Cybersecurity lax for ‘very sensitive’ emergency alert system at the center of the Rebekah Jones raid
- Oops!Something went wrong.Please try again later.
The state left the door wide open to anyone wanting to access an emergency alert system that Gov. Ron DeSantis described Friday as a sensitive program that needed to be defended with a police search at the home of one of his critics.
DeSantis called the text messaging program a “very sensitive system” and added it could “cause a lot of damage” if someone improperly gained access.
Yet, staffers at the Florida Department of Health used the same username and password to log into the system, which allows them to send mass text messages to emergency officials working on the COVID-19 pandemic and other disasters. They even posted login and password information for multiple state accounts on the department’s public website, accessible to anyone who bothered to look.
That lax cybersecurity is one of several problematic issues experts identified in the state’s decision to raid the home of Rebekah Jones, a former Department of Health data analyst who has filed a whistleblower complaint accusing officials of manipulating COVID-19 statistics.
Defense lawyers say prosecutors could have a tough time securing a conviction if they press charges, and the raid is unusual because many cybercrimes are not aggressively investigated by law enforcement, even when theft and fraud are involved. In this case, the message in question involved neither: it urged state employees to tell the truth about the handling of the pandemic.
Since the state fired Jones in May for alleged insubordination, she has been an outspoken critic of the governor’s handling of the coronavirus pandemic. Jones then launched her own website where she posts COVID data.
State agents brandishing guns raided Jones’ home on Monday and seized her computer, phone and thumb drives as part of an investigation into a the message sent on Nov. 10.
The message read, “It’s time to speak up before another 17,000 people are dead. You know this is wrong. You don’t have to be a part of this. Be a hero. Speak out before it’s too late.”
At that time, Florida’s COVID-19 death toll stood at 17,460.
‘A very sensitive system’
DeSantis and the Florida Department of Health have not addressed the agency’s cyberdefense measures or explained what they are doing to improve safeguards.
But DeSantis was clear in defending the Florida Department of Law Enforcement’s agents, saying during a news conference in Tampa that agents had a lawful warrant to search Jones’ house and the unauthorized message was a serious matter.
Part of the justification for the action was to defend the messaging system’s integrity.
“There was an intrusion of a very sensitive system,” DeSantis said. “It’s an emergency alert system. If somebody gets a hold of that, they can do a lot of damage. You could really frighten a lot of elderly people, other vulnerable populations.”
The text messaging system is a communications tool used to send alerts to emergency officials. For instance, a mass text could be sent telling officials that the state’s emergency operations center has been activated. Health officials did not respond to questions asking them to describe in detail the program’s capabilities.
DeSantis acknowledged Friday he was aware of the investigation into one of his most prominent critics — contradicting a previous statement from his spokesman Fred Piccolo that the governor did not know about the probe.
Jones, 31, has a different view of the state’s motives. She said the search was an effort to root out leakers in the Department of Health and intimidate DeSantis’ critics.
She said she never had access to the messaging system when she was a state employee and denied sending the message. Jones has not been charged with a crime in connection with the breach.
Prosecutors would have a difficult case
Numerous factors weaken the state’s case against Jones and raise questions about the raid’s intent, according to interviews with legal experts.
Public passwords: When news of the raid broke, users of the popular website Reddit quickly uncovered seven PDFs posted on the Health Department’s website that contained login information and passwords.
The technology news website Ars Technica reported that those documents included the login information and password needed to send out a mass text message through the state’s system. It noticed that document included login information for the same group of contacts mentioned in the affidavit authorities filed to secure the search warrant.
Gretl Plessinger, an FDLE spokeswoman, disputed that account and said the program under investigation was not on the sheet of passwords found on the Health Department’s website. The state’s affidavit justifying the warrant, however, notes that state employees shared the same username and password for the emergency alert system.
Such lax cybersecurity practices, including shared passwords and passwords posted where the public could easily find them, could be used by Jones’ defense lawyers to show the state’s systems were not secure.
“They are not doing due diligence to make sure her access is limited in some way,” said Katherine Clark, a criminal defense attorney from Stuart who handles cybercrime cases.
FDLE Commissioner Rick Swearingen in a statement said someone “illegally hacked” into the system.
But it wouldn’t take much sophistication to simply obtain the password. Such a breach by an unauthorized user still would violate state law, experts say, but it would be harder to prove if the password was widely available and shared by many people.
The Florida Department of Health ignored a list of questions from the Sun Sentinel, including whether Jones was notified she could no longer access the system, whether cybersecurity safeguards had been audited and tested and whether any state employees are under investigation for the breach or violating cybersecurity rules.
Unusual investigation: When Floridians call the cops to report online bank fraud or other internet crimes, they often are not investigated and prosecuted aggressively, said Hasan Buker, an expert on cybercrime at the University of West Florida’s Center for Cybersecurity
Those investigations take personnel and time, and proving the case in court can be a challenge, he said.
“It is not easy to trace it back to a certain IP address,” Buker said. “It is not an easy investigation.”
But in this case, the Florida Department of Law Enforcement devoted significant investigative resources on a case that involved a single unauthorized message urging state employees to tell the truth.
IP addresses can be misleading: The probable cause affidavit justifying the search warrant relies on the message being traced to an IP address associated with Jones’ residence. But IP addresses can be easily spoofed, Buker said.
The Electronic Frontier Foundation has cautioned against relying on and IP address as the sole basis for a search warrant because it can be misleading with open networks and was never intended to be a unique personal identifier.
“An IP address alone is not probable cause that a person has committed a crime,” the digital rights attorney Marcia Hofmann wrote in a 2011 article for the Electronic Frontier Foundation. “Furthermore, search warrants executed solely on the basis of IP addresses have a significant likelihood of wasting officers’ time and resources rather than producing helpful leads.”
The court of public opinion: State law makes it a third-degree felony, punishable by up to five years in prison, to access a computer system without authorization. But in the court of public opinion, the substance of the message — which simply encouraged people to tell the truth about an issue of great public concern — could make it difficult to persuade a jury to convict, criminal defense attorney Joshua Deckard said.
“It was not a bad intent,” Deckard said. “It was meant to inform and warn the public. That would be a key part of the defense. It would certainly be a huge mitigator.”
Jones elevates her profile
Jones has emerged as a polarizing figure. For many on the political left, she is a courageous whistleblower who is speaking the truth about the coronavirus pandemic and is the target of a politically motivated investigation that aims to silence her dissent.
On the other side, critics have labeled her an unreliable troublemaker with a checkered past. DeSantis described her as someone who has “got issues.”
It took her about 20 minutes to let agents in to her house, according to body camera footage released by FDLE. It wasn’t her first brush with the law.
One misdemeanor charge accusing her of cyberstalking an ex-boyfriend in 2019 is still pending in the courts. Prosecutors withdrew a plea deal in that case after Monday’s raid.
Sexual cyber-harassment and stalking charges against Jones in the same incident were dropped, as were previous charges of robbery, trespassing and contempt of court for violating a domestic violence injunction against the same ex-boyfriend stemming from incidents in 2017.
Jones quickly rose to prominence after her firing in May, but she has become even better known with the significant national media coverage of the raid at her house.
Jones has amassed more than 358,000 followers on Twitter and has raised more than $231,000 for her legal defense through a GoFundMe page.
That’s on top of another $250,000 she raised through a separate GoFundMe page to help her “pay her bills after she was fired for refusing to manipulate COVID-19 data for the Florida plan to prematurely reopen the state.”
Jones maintains a website where she posts COVID-19 statistics, and she also is soliciting checks to support that project.
DeSantis said the motive of state officials wasn’t to intimidate but to protect.
“Floridians want government to protect them,” he said. “They want these sensitive systems to be protected.”
Staff writer Gray Rohrer contributed to this report.
Skyler Swisher can be reached at sswisher@sunsentinel.com, 561-243-6634 or @SkylerSwisher.
