Russians will hack again in ’18. Here’s how So Cal elections will answer

At a recent conference on election security, Orange County Registrar of Voters Neal Kelley said he’d asked former CIA Director Michael Hayden if Russian hackers will try to disrupt the 2018 mid-term elections.

“He didn’t hesitate,” Kelley recounted. “He said, ‘They will be targeting congressional races.’”

In Southern California, home to some of the nation’s most-competitive congressional contests, that threat is being taken seriously. Consider just a few of the many new security protocols being adopted by election officials in the four-county region.

Office emails are being encrypted and networks buttressed. Election employees are randomly being mock phished to see if they’ll fall for simulated online invaders. Federal officials are being invited to inspect and test the region’s many voting systems.

Even the seemingly oldest of old-school safety protocols — counting up some election results by hand — is expected to play an expanded role in the 2018 midterms.

The local upgrades are part of a national response to Russia’s meddling in America’s 2016 elections. Intelligence agencies have determined that, among other things, Russian agents and their operatives executed a cyberattack on a U.S. voting software supplier, sent spear-phishing emails to election officials, and targeted voter rolls in at least 21 states, breaching a small (but undisclosed) number of them.

Since then, Congress has authorized $380 million to help states strengthen voting systems’ digital defenses, including $34 million earmarked to protect the integrity of elections in California. In the last weeks of the Obama administration, the Department of Homeland Security also designated state-run election systems as critical infrastructure, elevating them to the same classification as nuclear reactors and the Hoover Dam. And the FBI and other federal officials are offering free cybersecurity assessments to local election offices.

To date, there’s no evidence that votes were changed or voting machines infected during the 2016 cyberattacks. And election security experts say such threats are remote in any specific jurisdiction, and nearly impossible on a substantial scale.

But the upcoming midterms are the first national election since 2016. And those same election experts caution that attacks remain feasible in some American elections systems, particularly if existing vulnerabilities aren’t fixed.

Risk is low; security high

California’s voting infrastructure is, in many ways, far more secure than those of most other states. Counties in California are legally required to keep paper ballots as fixed records of electronic voting tallies and to hand-count the ballots cast at one percent of all precincts to verify digital totals. That means even if voting machines are compromised, there’s a physical backup to warn of a discrepancy.

That’s not true in 11 states, where voting equipment can’t be audited manually and a hack that alters voting results could go entirely undetected. (Interestingly, most of the un-auditable, all-digital machines in those states were put into use after Florida’s “hanging-chad” debacle during the 2000 presidential election scared officials away from punch-card voting systems to what were perceived as more reliable electronic machines.)

Despite California’s superior safeguards, cybersecurity experts say the state’s voting systems remain susceptible to some forms of attack. Recognizing the threat, election officials in Los Angeles, Orange, San Bernardino and Riverside counties all said recently that they’ve become more vigilant since the 2016 campaign and have welcomed help from federal agents to assess their systems.

But implementing fixes has happened at different speeds across the region, with some counties addressing potential vulnerabilities more aggressively than others.

The leader of the pack seems to be Orange County, where four congressional contests in longtime GOP-held districts are being targeted by national Democrats in their effort to take control of the House of Representatives.

In April, Kelley released a 28-page “2018 Election Security Playbook” outlining new security protocols his office has implemented: from improving its ability to detect network intrusions and malware, to encrypting its emails, to enhancing building security, to implementing a third-party cybersecurity audit, to randomly testing its employees by sending them faux phishing emails and seeing if they bite.

The most substantial of the county’s new fixes is its risk-limiting audit – a protection that verifies electronic tallies with an even higher degree of certainty by hand-counting a random sample of paper ballots, with the number of votes scrutinized corresponding to the margin of victory in a given race.

Kelley knows firsthand that malicious actors are constantly probing local voting systems.

At the election security conference, held at UC Irvine in March, Kelley revealed that he and Los Angeles County Registrar of Voters Dean Logan were contacted by federal officials in spring 2016. They warned Kelley that people using overseas IP addresses had prodded his office’s networks in a move that was described as “checking to see if the front door of your house was locked.”

Kelley said his office’s defenses withstood the test, but he immediately worked to strengthen protections anyway.

“We’ve reevaluated every piece of the voting system and process, identified potential vulnerabilities, and made sure those are solid and secure,” said Kelley, who serves on a recently created federal 25-member election security council.

“Even though the risk is low, (the potential for hacking) is being taken very seriously,” he said. “And that should inspire voter confidence, just to know that there’s a different approach being taken to elections than there was in 2016.”

In Los Angeles County, home to another one of the nation’s most competitive congressional races, Logan has educated his staff on cyber threats by having them see firsthand how voting machines can be hacked.

Last year, he sent members of his team to DEF CON in Las Vegas, one of the world’s largest hacker conventions. There, at something called the “Voting Machine Hacking Village,” they watched white-hat hackers “go through and show the vulnerability of voting systems,” a process that helped Logan’s office identify its own potential shortcomings. Since the 2016 elections, the office has upgraded its malware protection and mandated cybersecurity training for staff. It soon will implement vulnerability-assessment and phishing exercises to further test its new systems.

“If we don’t know those vulnerabilities, we can’t respond to them,” Logan said at the conference.

San Bernardino County Registrar of Voters Michael Scarpello was more cryptic about what he’d done to enhance election security in his jurisdiction.

Scarpello said his office had been working with federal agents and the county’s IT department to harden its voting systems, website and local voter registration database from attack. He noted the effort was partially in response to a “heightened level of scrutiny, based on what’s going on at a national level.” Scarpello declined to identify any specific security system or protocol changes – and even refused to disclose the federal agency his office worked with.

And in Riverside County, election officials say the FBI and Department of Homeland Security are helping to monitor their network traffic and supplying a list of IP addresses to watch out for.

Riverside County Registrar of Voters Rebecca Spencer said the increased vigilance isn’t in response to a July 2017 Time magazine cover story. In that article, the Riverside County District Attorney stated that hackers had changed a small number of county residents’ voter registration data in advance of the 2016 primary. And unnamed national cybersecurity officials said the incident may have been a “test run by the Russians… (to see) what kind of chaos they could unleash on Election Day.”

Since then, that version of events has been rebuffed by election officials. California Secretary of State Alex Padilla’s office, which operates the state’s voter registration database, said his office had no evidence that voter rolls were breached. And Spencer said her office had identified the cause of nearly all the voter roll changes, many of which occurred because voters simply forgot they had updated their information.

Hacking your confidence

Despite all the recent upgrades to Southern California’s election infrastructure, cybersecurity experts say most voting systems – even bolstered local ones – still have vulnerabilities.

Many Southern California polling places use 15-to-20-year-old voting machines with outdated operating systems that officials acknowledge are less secure than modern versions. While voting machines are tightly protected, some need to be programmed with a separate memory card, which, depending on the offices’ protocols, could be a vehicle for malicious code. And experts say some voting machines are serviced by outside vendors with varying security protocols, sometimes via computers that might occasionally be connected to the internet, providing a pathway for attack.

Another feasible mode of attack, experts say, could target the state’s voter registration system. Intruders might seek to change or delete portions of voter rolls in a way to deter citizens from voting – similar to what was alleged in Riverside County. To prevent such a breach, Padilla’s office has buttressed its information systems in advance of the 2018 elections by conducting an agency-wide security audit, enhancing its server security and replacing antiquated infrastructure. The state also has implemented “increased 24/7 monitoring” to detect and block potential strikes.

“I think we’re in a much better place in 2016 because we really have our antennas up,” UC Irvine law professor Jack Lerner, who studies electronic voting, said of California’s system.

“I don’t think we’re totally safe unless we have a (mandatory risk-limiting) audit, the way experts have recommended. But we’re in way better shape than other jurisdictions.”

Even if the elections systems are never breached, though, many election-security experts worry the intrusions and hacking attempts are damaging elections in a more intangible way.

Mary Beth Long, a former CIA intelligence officer and Assistant Secretary of Defense, said at the UC Irvine conference that a central aim of Russia’s efforts is to foster distrust of the democratic process and amplify divisive dialogues by causing voters to think elections are able to be rigged.

“It sows discord, controversy and a real lack of confidence in our system… And that has a tremendous impact in how we conduct ourselves, and how we move forward with our elections,” Long said.

“We’ll definitely see more (attempts) in 2018 and 2020.”

That knowledge has put election officials and others in a delicate position when deciding whether or not to sound the alarm about potential election security threats and the need to safeguard and modernize voting systems. Tread too softly, and the fixes might never come. Announce the vulnerabilities too loudly, and you risk cultivating skepticism among voters.

“There are election officials who worry that if voters know what the risks are, they might not come to the polling place,” said Alex Halderman, a University of Michigan computer scientist who in 2017 testified before U.S. Senate Select Committee on Intelligence about cyber threats to U.S. elections.

“Although studies show that voters who are more aware of cybersecurity issues are just as likely to vote, I think there’s a concern that even talking about these problems is somehow negative,” Halderman said at the UC Irvine conference.

“But if we don’t talk about them, nothing is ever going to get done.”

Powered by WPeMatico

Mail-in primary ballots arrive this week; here’s what’s happening

Primary election day is June 5 in California and local communities. But balloting actually begins May 7 — this Monday. That’s the start of voting by mail.

For people who have avoided thinking about politics for as long as they could, time’s up. Here’s a refresher about what’s at stake in the next month.

In this election between presidential elections, voters here will begin to decide who leads California, with primaries to select the two candidates to advance to the Nov. 6 general elections in races for governor, seven other statewide offices, every Assembly seat and half of the state Senate, and the state Board of Equalization. They’ll also begin to choose California’s representatives in Washington, D.C., with a U.S. Senate seat and all U.S. House seats in play. And they’ll start to select who’ll hold many municipal offices and judgeships.

Some themes will be pervasive.

The #MeToo movement, which hangs over several races for the state Legislature in Los Angeles County, has brought out a record number of women candidates, hoping to increase their numbers in Sacramento and Washington. Also, young voters — many who registered during pro gun control marches related to the Parkland shooting — are expected to turn out in higher numbers than usual, even as 84-year-old U.S. Sen. Dianne Feinstein seeks her sixth six-year term. And the partisan battle for control of the U.S. House, with Democrats targeting at least a half-dozen Republican-held seats in California, could energize voters of all stripes.

Donald Trump isn’t on any ballot — or you could say he’s on almost every ballot as Democratic candidates play up their opposition to the president whose record-low approval percentages nationally are even lower in California’s major cities.

“A lot of them [the elections] are about Trump, and the divisions that are so raw in this country among people who follow politics,” said Jaime Regalado, professor emeritus of political science at Cal State Los Angeles. “This doesn’t mean we’ll get record [voter] turnout, but there is a heightened sense that these elections matter.”

These are the contests likely to get the most attention in the weeks before election day:

GOVERNOR: Jerry Brown, now 80, is leaving office because of term limits. Lt. Gov. Gavin Newsom, another Democrat, has led the polls. It was long assumed the race would boil down to Newsom and Democrat Antonio Villaraigosa, a battle of former San Francisco and L.A. mayors. But some polls show Villaraigosa fighting for the second spot in the top-two primary against Democrat John Chiang and Republicans John Cox and Travis Allen.

CONGRESS: Democrats need a net gain of 24 seats in the 435-member House of Representatives to seize the majority and take control from Republicans. The districts they’re targeting include seven in California where voters in ’16 elected GOP representatives even as they picked Democrat Hillary Clinton over Trump for president. Five of those districts are in Southern California, including two in Orange County where incumbent Republicans (Dana Rohrabacher and Mimi Walters) are hoping to keep the seats, and two others in the county where long-time GOP representatives (Darrell Issa and Ed Royce) are retiring, and one in northern L.A. county where Republican Steve Knight hopes to keep the seat.

STATE LEGISLATURE: Sexual harassment scandals in state government hang over several races for the Legislature, all involving Democrat-controlled districts in L.A. County. Special elections will fill out the terms of Raul Bocanegra and Matt Dababneh, assemblymen from the San Fernando Valley who resigned after multiple accusations of sexual misconduct. (The race for Dababneh’s seat includes 19-year-old Republican Justin Clark, who could become the youngest known legislator in California history.) A special-election primary will fill out the term of Tony Mendoza, a senator from Artesia who resigned after being accused of sexual harassment, only to remain on the ballot for the special election.  Also, Assemblywoman Cristina Garcia, D-Bell Gardens, is running for re-election while on voluntary, paid leave during an investigation of sexual harassment charges against her.

Potentially confusing for many voters is this: The special elections to fill out remaining terms of resigning legislators occur on the same day as the primaries in the regular elections for the next full term of those same legislative offices.

In another unusual state legislative contest, Sen. Josh Newman, D-Fullerton, faces a recall election. Republicans started the recall drive after Newman voted in favor of California’s gas-tax increase.

State legislative election results in November will determine if Democrats regain their hold on two-thirds of the Assembly and Senate. Democrats currently are one seat short in each house of the two-thirds “supermajority” that would allow them to, among other things, pass tax increases without Republican members’ votes.

Voters have until May 21 to register to vote and until May 29 to request vote-by-mail ballots (see the sample ballot that comes in the mail). For those who have already requested mail-in ballots or have arranged for permanent vote-by-mail status, the ballots will be sent out starting May 7; so many Californians could fill out their votes in the next few days.

Mail-in ballots must be postmarked by June 5 and arrive at county election offices by June 8 to be counted.

The percentage of votes cast by mail in Californians has grown steadily in the past 50 years from the low single digits — back when, ostensibly, only people traveling out of town used what was known as “absentee voting.” The past six state election primaries have all seen more than half of the votes cast by mail, including 69.4 percent in the 2014 primary.

Southern Californians can get more information about voting from election officials in Los Angeles County at 800-815-2666 and, Orange County at 714-567-7600 and, Riverside County at 951-486-7200 and, and San Bernardino County at 800-881-VOTE and

Powered by WPeMatico