How secure is your vote in MD, VA & DC? Threats from Russia and within exist on eve of midterms

It was an elite veteran of the Marine Corps Cyberspace Command who first sounded the alarm in 2016 that Russia had launched a coordinated cyberattack targeting the Democratic National Committee.

Captain Robert Johnston saw unmistakable signatures of Russian intrusions; patterns and code leaving no doubt in his mind that America was targeted by an emboldened adversary.

“It’s not an impulsive decision, making the call that Russia was responsible,” Johnston said in an interview. “It’s a matter of figuring out the puzzle, solving the crime. And I happen to be good at it.”

WUSA9 Reporter Mike Valerio talks with Captain Robert Johnston of the Marine Corps Cyberspace Command about Russian attempts to infiltrate American elections.

Some 60 years after his grandfather faced the armies of Mao Zedong in the Korean War, Johnston is the first in his family’s Marine Corps lineage to combat cyber warfare.

Johnston warned the world of Russia’s election meddling in the midst of a chaotic campaign. Today, he warns Maryland could be within Russia’s sights – the state’s sensitive voter information potentially in reach.

ALSO READ | Republicans block $250 million to beef up election security

His concerns are shared by the FBI, Department of Homeland Security and at least three United States senators.

Maryland’s voter database is hosted by a tech company called ByteGrid – a firm financed by one of the richest men in Russia.

Billionaire oligarch Vladimir Potanin serves as ByteGrid’s largest investor. Potanin is a well-known ally of Putin and is included on a U.S. Treasury list of oligarchs affiliated with the Russian government.

When you have a Russian oligarch who owns a private equity company that has a controlling stake in a U.S. election system, he can exert influence.

ByteGrid operates the servers holding Maryland’s voter registration data, election management system and election night results website.

Potantin’s relationship with ByteGrid and Maryland’s election system flew under the radar for at least three years.

The chain of events began when an American private equity firm called Altpoint Capital purchased ByteGrid in June 2011.

In June 2014, Potanin became the majority owner of Altpoint, according to filings with the Securities and Exchange Commission.

In 2015, ByteGrid bought a Maryland tech company called Cytis. The state board of elections trusted Cytis to host its voter database – trust that was then transferred without major scrutiny to ByteGrid.

The 2015 sale went unnoticed, until mid-July 2018. The FBI then revealed the connection to Maryland Gov. Larry Hogan (R), Sens. Chris Van Hollen (D-Md.), Benjamin L. Cardin (D-Md.) and state election officials.

“Access to these systems could provide a foreign person with ties to a foreign government with information that could be used for intelligence or other purposes averse to U.S. interests,” Van Hollen and Cardin wrote in a letter to Treasury Secretary Steven Mnuchin.

“For that reason, Altpoint Capital’s relationship with ByteGrid must be carefully scrutinized.”

Nikki Charlson, Maryland's deputy elections administrator, said in an interview that ByteGrid’s Russia connection would have likely gone unnoticed, were it not for increased federal investigations following the 2016 elections.

That’s because foreign disclosure requirements for the state’s election systems are nonexistent.

“There was no reporting requirement of investors or secondary investors under the state’s contract,” Charlson said. “I do believe there will be changes to that moving forward.”

July’s FBI announcement of Potanin’s connection to ByteGrid came only hours after Special Counsel Robert S. Muller III indicted 12 Russian agents for 2016 election meddling.

The charges included the DNC hack investigated by Marine Corps Captain Robert Johnston, as well as incursions into the Democratic Congressional Campaign Committee and computer networks used by Hillary Clinton’s 2016 presidential campaign.

“When you have a Russian oligarch who owns a private equity company that has a controlling stake in a U.S. election system, he can exert influence,” Johnston said. “And so, ByteGrid can be weaponized later on down the line.”

ALSO READ | Cybersecurity: States ramp up election protections ahead of midterms with $380 million in federal funds

Sens. Cardin and Van Hollen have asked the U.S. Treasury to investigate whether ByteGrid’s access to the voter database constitutes a national security risk.

The company declined to answer a series of questions submitted by WUSA9. Instead, ByteGrid’s chief marketing officer released a two-sentence statement.

“ByteGrid continues to cooperate fully with all official inquiries involving this matter,” ByteGrid’s Annie Eissler said in an email. “We have no further comment.”

To date, a hunt incident response team with the National Cybersecurity and Communications Integration Center has found no evidence of adversarial activity within Maryland’s voter database.

In a Sept. 24 letter to Gov. Hogan, DHS Under Secretary Christopher C. Krebs said the on-site investigation of ByteGrid’s systems is finished.

But an analysis of ByteGrid’s data continues, with a final written report incomplete before Election Day.

“We are getting weekly updates from them, and as of last Friday’s update, no new information,” Charlson of the Maryland Board of Elections said.

“We feel ready, and we hope that voters are confident that the system we have in place and the procedures will give them confidence to participate.”

Charlson’s confidence comes from a double-layered audit Maryland will perform of every ballot cast in the state’s elections.

Paper ballots are first scanned by voting machines across every locality. The results are then sent to the state board of elections to be tabulated.

But to verify the results, images of each ballot are saved electronically. The images will be submitted to an independent auditor, a company called Clear Ballot.

Clear Ballot uses software to examine the markings of each ballot, looking for differences between how the state originally counted each vote and how the software counts voters’ selections.

Humans are then used as a final layer of defense.

“We will be doing a manual audit where we take a sample of ballots from early voting, Election Day, absentee and provisional ballots, and the local boards of election will hand count those results,” Charlson said.

The full process is the only one of its kind in the nation – a verification of each vote completed within a rapid timeframe of 10 days.

Critics fear ballot images saved as digital PDF files could be altered by a hostile hacker. But state authorities dismiss those concerns as purely hypothetical.

“The images are encrypted and stored in a thumb drive in every voting machine,” Charlson said. “The thumb drives are taken out of the unit at the end of the day. Then a bipartisan team of poll workers drives them to the local election office, where they’re loaded into the computer system.”

While Maryland and Washington use the same model voting machine, tiny circuits within DC’s machines create a difference only the size of a modem.

But the modems found inside Washington’s voting machines are why the District is denied a security blessing from federal authorities.

Plainly put, the nation’s capital uses voting machines that are not certified by the federal government. The lack of a federal security certification has not been previously reported.

The issue is known to District election officials, who have asked the federal government for more money to buy more of the same machines.

The problem comes down to modems that rely on wireless technology.

Both Maryland and Washington use a voting machine known as the DS200 manufactured by the nation’s largest producer of voting equipment, Election Systems & Software (ES&S).

If a jurisdiction is utilizing a voting system that has a DS200 with modeming capability, it has not been certified.

The 140 DS200s used in Washington on Election Day are equipped with wireless modems, but Maryland’s are made without them.

When the polls close, precincts throughout the District transmit their initial election results using the DS200 modems.

But their signals can be susceptible to hacking or manipulation. The transmission of results can be captured by surveillance devices, popularly known as StingRays.

A 2017 DHS study found StingRays are in operation throughout Washington, placed near the White House, Russian Embassy, FBI headquarters and the Senate. They are generally used for foreign espionage, mimicking cellphone towers to capture digital signals.

DHS disclosed the existence of the StingRays in a May 2018 letter to Sen. Ron Wyden (D-Ore.), but federal officials declined to specify which nation states or companies control the devices.

Federal authorities were unequivocal – Washington’s voting machines have never been tested with government supervision.

“The EAC has never certified an ES&S voting system that contains a DS200 with modeming capability,” said Ryan Macias, senior election technology specialist with the U.S. Election Assistance Commission (EAC).

“If a jurisdiction is utilizing a voting system that has a DS200 with modeming capability, it has not been certified.”

The EAC is the arm of the United States government charged with testing voting equipment across the country. Yet compliance with EAC certification is only voluntary.

In short, no state is stopped from using voting equipment that lacks a federal stamp of approval. A state can use any equipment it so chooses.

When reached for comment, ES&S said an Alabama lab approved by the National Institute of Standards and Technology (NIST) tested Washington’s machines.

“The system used in DC was fully tested by a voting system test laboratory accredited by NIST for the purpose of modeming unofficial election results,” spokesperson Teresa Paulsen said.

But EAC officials strongly pushed back – pointing out a private entity performed the testing.

“Nobody at the Federal level had any oversight or visibility into the testing done,” said Brian J. Hancock, EAC director of testing and certification. “We don't know what standards (if any) the system was tested to.”

The lack of federal certification has not caused the District to change course.

Election officials in Washington asked the EAC for $1.5 million this year to acquire ballot-marking devices and more wireless modem DS200s.

“The acquisition of additional voting equipment which uses cellular/modem connectivity will streamline the closing/tabulation process,” a 2018 grant application reads.

The text continues by stating DS200s with modems “generate faster results of the election night totals.”

DC Board of Elections spokesperson Rachel Coll defended the use of the machines, asserting only encrypted data is sent out on election night.

“I would just add that the modemed results are our initial results,” Coll said. “USBs [with results] are transported by police escort to our offices and those never reach the internet. Once those results are confirmed as matching the modemed results, and we have conducted an audit, then we certify the election.”

In a preemptive move to detect malicious actors intruding in election infrastructure, the District is equipped with an advanced warning sensor known as “Albert.”

DHS awards two Albert sensors per state, free of charge. Washington was one of the earliest jurisdictions to install the defense, integrating the system in the summer of 2016.

Albert is also used in Maryland. Virginia declined to comment on its specific security postures.

The non-profit Center for Internet Security developed the Albert sensors, using threat intelligence provided by the cybersecurity company Symantec.

In an interview, Symantec CEO Greg Clark stressed voting integrity should be monitored even in the smallest of places – including Washington, a city that sends one non-voting delegate to Congress.

“If we have one place that gets affected through some cyber problem, what does that put into the citizens’ minds about the validity of the election and the news cycle that would then follow?” Clark said.

“The issue is maintaining integrity of the citizens’ mindset around the election, after what happened in 2016 especially.”

In 2017, children at a Las Vegas tech conference hacked into voting machines used across 22 Virginia localities – changing names and changing votes.

The kids were as young as 10.

“That was, by far, the biggest surprise of the convention,” said Jake Braun, a cybersecurity veteran of the Obama White House and organizer of the DEF CON hacking conference. “It was literally child’s play.”

The news hit Richmond like a tsunami – with deputy elections commissioner Liz Howard left to replace all the machines in just 59 days.

“Replacing all of them was a very quick process, and it was not ideal,” said Howard, now serving as counsel at the Brennan Center for Justice at NYU School of Law.

“Putting in place a periodic certification process, or at least a periodic review, could have prevented that abrupt transition.”

Former Virginia deputy elections commissioner Liz Howard talks to WUSA9 about election security.

Voting equipment usually receives federal certification without regular follow-ups. The dynamic is a direct result of states and communities running their own elections without the federal government taking major enforcement or administrative roles.

Virginia now uses a system where every vote in the swing state is backed up by paper ballots. Paper provides an un-hackable hard copy. If election results need to be verified, a reliable record will exist.

But cause for concern in 2018 emerges not with Virginia’s voting machines – but with its new game plan for a state-wide review of its election outcome.

Bottom line: The game plan isn’t finished; it won’t impact the election results; and it won’t examine every part of the Commonwealth.

For the first time, Virginia now requires a post-election audit to be conducted across the state to verify that locally reported results are indeed accurate.

But the process is complex. And incomplete.

Personnel need to be mobilized after the election and a statistically significant number of ballots needs to be reviewed by hand.

The city of Fairfax demonstrated earlier this year how election results could be efficiently reviewed – and applied to all of Virginia’s 133 localities.

But costs and logistics have not been hammered out from the state’s Appalachian counties to Washington suburbs.

Additionally, Virginia statute does not require every locality to take part in the audit. A jurisdiction is only compelled to participate once every five years.

If a cyberattack happened discreetly in only one Virginia county, the possibility exists it may go unnoticed – since not all areas are subject to the new accuracy check.

“We should have these post-election audits so that we can go back and have confirmation that no one successfully attacked our systems,” Howard said. “Confirmation that no one successfully hacked into our voting machines or voter registration databases.”

Since September, the Virginia Department of Elections declined a series of WUSA9 requests for interviews with Commissioner Christopher E. Piper.

Furthermore, the new accuracy reviews happen after Virginia’s election results are certified. Problems uncovered because of malicious cyber actors run the risk of remaining unchanged.

“An audit shall have no effect on the election results,” is clearly stated in Va. Code §24.2-671.1.

While the stakes for election security are higher than ever, the region has moved farther than other states with competitive contests capturing the attention of the nation.

Georgia conducts all voting electronically with machines that have been hacked in two demonstrations on Capitol Hill this year.

As Georgia’s critical governor’s race hangs in the balance, an election security case is moving towards the 11th U.S. Court of Appeals in Atlanta.

Voters sued the state to move quickly and replace vulnerable voting machines – a transition U.S. District Judge Amy Totenberg ruled is moving too slowly.

“Advanced persistent threats in this data-driven world and ordinary hacking are unfortunately here to stay,” Totenberg wrote.

“The Court advises [Georgia] that further delay is not tolerable in their confronting and tackling the challenges before the state’s election balloting system.”

Cybersecurity is a path, not a destination.

South Carolina, New Jersey, Louisiana and Delaware have no paper trail for their elections – with two-thirds of Pennsylvania’s 67 counties using machines where digital votes can simply be deleted.

“Cybersecurity is a path, not a destination,” Howard said. “There are absolutely steps we can take to improve our election security posture here. But that said, I feel like this region is well-prepared going into the midterms.”

Maryland’s senators and Sen. Amy Klobuchar (D-Minn.), have introduced the Elections Systems Integrity Act, requiring disclosure of foreign ownership in election systems.

But attention ebbs and flows, with no dedicated stream of revenue from the federal government to states for election security.

Congress disbursed grants earlier this summer, but WUSA9 reporting shows little, if any, has been spent in time to prepare for the 2018 midterm elections.

“I think this is a problem that will go on for centuries,” said Symantec CEO Greg Clark in an interview from Silicon Valley.

“I do not believe that it’s something you can fix one time. It’s a cat and mouse game. Things will move around and we’re going to have to be diligent forever in the democratic process.”

Homeland Security Secretary Kirstjen Nielsen and senior White House officials stressed last week that malicious Russian activity has decreased from levels seen in 2016.

But the same officials cautioned the nation cannot afford another Russian assault on American democracy.

Robert Johnston, who vividly remembers discovering Russia’s role in the DNC hack, is confident the Kremlin’s barrier for next time is lower.

“I think they just have to give the illusion to the American people that they’re actually conducting those same hostile actions,” Johnston said.

“The efficacy of those actions really doesn’t matter. Because the headlines, the news cycle, everything else, will just take care of itself.”

CORRECTION: A previous version of this story indicated Mr. Potanin was under U.S. sanctions. He is instead included within a Jan. 29, 2018 U.S. Treasury list of oligarchs affiliated with the Russian government, not under U.S. financial sanctions.