Florida Takes Steps to Bolster Election Security
At the Def Con hacker conference in Las Vegas last week, an 11-year-old boy was able to hack a Florida state election website and change voting results on the page — in under 10 minutes. Florida election officials contend that the real website for the Florida Department of State is a much more secure.
The episode puts a spotlight on election security in the Sunshine State, the epicenter of the 2000 presidential election recount and a perennial swing state. In June, the state received $19.2 million in federal grants to boost cybersecurity in advance of Florida’s Aug. 28 primary election and the general election on Nov. 6. Then, in July, the state legislature granted Secretary of State Ken Detzner authority to spend the money.
Last week, Florida Gov. Rick Scott announced that the DOS had approved Election Security Grant applications for all 67 Florida counties, totaling $15.45 million, Space Coast Daily reports.
Some counties are already taking advantage of the funds to harden existing defenses and purchase new equipment. Meanwhile, the University of West Florida’s Center for Cybersecurity is now offering election security training to Florida state and county cybersecurity personnel.
“As we approach the 2018 election season, there is nothing more important than ensuring the security and integrity of Florida’s elections,” Scott said last week, according to Space Coast Daily. “In Florida, we are focused on 100 percent participation and zero fraud, and this additional funding will help Supervisors of Elections build on their existing infrastructure and enhance security measures so that we can ensure Florida has another successful election in 2018.”
Florida Counties Get More Funding for Election Cybersecurity
The director of the state Division of Elections, Maria Matthews, said last month that the money can be used for physical security, cybersecurity, voting system upgrades, post-election audits and risk assessment audits, according to the Tampa Bay Times.
Some counties with larger populations are naturally getting more money. Miami-Dade County will receive $1.6 million, Broward will get $1.2 million, Hillsborough $814,000, Pinellas $666,000, Pasco $349,000 and Hernando $163,000, the Tampa Bay Times adds.
Notably, Detzner said county election supervisors cannot use the new funds to hire their own cybersecurity experts, calling that “duplicative” of the state’s existing election security efforts.
“I don’t think they need some,” Detzner said in July, the Times reports. “I think that they ought to have their own in-house cyberspecialists, like we hope to. But no, they don’t really need their own. They can use ours. That’s what the purpose was, to support the supervisors … I think it would be duplicative and I think they should use the resources that we're making available to them.”
Gulf and Palm Beach Counties Start to Step Up Election Defenses
Gulf County Supervisor of Elections John Hanlon says the county’s election system firewalls have almost daily contact with malicious actors searching for any vulnerabilities.
“None of them are successful, but every day we have IP addresses bounce off the firewall, people looking for a weakness, anywhere that is vulnerable,” Hanlon tells The Star.
Cybersecurity is “on the forefront of every supervisor’s mind,” Hanlon adds.
Gulf County is going to use the nearly $61,000 it received in grant money to harden systems it already has in place, Hanlon says. “This money will allow us to harden our systems even more than they are. We had to submit a plan, and while they didn’t fund all of our plan, they funded most of it. We want to make our systems even harder.”
Specifically, according to The Star, the extra funds will help Gulf County with real-time tracking of voter information and provide additional firewall protection and a server to monitor all electronic traffic within the office. Further, the county will use a multifactor identification system to protect workstations. In short, anyone “getting into the building would have another level of security to access a work station,” Hanlon notes.
Meanwhile, in Palm Beach County, Supervisor of Elections Susan Bucher has used some of the county’s extra $909,513 in election funding to order 1,750 updated Apple iPad Minis with the latest Apple security patches. The county will use the tablets to check in voters at the polls in the November election, according to the Palm Beach Post.
Bucher says the county’s elections office works with an FBI agent and an investigator with the Department of Homeland Security who are assigned to the area. The iPads’ internet connection is behind Palm Beach County’s firewall, which is monitored by DHS, Bucher tells the Post.
For extra security measures, votes are filled out on paper, election equipment is not connected to the internet, and the county elections office performs audits after elections. the Post reports. Bucher says iPads are individually licensed, encrypted and downloaded with the voter database. “So, if someone wanted to hack the voter database, they’d have to attack each Mini iPad separately,” Bucher tells the Post.
State Partners with University of West Florida on Election Security
Since March, the University of West Florida has been working with the state to bolster the state government’s general cybersecurity training curriculum. It now supports been county election supervisors and county IT and security staff, Eman El-Sheikh, the center’s director, tells StateScoop.
The publication reports:
The election security training started in June is comprised of the Center’s “Cybersecurity for All” curriculum and operations based out of the Florida Cyber Range, which is the Center’s multi-use cybersecurity range open to academia, industry and Florida state government entities. Election supervisors, IT staff and officials from Florida's Department of State sat in on the June training sessions, which covered a range of topics from why cybersecurity is important and its potential impact on election systems to identifying and remedying different types of threats, including malware, phishing, web-based attacks and denial-of-service attacks.