This story, the third in a three-part series, was co-published with the Lexington Herald-Leader.
In the months after the 2016 elections, state election administrators spent millions of dollars investigating and addressing the cyber intrusions that had penetrated voting systems in dozens of states. Kentucky Secretary of State Alison Lundergan Grimes emerged as one of the loudest voices calling for improvements.
In February 2017, at an elections conference dominated by talk of cybersecurity, Grimes claimed to have found the perfect answer to the threat: A small company called CyberScout, which she said would comb through Kentucky’s voting systems, identify its vulnerabilities to hacking and propose solutions.
Three days later, Assistant Secretary of State Lindsay Hughes Thurston submitted paperwork to give the company a no-bid two-year contract with the State Board of Elections, or SBE, for $150,000 a year. She did not inform the SBE — the agency that oversees the state’s voting systems — that she was doing so.
At the time, CyberScout was new to voting-related cybersecurity. The company acknowledges that it had never had an election-systems client before.
CyberScout’s CEO and his wife had given Grimes a total of $12,400 in contributions over several elections, along with $4,000 to state Democratic groups. (All of the donations fell within state limits.) Ultimately, the contract went through — Grimes denies the contributions had any influence — and CyberScout delivered little in the way of results, according to 15 election officials interviewed for this article. CyberScout’s contract was not renewed after the first stage expired in June.
The story of the CyberScout contract, told here in detail for the first time, suggests a consequence of the unprecedented power that Grimes has amassed as chief elections officer. (The first two articles in this series explored how she expanded her power as well as some of the voter-privacy concerns raised by her actions.) It shows what can happen when one person consolidates decision-making authority that has historically been divided, by design, among different entities.
Grimes has been criticized for overstepping her role as secretary of state by taking day-to-day control of the SBE, a nonpartisan agency that is constitutionally separated from the secretary of state’s office (albeit chaired by the secretary of state). Grimes’ expansion of power, and the ways in which she has used that power, are the focus of three ongoing investigations by state agencies. The investigators have also asked questions about the CyberScout contract, according to people who have been interviewed.
“These allegations demonstrate exactly why Kentucky law is set up to have separation between the secretary of state and the State Board of Elections,” said Joshua Douglas, an election law professor at the University of Kentucky College of Law. “The point is to ensure transparency, oversight and checks on each entity. That may have broken down in this instance.”
Grimes has called the complaints against her “unfounded” and “political,” though they have come from members of both political parties. “I urge all Kentucky agencies to realize partisanship has no role in safeguarding Kentucky against cyber threats,” she said in a statement in September addressing an episode in which some state government email accounts were hacked. “I want to reiterate to all Kentuckians, I won’t back down from doing everything I can to protect you and our elections.”
CyberScout delivered for Kentucky, Grimes said in an interview for this article. The company, she asserted, uncovered “huge weaknesses” in the state’s voting systems. (She declined to detail those deficiencies, citing security reasons.) Grimes called CyberScout “an industry leader in security” with a focus on elections. As she put it, “We wanted to make sure we got the best of the best and no one could make any claims otherwise.”
But that’s not how the state’s own experts viewed CyberScout at the time. “I want to be perfectly clear that contracting with them in no way [fulfills] the actual security needs of our systems and in no way will mitigate our risk of intrusion,” wrote Steve Spisak, a software developer for the Secretary of State’s office who built Kentucky’s voter-registration system, and Tom Watson, a software engineer for the SBE, in a March 30, 2017, email to an executive at the board. “In fact, they don’t offer any security devices or real-world experience of any type.”
The origin of the connection between CyberScout and Grimes is murky. Adam Levin, the founder and CEO, said he and Grimes had been in contact long before the secretary of state tapped his company. “I had spoken to her for years about cybersecurity,” he said before abruptly ending an interview when pressed about their relationship. For her part, Grimes said she was “unaware” whether or not she had met Levin.
What seems clear from interviews with multiple people involved in the state’s election security is that Grimes’ team did not divulge the political contributions when the state was considering a contract for CyberScout. It was not legally required to do so. More specifically, the contributions were not disclosed to the SBE. Don Blevins Sr., a board member at the time the contract was processed (and, like Grimes, a Democrat), said he would have opposed a contract with CyberScout if he’d known about the donations. “In no way would I have ever gone along with that,” he said. “I find that outrageous.”
Not only did Grimes fail to disclose the financial links, her team misrepresented how far negotiations with CyberScout had progressed, according to members of the SBE. On Feb. 21, 2017, the day after Thurston sent the initial proposal for the contract “on behalf of the State Board of Elections,” CyberScout gave the board an overview of the company and its offerings.
Blevins called the presentation “vague,” and he said it provided little guidance as to how CyberScout and its subcontractor, Nordic Innovation Labs, would proceed and what work product they would provide. “I asked a bunch of questions, but then just shut up because I wasn’t getting anywhere,” he said.
Board members unanimously voted that day to “allow the State Board of Elections to engage with CyberScout in the future.” They said they believed they were opening the negotiation process. But in the following months, documents show the secretary of state’s office represented this vote to government agencies and the public as having approved a contract with CyberScout.
Shortly after the meeting, the contract proposal was rejected by the Kentucky Finance and Administration Cabinet. It cited a lack of evidence that CyberScout was uniquely qualified for the project, a state requirement for a no-bid contract. Without consulting the SBE, Thurston and CyberScout resubmitted the proposal with a more detailed justification letter on March 7. That submission was approved by March 24.
Grimes maintains that any issues with the contract should be blamed on the Finance Cabinet, which she said is run by “Republican Gov. Matt Bevin.” The Finance Cabinet responded that it “relies on the integrity” of statements made by constitutional officers.
Board members remained unaware that the proposal had been submitted or approved. They continued to raise questions about CyberScout during this time. “I know we had previously voted on approving to allow the Secretary and staff to further engage in discussion,” wrote Josh Branscum, a Republican board member on April 18, 2017. “Have we received any proposal fee or scope of services to look at as a board before we vote to enter into any type of official contract?” Michael Adams, another Republican board member, asked when the board could expect to receive a more detailed proposal.
Thurston responded by asserting that the board had already approved the CyberScout contract. “You will recall on February 21, 2017, the Board unanimously voted to engage CyberScout,” she wrote.
Confusion swirled inside the SBE. The agency’s staff also was unaware that a contract with CyberScout had already been submitted and approved. They were actively researching other cybersecurity contractors. Matt Selph, the assistant executive director of the SBE at the time, said he and then-Executive Director Maryellen Allen appealed to Thurston in a meeting that month, telling her they were not interested in working with CyberScout.
Despite these recommendations, Thurston repeatedly represented to the Finance Cabinet that, as she put it in one letter, CyberScout had “expertise in elections cyber security that is unmatched by any other cyber security firm.” Grimes did not respond when asked what research she or Thurston had done to substantiate this assertion, and Thurston did not respond to calls for comment.
In interviews with ProPublica and the Herald-Leader, multiple cybersecurity experts disagreed that CyberScout was uniquely qualified. Most had never heard of the company. Numerous firms provide near identical services, and several of the services listed in the contract were redundant to those offered by the U.S. Department of Homeland Security for free. (According to its website, CyberScout was founded in 2003 as a consumer-oriented operation called Identity Theft 911 and adopted its current name in 2017. CyberScout spokeswoman Lelani Clark said, “As of today, we believe that no other firms offer the spectrum of election security services we do.”)
Kentucky would have been well aware of these services and other qualified vendors in February 2017, according to Jennifer Morrell, an elections consultant heading up the Democracy Fund’s Election Validation Project. Election officials, she said, were “almost exclusively focused on cybersecurity resources and information” at the time.
Morrell previously ran elections in Arapahoe County, Colorado, which briefly retained two of the founding partners of Nordic Innovation Labs, CyberScout’s subcontractor, to pilot a new auditing technique. She called their work “a complete failure and waste of money.” CyberScout cited this Colorado project in the letter that stated the firm was uniquely qualified for the Kentucky assignment. (Nordic referred a request for comment to CyberScout.)
In the same letter and various reports produced for the state, Eric Hodge, the director of consulting for CyberScout, also claimed “the team” had done similar work in Ohio, Massachusetts and California. When contacted, all three states denied working with CyberScout or Nordic Innovation Labs. Asked about the discrepancy, Hodge said Harri Hursti, a recognized voting-machine security expert and the founding partner of Nordic, had been part of a cybersecurity report commissioned by the Ohio secretary of state in 2007. Hursti was one of 23 named experts in the report. Hodge did not respond to claims regarding the other states.
The deal with CyberScout worked out as the SBE staff feared. No one in Kentucky could point to a specific change spurred by CyberScout, and SBE employees indicated all changes made in the last two years came as a result of recommendations by the Department of Homeland Security. The company’s contract ended in June, ultimately costing the state about $150,000.
CyberScout “did absolutely zero work and got paid a bunch of money,” Selph said.
Selph was fired in late 2017, after he submitted a complaint about Grimes, including his objections to the CyberScout contract, to the Executive Branch Ethics Commission. Grimes said Selph was fired after harassing employees of the SBE. He has denied that allegation and has filed a whistleblower lawsuit against the state.
Current SBE employees have also expressed confusion as to CyberScout’s work product. As late as August, emails show SBE staffers expressing confusion about the work CyberScout had performed and the bills the company sent.
In his own complaint, which he submitted to multiple state agencies and the SBE, Jared Dearing — a Democrat picked by Grimes as executive director of the SBE — recommended an audit of vendors used by the SBE despite internal objections. He recommended that vendors who provided campaign donations be investigated.
Hodge said it didn’t matter if the SBE was unhappy. “Our client is the secretary of state,” he said. All that matters, he said, was that Grimes was satisfied. In fact, CyberScout’s contract is with SBE. (Clark defended the company’s work and maintained that Kentucky’s IT staff was “hostile” to being audited and dismissive of security concerns.)
County clerks also remain unclear as to what services CyberScout provided. As part of its contract, the company visited a handful of counties to offer guidance on shoring up their wireless connections and on the security of elections systems.
Hodge rejected criticism of the company’s county visits. For example, he asserted that the Crittenden County clerk was “overjoyed” at the company’s recommendations. In an interview, Carolyn Byford, the clerk in the county, said people from CyberScout followed her around during a special election held in September 2017 but issued no report or recommendations. “All it did was make me anxious that day,” she said. “Elections are tough enough as it is.”
In late December, more than six months after the contract expired, CyberScout published a 20-page public report summarizing its work in Kentucky. The report is missing elements generally seen in reports released by cybersecurity contractors. Most, for example, explain the methodology used for security tests. CyberScout did not do so.
The remainder of the report contained rehashed recommendations made to the SBE over the year the contract was active. Some were pasted verbatim from the notes section of a PowerPoint presentation given to the board months before. There were multiple typographical and grammatical errors and inconsistencies: On one page, CyberScout recommended that Kentucky join a multistate group on cybersecurity. On the next page it congratulated the state for having joined the group.
Hodge declined to answer questions about the report’s inconsistencies.
Herald-Leader reporter Bill Estep contributed to this story.