The calls started flooding in from hundreds of irate North Carolina voters just after 7 am on Election Day last November.
Dozens were told they were ineligible to vote and were turned away at the polls, even when they displayed current registration cards. Others were sent from one polling place to another, only to be rejected. Scores of voters were incorrectly told they had cast ballots days earlier. In one precinct, voting halted for two hours.
Susan Greenhalgh, a troubleshooter at a nonpartisan election monitoring group, was alarmed. Most of the complaints came from Durham, a blue-leaning county in a swing state. The problems involved electronic poll books — tablets and laptops, loaded with check-in software, that have increasingly replaced the thick binders of paper used to verify voters’ identities and registration status. She knew that the company that provided Durham’s software, VR Systems, had been penetrated by Russian hackers months before.
“It felt like tampering, or some kind of cyberattack,” Greenhalgh said about the voting troubles in Durham.There are plenty of other reasons for such breakdowns — local officials blamed human error and software malfunctions — and no clear-cut evidence of digital sabotage has emerged, much less a Russian role in it. Despite the disruptions, a record number of votes were cast in Durham, following a pattern there of overwhelming support for Democratic presidential candidates, this time Hillary Clinton.
But months later, for Greenhalgh, other election security experts and some state officials, questions still linger about what happened that day in Durham as well as other counties in North Carolina, Virginia, Georgia and Arizona.
After a presidential campaign scarred by Russian meddling, local, state and federal agencies have conducted little of the type of digital forensic investigation required to assess the impact, if any, on voting in at least 21 states whose election systems were targeted by Russian hackers, according to interviews with nearly two dozen national security and state officials and election technology specialists.
The assaults on the vast back-end election apparatus — voter-registration operations, state and local election databases, e-poll books and other equipment — have received far less attention than other aspects of the Russian interference, such as the hacking of Democratic emails and spreading of false or damaging information about Mrs. Clinton. Yet the hacking of electoral systems was more extensive than previously disclosed, The New York Times found.
Beyond VR Systems, hackers breached at least two other providers of critical election services well ahead of the 2016 voting, said current and former intelligence officials, speaking on condition of anonymity because the information is classified.
Intelligence officials in January reassured Americans that there was no indication that Russian hackers had altered the vote count on Election Day, the bottom-line outcome. Government officials said that they intentionally did not address the security of the back-end election systems, whose disruption could prevent voters from even casting ballots.
That’s partly because states control elections; they have fewer resources than the federal government but have long been loath to allow even cursory federal intrusions into the voting process.
That, along with legal constraints on intelligence agencies’ involvement in domestic issues, has hobbled any broad examination of Russian efforts to compromise American election systems. Those attempts include combing through voter databases, scanning for vulnerabilities or seeking to alter data, which have been identified in multiple states. Current congressional inquiries and the special counsel’s Russia investigation have not focused on the matter.
“We don’t know if any of the problems were an accident, or the random problems you get with computer systems, or whether it was a local hacker, or actual malfeasance by a sovereign nation-state,” said Michael Daniel, who served as the cybersecurity coordinator in the Obama White House. “If you really want to know what happened, you’d have to do a lot of forensics, a lot of research and investigation, and you may not find out even then.”
In interviews, academic and private election security experts acknowledged the challenges of such diagnostics but argued that the effort is necessary. They warned about what could come, perhaps as soon as next year’s midterm elections, if the existing mix of outdated voting equipment, haphazard election-verification procedures and array of outside vendors is not improved to build an effective defence against Russian or other hackers.
In Durham, a local firm with limited digital forensics or software engineering expertise produced a confidential report, much of it involving interviews with poll workers, on the county’s election problems. The report was obtained by The Times, and election technology specialists who reviewed it at the Times’ request said the firm had not conducted any malware analysis or checked to see if any of the e-poll book software was altered, adding that the report produced more questions than answers.
Neither VR Systems — which operates in seven states beyond North Carolina — nor local officials were warned before Election Day that Russian hackers could have compromised their software. After problems arose, Durham County rebuffed help from the Department of Homeland Security and Free & Fair, a team of digital election-forensics experts who volunteered to conduct a free autopsy. The same was true elsewhere across the country. “I always got stonewalled,” said Joe Kiniry, the chief executive and chief scientist at Free & Fair.
Still, some of the incidents reported in North Carolina occur in every election, said Charles Stewart III, a political scientist at the Massachusetts Institute of Technology and an expert on election administration.
“Election officials and advocates and reporters who were watching most closely came away saying this was an amazingly quiet election,” he said, playing down the notion of tampering. He added, though, that the problems in Durham and elsewhere raise questions about the auditing of e-poll books and security of small election vendors.
Greenhalgh shares those concerns. “We still don’t know if Russian hackers did this,” she said about what happened in North Carolina. “But we still don’t know that they didn’t.”
Disorder at the polls
North Carolina went for Donald J Trump in a close election. But in Durham County, Hillary Clinton won 78 per cent of the 156,000 votes, winning by a larger margin than President Barack Obama had against Mitt Romney four years earlier.
While only a fraction of voters were turned away because of the e-poll book difficulties — more than half of the county cast their ballots days earlier — plenty of others were affected when the state mandated that the entire county revert to paper rolls on Election Day. People steamed as everything slowed. Voters gave up and left polling places in droves — there’s no way of knowing the numbers, but they include more than a hundred North Carolina Central University students facing four-hour delays.
At a call centre operated by the monitoring group Election Protection, Greenhalgh was fielding technical complaints from voters in Mississippi, Texas and North Carolina. Only a handful came from the first two states.
Her account of the troubles matches complaints logged in the Election Incident Reporting System, a tracking tool created by nonprofit groups. As the problems mounted, The Charlotte Observer reported that Durham’s e-poll book vendor was Florida-based VR Systems, which Ms. Greenhalgh knew from a CNN report had been hacked earlier by Russians. “Chills went through my spine,” she recalled.
The vendor does not make the touch-screen equipment used to cast or tally votes and does not manage county data. But without the information needed to verify voters’ identities and eligibility, which county officials load onto VR’s poll books, voters cannot cast ballots at all.
Details of the breach did not emerge until June, in a classified National Security Agency report leaked to The Intercept, a national security news site. That report found that hackers from Russia’s military intelligence agency, the G.R.U., had penetrated the company’s computer systems as early as August 2016, then sent “spear-phishing” emails from a fake VR Systems account to 122 state and local election jurisdictions. The emails sought to trick election officials into downloading malicious software to take over their computers.
© 2017 The New York Times News Service