U.S. election software companies aren’t that worried about phishing emails

Although a recently leaked intelligence report suggested that Russian spies attempted to hack into at least one election software vendor, many of the industry’s top companies say they aren’t threatened by spear phishing emails.

Prominent election software companies say that phishing emails do not present a pressing problem, even though a classified intelligence report recently published by The Intercept indicated that Russian military intelligence had previously targeted one such company. The report says Russia’s attempt to influence the U.S. voting process may have been more expansive, and revealed attempts to place malware on the computers of local government officials.

Of 16 U.S. election software companies contacted by CyberScoop, four said that they had not received any phishing emails between August 2016 and June 2017, including Free & Fair, ClearBallot, Scytl and BPro Inc. Others, like Everyone Counts, reported receiving phishing emails but stressed the sufficiency of the security systems currently in place to protect against such attacks.

“We have not been the target of any phishing emails,” Free & Fair CEO and Chief Scientist Joe Kiniry wrote in an email. “Moreover, because of the hardened systems we choose to use for our products, desktop machines, and servers, we are much better protected than our colleagues who chose to use less secure technologies.”

Everyone Counts VP of Technology and Operations James Simmons wrote in an email that Everyone Counts received phishing attempts between August 2016 and the present, but did not report any malicious cyber-activity to the FBI within the past year, as the incidents they saw were deemed “opportunistic in nature” and not specifically targeted at the company.

“Our e-mail provider filters the majority of them, either stopping them entirely or routing them to Spam folders,” Simmons wrote. “Every once in awhile they get through. Our employees are trained – and regularly reminded – to be very cautious in following links embedded in e-mails as well as identifying potentially suspicious e-mails and forwarding them to the IT team to review.”

The Intercept reported that phishing emails sent to one unnamed vendor contained a link to a faux-Google website that requested employee login credentials, based on a leaked National Security Agency report. While the report did not specify which vendor was targeted, it does refer to a product made by VR Systems, which provides electronic voting services to eight states, according to VR Systems’ website.

Simmons told CyberScoop that no phishing email received by Everyone Counts resembled those reportedly used against VR Systems. For its voter registration products, Simmons explained in an email that production systems are located in “secure data centers” and that the company maintains comprehensive logs to conduct regular audits in search of discrepancies.

Everyone Counts, Simmons said, works with the FBI and its government clients to put protocols in place for reporting and acting on suspicious emails. The FBI visited Everyone Counts offices last year before the general election to “understand what security protocols were in place and share some information they had regarding specific threats.” Internal audits of Everyone Counts’ logs revealed no similar attacks on their system, said Simmons.

Kiniry said that most Free & Fair employees do not rely on Microsoft products in order to avoid some digital security concerns. The broad generalization that Microsoft products are insecure is largely inaccurate — effective software security practices depend on regularly updated software, encryption and user vigilance.

Free & Fair emphasized that it was prepared for such attacks. Kiniry said that all emails addressed to Free & Fair are subject to spam and malware filters. If there was cause for concern, the company would read emails in a virtualized OS, “thereby preventing all forms of malware from infecting any of our systems,” Kiniry wrote, adding that “these practices are the standard operating procedure for any entity that has proper cybersecurity expertise and holds a concern about this form of attack.”

Smartmatic declined to comment on the specifics of any phishing attacks targeting the company.

“Like many other organizations, we face a range of cyber attempts, spam emails and the like and keeping our systems safe and secure is one of our top priorities,” Samira Saba, integrated communications director of Smartmatic, stated in an email.

The Intercept’s story has motivated lawmakers on capitol hill in recent weeks to reexamine the impact of Russia’s hacking campaign against the 2016 election. Both the House and Senate intelligence committees have hearings scheduled for Wednesday to discuss the issue.

Following the publication of the leaked report, VR Systems said in a statement, “Phishing and spear-phishing are not uncommon in our society. We regularly participate in cyber alliances with state officials and members of the law enforcement community in an effort to address these types of threats. We have policies and procedures in effect to protect our customers and our company.”

Sen. Mark Warner of Virginia, the top Democrat on the Senate Intelligence panel, told USA Today that he does not believe malicious cyber-activity effectively changed voting outcomes, although “the extent of the attacks is much broader than has been reported so far.”

Chris Bing contributed to this report.