Date: May 2023

Location: United States of America

Summary

The Hillsborough County Supervisor of Elections experienced a criminal cyber intrusion where an unauthorized user illegally accessed files on a shared network drive. The incident did not compromise the voter registration system or the stand-alone, air-gapped ballot tabulation system. Law enforcement partners, including federal, state, and local agencies, were immediately notified and are conducting a thorough investigation into this attack on critical election infrastructure.

Description

On May 3, 2023, Hillsborough County Supervisor of Elections Craig Latimer publicly disclosed that his office had been the target of criminal cyberactivity. The incident involved an unauthorized user who illegally accessed files located on a shared drive within the election office's network. The discovery of this intrusion prompted immediate notification to a comprehensive list of law enforcement and cybersecurity partners. These partners included the Hillsborough County Sheriff’s Office, the Florida Department of Law Enforcement, the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), the Florida Department of State, and the cybersecurity division of Hillsborough County’s own Information and Innovation Office. The office emphasized its close collaboration with these entities to ensure a thorough investigation was conducted.

A critical point clarified in the initial statement was the specific scope of the network compromise. The unauthorized access was confined to a shared network drive and did not extend to the core electoral systems. The voter registration system, described as having multiple layers of protection, monitoring, and redundancy, was not accessed by the intruder. Furthermore, the ballot tabulation system was confirmed to be entirely uncompromised. This system was characterized as utilizing a stand-alone, air-gapped server that is not connected to any other network or system, providing a high degree of isolation and security. The integrity of these critical systems was a focal point of the public communication to assure the community that election operations remained secure.

The response to the incident was treated with the highest level of seriousness by Supervisor Latimer, who cited his 35-year background in law enforcement as informing his perspective on the criminal nature of the event. He characterized any intrusion into an elections office as an extremely serious offense and an attack on the community and democracy itself, regardless of whether it interfered with the immediate conduct of an election. Addressing the incident became his top priority, with efforts focused on supporting the investigation led by the involved law enforcement and cyber technology experts. The public statement was crafted with the intent to provide transparency while simultaneously avoiding the release of any information that could potentially compromise the ongoing investigative efforts.

The incident underscored the reality that elections infrastructure is considered critical infrastructure and is therefore a target for malicious actors. The Hillsborough County Supervisor of Elections office took steps to manage the situation by leveraging established relationships with federal, state, and local agencies. This coordinated approach involved digital forensic analysis to determine the exact method of intrusion, the extent of data accessed or exfiltrated from the shared drive, and the identification of the responsible threat actor. The investigation aimed to uncover these details while the office maintained its regular election-related duties, ensuring that voter confidence was not undermined by the security breach on a non-critical part of its network.

Supervisor Latimer expressed confidence in the teams working on the incident, noting he was proud to be working alongside partners who understood and respected the seriousness of the situation. The public was assured that further information would be provided upon the conclusion of the investigation, though no specific timeline for that conclusion was given in the initial announcement. The statement served as the primary source of information, deliberately released to control the narrative with confirmed facts and to preempt speculation or misinformation regarding the security of the county's electoral systems. The incident highlighted the continuous need for vigilance and robust cybersecurity practices in protecting essential government functions from cyber threats.
