WASHINGTON – U.S. Senator Amy Klobuchar (D-MN), Ranking Member on the Senate Rules Committee with jurisdiction over federal elections, and Senator Jack Reed (D-RI), Ranking Member of the Armed Services Committee, questioned the Department of Homeland Security (DHS) about election equipment malfunctions in North Carolina in the 2016 general election. In a letter to Acting Secretary Kevin McAleenan, Klobuchar and Reed pressed DHS to explain what steps it took to investigate the unexpected behavior of equipment made by VR Systems. The company provides election software, including electronic poll books. 

The Mueller Report revealed that “[i]n August 2016, GRU officers targeted employees of [redacted], a voting technology company that developed software used by numerous U.S. counties to manage voter rolls, and installed malware on the company network.” VR Systems has since confirmed to the media that it believes it was the unnamed voting technology company in the Mueller Report. 

Despite the fact that VR Systems equipment malfunctioned in several North Carolina precincts in November 2016, leading to long delays at the polls, it’s unclear what steps federal agencies took to investigate the extent of Russian hacking, and whether malicious activity was responsible for the failure of VR Systems’ electronic poll books. 

Federal agencies and state election officials are now far more aware of the scope and urgency of the threats to our elections from foreign interference than they were in 2016. However, it is critical that we learn as much as we can about the extent of the attacks we faced in 2016, and that these lessons be shared as widely as possible so that our nation is fully prepared for the 2020 elections,” the members wrote. 

The full text of the letter can be found below: 

Dear Acting Secretary McAleenan, 

We are writing to express our concern with the continuing public uncertainty as to why certain election equipment malfunctioned in North Carolina in the 2016 general election, and to better understand your agency’s investigation into this matter. 

On Election Day 2016, North Carolina voters in Durham County experienced delays and confusion. Early in the day, Durham County’s electronic poll books malfunctioned, which led county officials to make a sudden switch to paper-based voter rolls. VR Systems, the vendor responsible for Durham County’s electronic poll books, is known to have been targeted by Russian military intelligence in 2016 as part of Russia’s efforts to interfere with the 2016 elections. 

However, there is still serious uncertainty about whether Russia was successful in hacking VR Systems, and if any successful hack might be related to the problems Durham County experienced in 2016. 

The Department of Homeland Security (DHS) recently announced it will forensically analyze the laptops used by Durham County in 2016 that were running VR Systems’ software. While this is a positive step, we are concerned that this is only happening now, over two and a half years after the 2016 elections. Even if these laptops had been imaged on Election Day, at this point much of the supporting information, such as access logs, that DHS and other agencies could use to draw conclusions about what happened to these laptops could already have been lost or erased. 

Federal agencies and state election officials are now far more aware of the scope and urgency of the threats to our elections from foreign interference than they were in 2016. However, it is critical that we learn as much as we can about the extent of the attacks we faced in 2016, and that these lessons be shared as widely as possible so that our nation is fully prepared for the 2020 elections. 

Accordingly, we respectfully request your answers to the following questions by July 26th: 

1.      The former general counsel for the North Carolina State Board of Elections has publicly stated that the Board of Elections asked DHS to conduct a forensic review “more than 18 months ago.” How did DHS respond to this request at the time and what caused the delay in reviewing the laptops? 

2.      VR Systems has said that DHS led a cybersecurity “hunt” at VR Systems’ headquarters in the summer of 2018 over the course of two weeks. What kinds of forensic analysis did this review consist of, and what were DHS’ findings from this review? 

3.      VR Systems has also said that in the summer of 2017, it contracted FireEye, a private sector security firm, to perform a forensic examination of its systems. Has DHS reviewed a complete copy of FireEye’s report? If so, what were its principal conclusions? 

4.      Public reporting indicates that VR Systems maintained remote access to Durham County voting list management systems for troubleshooting purposes, and that VR Systems used this remote access the night before the general election. Has DHS analyzed whether this remote access capability potentially contributed to any malicious activity in Durham County’s systems? 

5.      In DHS’ experience working with US election systems, are remote access capabilities common in vendor-developed election management or voter registration systems in the United States? Does DHS recommend against having these capabilities in place? 

Sincerely,

 ###