The Department of Homeland Security has finally agreed to conduct a thorough inspection of election equipment used in North Carolina that was supplied by a vendor whose system was targeted by Russian hackers in 2016.
It has been three years since the machines — laptops used to check in voters in Durham County — malfunctioned on Election Day, telling voters that they had already voted, even though they had not.
The county took the laptops out of service that day and switched to using paper poll books, but what caused the problem has remained a mystery. It’s one of several remaining questions about what happened in the 2016 elections, the answers to which could help the U.S. protect itself against future cyberattacks.
“This support may help to provide a better understanding of previous issues and help to secure the 2020 elections,” said Sara Sendek, a DHS spokesperson. She added that the agency “has no information that there is any previous or ongoing issues regarding elections systems” in the state.
The North Carolina glitch would have been dismissed as fairly routine had it not been revealed in 2017 that the vendor, Florida-based VR Systems, was one of the targets of Russian efforts to interfere in U.S. elections.
A leaked report by the National Security Agency said that Russian intelligence officers had mounted a spear-phishing campaign in August 2016 against a firm identified as “U.S. Company 1” and then used VR Systems credentials to send malicious emails to about 120 local government offices, later identified as the company’s customers in Florida.
Last month, Florida Gov. Ron DeSantis revealed that the Russians had successfully breached two county election systems in his state as a result of that phishing attack, although there was no evidence voter data was affected. The governor’s announcement followed the release of special counsel Robert Mueller’s report, which stated that the Russians had successfully installed malware on the network of a company widely believed to be VR Systems.
VR Systems has consistently denied to NPR and others that its system was hacked, although the company acknowledges that the Russians tried to do so and impersonated the company in its spear-phishing attack on its customers. It has also defended the security of its equipment in North Carolina.
The latest revelations by Mueller and DeSantis have renewed interest in what happened in Durham County.
The county concluded after its own investigation in 2016 that the problem was likely caused by human error. Officials said it appeared that software on the troublesome electronic poll books had not been updated and displayed information from a prior election, which is why voters were mistakenly told they had already cast their ballots.
But when the NSA report was leaked in 2017, revealing Russia’s efforts to hack into VR Systems, the North Carolina State Board of Elections decided to conduct an investigation of its own. It took custody of the Durham County laptops — more than a dozen — and said it would conduct its own forensic tests to determine what had caused the Election Day problems.
Subsequent efforts by NPR and others to find out the outcome of those tests were unsuccessful. But after the Mueller report was released this year, the state elections board issued a statement that it had been unable to conclusively determine the cause of the machine malfunctions, although it said its investigators believed “user error on the part of Durham County election and poll workers likely contributed to the 2016 incident.”
The board then revealed that it lacked “the necessary technical expertise to forensically analyze the computers” and that “other government agencies declined the agency’s requests to evaluate them.”
Josh Lawson, who until Friday was general counsel for the state elections board, told NPR that North Carolina officials asked the Department of Homeland Security several times over the past two years to investigate the equipment but did not receive a positive response until a few days ago.
“It’s not that we have anything definitive that would trace what happened in Durham County to a breach, but we have not definitively ruled it out,” he said.
DHS has been the lead federal agency working with state and local officials on election security since the 2016 elections, but it has taken many months to open up the lines of communications. One of the main issues has been how much threat information federal agencies can share with election officials and the public.
Florida officials were disturbed to learn only last month that two counties — which have yet to be publicly identified — had been successfully hacked by the Russians. County supervisors of elections told NPR that they were less concerned about which counties were involved but needed to know what the Russians had done and how the problem was addressed so they are able to make sure their systems are secure for 2020.
Members of Florida’s congressional delegation were also upset to be learning in 2019 new details about what happened in 2016, first in the Mueller report, then from the governor and later during a classified FBI briefing.
“This chaotic dribs and drabs of information that’s coming out is doing more harm to our constituents’ faith in the electoral system than just coming out and providing some information,” said Democratic Rep. Stephanie Murphy.
There are other unanswered questions about what the Russians did in 2016. The FBI told Florida officials that it had “no evidence” that any voter data was manipulated, which lawmakers noted was not the same as saying the agency was certain that nothing had been tampered with.
The leaked NSA report also said that the Russians spoofed a second company, “U.S. Company 2,” and sent out a test email that offered election-related products and services. It is not publicly known which company was spoofed, or what the Russians were ultimately trying to do.
The Russians also sent test emails to what appeared to be two fake accounts set up to look like they could provide voters with absentee ballots, according to the leaked NSA report. Again, it’s unknown what the ultimate aim was, and whether there were other vendors and election officials whose systems were attacked or involved.
The increased reliance on electronic poll books, like those used in Durham County, has also raised security concerns because the equipment can be connected at some point to the Internet or an election board’s network to get voter roll information, increasing their vulnerability to cyberattacks.