“He didn’t hesitate,” Kelley recounted. “He said, ‘They will be targeting congressional races.’”
In Southern California, home to some of the nation’s most-competitive congressional contests, that threat is being taken seriously. Consider just a few of the many new security protocols being adopted by election officials in the four-county region.
Office emails are being encrypted and networks buttressed. Election employees are randomly being mock phished to see if they’ll fall for simulated online invaders. Federal officials are being invited to inspect and test the region’s many voting systems.
Even the seemingly oldest of old-school safety protocols — counting up some election results by hand — is expected to play an expanded role in the 2018 midterms.
The local upgrades are part of a national response to Russia’s meddling in America’s 2016 elections. Intelligence agencies have determined that, among other things, Russian agents and their operatives executed a cyberattack on a U.S. voting software supplier, sent spear-phishing emails to election officials, and targeted voter rolls in at least 21 states, breaching a small (but undisclosed) number of them.
Since then, Congress has authorized $380 million to help states strengthen voting systems’ digital defenses, including $34 million earmarked to protect the integrity of elections in California. In the last weeks of the Obama administration, the Department of Homeland Security also designated state-run election systems as critical infrastructure, elevating them to the same classification as nuclear reactors and the Hoover Dam. And the FBI and other federal officials are offering free cybersecurity assessments to local election offices.
To date, there’s no evidence that votes were changed or voting machines infected during the 2016 cyberattacks. And election security experts say such threats are remote in any specific jurisdiction, and nearly impossible on a substantial scale.
But the upcoming midterms are the first national election since 2016. And those same election experts caution that attacks remain feasible in some American elections systems, particularly if existing vulnerabilities aren’t fixed.
Risk is low; security high
California’s voting infrastructure is, in many ways, far more secure than those of most other states. Counties in California are legally required to keep paper ballots as fixed records of electronic voting tallies and to hand-count the ballots cast at one percent of all precincts to verify digital totals. That means even if voting machines are compromised, there’s a physical backup to warn of a discrepancy.That’s not true in 11 states, where voting equipment can’t be audited manually and a hack that alters voting results could go entirely undetected. (Interestingly, most of the un-auditable, all-digital machines in those states were put into use after Florida’s “hanging-chad” debacle during the 2000 presidential election scared officials away from punch-card voting systems to what were perceived as more reliable electronic machines.)
Despite California’s superior safeguards, cybersecurity experts say the state’s voting systems remain susceptible to some forms of attack. Recognizing the threat, election officials in Los Angeles, Orange, San Bernardino and Riverside counties all said recently that they’ve become more vigilant since the 2016 campaign and have welcomed help from federal agents to assess their systems.
But implementing fixes has happened at different speeds across the region, with some counties addressing potential vulnerabilities more aggressively than others.
The leader of the pack seems to be Orange County, where four congressional contests in longtime GOP-held districts are being targeted by national Democrats in their effort to take control of the House of Representatives.
In April, Kelley released a 28-page “2018 Election Security Playbook” outlining new security protocols his office has implemented: from improving its ability to detect network intrusions and malware, to encrypting its emails, to enhancing building security, to implementing a third-party cybersecurity audit, to randomly testing its employees by sending them faux phishing emails and seeing if they bite.
The most substantial of the county’s new fixes is its risk-limiting audit – a protection that verifies electronic tallies with an even higher degree of certainty by hand-counting a random sample of paper ballots, with the number of votes scrutinized corresponding to the margin of victory in a given race.
Kelley knows firsthand that malicious actors are constantly probing local voting systems.
At the election security conference, held at UC Irvine in March, Kelley revealed that he and Los Angeles County Registrar of Voters Dean Logan were contacted by federal officials in spring 2016. They warned Kelley that people using overseas IP addresses had prodded his office’s networks in a move that was described as “checking to see if the front door of your house was locked.”
Kelley said his office’s defenses withstood the test, but he immediately worked to strengthen protections anyway.
“We’ve reevaluated every piece of the voting system and process, identified potential vulnerabilities, and made sure those are solid and secure,” said Kelley, who serves on a recently created federal 25-member election security council.
“Even though the risk is low, (the potential for hacking) is being taken very seriously,” he said. “And that should inspire voter confidence, just to know that there’s a different approach being taken to elections than there was in 2016.”
In Los Angeles County, home to another one of the nation’s most competitive congressional races, Logan has educated his staff on cyber threats by having them see firsthand how voting machines can be hacked.
Last year, he sent members of his team to DEF CON in Las Vegas, one of the world’s largest hacker conventions. There, at something called the “Voting Machine Hacking Village,” they watched white-hat hackers “go through and show the vulnerability of voting systems,” a process that helped Logan’s office identify its own potential shortcomings. Since the 2016 elections, the office has upgraded its malware protection and mandated cybersecurity training for staff. It soon will implement vulnerability-assessment and phishing exercises to further test its new systems.
“If we don’t know those vulnerabilities, we can’t respond to them,” Logan said at the conference.
San Bernardino County Registrar of Voters Michael Scarpello was more cryptic about what he’d done to enhance election security in his jurisdiction.
Scarpello said his office had been working with federal agents and the county’s IT department to harden its voting systems, website and local voter registration database from attack. He noted the effort was partially in response to a “heightened level of scrutiny, based on what’s going on at a national level.” Scarpello declined to identify any specific security system or protocol changes – and even refused to disclose the federal agency his office worked with.
And in Riverside County, election officials say the FBI and Department of Homeland Security are helping to monitor their network traffic and supplying a list of IP addresses to watch out for.
Riverside County Registrar of Voters Rebecca Spencer said the increased vigilance isn’t in response to a July 2017 Time magazine cover story. In that article, the Riverside County District Attorney stated that hackers had changed a small number of county residents’ voter registration data in advance of the 2016 primary. And unnamed national cybersecurity officials said the incident may have been a “test run by the Russians… (to see) what kind of chaos they could unleash on Election Day.”
Since then, that version of events has been rebuffed by election officials. California Secretary of State Alex Padilla’s office, which operates the state’s voter registration database, said his office had no evidence that voter rolls were breached. And Spencer said her office had identified the cause of nearly all the voter roll changes, many of which occurred because voters simply forgot they had updated their information.
Hacking your confidence
Despite all the recent upgrades to Southern California’s election infrastructure, cybersecurity experts say most voting systems – even bolstered local ones – still have vulnerabilities.Many Southern California polling places use 15-to-20-year-old voting machines with outdated operating systems that officials acknowledge are less secure than modern versions. While voting machines are tightly protected, some need to be programmed with a separate memory card, which, depending on the offices’ protocols, could be a vehicle for malicious code. And experts say some voting machines are serviced by outside vendors with varying security protocols, sometimes via computers that might occasionally be connected to the internet, providing a pathway for attack.
Another feasible mode of attack, experts say, could target the state’s voter registration system. Intruders might seek to change or delete portions of voter rolls in a way to deter citizens from voting – similar to what was alleged in Riverside County. To prevent such a breach, Padilla’s office has buttressed its information systems in advance of the 2018 elections by conducting an agency-wide security audit, enhancing its server security and replacing antiquated infrastructure. The state also has implemented “increased 24/7 monitoring” to detect and block potential strikes.
“I think we’re in a much better place in 2016 because we really have our antennas up,” UC Irvine law professor Jack Lerner, who studies electronic voting, said of California’s system.
“I don’t think we’re totally safe unless we have a (mandatory risk-limiting) audit, the way experts have recommended. But we’re in way better shape than other jurisdictions.”
Even if the elections systems are never breached, though, many election-security experts worry the intrusions and hacking attempts are damaging elections in a more intangible way.
Mary Beth Long, a former CIA intelligence officer and Assistant Secretary of Defense, said at the UC Irvine conference that a central aim of Russia’s efforts is to foster distrust of the democratic process and amplify divisive dialogues by causing voters to think elections are able to be rigged.
“It sows discord, controversy and a real lack of confidence in our system… And that has a tremendous impact in how we conduct ourselves, and how we move forward with our elections,” Long said.
“We’ll definitely see more (attempts) in 2018 and 2020.”
That knowledge has put election officials and others in a delicate position when deciding whether or not to sound the alarm about potential election security threats and the need to safeguard and modernize voting systems. Tread too softly, and the fixes might never come. Announce the vulnerabilities too loudly, and you risk cultivating skepticism among voters.
“There are election officials who worry that if voters know what the risks are, they might not come to the polling place,” said Alex Halderman, a University of Michigan computer scientist who in 2017 testified before U.S. Senate Select Committee on Intelligence about cyber threats to U.S. elections.
“Although studies show that voters who are more aware of cybersecurity issues are just as likely to vote, I think there’s a concern that even talking about these problems is somehow negative,” Halderman said at the UC Irvine conference.
“But if we don’t talk about them, nothing is ever going to get done.”
©2018 The Orange County Register (Santa Ana, Calif.) Distributed by Tribune Content Agency, LLC.