An attempt by Russian hackers to infiltrate an obscure Florida elections technology company is igniting concerns about whether the small industry is vulnerable to attacks that could undermine confidence in election results.
Russian hackers apparently targeted employees of Tallahassee, Fla.-based VR Systems with phishing attacks to swipe their computer log-in credentials, then impersonated the company’s workers by sending emails with nefarious attachments to local governmental officials, according to a National Security Agency document leaked to news site The Intercept. The NSA concluded it was “likely” that at least one of the employees’ accounts was compromised.
“We have seen no reports of attacks against voting machine vendors and vendors that program ballots for those machines, but it would be naïve to think it’s not a possibility that there would be attempts to do that,” said Lawrence Norden, deputy director of New York University School of Law Brennan Center for Justice’s Democracy Program.
The episode highlights a vulnerability that technological advances in voting have introduced to an institution considered vital to a healthy democracy.
The entire election tech industry has about $300 million in annual revenue and has made few substantive advancements over the last decade, a March report by the Penn Wharton Public Policy Initiative at the University of Pennsylvania and the OSET Institute estimates. By comparison, tech giant Apple reaps that much revenue in about half a day.
“The industry that provides the hardware and software for the election process has been scarcely studied and often is opaque, even to election administrators, policymakers and representatives at other governmental and non-governmental organizations that support or directly participate in the election process,” the Wharton researchers, led by Lorin Hitt, said in their report.
Three companies — Election Systems & Software, Dominion Voting Systems and Hart InterCivic — control about 92% of the market, according to the Wharton report. With 44% market share, ES&S is the largest player and has about 460 employees. Representatives of ES&S and Dominion did not respond to requests seeking comment for this story. Hart InterCivic declined to comment.
Norden of the Brennan Center said the voting technology sector’s opacity is pervasive, leaving open questions about the security of current technology.
“As big a problem as it is that the voting machine industry is opaque, there’s an even bigger problem with the industry around voter registration being in the dark,” he said. “Because it’s so opaque we don’t know what they’ve adopted and what they haven’t.”
Employee-owned VR Systems creates software that helps local governments, including most of swing-state Florida’s 67 supervisors of elections offices, track voter registration information.
The Florida Department of State said it had identified no security breaches during the 2016 election. The state’s online elections databases and voting systems remained secure throughout 2016 with “multiple safeguards in place to protect against election fraud,” said Sarah Revell, spokeswoman for Secretary of State Ken Detzner.
But the VR Systems incident — in addition to a second phishing attempt in which hackers impersonated another publicly unidentified election company — puts enormous pressure on small election companies with limited wherewithal to fend off international cyber security intrusions.
U.S. investigators have concluded that Russian hackers attempted to influence the 2016 election in favor of now-President Trump through cyber means, though allegations of voter fraud haven’t been proven.
VR Systems does not tabulate or maintain actual election results, meaning the impact of the alleged Russian attack was likely limited to any leverage the attackers could gain by impersonating the company’s employees in their attempt to gain access to governmental networks.
“When a customer alerted us to an obviously fraudulent email purporting to come from VR Systems, we immediately notified all our customers and advised them not to click on the attachment,” VR Systems CEO Mindy Perkins said in a statement. “We are only aware of a handful of our customers who actually received the fraudulent email and of those, we have no indication that any of them clicked on the attachment or were compromised as a result.”
Most voter registration data is public, so accessing it is of limited utility. Still, once hackers have gained access to a network, they can use that foothold to grab a broader swath of data or alter records.
That’s why it’s ultimately critical to ensure that the system relies on paper ballots that are digitally counted and thus can be hand-checked if necessary to confirm results, said Susan Greenhalgh, elections specialist at the Verified Voting Foundation, an organization that advocates for the integrity of elections.
“You’re never going to be able to create one 100% secure computerized system that can’t be attacked,” she said, adding that lawmakers should adopt policy forcing elections technology companies to disclose when they’ve been hacked.
VR Systems was founded in 1992 by David and Jane Watson of Tallahassee, in part to help the Leon County Supervisor of Elections Office move its voter registration data from the county’s mainframe to a custom-made system. It sold its first system to Leon County the following year.
The company created and patented an electronic poll book system designed to replace old paper systems at polling locations and speed up voter check-ins. The Electronic Voter Identification system, known as EViD, is in use in more than 50 Florida counties, including Leon, Broward and Miami-Dade. The company, which became employee-owned in 2010, serves clients in more than a dozen states.
In Indiana, where six counties used VR Systems technology during the 2016 election, the Secretary of State’s office said it had not been contacted by the FBI or VR Systems about a possible problem with election results.
“We think we would have noticed if there was an issue,” said Vallerie Warycha, spokeswoman for Secretary of State Connie Lawson.
Floyd County Clerk Christy Eurton said VR Systems’ work there only involved its voter registration system, which is used to check in voters at the polling place. The system was not tied to voting machines.
In Brevard County, Fla., the Supervisor of Elections office uses VR Systems for its voter registration system, including for voter check-in procedures at the polls. The office has no record of receiving emails from the bogus address created by hackers to infiltrate local governments.
“There is no indication or record of any attempt to illegally access Brevard County voter information,” Brevard County Supervisor of Elections Lori Scott said in a statement. “Our election tabulation system is a closed system, with no direct access to the internet. Every election is verified with a post-election audit conducted where votes tabulated are verified against your paper ballot, as prescribed by state law.”
Contributing: Indianapolis Star reporters Kaitlin Lange and Elena Mejia Lutz; Florida Today reporter Dave Berman; News-Press reporter Bill Smith; Pensacola News Journal reporter Jim Little.
Follow USA TODAY reporter Nathan Bomey on Twitter @NathanBomey.