Federal review finds no evidence hacking caused 2016 Durham election problems

The Department of Homeland Security reviewed multiple computers and USB drives and found "no artifacts suggesting malware."

Travis Fain, WRAL statehouse reporter

RALEIGH, N.C. — A U.S. Department of Homeland Security review found no evidence that hacking caused the 2016 election problems that forced Durham County to shut down electronic poll books on Election Day, the State Board of Elections said Monday in a joint statement with Durham's board of elections.
The report, months in the making, is "compelling evidence that there were no cyberattacks impacting the 2016 election in Durham," Durham County Board of Elections Chairman Philip Lehman said in the joint statement.
The state released a heavily redacted version of the 12-page report late Monday afternoon. In it, federal cybersecurity experts say they "did not conclusively identify any threat actor activity," but that aspects of the state's election security could be improved. Most of these recommendations are redacted for security reasons, but Lehman said in his statement that the county has already "implemented additional training, security measures and staffing changes" since 2016.

State elections director Karen Brinson Bell said the state is working with county boards and the federal government "to improve security at every step in the voting process."

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency said it assessed 24 Durham ePollbook laptops, 21 USB drives and two images of a desktop computer used to download voter registration information from state servers for transfer onto the USB drives during the 2016 election cycle. Those drives got plugged into the poll books, and election officials planned to use the poll books to check voters in at precinct sites on Election Day.

They abandoned that strategy in favor of paper copies when the poll books malfunctioned, which caused delays.

None of this affected separate systems used to tally votes, but concerns have lingered that the poll book malfunctions resulted from foreign attempts at election hacking, and references in special counsel Robert Mueller's report and other federal documents suggested the poll books' software provider was targeted by Russian military intelligence.

The software maker has said it was never hacked, and state and local election officials have repeatedly said they believed the 2016 issues in Durham were due to human error. A security firm hired earlier to investigate didn't come back with a definitive answer.

In their report, federal investigators said they found "no artifacts suggesting malware on or remote access to EPollbooks" and "no artifacts suggesting malware" on the USB drives.

From the desktop computer imaging they found "artifacts indicating that screen sharing and file transferring occurred" on Election Day, but they "did not find artifacts suggesting remote access (remote ability to manipulate systems or modify data) to the device occurring on or before that date."

State Board of Elections spokesman Pat Gannon said in an email Monday that screen sharing "could happen for a number of reasons" and that this may have been between internal staff or with a system vendor.

Investigators also said someone made an FTP connection and uploaded a file using this desktop computer on Election Day, and that someone accessed a personal Gmail account on it, but there's no indication anything was downloaded onto the computer. Gannon said the file transfer was to the State Board of Elections, which is common on Election Day.

The federal "Hunt and Incident Response Team" that handled this review "did not positively identify any threat actors or malware on the DCBoE systems provided for analysis," the report concludes.

"Additionally, HIRT did not identify remote access to the systems under analysis during the election timeframe," it states. "HIRT did identify several areas where defense-in-depth protections and system configurations could be improved."

Several pages of the report are fully redacted, and Gannon said the blackouts were made with guidance from the State Board of Elections' legal team, cybersecurity staff and consultants and with approval from the Cybersecurity and Infrastructure Security Agency.

The report is dated Oct. 23, and Gannon said the state board received it from Durham County on Nov. 23. It was released to reporters shortly before 5 p.m. Monday.

"The report had to be read, digested and redacted for sensitive security and other confidential information," Gannon said in explaining the delay. "We wanted to be careful that we did not release any information that could put the State Board or any counties at risk of a cyberattack in the future."


Copyright 2024 by Capitol Broadcasting Company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.