Florida’s top election official on Tuesday warned that attackers could attempt to disrupt elections without even breaking into the voting systems — by simply changing the results on election websites.
Secretary of State Laurel Lee told the governor’s Cybersecurity Task Force that Florida’s elections tabulation system is secure, but state and county elections websites “are far more vulnerable to being attacked or defaced and pose a very real threat, not of changing election results, but of undermining voter confidence.”
“If our website is defaced such that it reflects that the losing candidate won, and I have to go out the next morning and explain to the press and the public that the actual winner was the other candidate, we’ve lost critical public trust,” Lee told the group meeting at Florida International University in Miami.
To address that possibility, Lee said the department is “working very hard to secure those sites and stay on top of evolving threats and tactics to keep them secure.”
She offered few details but said the Department of State has established the Joint Election Security Initiative, also referred to as JESI, to work with and train the 67 county elections offices to identify any vulnerabilities in the election infrastructure.
But the threat of hackers hijacking social media, email accounts and websites is a looming concern that has been raised across the country as elections security has come under intense focus since Special Counsel Robert Mueller released the “Report On The Investigation Into Russian Interference In The 2016 Presidential Election.”
On the same day the Mueller report was released, a civil grand jury in San Mateo County, California, released a report outlining what it perceived were significant vulnerabilities in that county’s election security. The county had strong safeguards against voter fraud and manipulation of election results, the report concluded, but officials shared passwords and rarely used two-factor verification and other safeguards. Hackers could easily infiltrate the website, emails, or Facebook and Twitter pages to disrupt voter confidence in the election.
Lee is issuing a similar warning in Florida.
“If one of our adversaries can compromise a supporting system associated with the voting system, they can do significant damage,” she said. “This could include hijacking the elections website or social media page and creating misleading information about where and when to vote.”
After the Mueller report, the FBI said hackers sent spear-phishing emails to more than 120 email addresses at local elections offices around Florida. One phishing email, for example, was sent to Volusia County officials disguised as an email from VR Systems, a Tallahassee-based vendor that handled registration software for 52 counties. Volusia County officials said they did not open the attachments or click links that would have allowed the hackers access to their computers.
U.S. Sen. Marco Rubio said hackers were in a position to manipulate voter registration data, although Gov. Ron DeSantis has since said the FBI told him that voting data had not been altered in 2016.
Lee said her office is attempting to deal with these potential threats through rigorous security training of local officials, conditioning them to recognize phishing emails, denial of service, or Trojan horses and instilling good “cyber hygiene” in the culture.
“Many, if not most, of these vulnerabilities come from exploiting human behavior instead of an actual technical shortcoming,” Lee said.
“We refer to this part of our resiliency efforts as the human firewall,” she said. “As many an IT professional has said to me, sometimes to my dismay, you can invest millions in the latest software, assets, and firewalls, but a single employee who clicks the wrong link can undermine and expose your network.”
The task force asked Lee to outline what her agency is doing to be prepared for a potential cyber attack on Florida’s elections system.
Lee responded with a prepared speech, which she had given last month in Orlando to the annual meeting of one of the top lobbying groups in the state, the Associated Industries of Florida.
She described the five-person cyber team that is conducting a “thorough elections-specific assessment in every Florida county.”
When weaknesses and vulnerabilities are found, she said, state and county elections officials have “agreed to share critical incident information.”
To guard against voting systems being hacked, Lee said the state relies on a paper ballot system because “you can’t hack paper.” The state also conducts logic and accuracy tests on all its hardware and software and the source code is “sent through an independent, federally-certified test lab.”
When votes are scanned, the machines that tabulate the vote totals are “not connected to the Internet while they are tabulating ballots” and “at no point in the process is there any connectivity,” she said.
And once each polling site completes its tabulation, “the encrypted results are modemed up to the Division of Elections.”
It is there that things could go wrong if the website is hacked, Lee conceded.
Lee noted that while some counties “have an ample budget and large IT staff, others have significantly less” and so the state will provide a baseline level of support for those who need it.
“I’ve said many times, we will succeed or fail together and no county will be left alone to face a foreign adversary,” she said.
To that end, she said DeSantis is asking the Legislature to expand the five-member cyber security bureau at the Department of State by adding 10 full-time positions.
“We don’t pay much, but we can promise a very, very interesting opportunity,” she said.
Lieutenant Gov. Jeanette Nuñez, who chairs the task force, asked Lee what worst-case scenario was used for their hypothetical “tabletop” exercise. Lee said they imagined a county’s election system being hacked and what might be needed to get the county’s system back in operation as quickly as possible.
One lesson learned from local governments faced with ransomware attacks, she said, is that communicating early and quickly is key.
“If the threat is disclosed it equips nearby agencies to protect themselves from the threat spreading,” she said. If the local government notifies both state and federal authorities effectively, “we have the full complement of resources deployed.”
Mary Ellen Klas can be reached at email@example.com and @MaryEllenKlas