This article is part of TechRepublic’s series on how states across the US are approaching the cybersecurity threat to the 2018 midterm elections.

When it comes to election security, Florida has a reputation for being a bit of a problem child, and a popular target for hackers.

The Sunshine State was one of 21 states whose voter registration databases were targeted by Russian hackers in 2016. Several counties were also targets of phishing attacks from Russian operatives that year, and the Department of Homeland Security warned that the swing state remains a target.

“The global attention that has been given to the fact that there was Russian interference in our election may encourage others to try and interfere,” said Juan Gilbert, chair of the department of computer and information science and engineering at the University of Florida, Gainesville, and co-author of the Securing the Vote report from the National Academies of Sciences, Engineering, and Medicine. “We really need to be diligent about this and take it seriously.”

Florida also does not require its voting machines to meet federal standards before they are purchased and used in elections in the state, according to a February report from the left-leaning Center for American Progress comparing the election security of all 50 states.

Nowhere was the election security issue on larger display than at DEFCON 2018 in Las Vegas in August, where an 11-year-old boy hacked the election reporting section of a replica Florida Secretary of State website in under 10 minutes. An 11-year-old girl then hacked the same replica site, and tripled the number of votes on it in about 15 minutes.

“Of course, the environment and situation there is different than an ordinary election scenario,” said Danielle Root, voting rights manager at the Center for American Progress. “But the fact that an 11-year-old boy managed to do that in so little time should concern a few people.”

With all of this in mind, election officials across Florida’s 67 counties are taking steps to improve election security ahead of the 2018 midterms. In July, the state accepted $19.2 million from Congress as part of a 2018 spending bill to address cybersecurity issues through the Help America Vote Act (HAVA). That money has been divided among the counties and is being used for physical security, voting system upgrades, post-election audits, and risk assessment audits, to maintain election integrity.

Phishing scam

In August 2016, Russian operatives hacked the computers of election system vendor VR Systems, which has contracts with several states. The vendor's software, used to verify voter registration data, would not be able to change votes, but could cause serious disruptions at polling places. The operatives sent 122 spear-phishing emails to counties in Georgia, Iowa, and Florida, each with a link directing employees to a malicious website that would request their login credentials.

This information was uncovered after the US Justice Department indicted 12 Russian military intelligence officials for attempting to disrupt the 2016 US presidential election.

Clay County, located just south of Jacksonville, was one of the counties that received the phishing message. However, the email was offloaded to a quarantine server, said county election supervisor Chris Chambless.

“It was never a threat to the network,” Chambless said. “That was generally the case in all counties affected. There was no Florida county that executed the malicious script.” At that time, Clay County also blacklisted 700 IP addresses that were designated as potentially malicious, Chambless said.

The same was the case in Collier County, located south of Fort Myers, which also received the message. “Staff is trained to be alert of suspicious emails, so it was quarantined right away, and we reported it to our county IT staff who manages our emailing system and we alerted the vendor of the email,” said Trish Robertson, Collier County election communication coordinator.

Even if the phishing email had made its way to inboxes, “it was very uncharacteristic of our vendor,” Chambless said. “Our vendor’s very good about locking down the code several months before we go into an election cycle, and so had we received it, we would’ve questioned the fact that they were doing a release that would require new documentation anyway.”

Collier County received $261,657 in HAVA funding, which is being used for software and hardware purchases to monitor network activity, replacing outdated hardware with new equipment, and IT staff training to identify and mitigate possible attacks in the future, Robertson said.

Clay County was given about $115,000 from the HAVA grant. It has not used all of the funds, largely because many new protections had been put in place before the money was disbursed, Chambless said.

Improvements were made to physical security, as well as network hardening, including the addition of more complex passwords and multi-factor authentication, Chambless said. Additional tools were also implemented to proactively address intrusion attempts, rather than only monitoring them, he added. There is also training in place to help elections officials identify threats like phishing attacks.

“Supervisors of elections have always been security-conscious, so there’s always been an emphasis on that, whether it was human security or computer security,” Chambless said. “However, technologies evolve and threats emerge and mature, so the focus is ever-shifting. It’s important that you stay vigilant, and continue to ride that bloody edge of both threat and evolvement of technology to stay constantly aware.”

Auditing issues

A major problem in Florida’s election security standards is its post-election audit requirements, the Center for American Progress report found.

For one, these audits can be carried out electronically, by retabulating the ballots in either the same or another electronic machine.

“Any time you are using an electronic machine, there is a chance for malfunction, not to mention hacking,” Root said. “By allowing post-election audits to be carried out electronically, you’re opening yourself up to vulnerability and unreliable post-election audit results.”

Audits here are not mandated to escalate in the event that an error is identified, the report found. “By not escalating, you don’t have a picture of how extensive the problem could be,” Root said.

Florida also has no requirement for post-election audit results to potentially overturn erroneous election results, according to the report. “This is problematic, because if an audit tells you that the outcome of an election was wrong, then those results should be able to overturn incorrect elections,” Root said.

However, it’s not all bad news: The state’s election security strengths include requiring certain cybersecurity standards like access control for the voter registration database, and performing regular vulnerability assessments, the report found.

“Gone are the days when you can make a blanket statement that systems are almost a de facto secure,” Chambless said. “Certainly with zero-day threats and new malware coming out, it is very important that you develop a robust system that is multi-layered in detecting and identifying, and with recovery that can come in a number of different ways, and different resources that continue to evolve.”
