State Politics

Cyber security replaces hanging chads as elections officials’ big worry

Broward County canvassing board member Judge Robert Rosenberg uses a magnifying glass to examine a disputed ballot at the County Courthouse in Fort Lauderdale, Nov. 24, 2000.
Broward County canvassing board member Judge Robert Rosenberg uses a magnifying glass to examine a disputed ballot at the County Courthouse in Fort Lauderdale, Nov. 24, 2000. AP

Voting experts in Florida, the national epicenter of electoral suspense, have one concern above all others as they prepare for the 2018 election.

Click. Cyber-security.

Efforts by Russian hackers to attack computers in Florida last fall failed, but that shed light on potential vulnerabilities of an election system managed locally and in mostly small counties with limited technological resources.

“It’s the main topic of conversation,” said Pinellas County Supervisor of Elections Deborah Clark at a conference of election supervisors. “I just don’t think you can have too many people looking at this stuff.”

As Clark and dozens of her colleagues mingled at the Omni Champions Gate near Walt Disney World on Tuesday, they said they are more security-conscious than ever. On Thursday, officials will attend a seminar titled “Election Integrity in the Current Political and Media Environment.”

Nearly two decades ago, Florida was thrust into unprecedented scrutiny of its voting system after a deadlocked 2000 presidential election. The stuff of books, movies and monologues, it largely came down to punch-card ballots and those chads that left voters’ intentions hanging, too.

IMG_7998
Ben Martin is chief operating officer of VR Systems, the Florida firm targeted by a Russian phishing attack in 2016. Steve Bousquet Tampa Bay Times

The new threat is seen as far more sinister because it’s blamed on a hostile foreign power, and it’s much harder to see.

The first of two Russian hacking attempts in Florida last August targeted VR Systems, a 25-year-old vendor of voting equipment software based in Tallahassee that serves 64 of the state’s 67 counties and does business in several other states.

A leaked report by the National Security Agency, which cited the Kremlin’s involvement, said the would-be hackers likely penetrated VR’s email system to reach counties using a tactic known as phishing.

On Tuesday, VR Systems’ chief operating officer Ben Martin told the Herald/Times at the conference that this hack failed.

“We were not compromised during that phishing campaign,” Martin said.

According to the NSA report, the hackers then created spoof email accounts designed to resemble VR Systems’ own accounts and fired off malicious “spear-phishing” messages to 122 election officials, including some in Florida.

The first of two Russian hack attempts in Florida last August targeted VR Systems, a vendor of voting equipment software based in Tallahassee. Ben Martin, VR Systems’ chief operating officer

Florida’s electronic system of counting votes is not connected to the Internet, and it’s separate from voter registration data. VR Systems has no role in counting ballots in Florida. The FBI and Department of Homeland Security opened an investigation, but Martin said he learned of the probe from county clients, not the federal agencies.

Martin said VR Systems did not survey counties on how they reacted to the suspicious emails. He said that’s the responsibility of the counties and their own IT staffers.

“We didn’t necessarily want to know unless they wanted to share that with us,” Martin said, expressing their concern about media leaks.

Even as he vowed his company’s system had not been successfully breached, Martin did warn that there’s no such thing as “totally secure” in today’s world.

“If anybody tells you they’re secure, don’t believe them,” Martin said. “There are just different gradients of security.”

One lingering unknown is how the Russian hackers got the email addresses of 122 election officials across the country.

VR Systems says all were online but at least one election supervisor is skeptical.

“There are a couple of missing links here,” Hillsborough Supervisor Craig Latimer told the Associated Press. He declined to elaborate.

No publicly disclosed evidence shows that any county was breached. But on Tuesday, Florida supervisors stressed the importance of ensuring that any lingering anxiety be eased before the next statewide election cycle in 2018.

“Our success depends on having the trust of voters,” said Mark Earley, supervisor of elections for Tallahassee’s Leon County. “If that trust is lost, it’s almost impossible to regain.”

To give historical perspective to today’s cyber threats, Theresa LePore, who ran Palm Beach County’s elections office during the presidential recount in 2000, spoke of her own traumatizing experience.

0101035824
Palm Beach County’s infamous ‘butterfly’ ballot from 2000. James W. Prichard Palm Beach Post

Many of today’s election supervisors were not in office during the historic 36-day siege of manual recounts, hanging chads and the notorious “butterfly ballot,” produced by LePore’s office. Some Democrats said the design was so confusing that they mistakenly voted for Pat Buchanan, not Al Gore, in an election that a 5-4 U.S. Supreme Court decided in favor of George W. Bush.

LePore, who is working on a book about her 2000 experience, noted that the “facing page” ballot, as it was known, was approved by both parties and candidates, but that is largely forgotten.

“Document, document, document,” LePore told the crowd of election officials as footage showed angry demonstrators in South Florida and bleary-eyed canvassing board members holding paper ballots up to the light.

“Have an emergency plan in place. You may think it may never happen to you,” LePore warned them. “When you do have something happen, try to be as transparent as possible.”

Contact Steve Bousquet at sbousquet@tampabay.com. Follow @stevebousquet.

  Comments