From Politico: How Close Did Russia Really Come to Hacking the 2016 Election? <read>
Why does what happened to a small Florida company and a few electronic poll books in a single North Carolina county matter to the integrity of the national election? The story of Election Day in Durham—and what we still don’t know about it—is a window into the complex, and often fragile, infrastructure that governs American voting…The infrastructures around voting itself—from the voter registration databases and electronic poll books that serve as gatekeepers for determining who gets to cast a ballot to the back-end county systems that tally and communicate election results—are provided by a patchwork of firms selling proprietary systems, many of them small private companies like VR Systems. But there are no federal laws, and in most cases no state laws either, requiring these companies to be transparent or publicly accountable about their security measures or to report when they’ve been breached. They’re not even required to conduct a forensic investigation when they’ve experienced anomalies that suggest they might have been breached or targeted in an attack.
And yet a successful hack of any of these companies—even a small firm—could have far-flung implications.
But VR Systems doesn’t just make poll book software. It also makes voter-registration software, which, in addition to processing and managing new and existing voter records, helps direct voters to their proper precinct and do other tasks. And it hosts websites for counties to post their election results. VR Systems software is so instrumental to elections in some counties that a former Florida election official said that 90 percent of what his staff did on a daily basis to manage voters and voter data was done through VR Systems software…
The company’s expansive reach into so many aspects of election administration and into so many states—and its use of remote access to gain entry into customer computers for troubleshooting—raises a number of troubling questions about the potential for damage if the Russians (or any other hackers) got into VR Systems’ network—either in 2016, or at any other time. Could they, for example, alter the company’s poll book software to cause the devices to malfunction and create long delays at the polls? Or tamper with the voter records downloaded to poll books to make it difficult for voters to cast ballots—by erroneously indicating, for example, that a voter had already cast a ballot, as voters in Durham experienced? Could they change results posted to county websites to cause the media to miscall election outcomes and create confusion? Cybersecurity experts say yes. In the case of the latter scenario, Russian hackers proved their ability to do precisely this in Ukraine’s results system in 2014.
Apparently NC is not the only suspicious incident related to VR Systems, and perfect for one Russian M.O.:
An incident in Florida in 2016 shows what this kind of Election Day confusion might look like in the U.S. During the Florida state primary in August 2016—just six days after the Russians targeted VR Systems in their phishing operation—the results webpage VR Systems hosted for Broward County, a Democratic stronghold, began displaying election results a half hour before the polls closed, in violation of state law. This triggered a cascade of problems that prevented several other Florida counties from displaying their results in a timely manner once the election ended…
If an attacker is inside VR Systems’ network or otherwise obtains the VPN credentials for a VR Systems employee, he can potentially remotely connect to customer systems just as if he were a VR Systems employee. When it comes to Russian hacking, this threat is not theoretical: It is precisely how Russian state hackers tunneled into Ukrainian electric distribution plants in 2015 to cause a power outage to more than 200,000 customers in the middle of winter.
VR Systems was likely successfully hacked:
The Mueller report goes a step further. It says that not only did Russian hackers send phishing emails in August 2016 to employees of “a voting technology company that developed software used by numerous U.S. counties to manage voter rolls,” but the hackers succeeded in installing malware on the unidentified company’s network. The Mueller investigators write: “We understand the FBI believes that this operation enabled the GRU [Russia’s military intelligence service] to gain access to the network of at least one Florida county government.”… Since the Mueller report was published earlier this year, it has been confirmed that two Florida counties were hacked by the Russians after receiving phishing emails…
It is possible that the reports from Mueller and the NSA are wrong, and that their authors—with no firsthand knowledge of events and with limited details about what occurred—mistakenly concluded that the phishing campaign against VR Systems was successful…
The fact that so many significant questions about VR Systems remain unanswered three years after the 2016 election undermines the government’s assertions that it’s committed to providing election officials with all of the timely information they need to secure their systems in 2020. It also raises concerns that the public may never really know what occurred in 2016.
It's a long article, well worth reading. There are many details supporting and going beyond what we have highlighted here.
***** Update from Kim Zetter 1/02/2020: Election probe finds security flaws in key North Carolina county but no signs of Russian hacking <read>
“Absence of evidence shouldn’t be mistaken for evidence of absence,” said Susan Greenhalgh, vice president of policy and programs for National Election Defense Coalition. “I would hope the lesson learned here is that we need to be vigilant about irregularities from their onset … and promptly initiate investigations to rule out malicious cyber events.”













