotely accessing voting systems the day before Election Day, as the company did. Remote access the day before elections, that is, and after they’d discovered that they’d been targeted in a spearphishing attack (an attack that, again, the company says didn’t succeed in breaching its systems).
No company that plays such a critical role in our elections should be taking such a reckless shortcut with the cybersecurity of its state and local customers.
The fact that we’re just learning about this practice two years after the election, and after any evidence of hacking has likely been destroyed, is inexcusable. Americans need to know if VR Systems still has remote access to election computers in other states, and how often this occurred.