The other Mueller finding: How one state addresses Russian hacking risk

An election worker puts up a ‘vote’ sign outside a polling station on the first day of early voting in Florida's Miami-Dade County for the general election Oct. 24, 2016.

Lynne Sladky/AP/File

April 25, 2019

Amid all the debate over whether the Mueller report incriminates or exonerates President Donald Trump, one salient point is being largely overlooked: Russia interfered in the 2016 election to undermine American democracy as a whole. And the damaging effects go beyond any one party or candidate. 

The intent of Russian meddling was to sow discord in the U.S. political system, said special counsel Robert Mueller in his report to the U.S. Justice Department. The intelligence community and others say that the Kremlin will likely launch more sophisticated attacks in 2020 – both cyberattacks and disinformation campaigns on social media.

“I guarantee you that Russia is working on hacking this election right now,” says Seth Moulton, a decorated Marine and Democratic congressman from Massachusetts who entered the presidential race this week on promises to bolster national security and restore America’s moral authority in the world.

Why We Wrote This

Florida has been a poster child for election glitches. Yet its efforts since 2016 show both the scope of a nationwide threat of election hacking and paths for states to face that threat.

“And the fact that we are just letting them undermine our democracy, undermine the very fundamental principle that every vote counts in a democracy, is complete dereliction of duty by the commander in chief of the United States,” says Representative Moulton, responding to a question amid campaigning in Bedford, New Hampshire, on Wednesday.

Nearly half the nation’s states were targeted by Russian hacking in 2016, and the Mueller report revealed that at least one county government in Florida was breached by it. It also revealed that Russians compromised the computer network of Illinois’ Board of Elections and gained access to information about millions of voters there.

Boston broke a record last year for fewest homicides. It’s on track to do it again.

Florida is of particular concern as a key swing state and one which has faced numerous crises in its election system going back to the “hanging chad” controversy in the 2000 race between George W. Bush and Al Gore.

And it makes an important case study for other reasons. Its efforts since 2016 to step up election security and improve its cyber defenses illustrate both the scope of the challenge and possible paths to address it.

“We definitely here in the state of Florida have been and will continue to make this issue one of the most important issues moving forward,” says David Stafford, supervisor of elections for Escambia County and one of nine local election officials on the national Government Coordinating Council (GCC) for election infrastructure.

How Florida has stepped up security

One thing the Trump administration has done, with the help of the GCC, is establish the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC), which monitors election security threats.

Paul Lux, president of the Florida State Association of Supervisors of Elections, says the state was one of the first to get all local election offices to join EI-ISAC or a related national information sharing network, MS-ISAC, which alert election officials to new and ongoing threats.

Why Florida and almost half of US states are enshrining a right to hunt and fish

In addition, 66 of 67 Florida counties have installed ALBERT sensors, which help detect malicious activity in their networks (the final county is in process).

Congress, for its part, last March approved $380 million to be disbursed to states for election security.

Florida’s then-Gov. Rick Scott directed the state to spend all $19.2 million of its allocation on shoring up its 2018 election. That covered everything from physical fences to digital defenses, including hiring five roving cybersecurity specialists.

The state has also worked with the federal Election Assistance Commission to provide cybersecurity training to state and local officials. They learned tips like, “Passwords are like underwear … change them frequently and don’t share them with anybody.”

The University of West Florida’s Center for Cybersecurity provided additional training, including live simulations in their Florida Cyber Range. The range provides a virtual environment in which attacks can be launched, giving election officials and IT workers an opportunity to learn how to identify such attacks and respond to them in a highly realistic scenario.

“Cybersecurity needs to be everybody’s business, from the elections supervisor to the volunteer,” says Eman El-Sheikh, a computer scientist who directs the university’s center. “You’re only as secure as your weakest link.”

Despite all this, a February 2018 report by the Center for American Progress gave Florida an “F” for its election security.

The think tank made that assessment based on incomplete information because the Department of State declined to participate, but lead author Danielle Root says that even with all requested information, the highest rating Florida could have received would have been a “D.” Department of State spokeswoman Sarah Revell counters that the department could not provide the information under state law, and that the report is misleading as a result. “It’s ironic that because we kept protected information secure, we earned a failing grade,” she writes in an email.

Mueller report: At least one county office breached

Florida has 67 county election offices, which service anywhere from 10,000 to 1.4 million voters with staffs ranging from one or two people up to 50 to 70 employees.

The Mueller report, on page 51, says that according to an FBI investigation, Russia sent spear-phishing emails to 120 Florida county election officials. The FBI concluded that Russia was able to “gain access to the network of at least one Florida county government.”

Then-Sen. Bill Nelson, a Democrat, warned last summer that multiple counties had been breached.

The Mueller report provided the first confirmation from a federal entity that Russians gained access to a Florida county government.

In response, Florida’s Department of State said it was not notified of any such breach, including by any of the 67 counties, and that the FBI had declined to provide further information.

“The Florida Voter Registration System was and remains secure, and official results or vote tallies were not changed,” the department said in a statement.

There is no evidence that Russian interference affected actual ballots or vote tallies.

Mr. Stafford says even if the FBI hasn’t divulged details of any attack, information from such threats is likely being incorporated in the ALBERT monitors and the alerts going out through EI-ISAC.

In addition, Mr. Lux says there’s an important distinction between a system being accessed and being compromised. He compares access to someone who sneaks into the lobby of a New York City apartment building behind someone who has a key.

“You don’t have the key to operate the elevator, you don’t have the key to open any of the doors, you’re just kind of sitting in the lobby and you’re not doing anything,” he says. “That’s the difference between being accessed and compromised.”

The road ahead

Mr. Trump has played down claims of Russian interference, apparently equating the issue with attempts to delegitimize his election. According to The New York Times, recently ousted Homeland Security chief Kirstjen Nielsen was repeatedly thwarted in her efforts to develop a more comprehensive and robust plan to protect the 2020 elections – a point Representative Moulton echoed on the campaign trail.

“He’s more concerned about his own personal reputational security than the security of the United States of America,” said the congressman.

Lawrence Norden, deputy director of the Democracy Program at the Brennan Center for Justice, says he is concerned that Russia’s success in 2016 will not only encourage them to try again – but could open a Pandora’s box of interference from multiple actors.

“Up to 2016, whether it was said publicly or not, there was a feeling among some that nobody would attempt to meddle in our elections because we’re the United States, we’re the world’s superpower, and to do something like that would risk a tremendous pushback with real repercussions,” he says.

“Now that it’s happened and there weren’t such repercussions, I do fear that others will say, ‘Well, we want to get in this game, too.’”

Dr. El-Sheikh, the computer scientist and head of UWF’s Center for Cybersecurity, says the key is not preventing all attacks but being prepared to respond to them.

“There are always going to be threats, and the threat landscape continues to evolve. Every attack is more complex than the one we’ve seen before,” she says. “The solution isn’t in trying to reach 100% security. The solution is to create more awareness, education, and training … so that we try to prevent damage from attacks to the extent that’s possible.”