STEVE INSKEEP, HOST:
This fall's elections will be overseen by the states. But they're also big business for a lot of private companies, the people who print ballots or make voting machines or do other things. NPR's Miles Parks reports the business of voting has complicated the effort to make voting secure.
MILES PARKS, BYLINE: Like all states, Maryland's government needs help running elections. So it pays a bunch of different companies to take on different aspects. In 2015, the company that owns the servers that hold much of Maryland's voting data changed hands. It wasn't considered a big deal.
NIKKI CHARLSON: We were notified of the change that Sidus Group is now ByteGrid. It's a wholly owned subsidiary - whatever it was. We were told of the change but nothing else. And the team members were the same.
PARKS: That's Maryland Deputy Elections Administrator Nikki Charlson. In July, Charlson got some surprising news. The FBI told her that ByteGrid, the company that hosts Maryland statewide online voter registration system and their election night results website, is now financed by a company whose largest investor is a Russian oligarch.
CHARLSON: Who would have thought? I mean, we were obviously very cyber-aware and doing all the best practices for IT systems and all that. But who would have thought that? Like, that's out of a Tom Clancy novel, right?
PARKS: The company has said its investors have no involvement or role in its operations. And there's no evidence at all that the Russian connection had any effect on votes cast or registrations in the state in 2016. Since then, however, the election industry's lack of transparency has come under scrutiny. An NSA document leaked last year detailed how Russian operatives hacked a Florida vendor called VR Systems that sells and maintains voter registration software. While the company's denied that Russia gained access, a recent indictment from special counsel Robert Mueller team said VR Systems was breached. Investigators say Russian operatives broke into the company's computers, then sent fraudulent emails to election officials using the VR Systems logo.
(SOUNDBITE OF ARCHIVED RECORDING)
RON WYDEN: These companies want to be gatekeepers of our democracy, but they seem completely uninterested in safeguarding it.
PARKS: That's Oregon Senator Ron Wyden speaking at an election security hearing this summer. Wyden has gone back and forth with the largest manufacturer of voting equipment, Election Systems & Software, or ES&S, about a number of cybersecurity issues. In one case, ES&S originally said it never installed a hackable kind of software on machines it sold. But after Senator Wyden asked about it, the company revealed they had provided the software for a small number of customers. The company didn't provide Wyden specifics, however.
(SOUNDBITE OF ARCHIVED RECORDING)
WYDEN: If they are going to have such a broad berth in the American election system, the public has a right to know about whether they are addressing basic questions of cybersecurity.
PARKS: In an interview with NPR, ES&S vice president Kathy Rogers said around 300 voting jurisdictions were provided the software, which helped the company provide IT support. But Rogers says it wasn't provided by the company after 2007, and it was never installed in machines that tabulated votes. The hard part is the public and even federal government officials like Wyden have no tool for an unfettered look at the inner-workings of these companies. The companies aren't even legally required to publicly say if they've had a cyber breach.
Here's Edgardo Cortes, an election security adviser for the Brennan Center and a former Virginia elections official.
EDGARDO CORTES: Election officials have been doing a ton around election security. But if that same thing is not going on at the vendor level, then that creates a really big potential vulnerability for the entire system.
PARKS: ES&S vice president Chris Wlaschin joined the company in April to lead its cybersecurity efforts. He says the company is soon becoming the first election vendor to install what's called an Albert sensor. Many governments use them to monitor cyber threats and share information with the Department of Homeland Security. Wlaschin also directly said the company has not successfully been attacked at any point in the past.
CHRIS WLASHIN: There has not been an incident at ES&S, going back as far as anyone there that I have communicated with.
PARKS: For now, voters will just have to take his word on that.
Miles Parks, NPR News, Washington. Transcript provided by NPR, Copyright NPR.