In Southern California, home to some of the nation's most competitive congressional contests, that threat of Russians cyberhacking this year's midterm elections is being taken seriously.
Consider just a few of the many new security protocols being adopted by election officials in the four-county region encompassing Los Angeles, Orange, Riverside and San Bernardino counties. Office emails are being encrypted and networks buttressed. Election employees are randomly being mock phished to see if they'll fall for simulated online invaders. Federal officials are being invited to inspect and test the region's many voting systems.
The local upgrades are part of a national response to Russia's meddling in America's 2016 elections. Intelligence agencies have determined that, among other things, Russian agents and their operatives executed a cyberattack on a U.S. voting software supplier, sent spear-phishing emails to election officials, and targeted voter rolls in at least 21 states, breaching a small (but undisclosed) number of them. Since then, Congress has authorized $380 million to help states strengthen voting systems' digital defenses, including $34 million earmarked to protect the integrity of elections in California.
California's voting infrastructure is, in many ways, far more secure than those of most other states. Counties in California are legally required to keep paper ballots as fixed records of electronic voting tallies and to hand-count the ballots cast in 1 percent of all precincts to verify digital totals. But despite California's superior safeguards, cybersecurity experts say the state's voting systems remain susceptible to some forms of attack. Recognizing the threat, election officials in the four counties say they've become more vigilant since the 2016 campaign.
The leader of the pack seems to be Orange County, where four congressional contests in longtime GOP-held district are being targeted by national Democrats in their effort to take control of the House of Representatives. Registrar of Voters Neal Kelley released a 28-page 2018 Election Security Playbook outlining new security protocols his office has implemented: improving its ability to detect network intrusions and malware; encrypting its emails; enhancing building security; implementing a third-party cybersecurity audit; and randomly testing employees by sending them faux phishing emails and seeing if they bite.
The most substantial of the county's new fixes is its risk-limiting audit — a protection that verifies electronic tallies with an even higher degree of certainty by hand-counting a random sample of paper ballots, with the number of votes scrutinized corresponding to the margin of victory in a given race.
Kelley knows firsthand that malicious actors are constantly probing local voting systems.
In Los Angeles County, Registrar of Voters Dean Logan has educated his staff on cyberthreats by having them see firsthand how voting machines can be hacked. Last year, he sent members of his team to DEF CON in Las Vegas, one of the world's largest hacker conventions. There, at something called the Voting Machine Hacking Village, they watched white-hat hackers "go through and show the vulnerability of voting systems," a process that helped Logan's office identify its own potential shortcomings. Since the 2016 elections, the office has upgraded its malware protection and mandated cybersecurity training for staff.
San Bernardino County Registrar of Voters Michael Scarpello was less forthcoming about what he'd done to enhance election security in his jurisdiction. His office has worked with federal agents and the county's IT department to harden its voting systems, website and local voter registration database from attack. Scarpello declined to identify any specific security system or protocol changes — and even declined to disclose the federal agency his office worked with.
California Secretary of State Alex Padilla's office, which operates the state's voter registration database, said his office had no evidence that voter rolls were breached.
Despite all the recent upgrades to Southern California's election infrastructure, cybersecurity experts say most voting systems — even bolstered local ones — still have vulnerabilities.
Many Southern California polling places use 15- to 20-year-old voting machines with outdated operating systems that officials acknowledge are less secure than modern versions. While voting machines are tightly protected, some need to be programmed with a separate memory card, which, depending on the offices' protocols, could be a vehicle for malicious code.
And experts say some voting machines are serviced by outside vendors with varying security protocols, sometimes via computers that might occasionally be connected to the Internet, providing a pathway for attack.
Another feasible mode of attack, experts say, could target the state's voter registration system. Intruders might seek to change or delete portions of voter rolls in a way to deter citizens from voting. To prevent such a breach, Padilla's office has buttressed its information systems in advance of the 2018 elections by conducting an agencywide security audit, enhancing its server security and replacing antiquated infrastructure. The state also has implemented "increased 24/7 monitoring" to detect and block potential strikes.
"I think we're in a much better place in 2016 because we really have our antennas up," UC Irvine law professor Jack Lerner, who studies electronic voting, said of California's system.
(c)2018 The Orange County Register (Santa Ana, Calif.). Distributed by Tribune Content Agency, LLC.