Sun Sentinel Palm Beach Edition
FBI finds Russians hacked into a Florida county election system
Russian efforts to influence the 2016 presidential election included attempts to infiltrate Florida election offices’ computer systems. The FBI concluded the operation was successful and the intruders were able to “gain access to the network of at least one Florida county government.”
The tantalizing — and alarming — information about the FBI’s findings came out on Thursday, as part of the public release of Special Counsel Robert Muller’s report on Russian attempts to influence the presidential election. The attempt to infiltrate Florida’s elections system has been reported
previously; the Mueller report provided a few more details — but didn’t answer critical questions about just what was accessed, and where.
State and local elections officials on Thursday repeated what they’ve said before: They have no evidence that Florida elections systems were infiltrated by the Russians, and the presidential election wasn’t compromised.
Supervisors of elections offices in Broward, Palm Beach and Miami-Dade counties each said it wasn’t them. Their technology systems weren’t compromised, the supervisors or their representatives said.
“The 2016 elections in Florida were not hacked. The Florida Voter Registration System was and remains secure, and official results or vote tallies were not changed,” said a statement from Sarah Revell, a spokeswoman for Secretary of State Laurel Lee, who is responsible for overseeing elections.
Paul Lux, the Okaloosa County supervisor of elections and president of the Florida State Association of Supervisors of Elections, said the Mueller report’s description of the FBI’s conclusion — which refers to a county government — doesn’t mean an elections office was affected.
“In the Mueller report, the ambiguity of that statement is not specific to an elections office. It says a county government office,” Lux said. He said he does not know of any Florida elections office that was compromised. “I have not heard that from any county in Florida.”
The Florida Department of State added that it “has no knowledge or evidence of any successful hacking attempt at the county level during the 2016 elections. Upon learning of the new information released in the Mueller report, the Department immediately reached out to the FBI to inquire which county may have been accessed, and they declined to share this information with us.”
The Mueller report said that the GRU, the Russian Military intelligence agency, attempted to gain access to election systems.
In November 2016, the Mueller report said, “the GRU sent spearphishing emails to over 120 email accounts used by Florida county officials responsible for administering the 2016 U.S. election. The spearphishing emails contained an attached Word document coded with malicious software [commonly referred to as a Trojan] that permitted the GRU to access the infected computer.
“The FBI was separately responsible for this investigation. We understand the FBI believes that this operation enabled the GRU to gain access to the network of at least one Florida county government,” the report said. The Special Counsel’s Office “did not independently verify” the FBI’s belief and “did not undertake the investigative steps that would have been necessary to do so.”
Sarah Schwirian, press secretary for U.S. Sen. Rick Scott, R-Fla., said via email that “The FBI needs to provide any and all available information in relation to what is in the report to state elections professionals in Florida and Congress in order to ensure free and fair elections across the nation.”
Last year, then-U.S. Sen. Bill Nelson, D-Fla., warned that Russians had gained access to Florida voter data. But he declined to identify which counties had been penetrated, saying the information was classified. No other officials backed up Nelson’s claim.
Scott, who defeated Nelson in November, doesn’t view what’s in the report as vindicating his predecessor’s assertions, Schwirian said via email. “Bill Nelson made claims about Russian interference without providing any evidence. Senator Scott called on then-Senator Nelson to provide evidence, which he refused to do. The Florida Department of State had no information to corroborate Nelson’s claims and the FBI and Department of Homeland Security did not provide any information to support the claim.”
Nelson could not be reached on Thursday.
While he didn’t comment on the specifics offered by Nelson last year, U.S. Sen. Marco Rubio, R-Fla., warned repeatedly that “state election systems are potentially vulnerable to Russian cyberattacks.” Rubio wasn’t available for comment on Thursday.
An indictment as part of Mueller’s investigation alleged that an officer in the Russian military who worked in Russian intelligence and his co-conspirators relied on an email account designed to look as if it came from a vendor used by election officials.
The Mueller report said that in August 2016, “GRU officers targeted employees of [redacted], a voting technology companies that developed software used by numerous U.S. counties to manage voter rolls, and installed malware on the company network.”
An elections system vendor, VR Systems, which wasn’t named in the Mueller report but in the past was repeatedly identified in news accounts as the vendor in question, repeatedly denied that information was stolen from it and used to send phishing emails to local elections officials. On Thursday, Benjamin Martin, chief operating officer of VR, said in a written statement that the company “implemented a comprehensive program to ensure integrity in elections” after the phishing attempt. He said the company has completed a Department of Homeland Security Risk Vulnerability Assessment and continues to work “tirelessly every day to protect our systems and our customers.”
Tallahassee-based VR is a dominant provider of election systems software. Orange County Elections Supervisor Bill Cowles said 65 of 67 Florida counties now use the company’s software, up from 52 in 2016, and the last two counties, Palm Beach and Sarasota, are in negotiations to do so as well.
Lux said someone clicking on a phishing email does not mean access to the actual elections systems that are used for tabulating votes and programming voting machines. He said any attempts to meddle in voter registration systems would have become obvious during the 2016 sand 2018 elections because people would have shown up to vote and their registrations would be altered or gone. Voter registration problems would also have become known when elections offices filled requests for vote by mail ballots.
Lux, whose background is in information technology, said the wording in the report — “gaining access to a county network versus being poised to act on a county network are two different things.”
In November 2016, the Mueller report said, “the GRU sent spearphishing emails to over 120 email accounts used by Florida county officials responsible for administering the 2016 U.S. election.”