It’s been a tough couple of years for the business of voting.
There’s the state that discovered a Russian oligarch now finances the company that hosts its voting data.
Then there’s the company that manufactures and services voter registration software in eight states that found itself hacked by Russian operatives leading up to the 2016 presidential election.
And then there’s the largest voting machine company in the country, which initially denied and then admitted it had installed software on its systems considered by experts to be extremely vulnerable to hacking.
Private companies play a crucial role in elections, from printing and designing ballots, to manufacturing voting machines, to hosting results websites. The industry exists because the local and state governments who run elections don’t have the resources or expertise to maintain all aspects of an election themselves.
As the United States grapples with how to make its elections more secure, the voting industry’s security practices are under scrutiny like never before.
“Election officials have been doing a ton around election security, but if that same thing isn’t going on at the vendor level, then that creates a really big potential vulnerability for the entire system,” said Edgardo Cortéz, an election security adviser for the Brennan Center, and a former Virginia elections official.
A buyout brings suspicious news
In 2015, a company called The Sidus Group was purchased by another company called ByteGrid.
The state of Maryland had been contracting with Sidus to hold much of the state’s voting data, including its online voter registration system and its election night results website. After the buyout, nothing really changed, according to Maryland Deputy Elections Administrator Nikki Charlson.
“The team members were the same,” she said.
This past July however, Charlson got some surprising news.
The FBI organized briefings with elections officials and politicians in the state to let them know that ByteGrid is financed by AltPoint Capitol Partners, whose fund manager is Russian and whose largest investor is a Russian oligarch, Vladimir Potanin.
“Who would’ve thought? I mean, we were obviously very cyber aware, doing all the best practices for I.T. systems and that, but who would’ve thought?” said Charlson. “That’s out of a Tom Clancy novel, right?”
While there’s no evidence any votes cast or registrations in the state were affected, and ByteGrid emphasizes its investors have no involvement or role in its operations, Maryland is considering whether to end its contract with the company.
“We’re looking at all options,” Charlson said, before adding that she would be asking about the financial ties of any companies the state decides to contract with going forward.
The Florida breach
An NSA document leaked last year to The Intercept, detailed how Russian operatives hacked a Florida election vendor, VR Systems, that sells and maintains voter registration software.
After the document surfaced, the company denied that Russia gained access, including in an interview with NPR.
“Some emails came into our email account that we did not open. Even though NSA says it’s likely that we opened them, we did not,” said company executive Ben Martin in a June 2017 interview. “We know for a fact they were never opened. They did not get into our domain.”
But an indictment filed in July 2018 by special counsel Robert Mueller’s office says Russian operatives “hacked into the computers of a U.S. vendor that supplies software used to verify voter registration information for the 2016 U.S. elections.”
The details in the indictment match up with what was laid out in the NSA document. The hackers used an email address designed to look like a VR Systems email address to send over 100 phishing emails containing malware to “organizations and personnel involved in administering elections in numerous Florida counties.”
Transparency isn’t a given
One of the industry’s strongest critics is Sen. Ron Wyden, D-Ore., who says voting equipment makers don’t take cybersecurity seriously.
“These companies want to be gatekeepers of our democracy, but they seem completely uninterested in safeguarding it,” he said at a Senate Rules Committee hearing this summer.
Since last October, Wyden has gone back and forth with the largest manufacturer of voting equipment in the country, Election Systems and Software, or ES&S, about security holes in its equipment.
More than 50 percent of the registered voters in the U.S., vote on ES&S equipment, according to the company. While election officials argue that the decentralized way the U.S. conducts elections makes it incredibly susceptible to disruption, a company like ES&S could provide a more appealing target, because its equipment is used in 41 states.
There’s no evidence of a successful attack against the company, but nonetheless ES&S’s practices have come under harsh criticism.
In February, the New York Times reported that ES&S installed remote access software on machines it sold in the mid-2000s, which the company denied. Experts consider that sort of software vulnerable to hackers because it leaves a virtual ‘back door’ into the machines.
“None of the employees who reviewed this response, including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software,” the company told The Times.
But after Wyden asked about it, the company revealed that it had provided the software for a “small number of customers.” The company didn’t provide Wyden specifics however, despite his explicit requests for them.
“If [elections companies] are going to have such a broad berth in the American elections system, the public has a right to know if they are addressing basic questions of cyber security,” said Wyden.
In an interview with NPR, ES&S Vice President Kathy Rogers said around 300 voting jurisdictions were provided the software, which helped the company provide IT support. She added that it wasn’t installed by the company after 2007, and stressed that it was never installed on machines that tabulated votes.
The software was used on election-management systems, not voting machines, and are used to program voting machines and to aggregate and report final results.
The challenge public officials is that they have visibility into the companies’ practices. Like most other industries, there’s no requirement companies even publicly say if they’ve had a security breach.
ES&S is taking steps to reassure its critics.
The company’s new security chief, Chris Wlaschin, says ES&S will soon become the first election vendor to install an Albert sensor, which many governments use to monitor cyber threats and share information with the Department of Homeland Security.
The company now also requires two-factor authentication for elections officials who access the company’s systems.
Wlaschin also directly said the company has not been successfully attacked at any point in the past.
“There has not been an incident going back as far as anyone there that I have communicated with,” Wlaschin said.
For now, voters will just have to take his word on that.