by Sam Biddle, The Intercept:
VOTERS ACROSS THE country were shocked to learn last year, through the disclosure of a top-secret NSA document, details of an intricate plot by Russian military hackers to infiltrate American electoral systems. New emails obtained by The Intercept through public records requests illustrate the disturbing extent to which potential targets of the attack were caught unaware, having apparently remained in the dark alongside the voting public.
On June 5, 2017, The Intercept published a top-secret National Security Agency assessment that detailed and diagramed a Russian governmental plot to breach VR Systems, an e-voting vendor that makes poll book software used by several pivotal electoral battleground states, such as North Carolina and Virginia. The report attributed the scheme to the Russian General Staff Main Intelligence Directorate, or GRU. GRU’s plan, the NSA claimed, was to roll any success with VR Systems into a subsequent email attack against state voting officials across the country.
According to the documents obtained by The Intercept, officials in a handful of crucial swing states were completely unaware that GRU was trying to infiltrate their voting systems — for months and months after the election had taken place. Experts contacted by The Intercept decried a system in which overstretched state officials were in the dark about potential threats. A former official from the Department of Homeland Security told The Intercept on the condition of anonymity that warning about the potential attacks did not filter down to state-level officials in part because of complicated bureaucratic turf wars between the NSA, DHS, and local bodies — all of which were exacerbated because, for the NSA, transmitting word of the cyberattacks down the chain was “not a high priority issue.”
In North Carolina — which had reported widespread, glitchy disruptions on Election Day — key state voting officials clearly were never filled in on the details of the threat they had faced seven months prior. Rather, the officials learned the details in the news along with the rest of the public, without permission or authorization. These emails, obtained via public records request, underscore the total failure of the U.S. government to get information about imminent threats to election infrastructure to the people most affected, and raises the crucial question of why exactly it took roughly seven months for word of a credible attack against the integrity of American elections to reach the very people and systems under threat.
In a June 2017 email to members of North Carolina’s Mecklenburg County Board of Elections, Kimberly Strach, the executive director of the state’s Board of Elections and Ethics Enforcement, made it clear that reports that the county “could have been subject to outside interference during the 2016 general election” were unexpected. She also announced that the state was beginning an “investigation” to “determine if any interference occurred.”
A separate June 15 email from Mecklenburg Commissioner-at-Large Trevor Fuller to Director of Elections Michael Dickerson echoes this uncertainty: “I’d like to know your thoughts about the reporting that a voting system software company whose product that we use was hacked by the Russians,” Fuller asked. “Have we investigated whether this had any impact in Mecklenburg County?” Fuller responded that the county’s IT staff found no GRU emails in Mecklenburg inboxes.
That such investigations into an attempt to compromise a presidential election didn’t even begin until the summer after Election Day is cause for concern, said Susan Greenhalgh, a voting security expert and policy director at the National Election Defense Coalition, an advocacy group. “It’s very troubling,” Greenhalgh told The Intercept, that officials at the state and county levels “only felt compelled to investigate further after it was reported publicly.” Still, Greenhalgh added that she’s heard complaints of inadequate or untimely intelligence-sharing “again and again” from state election officials.
A spokesperson for North Carolina’s Ethics Board confirmed that it didn’t begin any investigation until after the NSA report was made public because the state’s voting officials were never informed of the GRU threat in advance. “At the time, the information-sharing was not as good as it is now,” this spokesperson added. “The State Board of Elections & Ethics Enforcement now has a great working relationship with our federal partners at the Department of Homeland Security.”
NORTH CAROLINA WASN’T alone. In Virginia, another state that used VR Systems poll book software on Election Day, officials also appeared to be in the dark about what was revealed in the NSA report. On June 16, about a week after the NSA report was published, the Virginia Department of Elections’ Chief Information Officer Matthew Davis emailed the Department of Homeland Security “looking for some guidance” on the situation. “We are one of the states that uses VR Systems for electronic pollbooks,” Davis wrote. “Are there any steps that we need to be taking?” Given the particular nastiness of the malware that GRU hackers had tried to spread at the state level, if Davis or any of his colleagues had been successfully infected, they would have been rather far beyond the point of taking any protective “steps.” Nonetheless, Homeland Security didn’t have much to share, noting that the agency was still “working with partners to assess the intelligence and provide information out to you all.”
Even once news of the GRU attack arrived in Virginia, election officials remained unsure if they had even been victims — in a July 2017 email conversation between former Virginia Commissioner of Elections Edgardo Cortés and spokesperson Andrea Gaines, the two discussed how to respond to an Associated Press reporter asking if the state had been breached by the hackers. Gaines suggests telling the reporter that “there were no breaches discovered.” Cortés’s reply doesn’t inspire much confidence: “We need something a little broader … cause it’s more ‘as far as we know’ sort of situation.”