Pollbook vendor pushes back amid questions over software security


By Tyler Dukes, WRAL investigative reporter

RALEIGH, N.C. — A vendor that supplies electronic pollbook software for more than a dozen North Carolina counties is disputing "misleading insinuations" by state elections officials about whether it's the company named in the Mueller report as the victim of a 2016 Russian hacking operation.
The statements from the Florida-based VR Systems come just days after the State Board of Elections sent the firm a letter requesting "immediate written assurance" regarding the security of its network. VR Systems supplies e-pollbook software called EViD to 17 North Carolina counties for use on Election Day.

In a redacted version of his report released last week by the U.S. Department of Justice, Special Counsel Robert Mueller wrote that, in August 2016, officers with Russia's military intelligence agency targeted "a voting technology company that developed software used by numerous U.S. counties to manage voter rolls, and installed malware on the company network."

The name of the company was redacted.

But elections officials noted that an unnamed elections vendor was also referenced in a 2017 indictment of 12 Russian nationals, and that VR Systems was specifically identified as a target of Russian intelligence in a report leaked to The Intercept in 2017.

The letter from state elections officials last week sought to find out whether VR Systems was the company in question – and whether its claims in court filings that EViD had not been breached were still true.

In the company's letter to the board, attorney Michael Weisel wrote that VR Systems "was not breached during a phishing attempt" and that its previous statements about the security of its systems remained accurate.

"Since VR Systems first alerted the Federal Bureau of Investigation in August 2016 of an attempted spearphishing attack, to VR Systems' knowledge, EViD has never been hacked," Weisel wrote.

But he also told elections officials the company "has no independent knowledge and is unable to confirm or deny" whether it is the company referenced in the Mueller Report.

"Neither the FBI, the Department of Homeland Security, nor the National Security Agency has ever contacted VR Systems as to these specific 'hacking' incidents," Weisel wrote.

By phone Monday afternoon, Weisel added that the EViD system "is totally separate from any of these presumed hacking attacks."

He said he was unable to speculate whether the Mueller report's assertion about the unnamed company's compromised network was accurate, or whether it referred to another vendor.

"We can't make any statement about it, because we don't know," Weisel said.

As for the Mueller report itself, Weisel said the document didn't concern the leadership of the company because it revealed "nothing new."

The company's letter said that, after contacting the FBI, it has been proactive in its efforts to search for malicious activity. It pointed out that a DHS risk and vulnerability assessment "found no indications of a breach of any kind."

The company's response Monday specifically addressed issues in Durham County in 2016, when election workers were forced to switch to paper poll books after experiencing software problems that slowed down voting in some precincts.

Durham uses VR Systems' EViD software, and State Board of Elections spokesman Pat Gannon said last week that the company "did not immediately explain the cause of the issues." A report from a forensics firm hired by the county, Gannon said, was inconclusive.

Weisel said those statements were "patently false" and wrote that a third-party report found it wasn't the software that failed on Election Day.

"'It appears that certain steps were not taken to verify all laptops were properly prepared for the November election,'" Weisel wrote, quoting from the report. "Durham County election board workers handled laptop preparation, not VR Systems."

Gannon noted last week that State Board of Elections investigators still believe user error was responsible for the issues in 2016.

"However, the agency’s review to date, including questions posed to VR Systems, has not conclusively determined the cause, in part because the agency lacks the necessary technical expertise to forensically analyze the computers used in Durham County, and other government agencies declined the agency’s requests to evaluate them," Gannon said in a statement last week.

In an email to WRAL News Monday afternoon, Weisel said his letter on behalf of VR Systems attempts to correct "misleading insinuations" by State Board of Elections General Counsel Josh Lawson "widely transmitted by the media."

Weisel's letter took specific aim at the board, accusing its leadership of rejecting offers by the company to pay for forensic investigations and refusing to answer questions about the agency's own security.

Gannon declined to comment on the letter from VR Systems Monday afternoon.

Copyright 2024 by Capitol Broadcasting Company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.