In the months after the 2016 elections, state election administrators spent millions of dollars investigating and addressing the cyber intrusions that had penetrated voting systems in dozens of states. Kentucky Secretary of State Alison Lundergan Grimes emerged as one of the loudest voices calling for improvements. In February 2017, at an elections conference dominated by talk of cybersecurity, Grimes claimed to have found the perfect answer to the threat: A small company called CyberScout, which she said would comb through Kentucky’s voting systems, identify its vulnerabilities to hacking and propose solutions. Three days later, Assistant Secretary of State Lindsay Hughes Thurston submitted paperwork to give the company a no-bid two-year contract with the State Board of Elections, or SBE, for $150,000 a year. She did not inform the SBE — the agency that oversees the state’s voting systems — that she was doing so.
At the time, CyberScout was new to voting-related cybersecurity. The company acknowledges that it had never had an election-systems client before.
CyberScout’s CEO and his wife had given Grimes a total of $12,400 in contributions over several elections, along with $4,000 to state Democratic groups. (All of the donations fell within state limits.) Ultimately, the contract went through — Grimes denies the contributions had any influence — and CyberScout delivered little in the way of results, according to 15 election officials interviewed for this article. CyberScout’s contract was not renewed after the first stage expired in June.