Florida's secrecy about election security makes it nearly impossible for voters to be confident that they can make a difference. That's especially true after the state forced all 67 elections supervisors to sign nondisclosure agreements to keep hidden measures taken to prevent voter system hacking.
TALLAHASSEE — Florida’s March 17 presidential primary will be a referendum on state and county elections officials’ efforts to build a wall to stop hacking attempts that are constantly bombarding the system.
At a time when 59 percent of the public doesn't trust the election process, state elections officials have thrown a veil of secrecy over that work, refusing to disclose details about the weaknesses detected in their systems and whether they’ve been fixed.
RELATED>>Supervisor of Elections Lori Edwards: No danger Polk voting system will be hacked
Florida has doubled down on secrecy since federal officials reported at least four counties were hacked in 2016. The state forced all 67 elections supervisors to sign nondisclosure agreements before they could receive federal funding for elections security, be briefed about vulnerabilities found by cybersecurity experts or even hook up to the state’s voter registration system.
“It just felt coerced,” said Polk County Supervisor of Elections Lori Edwards, a former member of the Legislature. “We have a broad public records law for a reason, so having to sign a nondisclosure agreement didn’t sit well with me … not only to receive funds, but information too.”
The far-reaching confidentiality pacts, including a nondisclosure agreement that public records experts call bizarre and unenforceable, threaten to make a casualty out of transparency in the Sunshine State.
“Transparency is key," said Anthony J. Ferrante, global head of cybersecurity and senior managing director for Washington, D.C.-based FTI Consulting, an independent global business advisory firm. "It is important for every voter to know they have accessibility, integrity and reliability and that their vote is reported and true and accurate."
Without that transparency, residents will lack confidence their votes will count, said Ben Wilcox, research director for the nonprofit ethics watchdog Integrity Florida.
"If there is a complete lack of confidence in the integrity of the voting system, it will have a chilling effect," Wilcox said. "If people become so cynical that the election is predetermined or hacked by foreign countries ... then people may not vote."
A recent Gallup poll showed only 40 percent of Americans trust the election system, up from 30 percent in 2016.
Keeping secrets also doesn't help get “the additional resources to harden networks,” create backup systems and “make sure people can’t hack into our systems,” said U.S. Rep. Stephanie Murphy, a Democrat whose congressional district includes Orlando. Murphy and fellow Florida Rep. Michael Waltz, a Republican, have introduced legislation that would require federal officials to immediately notify state and local officials and members of Congress if an election system is hacked.
“We are not able to do that because of the lack of transparency with what happened in 2016," Murphy said. "We are victims of an info war."
Florida's official veil of secrecy
When it comes to patching up those vulnerabilities, Florida officials would rather tell residents to trust them than show what they’ve done. Too much specific information would just make it easier for foreign agents to access voter information, they say.
“I find Florida to be probably the most secretive state as far as not telling people where these hacks occurred. It only fuels the symptoms of suspicion,” said William Theobald, who writes about election security at the national level for The Fulcrum, an online news organization funded by nonprofits including the Hewlett Foundation.
"It’s the opposite of what they ought to be doing, and it seems like they are protecting local supervisors of elections from embarrassment,” Theobald said.
Florida’s heightened need for security is fueled by daily attacks and ever-present threats of future hacks, something state officials became aware of only after the 2016 elections.
“Every single day, foreign and domestic actors attempt to penetrate our network,” Secretary of State Laurel Lee, a lawyer and former judge who was appointed a year ago by Gov. Ron DeSantis, told the USA TODAY Network–Florida.
To fight those breaches, DeSantis in June reauthorized $2.3 million left over from a $15.1 million federal election security grant that Congress had approved the year before. That money was in addition to $2.8 million approved by the Legislature last session for election security.
As more information came out about the extent of the 2016 hacking, the federal government declared elections systems to be critical infrastructure. With that designation came a heightened need for confidentiality.
The FBI made DeSantis and Lee sign nondisclosure agreements, or NDAs, before being briefed on which Florida counties were hacked. And despite promising as much transparency as possible, Lee created a bureaucratic wall of paperwork to control the flow of money and information.
This layer of bureaucracy seemed to stem from Homeland Security’s new involvement in the state’s elections system, said Edwards, Polk County’s elections supervisor.
“There is a whole byzantine, bureaucratic stratus associated with that ever since Homeland Security named the electoral system as critical infrastructure,” Edwards said. “All of a sudden … they were not willing to share any information without an NDA to the secretary of state.”
Lee created the Joint Elections Security Initiative, or JESI, so the 67 elections supervisors could share cybersecurity information and receive training and support from the state’s “cyber navigators.” But to participate, they had to sign a memorandum of understanding and a “Cyber Security Non-Disclosure Agreement” that said they wouldn’t divulge any of the vulnerabilities they had found or the defense measures they took to beef up their cybersecurity.
Elections supervisors had to sign the NDA to see what the cyber navigators discovered during their risk assessment, according to an email they received in July and obtained by USA TODAY Network–Florida. Two reminders went out in September to supervisors who still hadn’t signed the agreement.
Elections officials also had to sign memoranda of understanding as part of the application process to receive the leftover federal grant money.
“It was made clear that receiving JESI grant funds and assistance from the Department of State cyber navigators was dependent on signing the agreements,” Edwards said.
The NDA came up around the same time the risk assessments were coming out, she said.
“I think it’s when they started giving the reports back that tripped this confidentiality issue,” Edwards said. Some supervisors didn’t want it known that they had problems. “Say Sunshine County had not configured its firewall correctly, for instance,” she said.
Elections supervisors were concerned about information from the risk assessment getting out that showed both strengths and weaknesses in the elections system, said Helen Aguirre Ferre, a spokeswoman for DeSantis. The NDA was a way to guarantee that potentially compromising information wasn’t released to the public, she said.
“Nobody was coerced,” Ferre said.
“The agreement was voluntarily signed by each supervisor of elections,” said David Frady, a former spokesman for the Department of State.
The NDA’s first draft didn't go over so well, said Mark Earley, Leon County's elections supervisor and a Democrat. Supervisors objected to some of the language, he said, but “both sides worked together to iron out those differences, and then all supervisors signed as well as the state.”
Edwards said no NDA would stop her from being transparent with voters.
“It’s not cramping my style in any way,” Edwards said. “I am telling people everything they need to know to feel we are doing all we can to protect our system. I am comfortable saying we had a vulnerability test and took appropriate action. We need to provide a level of confidence without telling anyone where the hole in the dike was.”
Little Sunshine for public records requests
USA TODAY Network–Florida sent two detailed public records requests to all 67 county elections offices to find out two things: who was warned by the FBI about hacking efforts prior to the 2016 election and how counties spent the funds to prevent it from happening again.
The NDA explained the uniform responses and heavily redacted records that came from the nearly three dozen elections supervisors who responded to the records requests. The exemptions seemed inconsistently applied among supervisors. Some provided partially redacted records. Some provided totally redacted records. Others provided no records at all.
The first records request was based on details in a federal intelligence report submitted last June to the U.S. Senate Intelligence Committee. The records request asked nine questions about information shared with the FBI and Homeland Security about hacking, spear-phishing, scanning and other attempts to breach voter registration files, as well as offers of assistance from both agencies.
The second records request asked what type of financial assistance the counties received from state and federal agencies. Invoices, bills, contracts and other records were requested to find out how they spent federal, state and county funds on software, equipment and training to improve election security.
About two-thirds of the counties responded to both requests. About a dozen never replied after acknowledging the request, while 10 wanted payment up front, ranging from $20 to almost $400.
One county, Duval, ultimately decided to waive its $180 fee.
For the request about security spending, about 30 sent heavily redacted documents, blacking out the names of vendors and descriptions of equipment purchased. Several provided no documents at all, saying the records themselves were exempt.
Sixteen counties provided complete, non-redacted records without charge.
On the hacking questions, most said either they had no records related to the request or that the records were protected under the Cybersecurity Information Sharing Act of 2015 or Florida statutes related to security plans and information technology.
"At first glance, most of this is exempt from public records under the Cyber Security Information Sharing Act of 2015," Lisa Lewis, elections supervisor for Volusia County, said in an email about the records requests.
Lewis had told reporters and officials that she spotted suspicious emails prior to the 2016 election but caught it before Volusia’s voter registration system could be infiltrated.
In a follow-up phone call, Lewis said suspicious emails made to look like they came from the voter registration system vendor, Tallahassee-based VR Systems, came to the addresses belonging to her, the previous elections supervisor, a deputy supervisor and the elections office email.
VR Systems is a technology company that provided voter registration information management to more than 50 Florida counties in 2016 and now provides that service to all 67 counties and more than a dozen states.
“I felt we were lucky,” Lewis said. “We were responding to lots of emails in the middle of an election, and this caught my eye and the eye of my deputy too.”
Lewis said no system is 100% protected, but she is “confident” they’ve done everything they can to make the elections system more secure.
Prior to the NDAs, all security procedures were a matter of public record, Lewis said.
While supervisors want the elections to be transparent, “we can’t divulge any security measures that would make it that much easier for our enemies to take someone’s vote away," Lewis said.
Most counties said they cooperate with the FBI and Homeland Security and receive regular updates on activities. But to say more “would provide information of value to those seeking to breach the security of our elections system," said Lana Self, Duval County's deputy supervisor of elections.
Robert Phillips, the chief elections officer for Duval’s elections supervisor, didn't redact any supposedly critical information before sending it.
"These have been our vendors of record for several years, and we have done other local media stories in which we disclosed our vendors," Phillips said.
Joyce Griffin, Monroe County’s elections supervisor, would share only that she spent all but $18 of the $100,746 in federal election security funds she received. “I have to sleep at night,” she said. “You want to write a story that I think is dangerous. Why would I give you any information about security if I want to keep the system secure?”
Only two counties — Alachua and Orange — acknowledged they were contacted by the FBI prior to the 2016 election about hacking attempts, but Orange County said it had no records related to the request.
Alachua County produced emails recounting at least two conversations with the FBI in October and November 2016 alerting them to malicious phishing attempts.
"The only confirmed malicious phishing email we are aware of targeting our office was the email from November 1, 2016 posing as a notification from one of our vendors which was widely reported on in 2017, based on an NSA report," Will Boyett, Alachua County’s chief deputy supervisor of elections, said in an email in response to a records request from another news agency.
"We confirmed at the time that no copies of said email were opened in our office and conducted a security review to ensure no corruption or penetration of any elements of our network occurred at that time," Boyett said.
That vendor was VR Systems.
A glimpse into how counties are protecting elections
The counties that did provide unredacted, detailed records on what they spent gave a glimpse into what was done to improve election security. And those in turn point to what vulnerabilities they were patching up.
For example, they replaced outdated voter check-in equipment with new, more secure EVID electronic devices from VR Systems to ensure that voters are properly identified and matched to the voter rolls.
They bought Albert sensors, which monitor for malicious emails.
They updated old firewalls, software and servers with enhanced security features, including auto-encrypting hard drives to prevent access by bad actors even if the drive itself was stolen.
They also beefed up their backup capabilities for vote tabulation equipment.
They even updated their Windows 10 laptops with self-encrypting hard drives.
And they invested in staff training to help them identify and respond to phishing and other social engineering attacks against users.
They also installed extra security cameras and door latches and put key cards on doors leading to rooms with sensitive election information and equipment.
Secrecy pacts 'unenforceable'
Sunshine law experts raised serious concerns about the NDA and whether the exemptions cited are valid.
“It’s bizarre, but we do see these kinds of nondisclosure agreements on occasion," said Barbara Petersen, immediate past president of the First Amendment Foundation and a lawyer who continues to monitor Sunshine Law violations.
Cases decided by the 1st District Court of Appeal and the Florida Supreme Court have ruled officials cannot "contract away" their obligations under the state Public Records Law either by NDAs or via settlement agreements, she said.
"If you could, we'd have no public records," Petersen said.
Ultimately, though, the NDA is unenforceable, she said. "The NDA itself is meaningless."
The NDA cites four state statutory exemptions, two of which she said are identical and apply only to plans for physical security.
“My understanding is it’s related to the physical security of a building, not IT security,” she said.
The other exemptions deal with information technology but apply only to state agencies under the executive branch, she said. In other words, they apply to the Department of State but not the elections supervisors, who are independently elected constitutional officers in every county except Miami-Dade, which appoints its supervisor.
A researcher for the First Amendment Foundation said the federal Cybersecurity Information Sharing Act could apply but only to specific records related to cyber threat indicators and defensive measures, Petersen said.
However, she added, the supervisors "must redact that which is exempt and provide you with access to the remainder."
Voters 'have a right to know'
In the end, it’s the voters who are the real victims, Rep. Murphy said. “They have the right to know if they were in” the counties that were hacked.
The legislation cosponsored by Murphy and Waltz is still pending.
The FBI pledged in January to update its notification policies about election system breaches. In addition to letting local officials know if they were hacked, the FBI will let the state know when a local system is breached. But the agency still won't tell the public or members of Congress in the state where the breach occurred.
“While this is welcome news, I will continue to press for voters to be eventually included and notified of breaches and will continue to push for full transparency,” Waltz said in a news release.
“The fact that the FBI won’t allow us to publicly release the names of the ... counties that were hacked means voters can’t verify their county wasn’t affected or deleted,” Murphy said. “Again, we need to give this information to the people who need it."