@NCCapitol

In wake of Mueller report, NC elections officials want answers from electronic pollbook vendor

Posted April 18, 2019 10:19 p.m. EDT
Updated April 22, 2019 6:11 p.m. EDT

North Carolina elections officials want to know whether an unnamed voting technology company that Robert Mueller's report says was compromised by Russian hackers is the same firm that supplies poll book software to more than a dozen counties across the state.

In a letter to VR Systems sent Thursday afternoon, State Board of Elections General Counsel Josh Lawson asked the company to provide "immediate, written assurance" about the security of its products, which came under fire two years ago when a leaked intelligence report named the company as the target of a Russian hacking attempt known as "spearphishing."

Mueller's report, released in a redacted form Thursday morning, notes that, in August 2016, Russian intelligence officers targeted a "voting technology company that developed software used by numerous U.S. counties to manage voter rolls," installing malicious code on the company's network.

The name of the firm is blacked out due to "personal privacy" exemptions.

Lawson said, based on the leaked intelligence report and a separate 2017 federal indictment, that VR Systems was a target of the GRU, the Russian military intelligence agency.

But if the company is in fact the one referenced in the Mueller report, Lawson said, it will be the first acknowledgement that hackers were actually successful in compromising the firm's network.

That's important because 17 counties use the company's EViD electronic poll book software on Election Day. The list includes Durham County, which in 2016 experienced software issues that forced poll workers to switch to paper poll books.

State Board of Elections spokesman Pat Gannon said VR Systems failed to immediately explain what happened. When Durham County hired a digital forensics firm to investigate, its report was inconclusive.

The leaked report in 2017, however, prompted elections officials to try to revoke the company's certification, a move that VR Systems successfully fought in court.

In those court filings, elections officials asked VR Systems if it "ever experienced a breach of security regarding EViD." The company's answer: No.

"If there was knowledge of any type of breach and the answer was a two letter answer - 'no' - we need to know why," Lawson said Thursday evening.

In his letter to VR Systems Chief Executive Mindy Perkins, Lawson asks the company to confirm whether it's the one named in the redacted report, whether VR Systems' past statements about its security remain accurate and how secure its systems are going forward.

"If they continue to expect to operate in North Carolina, it's necessary that the board understand their present security," Lawson said.

The company has already told the elections board it expects to respond by early next week.

In a public statement Thursday afternoon, VR Systems said Mueller's report included details "that have been known for several years about the spearphishing attempts made during the 2016 election period."

"Immediately after the spearphishing attempt, VR Systems implemented a comprehensive program to ensure integrity in elections," Chief Operating Officer Ben Martin said in the statement. "This included engaging a leading global cyber security firm to consult, test and monitor VR’s systems and servers and a host of best practices and training with employees and customers."

The statement stops short of acknowledging whether the company is the unnamed vendor in the Mueller report.

Electronic poll book software poses a particular vulnerability in the voting process, Lawson said, because inaccurate information or malfunctioning software can mean longer lines or provisional voting, which can delay the ballot-counting process and discourage voters.

In a statement Thursday evening, Gannon said elections investigators believe "user error" by Durham County poll workers contributed to the voting issues in 2016. But he said that's not conclusive, "in part because the agency lacks the necessary technical expertise to forensically analyze the computers used in Durham County, and other government agencies declined the agency’s requests to evaluate them."

Lawson said he hopes the company's response will provide clarity.

"That file has not been closed," Lawson said. "There are plausible explanations, but they do not fully explain why what happened happened."