On Jan. 6, 2017, less than two weeks before the dawn of the Trump era, the Obama administration designated the country's election infrastructure as "critical." The move was meant to add federal protections to voting systems. More important, it coincided with a report from the U.S. intelligence community detailing its assessment that the Russian government undertook an elaborate – and ultimately successful – cyber warfare campaign to boost Donald Trump into the White House.
In the ensuing months and years, as more has come to light regarding the foreign actors' intentions, more has also come to light about our election process' flaws: not just gerrymandering and the gradual chipping away of voting rights, but the more acute, dire threat to each election's actual results.
According to the Trump administration, 21 states' election systems were compromised or probed during 2016, though officials insist no votes were changed. Only one of those states – Illinois – has publicly acknowledged a "malicious cyberattack." And while Florida is among them, its officials continue to deny any tampering.
Not surprisingly, perhaps, the issue has become partisan. For President Trump and his base, any evidence that his victory was aided by Russians is an attack on his legitimacy, so there's little incentive to acknowledge it as a real problem, let alone treat it like a real threat. For everyone else, foreign interference planted seeds of doubt that a system long held to be sacrosanct was perhaps not always on the level.
"I think the worst-case scenario is what is currently happening, which is voters lacking trust in the process," says Michael Ertel, Seminole County's Republican Supervisor of Elections. "So regardless of whether there is any interference, which there hasn't been, there are partisans all over the political spectrum who are proffering interference in the election. What that does is it causes voters to have a lack of faith in the process."
Ertel adds: "If voters have a lack of faith in the process, they might not vote in the end."
What we know
Even prior to the 2016 election, concerns of a threat to election security in Florida had already begun to the surface.
On Sept. 30, 2016, FBI officials held a conference call with the state's 67 supervisors of elections. Though officials were told to keep tight-lipped, one supervisor later told reporters that the FBI informed them of "a malicious act found in a jurisdiction" in Florida. However, the agency stressed that the systems had not been hacked and that nothing was found to have occurred at the state level, such as tampering with Florida's voter registration database.
The call took place two days after then-FBI Director James Comey informed Congress that there had been more "attempted intrusions" in U.S. voter registration databases, and the agency was looking "very, very hard" at whether Russian hackers were responsible.
As Florida's election officials would later learn, that was only the tip of the iceberg.
On June 5, 2017, the Intercept leaked a classified document from the National Security Agency. Although the intelligence report did not specify the company's name, a document dated May 5 clearly described products made by Tallahassee-based elections vendor VR Systems, which provides elections technology to 64 of the state's 67 counties (but not Seminole or Orange counties), as well as seven other states. According to the documents, VR Systems had been penetrated in August 2016 by hackers working for Russian military intelligence, known as the GRU.
That was the first prong of the hackers' attempt. Using the company as a connection, foreign actors sent phishing emails to 122 elections officials across the country just days before Florida's 2016 primary election took place. The intelligence report states that the foreign actors tried to trick as many as seven "potential victims" at VR Systems with a spear-phishing email directing them to a fake Google website.
"[The GRU] executed cyber espionage operations against a named U.S. company in August 2016, evidently to obtain information on elections-related software and hardware solutions," intelligence officials wrote in the report. "The actors likely used data obtained from that operation to launch a voter-registration-themed spear-phishing campaign targeting U.S. local government organizations."
The report concludes: "It is unknown whether the aforementioned spear-phishing deployment successfully compromised the intended victims, and what potential data could have been accessed by the cyber actor."
Following the leak, on June 6, 2017, at least five of Florida's county election officials confirmed that Russian hackers attempted to break into their offices' computer systems days before the general election. Election supervisors in Hillsborough, Pasco, Citrus, Clay and Volusia counties told the Tampa Bay Times that they'd received the same type of emails described by the intelligence report. In the first four counties, the officials said their staffers hadn't opened the emails; Volusia officials admitted one staffer had but said the attachment didn't compromise its system.
VR Systems did not respond to Orlando Weekly's request for comment.
On Sept. 22, 2017, the Department of Homeland Security informed state officials that Florida was one of 21 states targeted by hackers in the 2016 election, later confirming it was one of seven states compromised by foreign actors. Both the Florida Department of State and the Office of the Director of National Intelligence have insisted that while Russians targeted Florida's voting systems, their efforts were unsuccessful.
But even that insistence – that Florida's results weren't hacked – underscores the fact that the Russian government got a peep show into the state's electoral process. And that could set the table for a future attempt.
"What usually happens with a foreign enemy is, if they don't do it one time, they try and try again until they succeed," says U.S. Rep Val Demings, D-Orlando. Earlier this year, Demings helped introduce the "Defend Against Russian Disinformation Act," legislation intended to strengthen federal cyber security and intelligence gathering. "You install a lock; they pick it. You install an alarm system; they learn how to defeat it. If they're determined to get into your house, your business, they're going to keep trying. They're watching, waiting for the opportunity."
Hardening the systems
A February report by the Center for American Progress gave Florida an "F" for election security, making the state one of only five to receive failing marks. Sarah Revell, spokeswoman for the Florida Department of State, says this grade is misleading. She says the state was unable to participate in the study because Florida law wouldn't allow the release of the information requested by CAP.
"It's ironic that because we kept protected information secure, we earned a failing grade," Revell says. (Orlando Weekly edited this story to include Revell's comment, which was received after press deadline.)
Still, that doesn't necessarily mean Florida's election security measures are weak, says Bill Cowles, Orange County's Democratic Supervisor of Elections.
"Miami-Dade County is the only county still using the touchscreens for the [Americans with Disabilities Act] requirement," Cowles says. "So because of one county, for disability voters only, we got an 'F' because we're still using electronic stuff. But everybody else in the state votes on a paper ballot."
To some extent, it's surprising that the Sunshine State has switched back to using paper ballots, especially after the hanging-chad fiasco of 2000. (The only exception to the state law, says Revell, "allows voters with disabilities the option to vote on accessible devices, but even this will require a paper record under Florida law by 2020.")
After the disputed 2000 election, Congress passed the Help America Vote Act, which pushed states to buy electronic machines. But former Gov. Charlie Crist announced the move away from touchscreen voting machines in 2007, opting again for the use of paper ballots counted by scanning machines.
"Anybody, anywhere in the world, honestly, who works in elections, will tell you that the safest, most secure way to conduct an election is with paper ballots," says Lori Edwards, Polk County's supervisor of elections.
In March, Congress approved $380 million in grants – $19.2 million of which was set aside for Florida – as part of a national election protection program. But for reasons that felt particularly partisan, state officials were slow to apply for the federal funds.
In May, Secretary of State Ken Detzner moved to preserve the money for long-term needs rather than short-term security. At the annual Florida State Association of Supervisors of Elections conference in Fort Lauderdale, Detzner said the money couldn't be distributed early enough before the November midterms, and that it would likely require a vote by the Joint Legislative Budget Commission to do so.
Even so, the requirements to qualify for the funds were simple: Every state had to submit a detailed summary of a timeline and description of the project's details. By law, states were also required to match 5 percent of the federal total, meaning Florida is on the hook for roughly $959,000. Each county election supervisor's funding is dependent upon voter population.
Gov. Rick Scott, who is running to unseat three-time U.S. Sen. Bill Nelson, wasn't happy with Detzner's approach. Less than a week after the secretary of state, a Scott appointee, waved off the funding for this election cycle, the governor ordered him to file the paperwork. It took just days for the feds to have the request approved.
Because of state officials' foot-dragging, county election supervisors had to put the money to use quickly.
Cowles says the funds his office requested must be spent on items or software that could be purchased and used in the November elections. "Any unspent funds must be returned to the state by mid-December 2018," Cowles says. "So the selection of projects had to be ones that we could do very quickly."
Of the more than $766,000 allocated to Orange County, Cowles says his office applied for about $408,000. He says he didn't request the full amount due to the restrictions that were placed on counties, including that Orange County wouldn't have been able to recoup county dollars already spent to help upgrade the systems.
Elsewhere in Central Florida, Seminole County received more than $300,000 from the program; Osceola County received $210,000; and Lake County received $240,000.
So far, county election officials say, the money has also been used to train staff on avoiding phishing schemes; employ vendors to make sure all firewalls and IT products are up to date, as well as ensuring that those meet the proper standards; replace old electronic poll books; and enhance each building's physical security, such as installing additional security cameras and dual authentication to enter secure rooms.
The Florida Department of State also received $1.9 million during the 2018 legislative session to provide grants to supervisors of elections for the purchase of a Network Monitoring Security solution, or ALBERT, a program offered through the Multi-State Information Sharing and Analysis Center. MS-ISAC, Revell says, identifies and shares information about potential threats with states and helps monitor state networks for suspicious activity.
Cowles, whose office received more than $19,000 in grant money from MS-ISAC, says election offices will be required to pick up the cost of the monitoring system after one year.
There are other security measures being put in place, elections supervisors say. But talking about them could make them vulnerable.
"Of course, there are other things having to do with internet security that we will not talk about," explains Lake County Supervisor of Elections Alan Hays.
A formula for mass confusion
Until August, the general consensus was that the Russians had tried and failed to breach the American voting system, which, in the words of Val Demings, "leads us to believe that the systems that we have in place obviously were able to withstand and did not fail us."
But then Sen. Bill Nelson, the ranking member of the Senate Armed Services Committee's cybersecurity subcommittee, made an off-the-cuff comment about how election interference was already underway in Florida.
"They have already penetrated certain counties in the state and they now have free rein to move about," Nelson told the Tampa Bay Times on Aug. 8. A day earlier, Nelson said something similar, though he declined to elaborate. "That's classified," he told reporters.
So what was Nelson referring to?
DHS and the FBI almost immediately disputed Nelson's claim, as did many election supervisors.
Paul Lux, Okaloosa County's Supervisor of Elections and the president of the Florida State Association of Supervisors of Elections, says Nelson's comments struck him as odd. "To me, that says either someone's over-exaggerating something or someone's not telling the Department of Homeland Security and the FBI what they need to know," Lux says. But the situation brings up a critical point.
"If there are intelligence agencies who have information about threats to elections in Florida or any other state, and they are not sharing this information with [DHS], who is tasked under the Patriot Act with protecting critical infrastructure," Lux says, "then we have a much more serious problem on our hands."
Alan Hays says, "[Nelson's] statement that the Russians are free to roam about, as far as I'm concerned, is total bunk.
"I have seen no evidence of that. I have heard nothing from any of the supervisors about that, and frankly, I think loose talk like that is doing a gross disservice to the voters in the whole state and in the whole nation."
It wouldn't be the first time Florida's election supervisors weren't given the whole truth. However, after staying mum for several days after making the claim, Nelson seemed to double down on his previous comments.
"It would be foolish to think that the Russians would not continue to do this as they did in Florida in 2016," Nelson told the Tampa Bay Times. "It's unfortunate that some Florida officials are trying to use this for partisan political purposes," he said, referring to how his opponent, Scott, had pounced on Nelson's comments by saying that the Democratic senator might have released classified information.
Nelson's comments ended up drawing an ethics complaint from the Foundation for Accountability and Civic Trust, described by OpenSecrets.org as "a conservative counterweight to watchdog groups viewed as more left-of-center," known for dark money funding from the likes of Charles Koch. FACT asserted that Nelson was guilty of either "disclosing classified information or improper conduct." Since then, he has neither stood by his comments nor denounced them.
"Nelson made these declarations with the authority and credibility of the Senate, which has access to classified information not made available to the public," the complaint says. "Yet, there is no publicly known evidence supporting the veracity of Nelson's remarks."
A statement from Senate Intelligence Committee Chairman Richard Burr, a Republican from North Carolina, neither confirmed nor contradicted Nelson's claim, though the statement made reference to "Russia's continued efforts to interfere in our democracy and undermine our elections."
Orlando Weekly reached out repeatedly to various operatives within Nelson's office for further comment, but did not receive a reply by press time.
"I think part of this thing is to scare people, to build that fear," Cowles says. "And what does it do? Keeps people from going to vote. So is it becoming more of a tool to control voter turnout, without really being malicious in trying to destroy records?"
Still, many experts still see cause for concern.
"The real threat is in the periphery, in the margins of the peripheral details, and that's why I think people have not quite grasped the nature of the threats," says Bradley Moss, a Washington, D.C.-based lawyer who specializes in matters relating to national security. "When someone is scanning and trying to infiltrate these systems, the real issue is just messing with the underlying data. Can they secure it efficiently enough to convince and to persuade and reassure voters that their data is accurate when they show up on Election Day?"
It's a question that's at the forefront of Florida election officials' minds.
"We've got unified statewide procedures," Cowles says. "That's what the [Florida Secretary of State] is doing, and that's why we have the training at our conferences to make sure that everybody is unified in terms of understanding what the potential risks are, and then what you need to protect your systems, to protect the statewide system, because we're all connected to the statewide voter registration database."
Asked how he feels going into the November midterms, Cowles says, "Very confident. But I'm always looking over my shoulder."
