After President Donald Trump joked with Russian President Vladimir Putin about Russia meddling in U.S. elections, a talk show host asked Democratic presidential candidate Tulsi Gabbard to respond.
Appearing on HBO’s Real Time with Bill Maher, Gabbard, a U.S. representative from Hawaii, told Maher:
“We have to take seriously the security of our elections because of the vulnerabilities that exist — still, now — that really have the ability to undermine our democracy. There’s a hacking conference that’s held every year in Las Vegas, where I think a 14- or 15-year-old girl from Florida hacked into a replica of Florida’s election system in less than 15 minutes.”
What we found is some indication of vulnerability — even if it’s not a direct threat to the voting system itself. At least one kid did do some quick hacking.
But two points are problematic for Gabbard’s claim.
First, there wasn’t hacking into a replica of the election system — but rather a website made to look like Florida’s Secretary of State website that reports preliminary election results. In other words, not the system that receives and counts actual votes.
And second, what was hacked into was not even a replica — as in an exact copy of the website — because it did not contain the proprietary security features that the Secretary of State website has.
As the National Association of Secretaries of State said at the time:
“While it is undeniable websites are vulnerable to hackers, election-night reporting websites are only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote counting equipment and could never change actual election results.”
To support Gabbard’s statement, her campaign sent us two news articles about DEFCON 26, a hacking and cybersecurity event held in Las Vegas in August 2018. As part of the annual event, kids ages 8 to 16 could try to hack into what DEFCON described as replicas of election websites of 13 battleground states, including Florida.
One article said an 11-year-old boy hacked into the website that was made to look like the Florida Secretary of State’s website; and the other article said an 11-year-old girl hacked into one of the sites, but didn’t indicate which state. Both were done in under 15 minutes. (The home states of the kids were not named.)
As DEFCON said, the purpose was not nefarious: “By exposing the cyber vulnerabilities of these websites, young contestants will compete for prizes in a number of categories, including proposing the best plan to defend the Secretary of State websites from cyber attacks.”
But to be clear: While the websites might report election results and have other voting information, they are not used to receive or count actual votes.
One of the articles, from PBS Newshour, said an 11-year-old boy hacked into a version of the Florida state election website and changed voting results in under 10 minutes. And an 11-year-old girl tripled the number of votes on the same site in about 15 minutes.
In other words, hacking into a state’s election website could cause confusion if results were manipulated. But that is not the same as hacking into an election system and actually changing votes.
And with regard to how closely the hacked websites matched the actual websites, ProPublica published an article shortly after the DEFCON convention emphasizing that the websites hacked by the kids were not actual replicas of the state election websites.
“Instead, students were working with look-alikes created for the event that had vulnerabilities they were coached to find,” ProPublica said. “Organizers provided them with cheat sheets, and adults walked the students through the challenges they would encounter.”
Josh Franklin, an elections expert formerly at the National Institute of Standards and Technology and a speaker at DEFCON, was quoted as saying the websites were “fake.”
“When I learned that they were not using exact copies and pains hadn’t been taken to more properly replicate the underlying infrastructure, I was definitely saddened,” he said.
Similarly, Vice.com reported after Gabbard’s interview that DEFCON organizers had given the participants “clones” of state election websites “with vulnerabilities inserted by the organizers. In particular, the sites were designed to be vulnerable to SQL injection attacks, one of the most ancient — and yet still very common — hacks ever.”
So despite news reports that used terms such as replica and facsimile, the hacked site Gabbard referenced was not a copy of the Florida site and did not contain the same security features. Moreover, the site that the hackers meant to target does not include the system that is used for receiving and tabulating actual votes.
Gabbard’s loose recollection could leave readers with the wrong impression about the vulnerability of Florida’s election system. We rate her statement Mostly False.
Read more rulings at PolitiFact.com.