Russian hackers likely to target Florida again in 2020 election, experts warn

Peter Stone in Washington
Florida’s record as a vital swing state made it a target for meddling in the 2016 election, when Russians breached two county voting systems and a software vendor, and now concerns are being raised about voting security in the state for the 2020 ballot, say election and cyber security experts, federal reports and Democrats.

With FBI director Christopher Wray and other intelligence officials predicting more Russian and possibly other foreign interference in the next elections, experts say Florida is again a likely target for Russian hackers, or others bent on disrupting voting, which potentially could alter tallies and create other problems.

“Obviously, Florida will be a critical state in 2020 and Florida election officials should assume they will be targeted again,” said Larry Norden, who runs the election reform program at the Brennan Center for Justice.

Election security experts are concerned about several potential problem areas, including software that stores sensitive voter registration data, the short timetable for any post-election audits and Florida’s history of voting snafus.

Some of Florida’s election problems in 2016 were highlighted in April by special counsel Robert Mueller’s report about Russian interference and in a July Senate intelligence committee study on Russian meddling and election security issues nationwide.

The Senate report indicated Florida state and county officials were warned by federal authorities in mid-2016 that Russian hackers were targeting four counties, but the warnings didn’t stop attacks on at least two of them.

“There are a lot of reasons to be concerned about the security of Florida’s elections,” said senator Ron Wyden, who sits on the panel and advocates more robust efforts and spending for election security in 2020.

Wyden cited Florida Republican senator Marco Rubio’s statement that Russia was in a position to “change voter registration files in 2016,” and the Mueller revelation that a major Florida software vendor, VR Systems, which operates in most Florida counties and seven other states, was “hacked by Russia.”

Florida has taken several steps since 2016 to bolster its electronic voting systems, including deploying network monitoring sensors in all counties to detect meddling and expanding paper ballot backup systems, among other measures.

But experts and top Democrats say much more needs to be done to minimize the chances of foreign interference with the state’s voting systems in 2020.

The Brennan Center’s Norden stressed that, in contrast to the state’s electronic voting machines, there is no requirement in Florida to certify the security of electronic poll books, which store voter lists and are widely used to check in voters at the polls.

VR Systems supplies e-poll books and other tools that are used in almost all of Florida’s 67 counties. “E-poll books are critical,” Norden said. “We should have security certification for them, just as we have for voting machines.”

Likewise, Norden noted “there is no requirement in Florida to require paper backups in the polling place” for e-poll books, which he noted was “a weakness if electronic pollbooks fail or malfunction during the election”.

Norden’s concerns about VR Systems stem partly from a key finding in the Mueller report indicating that a Florida voting technology company, which matches VR Systems’ profile, was targeted by Russian hackers who placed malware on its network.

Soon after Mueller’s report disclosed that malware was placed on VR’s network, Florida governor Ron DeSantis acknowledged that the FBI had informed him that two counties’ election systems were breached, apparently due to a so-called “phishing” attack on VR Systems, in which a flood of infected emails is sent to a target in the hope one is opened, allowing the hackers access.

VR Systems notified the FBI about the phishing attack in August 2016, and has said it had an outside audit done later which indicated its systems were not breached.

Other questions persist about VR Systems, including voting problems on Election Day 2016 in a North Carolina county that used VR laptops. According to a Washington Post report, the Department of Homeland Security this June launched an inquiry into VR laptops used to check in voters in Durham county, which were quickly taken out of use after it was discovered they incorrectly informed some voters that they had already voted, or needed IDs.

Moreover, other election security problems in Florida were underscored by the Mueller and the Senate intelligence reports, which undercut previous statements from Florida officials about the security of their elections.

While the Senate intelligence report doesn’t name Florida, it refers to a “state #2” which analysts say matches what Mueller’s report first disclosed: Russian intelligence breached two counties’ electronic voting systems.

Although no evidence has surfaced that the two counties’ vote totals were changed, the Senate report says Russian hacking gained access to sensitive information.

Florida officials are portrayed in the Senate report as in the dark about what happened in the counties, and wary of sharing information on the state’s cybersecurity measures.

The report, for instance, quoted the Florida election director telling the committee in a conference call in late 2017 that there was “‘never an attack on our systems’ and ‘We did not see any unusual activities. I would have known about it personally.’”

And the report said that Florida “did not want to share with the Committee its cybersecurity posture, but state officials communicated that they are highly confident in the security of their systems”.

For their part, Florida officials last month announced $2.3m in election security grants to 55 counties that applied for them, and have touted their network monitoring sensors, which are considered good tools to detect foreign hacking.

But Florida Democratic congresswoman Stephanie Murphy has criticized officials for their slow release of details about what happened in 2016, and their continuing failure to disclose which counties the Russians targeted.

“This unwillingness by our federal agencies and county election officials to be forthcoming with information will only undermine public confidence in the integrity of our election systems,” Murphy said in a statement.

Other Democrats and experts are urging Florida to take more steps to thwart potential problems in 2020.

Wyden has suggested Florida “follow the lead of states like Virginia and Colorado and switch to a paper-ballot system with automatic risk-limiting audits, which experts widely agree is the most secure way to vote”.

Wyden added that “the state doesn’t require routine, rigorous post-election audits, which means it could be impossible to detect if the state’s elections are hacked”.

Another concern, raised by Robert Anderson, the CEO of Cyber Defense Labs in Texas and an ex-FBI official who oversaw criminal and cyber inquiries, is Florida’s problems with vote counting, going back as far as 2000’s hotly contested presidential election, which make it a “strategic intelligence target” for foreign interference.

“Florida has had ongoing voter tabulation issues that could allow a foreign actor like Russia the ability to penetrate their systems and obfuscate their movements,” Anderson said.