F.B.I. to Florida Lawmakers: You Were Hacked by Russians, but Don’t Tell Voters

MIAMI — The governor knows. The state’s congressional delegation knows. The F.B.I. knows. The Russian hackers certainly must know.

Almost everyone, it seems, has been told which Florida voter registration systems were breached during the 2016 presidential election — except for the voters whose information was targeted.

Elected leaders in Washington and Tallahassee want to tell them, but they say they can’t. The F.B.I. has kept the information classified, refusing to publicly identify the two counties where Russian hackers had access to voter data that could have allowed them to wreak havoc for voters on Election Day.

On Thursday, the F.B.I. faced a torrent of bipartisan fury from Republican and Democratic lawmakers in Florida, who, one after another, denounced the federal agency’s lack of transparency, calling it unacceptable that it has taken three years for the authorities to reveal to them which counties were hacked.

“I don’t know who the hell they think they are to not share that information with us,” Representative Matt Gaetz, a Republican from the Panhandle, said in a news conference on Thursday after the Florida delegation met behind closed doors in the Capitol with officials from the F.B.I. and the Homeland Security Department.

Now that they know, Florida officials are prohibited from sharing the details with voters.

Adding to the lawmakers’ anger were worries about what the hackers did once they gained access to the voter rolls. F.B.I. officials told lawmakers that they had no evidence any data had been altered, but they could not say “with certainty” that no manipulation had occurred, said Representative Debbie Mucarsel-Powell, a Miami Democrat.

The voter registration systems are separate from voter tabulation systems, which officials say were untouched. Voter rolls are public information in Florida, but access to the registration data could have allowed the hackers to delete or add voters, cancel their mail-in ballots or alter their party affiliation.

“We still have a lot of questions,” Ms. Mucarsel-Powell said.

Tucked in the Mueller report last month was confirmation that the F.B.I. had determined that a Russian military intelligence unit known as the G.R.U. had breached “at least one Florida county government” during the 2016 election.

That revelation prompted members of Congress to request Thursday’s briefing. Its importance only grew after Gov. Ron DeSantis, a Republican, disclosed on Tuesday, after his own briefing, that two counties had been hacked. The governor added a note of exasperation that the F.B.I. had required him to sign a nondisclosure agreement to receive the classified information.

Identifying the two counties has become Florida’s political parlor game du jour, with the state’s 67 elections offices offering varying degrees of denials that they were breached to local and national news outlets. Lawmakers said on Thursday that the F.B.I. told them the intrusion came through a spear phishing email, as elections officials had earlier suggested.

F.B.I. officials said the names of the hacked counties should remain classified because identifying them could tip off the Russians to law enforcement sources and methods. That argument did little to quell the politicians’ frustrations, given that the Mueller report has been public for weeks, and now the governor and almost every federal officeholder in the state knows the names of the two counties.

“The Russians know we know,” said Representative Stephanie Murphy, a Democrat from the Orlando area. “The only people who don’t know are the American people.”

In a statement earlier this week, the F.B.I. said that it continues to work with local, state and federal officials “to proactively share information in a concerted effort to protect elections networks in Florida, and across the country, from adversary activity.”

The F.B.I. notified the two counties of the breach as part of the agency’s victim notification protocol, several lawmakers said. As part of that protocol, the F.B.I. does not publicly identify victims, to maintain productive working relationships with them.

But lawmakers took issue with the notion that the elections supervisors were the victims — as opposed to the public.

“It’s the voters that are the victims,” said Representative Michael Waltz, a Republican from St. Augustine.

Without knowing which counties were breached, voters can do little to hold elections supervisors (who are elected officials in all but one Florida county) accountable for taking the necessary steps to prevent a similar hacking in the future, lawmakers said.

The F.B.I. assured the lawmakers that the computer systems in 66 of Florida’s 67 counties are now equipped with “Albert sensors,” devices affixed to networks to detect cyber intrusions. The lone holdout, Palm Beach County, expects to install its sensor in a matter of weeks, a spokeswoman for the local elections office said.

But with the 2020 presidential election approaching, lawmakers said the F.B.I. must be more forthcoming with information crucial to the public.

“This chaotic, drip-drab of information coming out is doing more harm for voters’ faith in the electoral system than just coming out and providing information, appropriately declassified,” Ms. Murphy said in the news conference. Later, she added in an interview: “Florida is the biggest swing state. You’ve seen very close elections in Florida in the past. We have to instill confidence in our electoral system.”