Voting in the United States is highly decentralized—and in many ways that’s a good thing when it comes to security. Having different regions operate their own elections and count their own votes makes it harder for someone to forge, compromise, or change a large number of votes all at once. But that decentralization also means that individual states, counties, or districts are often free to make bad decisions about what kind of voting technology to use—and it’s surprisingly hard to stop them. Earlier this week, North Carolina’s state elections board made a last-ditch attempt to convince a judge to prohibit counties in the state from using voting software manufactured by VR Systems on the grounds that the board hadn’t officially certified the software since 2009. On Monday—the day before Election Day—that attempt failed when Superior Court Judge Paul Ridgeway declined to intervene.
The situation in North Carolina highlights just how hard it is to make progress securing elections at the state level even at a moment when there’s more interest in and attention to state election security than ever before. Much of that interest stems from reports of Russian attempts to infiltrate and compromise the voting infrastructure of 21 states in the lead-up to the 2016 election. According to the Intercept, VR Systems—the electronic voting company North Carolina’s election board was concerned about—was the target of a series of phishing attempts that were intended to enable Russian hackers to impersonate a voting software vendor and distribute malware to local election officials. Besides, five Durham County precincts experienced problems with VR Systems software in 2016 and were ultimately forced to give out paper ballots instead (probably an improvement in terms of security).
It’s unclear whether any of Russia’s attempts were successful and, if so, what the consequences were. The NSA document obtained by The Intercept indicated that it was “likely” that an employee account had been compromised at an unnamed election software company selling a VR Systems product and that access was probably used to gather information for the next round of phishing, directed at local governments, during which the hackers impersonated VR Systems employees. VR Systems disputes this account and says that no employee credentials were compromised.* And the fact that hackers were targeting the company and impersonating VR Systems vendors in their efforts to distribute malware does not necessarily indicate that the company’s voting software is vulnerable. And it’s possible that the Durham County problems were user error, as VR claims. But even without these red flags, it would be pretty reasonable for North Carolina to do another security audit after an interval of eight years.