"We have to take seriously the security of our elections because of the vulnerabilities that exist — still, now — that really have the ability to undermine our democracy. There’s a hacking conference that’s held every year in Las Vegas, where I think a 14- or 15-year old-girl from Florida hacked into a replica of Florida’s election system in less than 15 minutes."
What we found is some indication of vulnerability — even if it’s not a direct threat to the voting system itself. At least one kid did do some quick hacking.
But two points are problematic for Gabbard’s claim.
First, what was hacked was not a replica of the election system, but rather a website made to look like Florida’s Secretary of State website that reports preliminary election results. In other words, not the system that receives and counts actual votes.
And second, what was hacked into was not even a replica — as in an exact copy of the website — because it did not contain the proprietary security features that the Secretary of State website has.
As the National Association of Secretaries of State said at the time:
"While it is undeniable websites are vulnerable to hackers, election-night reporting websites are only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote counting equipment and could never change actual election results."
Besides being a large swing state, Florida is important because Russian hackers gained access to at least one Florida county’s election computer network during the 2016 presidential campaign, according to Special Counsel Robert Mueller’s report on Russian interference in that campaign. The county was not named.
The Republican governor has emphasized that while the counties had experienced "intrusion into the supervisor of election networks," no information was manipulated or changed, and that it’s possible the hackers obtained voter information that was public record anyway.
To support Gabbard’s statement, her campaign sent us two news articles about DEFCON 26, a hacking and cybersecurity event held in Las Vegas in August 2018. As part of the annual event, kids ages 8 to 16 could try to hack into what DEFCON described as replicas of election websites of 13 battleground states, including Florida.
One article said an 11-year-old boy hacked into the website that was made to look like the Florida Secretary of State’s website; and the other article said an 11-year-old girl hacked into one of the sites, but didn’t indicate which state. Both were done in under 15 minutes. (The home states of the kids were not named.)
As DEFCON said, the purpose was not nefarious: "By exposing the cyber vulnerabilities of these websites, young contestants will compete for prizes in a number of categories, including proposing the best plan to defend the Secretary of State websites from cyber attacks."
But to be clear: While the websites might report election results and have other voting information, they are not used to receive or count actual votes.
One of the articles, from PBS NewsHour, said an 11-year-old boy hacked into a version of the Florida state election website and changed voting results in under 10 minutes. And an 11-year-old girl tripled the number of votes on the same site in about 15 minutes.
In other words, hacking into a state’s election website could cause confusion if results were manipulated. But that is not the same as hacking into an election system and actually changing votes.
And with regard to how closely the hacked websites matched the actual websites, ProPublica published an article shortly after the DEFCON convention emphasizing that the websites hacked by the kids were not actual replicas of the state election websites.
"Instead, students were working with look-alikes created for the event that had vulnerabilities they were coached to find," ProPublica said. "Organizers provided them with cheat sheets, and adults walked the students through the challenges they would encounter."
Josh Franklin, an elections expert formerly at the National Institute of Standards and Technology and a speaker at DEFCON, was quoted as saying the websites were "fake."
"When I learned that they were not using exact copies and pains hadn’t been taken to more properly replicate the underlying infrastructure, I was definitely saddened," he said.
Similarly, Vice.com reported after Gabbard’s interview that DEFCON organizers had given the participants "clones" of state election websites "with vulnerabilities inserted by the organizers. In particular, the sites were designed to be vulnerable to SQL injection attacks, one of the most ancient—and yet still very common—hacks ever."
Gabbard said, "There’s a hacking conference that’s held every year in Las Vegas, where I think a 14- or 15-year-old girl from Florida hacked into a replica of Florida’s election system in less than 15 minutes."
In less than 15 minutes, two 11-year-olds attending a 2018 hacking convention were able to hack into a website that was made to look similar to the website of the Florida Secretary of State’s Office that reports election results.
Despite news reports that used terms such as replica and facsimile, the hacked site was not a copy of the Florida site and did not contain the same security features. Moreover, the site that the hackers meant to target does not include the system that is used for receiving and tabulating actual votes.
Gabbard’s loose recollection could leave readers with the wrong impression about the vulnerability of Florida’s election system. We rate her statement Mostly False.