A long-awaited report this week from the Department of Homeland Security found security problems with the computer systems that a North Carolina county used to handle voter data during the 2016 election — but no evidence that Russian hackers had breached them.
Still, the review is unlikely to totally resolve questions surrounding the county’s use of software provided by the Florida company VR Systems, which — as POLITICO reported last week — have added to broader doubts about the security of election technology that Americans will use at the polls in 2020.
Experts contacted by POLITICO said the new DHS analysis has its share of holes — for instance, failing to examine all the computer systems the Russians could have targeted. And they noted that officials in Durham County, N.C., had waited until about a week after Election Day to preserve some potentially important evidence.
“I think [the investigation is] incomplete,” says Jake Williams a former NSA hacker who is founder of the security firm Rendition Infosec and trains forensic analysts. “It’s the best investigation that can be conducted under the circumstances. We can’t investigate what we don’t have, [and] a lot of the crucial evidence is missing.”
Among other security issues, the heavily redacted DHS report indicates that someone had used a “high value” desktop computer handling Durham County’s voter-registration data to access a personal Gmail account on Election Day. The report provides a lengthy list of suggestions — all blacked out — for how the county can improve the security of its election infrastructure.
Election officials in North Carolina — a state President Donald Trump carried by more than 170,000 votes — nonetheless said the review resolved the more dire questions about problems that arose in Durham County in 2016, which contributed to long lines at the polls that deterred an unknown number of voters from casting ballots. The report shows “that outside interference did not play a part in what happened in Durham County,” said Noah Grant, a spokesman for the North Carolina Board of Elections, which had asked for the federal examination.
But DHS’ findings are actually more narrow than that conclusion, the experts consulted by POLITICO say, and indicate only that malware was not found on the systems that investigators examined. Williams said the DHS report doesn’t completely close the door on the possibility that Russian hackers could have been inside Durham County’s computers.
DHS’ Cybersecurity and Infrastructure Security Agency launched the review in June 2019, three years after problems arose with the VR Systems software used for managing voter lists and signing in voters.
VR Systems has previously attracted attention because of government reports that Russian nation-state hackers had tried to breach its computer networks two months before the 2016 election. The company says those attempts were unsuccessful, but last year’s release of special prosecutor Robert Mueller’s report on Russian election interference renewed interest in VR Systems, the problems in Durham, and whether the two were related, when it indicated that an election company was successfully hacked by the Russians in 2016 and had malware installed on its network. Though the report didn’t identity the company by name, the description of the victim in this and other government documents matches VR Systems.
A previous investigation of Durham County’s problems, conducted by a security firm hired by the county in 2016, had pointed to errors by poll workers and election workers as the likely cause — but that probe didn’t examine the computer systems themselves for evidence of foul play. DHS later examined VR Systems’ network in 2018 at the company’s request and found no signs of malware, but the assessment didn’t occur until two years after the attempted Russian breach. If the hackers were successful in breaching the company’s network, they could have erased their tracks in the interval.
A VR Systems spokesman expressed satisfaction Tuesday with the newest DHS report, saying it shows that the company software used in Durham’s polling places “was not breached or compromised.”
“We are pleased but not surprised to learn that the Department of Homeland Security review found no evidence of malware or a cybersecurity attack related to the Durham County election in 2016,” spokesman Ben Martin said in a statement.
Election integrity activists aren’t so quick to accept the results, however, given that evidence used in the investigation wasn’t gathered on Election Day.
“Absence of evidence shouldn’t be mistaken for evidence of absence,” said Susan Greenhalgh, vice president of policy and programs for National Election Defense Coalition. “I would hope the lesson learned here is that we need to be vigilant about irregularities from their onset … and promptly initiate investigations to rule out malicious cyber events.”
Generally, forensic investigations examine mirror images of a computer device or system, captured at the time they experience problems to preserve the state of the system’s hard drive. In this case, though, the image of a critical county desktop computer that DHS examined was not captured until “mid-November” 2016, according to the DHS report released this week. This was at least a week after the Nov. 8 election.
The VR Systems software in question is not used to cast ballots or count votes, so hackers could not have exploited it to directly change vote totals. But the software problems experienced in Durham County pointed to some of the other ways that cyberattacks can interfere with elections — for instance, by blocking voters from the polls and causing long lines that depress turnout.
Cybersecurity experts have become increasingly concerned about the vulnerabilities of the vendors, software suppliers and other election third parties as conduits for hackers to attack critical election systems.
The latest DHS probe did not take another look at VR’s networks. Instead, the investigators looked only at two dozen laptops that Durham County had used as so-called electronic poll books to check in voters at the polls in the 2016 election. The investigation also involved a desktop computer that handled voter-registration records and 21 flash drives that county workers used to transfer those voter records from the desktop computer to the laptops.
The problems in Durham began on Nov. 6, the Sunday before the election, when a county worker found it was taking eight to 10 times longer than normal to transfer that voter data from the desktop computer to 227 flash drives — a problem that a VR Systems employee tried to help troubleshoot the following day by gaining remote access to the desktop computer. If VR Systems had been hacked, the latter could have potentially opened a gateway for the hackers to pass from VR Systems’ network to the county’s computer. On Election Day, some of the laptops being used as electronic poll books crashed or froze or displayed false information, such as incorrectly indicating that a voter had already voted.
The county switched to using paper printouts of the voter rolls to contain the problem, but that solution caused extensive delays at some precincts.
The DHS investigation examined only a subset of the 227 laptops and flash drives the county used in that election; its report indicates that investigators found no malware on the laptops they examined, the USB drives or the county desktop computer and no evidence that malicious code had once been installed and deleted. A DHS official told POLITICO that the agency also found no signs of more sophisticated techniques that skilled attackers might use to cover their tracks.
The DHS investigators also concluded that while Durham’s desktop computer included a software tool that could allow someone to access and control it remotely, the tool had never been used. The report doesn’t explain how they reached that conclusion, though, and Williams said some types of remote-control software make it easy to prevent accurate tracking by deleting a log file.
System administrators normally use remote-access software tools to troubleshoot a system, but its inclusion in a computer used for running elections raised red flags with security experts.
The investigators did find that a screen-sharing tool had been used on the Durham system, but this would have allowed someone only to view the computer’s screen without being able to interact with it. The tool was used in November 2016, according to the report, which suggests that this may have been what VR Systems used as part of its pre-election troubleshooting.
But VR Systems’ access to that system wasn’t the only potential gateway for the Russian hackers to breach the county’s desktop computer that handled voter data. The DHS report indicates that someone using that county computer on Election Day accessed his or her personal Gmail account and also clicked on a website link, using the computer’s browser. If the website had been a malicious one, it could have surreptitiously downloaded malware to the county computer. The DHS report, however, says investigators found no signs in this case that anything was downloaded to the computer from the site or that the site was malicious.
Asked if the state’s board of elections plans to issue new security instructions to counties before the 2020 elections to improve security practices around their election systems, Grant told POLITICO, “We will be sending a detailed security memo to all county boards in the very near future, which is in addition to the current security measures that are in place at both the state and county level.”
Article originally published on POLITICO Magazine