Not So Fast: Vendor Vigorously Disputes NC’s Suggestion It Was Hacked
[Image via imgflip]
E-pollbook vendor VRSystems is vigorously pushing back against a suggestion by the North Carolina State Board of Elections, drawing on the recently-released Mueller Report, that it was hacked during the 2016 election. WRAL has more:
A vendor that supplies electronic pollbook software for more than a dozen North Carolina counties is disputing “misleading insinuations” by state elections officials about whether it’s the company named in the Mueller report as the victim of a 2016 Russian hacking operation.
The statements from the Florida-based VR Systems come just days after the State Board of Elections sent the firm a letter requesting “immediate written assurance”regarding the security of its network. VR Systems supplies e-pollbook software called EViD to 17 North Carolina counties for use on Election Day.
In a redacted version of his report released last week by the U.S. Department of Justice, Special Counsel Robert Mueller wrote that in August 2016, officers with Russia’s military intelligence agency targeted a “a voting technology company that developed software used by numerous U.S. counties to manage voter rolls, and installed malware on the company network.”
The name of the company was redacted.
State officials are essentially acting on a series of reports that suggest VRSystems was targeted – some of which the company reported previously but strenuously denying a deeper compromise:
But elections officials noted that an unnamed elections vendor was also referenced in a 2017 indictment of 12 Russian nationals, and that VR Systems was specifically identified as a target of Russian intelligence in a report leaked to The Intercept in 2017.
The letter from state elections officials last week sought to find out whether VR Systems was the company in question – and whether its claims in court filings that EViD had not been breached were still true.
In the company’s letter to the board [available here], attorney Michael Weisel wrote that VR Systems “was not breached during a phishing attempt” and that its previous statements about the security of its systems remained accurate.
“Since VR Systems first alerted the Federal Bureau of Investigation in August 2016 of an attempted spearphishing attack, to VR Systems’ knowledge, EViD has never been hacked,” Weisel wrote.
But he also told elections officials the company “has no independent knowledge and is unable to confirm or deny” whether it is the company referenced in the Mueller Report.
“Neither the FBI, the Department of Homeland Security, nor the National Security Agency has ever contacted VR Systems as to these specific ‘hacking’ incidents,” Weisel wrote.
By phone Monday afternoon, Weisel added that the EViD system “is totally separate from any of these presumed hacking attacks.”
He said he was unable to speculate whether the Mueller report’s assertion about the unnamed company’s compromised network was accurate – or whether it referred to another vendor.
“We can’t make any statement about it, because we don’t know,” Weisel said.
As for the Mueller report itself, Weisel said the document didn’t concern the leadership of the company because it revealed “nothing new.”
After contacting the FBI, the company’s letter said it has been proactive in its efforts to search for malicious activity. It pointed out that a risk and vulnerability assessment from the Department of Homeland Security “found no indications of a breach of any kind.”
VRSystems also notes that some of the issues encountered in North Carolina were the results of human error on the client side, not the company’s:
The company’s response Monday specifically addressed issues in Durham County in 2016, when election workers were forced to switch to paper poll books after experiencing software problems that slowed down voting in some precincts.
Durham uses VR Systems’ EViD software, and State Board of Elections spokesman Pat Gannon said last week that the company “did not immediately explain the cause of the issues.” A report from a forensics firm hired by the county, Gannon said, was inconclusive.
Weisel said those statements were “patently false,” and wrote that a third-party report found it wasn’t the software that failed on Election Day.
“‘It appears that certain steps were not taken to verify all laptops were properly prepared for the November election,'” Weisel wrote, quoting from the report. “Durham County election board workers handled laptop preparation, not VR Systems.”
Gannon noted last week that State Board of Elections investigators still believe user error was responsible for the issues in 2016.
“However, the agency’s review to date, including questions posed to VR Systems, has not conclusively determined the cause, in part because the agency lacks the necessary technical expertise to forensically analyze the computers used in Durham County, and other government agencies declined the agency’s requests to evaluate them,” Gannon said in a statement last week.
The company is also going on the offensive against the state board, arguing that the agency itself has failed to address its own security posture or respond to the vendor’s efforts to diagnose the problem:
In an email to WRAL News Monday afternoon, Weisel said his letter on behalf of VR Systems attempts to correct “misleading insinuations” by State Board of Elections General Counsel Josh Lawson “widely transmitted by the media.”
Weisel’s letter took specific aim at the board, accusing its leadership of rejecting offers by the company to pay for forensic investigations and refusing to answer questions about the agency’s own security.
Gannon declined to comment on the letter from VR Systems Monday afternoon.
This matter is the unfortunate consequence of the use of redactions in the Mueller Report; while previous reporting suggests that VRSystems is the company named, there is simply no way to know until the full report is released – and the company is insisting, based on its own investigations and cooperation with federal authorities, that it is not a source of vulnerability to its clients in the Tar Heel State. Given the sensitivity of the matter – and the fact that it’s North Carolina – I wouldn’t expect this controversy to subside anytime soon. Stay tuned …