A new Politico investigation found there were potential security gaps identified before New Hampshire’s new voter database came on line. That included software that could connect to servers in other countries, including Russia and the Ukrainian national anthem coded deep in the database.
That voter database never went online, but New Hampshire’s case is just one in a series of other states facing intrusions into their elections software. NHPR’s All Things Considered host Julia Furukawa spoke with John Sakellariadis, the reporter who broke the story. A transcript of that interview follows below.
On Tuesday, New Hampshire Secretary of State David Scanlan denied many of the central claims in the original Politico article while speaking with reporters in Londonderry.
“Did not happen,” Scanlan said, when asked if the voter database, while under construction, had any vulnerabilities that would have permitted someone outside of the U.S., including in Russia, to access the system. He also said there was no coding language found during the review that was linked to a Russian programmer, as the article states.
Scanlan said he believes the main source in the Politico story, who is provided anonymity, was speaking about an issue in another state, not New Hampshire.
“I’m very confident that it is secure, and we’ve got a good handle on it,” he said.
Scanlan did confirm that source code found on a third-party file did include a prompt for the Ukrainian national anthem to begin playing, if the program was opened on a Russian server. He said it was “benign and dealt with straight away.”
Transcript
So let's start with the basics. What happened as New Hampshire was trying to bring this new voter database online?
New Hampshire was in the process of working with this vendor to build a new voter registration database for the state. Their old database was about 20 years old, and they were trying to bring the new one up to speed before the primary this year. And at some point, as the vendor was delivering the product, they learned that it had offshored part of the contract overseas, which alarmed officials in New Hampshire for a variety of reasons, right? You want to be sure, especially with a critical piece of democratic technology, like a voter registration database, which is used to help voters check in the polls to kind of assign them to the right polling stations, things like that, that there's no possible sort of subversion, infiltration, wrongdoing in that technology, especially in light of what we've seen over the last almost 10 years now, you know, dating back to the Russian influence campaign in the 2016 election.
So the secretary of state in New Hampshire, Dave Scanlan, went out and hired a supply chain security company to basically scour the database to see if there was any signs of tampering, wrongdoing, intentional, or other issues that they might want to be concerned about, which is a relatively rare move, as far as I can tell, on the part of a state to do that. And they found a few troubling things, one of which was a piece of open source software that was maintained by a Russian national who has actually served prison time for manslaughter in Russia. And then some parts of the code that were sort of misconfigured to send bits of data overseas, including to servers in Russia.
The state and the sources I talked to all were sort of of the same opinion, felt confident that there was no wrongdoing on behalf of the vendor, that nothing they found was sort of intentionally malicious. You know, there was no sleeper cell here, but these were the type of things that could have been exploited, you know, legitimate security issues that hackers at a future time, at a future date potentially could have sort of targeted. Alternatively, there was simply this optics issue. You know, in the really tense political environment we're in right now, that it could give fodder to conspiracy theorists. So the state then worked with the vendor to fix these issues before the database was ever brought online. So they were proactive. They really did everything right here after they found out about the offshoring issue. And in turn, they say that the vendor, you know, was quite responsive about this issue when they were confronted about it. And the database came online earlier this spring, and that's the vendor they're going to use.
John, after your article was published, the company that performed the software scan denied that there was a way to access servers from foreign countries, including in Russia, and New Hampshire secretary of State David Scanlan said there was no code in the software written by a Russian programmer, as you had written. How do you respond to those claims?
Listen, I stand by the reporting. And I would, I guess, honestly sort of side with the company and the secretary of state in saying that because the voter registration database never came online, a lot of these issues that were uncovered were purely hypothetical.
The voter database determines which Granite Staters are able to cast votes and, of course, we have a presidential election coming up. If this breach had not been discovered, what could have happened to some voters on the day they showed up to the polls?
You know, I don't want to engage too much in hypotheticals here. I wouldn't describe them as breaches. They were vulnerabilities. So there was no affirmative breach. And even if New Hampshire had never called in reversing labs to conduct the scan, if this system had gone online, it's possible that everything would have gone off without a hitch on Election Day. These were possible, exploitable security issues that you would expect, given a critical system that is used to, again, ferry people to the polls on Election Day.
And in the intensely scrutinized kind of partisan environment that we're heading into in 2024, this is not the type of thing that you would want exposed to possible exploitation. I don't want to scare people. I just think what the story is about for me, is officials throughout the country who are relying on these systems to administer elections, an inherently complex, difficult task, are slowly getting kind of educated on this other set of kind of security responsibilities they have to take account for in the digital age.
We've seen a lot of misinformation and disinformation around elections, particularly in the wake of the 2020 presidential election. How does a situation like this potentially play into the false narrative about election fraud in the U.S.?
Listen, I wrestle with this question all the time. Not just this story, any story I do on elections. You don't want to be patronizing as a journalist. So there are times where I would think to myself, is it worth it to publish this story, especially in advance of 2024, given, you know, the narratives flying back and forth on either side? And what I guess I would come back to in conversations that I had, especially with folks who I trusted when I sort of bounced off these perspectives, is you have to trust Americans to be smart about differentiating potential issues, real issues, etc., right? So my feeling here was that as difficult as it is right now, especially for election administrators to do their job, if we completely clam up about talking about security issues because of fears that it will be spun out of context, we might never get the resources, the funding, the motivation, the recognition that there are problems that we should be chipping away at over time. And that's really my hope with a story like this that people realize -- First of all, if you're reading about this and you're a concerned New Hampshirite, ask what you can do to help, especially if you have technical skills, if you can go out there and help state, local governments manage their IT infrastructure, secure anything. That's great. And then in particular, since I report at Politico, there's a federal kind of lens to everything I do. So trying to draw attention to these issues in the federal government where there's this huge sort of reflex against, you know, air quotes, federalizing elections in any way. That doesn't mean to me that you can't provide some type of stable funding to the states to help them maintain, protect, and secure these digital systems, because that's one of the biggest things you hear talking to folks about the states when it comes to cybersecurity. Despite all the concerns we've had for the last eight years, the kind of partisan rancor is such that it's been really hard for states to get consistent security and IT funding for this type of thing.