Was North Carolina's election system hacked in 2016?
The Department of Homeland Security has finally agreed to examine election equipment used in North Carolina, nearly three years after voters reported malfunctions on Election Day in 2016, Politico reports.
In April, special counsel Robert Mueller wrote in his report that Russian military hackers had penetrated a voting software firm and “installed malware on the company network” of an unidentified election vendor. That vendor appears to be VR Systems, a Florida-based firm that Politico reports used remote access software to access a central computer in Durham County, North Carolina. DHS has agreed to send investigators to see whether the firm exposed that central computer to the hackers.
Hackers would not have been able to alter vote tallies, but could potentially have prevented people from voting in the key swing state. Computers used to check in voters in Durham County malfunctioned on Election Day 2016, telling voters that they had already voted even though they had not, NPR reported.
“Vulnerabilities in voting machines get most of the attention, but the security and availability of poll books is as critical to the integrity of elections as voting machines themselves,” election security expert Matt Blaze told Politico. “If poll books are compromised, this can selectively disenfranchise voters, create long lines at polling places, and cast doubt on the legitimacy of election results.”
The county switched to using paper poll books after numerous reports of malfunctions but officials never identified what had caused the issues in 2016, finally leading DHS to agree to review the computers nearly three years later.
Homeland Security officials told the Washington Post they plan to conduct a forensic analysis on the laptops used in Durham County. Josh Lawson, former general counsel of the North Carolina State Board of Elections, told the Post that his agency had requested a DHS review more than 18 months ago.
The DHS announcement came just weeks after the FBI came under fire for not sharing information with Florida officials about another alleged hack. After Mueller’s report revealed that Russian hackers accessed “the network of at least one Florida county government in 2016,” the FBI finally told Florida Gov. Ron DeSantis that two Florida counties had been hacked, but asked him not to disclose which ones. The Post reported last month that one of the counties was Washington County in the Florida panhandle, which is rural and sparsely populated.
VR Systems admitted to the Post that “we think we are the company referenced” in the Mueller report but denied that its network was breached or that its software had failed in Durham County.
But according to a leaked report by the National Security Agency, Russian hackers mounted a spearphishing campaign targeting the firm before using VR Systems credentials to send malicious emails to roughly 120 local government offices.
More than 60 Florida counties used VR Systems in 2016, as did counties in North Carolina, California, New York, Illinois, Indiana, Virginia and West Virginia.
Sen. Ron Wyden, D-Ore., told Politico that VR Systems had served up “our democracy on a silver platter to foreign hackers” by remotely accessing voting systems the day before Election Day.
“No company that plays such a critical role in our elections should be taking such a reckless shortcut with the cybersecurity of its state and local customers,” he said. "The fact that we’re just learning about this practice two years after the election, and after any evidence of hacking has likely been destroyed, is inexcusable. Americans need to know if VR Systems still has remote access to election computers in other states, and how often this occurred.”