DeSantis says FBI had him sign NDA to not identify Florida’s hacked election offices
Florida’s governor is facing calls to name the two local election offices he says were hacked ahead of the 2016 election. But based on his own comments, he’s not the only one in Florida choosing to keep that information secret.
In the weeks since Robert Mueller’s report on Russian interference in the 2016 election revealed that hacking efforts by Russian intelligence outfit GRU were in fact successful in “at least one” Florida county despite years of public information to the contrary, the Miami Herald and Tampa Bay Times have contacted each of the state’s 67 election supervisors to ask whether their office had been hacked.
And all but a handful of Florida’s election supervisors have said in interviews or in public statements that they have no reason to believe their offices were involved — even though the FBI told Gov. Ron DeSantis recently that it notified the victims years ago.
“We have not been told we are [among the hacked counties],” Assistant Suwanee Elections Supervisor Jennifer Kinsey said Wednesday. “We’re kind of wondering who it is, too.”
Election offices in Gadsden and Hardee counties either declined to comment or failed to respond to requests for information, although there’s no information to suggest that either of those two counties were hacked. Sumter County Supervisor Bill Keen said in an interview Wednesday morning that he has no reason to believe his office was hacked, but an election coordinator in his office later responded to an email seeking comment by saying information about hacking was exempt from disclosure because “our answers could either directly or indirectly allow yourself or others, including nation states trying to do harm to our elections process, to ascertain details harmful to national security. ...”
At least 11 election offices received malware-laced emails from hackers. But officials in Florida’s largest counties say they have no reason to believe they were hacked.
The widespread denials continue to cloud an already muddy controversy that refuses to fade even as Florida’s senior-most politicians assert that no election data was manipulated by the hackers who tricked their way into local registration databases. They also undercut trust in Florida’s election security, given that only a few weeks ago the same people who are now assuring that successful hacking attempts had no consequence on the 2016 election were insisting that, in fact, those hacking attempts had all failed.
“It is absolutely shameful and ridiculous that the federal government will not tell the citizens of the state of Florida and the public officials all they know about the hack,” said Ion Sancho, a former Leon County election supervisor who went public in September 2016 with the details of a private conference call between election officials, Homeland Security and the FBI on hacking attempts . “Certainly, the Russian GRU, they already know which counties they’ve penetrated. The only ones that are being kept in the dark are the citizens, the voters themselves.”
Until Tuesday, and even after the release of Mueller’s report, all indications were that the FBI and Homeland Security had consistently told state and local officials that hacking threats in 2016 were widespread but unsuccessful.
Information that Russian intelligence agents spoofed emails made to appear as if they came from elections vendor VR Systems and tried to trick Florida supervisors into opening malware-laced attachments has been public for two years. But going back to an initial conference call with the FBI’s Jacksonville office in September 2016, elections officials in the nation’s largest swing state have said they were told those efforts all failed because no one opened the attachment.
What information that did exist publicly to suggest that any hacking attempts had succeeded anywhere in the U.S. was limited to vague references without geographical information in a January 2017 Director of National Intelligence report and a May 2018 U.S. Senate Intelligence Committee report. When then-Sen. Bill Nelson warned last summer that hackers had gained access to voting systems in Florida and had “free rein” to move around, he was ridiculed by his opponent, Florida’s then-Gov. Rick Scott, and questioned by election supervisors.
There’s no information to support that hackers still had access in 2018, as Nelson warned, but it now appears that he was at least partially correct. And it also appears that the FBI left the state in the dark even though it had, in fact, informed two local offices that they’d been hacked in 2016 — offices that either remained quiet or lied publicly about whether they’d been breached.
“This was something the counties knew about prior to the 2016 election” as they worked with the FBI, Gov. DeSantis said Tuesday during a hastily called press conference. “I’m not allowed to name the counties. I signed a disclosure agreement [with the FBI]. I would be willing to name it for you guys but they asked me to do that so I’m going to respect their wishes.”
The FBI did not specifically answer questions Wednesday about why it deemed the identity of the hacked election offices as classified, but a spokesperson noted that non-disclosure agreements are “required” under the terms of a 2003 executive order when people without security clearances, such as DeSantis, are briefed on sensitive or classified information. The spokesperson also said that the “FBI’s victim notification policy was followed in this case.”
But with the FBI saying little publicly, it’s difficult to know what’s true in cases when rumors spread and information conflicts.
During a recent congressional hearing on voting rights in Fort Lauderdale, U.S. Rep. Frederica Wilson, D-Miami, said there’s a “rumor” that Broward was one of the hacked election offices. But both the current and former election supervisors in Broward said that information was false.
And before DeSantis revealed details of his Friday briefing, U.S. Sen. Marco Rubio, a member of the Senate intelligence committee, suggested to The New York Times that the FBI had likely chosen not to inform election officials who’d been hacked in order to protect sensitive information. Also on Wednesday, the chief operating officer of VR Systems disputed DeSantis’ assertion that “the reason why those counties got affected was not necessarily those counties but it was because of a private vendor they were using.”
“After receiving a media inquiry based on Governor Ron DeSantis’ comments, we immediately called our contact at the FBI, who confirmed what as we’ve said all along, VR Systems was not the source of any penetration into any county supervisor of elections systems,” said COO Ben Martin. “Based on this information, we stand by our assessment that a spear phishing email impersonating our company was the likely source.”
DeSantis said Tuesday that he’s trying now to determine why Florida officials were left unaware that hacking had been successful. He said he was told during his briefing that there were state agents of a task force who knew about the hacks and it’s possible that information should have been transmitted to the governor. In the meantime, some elections watch organizations say they’re less concerned with who was hacked three years ago than with the question of whether Florida is prepared to stop hacking efforts in 2020.
“2016 proved that foreign governments have much to gain from meddling in our elections,” said Liza McClenaghan, chairwoman of the Florida board of voting advocacy group Common Cause. “More attacks are on the way.”
A spokeswoman for Florida’s Division of Elections confirmed that Secretary of State Laurel Lee also signed a non-disclosure agreement during the same meeting attended by DeSantis. But she said “the FBI was very clear that there was no manipulation of voter data, vote counts or election results in 2016,” and said there were “zero successful hacking attempts” during last year’s midterm elections.
State, local and federal officials also stress that the voter registration networks that were breached don’t connect to the systems that tabulate votes, although hacking into a registration database would potentially allow for other kinds of mischief.
“It’s not necessary for me to know the specific county,” said Chris Chambless, election supervisor in Clay County and a member of a Homeland Security Government Coordinating Council. “I do realize that while it’s frustrating at times, that there is a need for security and the ability to withhold information, and I have to trust in the protocols that are in place....”
Former Gov. Scott, now a U.S. senator, met Wednesday with the FBI, and Florida’s Democratic delegation has scheduled a press conference to follow their own Thursday FBI briefing. Calls have grown for officials to make public what the FBI is keeping classified. And as more people are informed about the extent of hacking in 2016, it’s possible that more information will be forthcoming as well.
“If I gotta bet,” said Madison Supervisor Tommy Hardee, “Thursday, when they have that committee meeting, the names will come out.”
McClatchy DC reporter Alex Daugherty and Tampa Bay Times reporter Steve Contorno contributed to this report.