California elections officials are confident that the state’s voter data and election technology is secure enough to withstand cyber attacks such as those Russian hackers recently carried out against Arizona and Illinois.
“We are agile and always evaluating and adapting our security posture to protect the confidentiality of voter data and to protect the integrity of our elections,” said Sam Mahood, a spokesman for California Secretary of State Alex Padilla
Mahood declined to provide specifics, but said there is no evidence of a successful hack of the state’s systems.
“In California, voting systems – the equipment that you’ll see at polling places – cannot be connected to the Internet at any time,” Mahood said in an emailed statement. “All electronic voting systems must have a paper trail that can be audited.”
Mahood added that California “has one of the most strenuous voting system testing and certification programs in the country.”
Counties must “follow specific procedures for programming, deployment, and use of voting equipment,” he said.
“In addition, California elections officials are required to conduct a manual tally of 1 percent of the precincts as part of the official canvass of election results as a safeguard to ensure votes were accurately read and tallied.”
Earlier this month, the FBI issued a national alert after cyber intrusions into elections offices were uncovered in two states, believed to be Arizona and Illinois, according to multiple media reports.
Hackers downloaded personal data for as many as 200,000 Illinois voters but were unable to access Arizona voter data. The two attacks were linked to eight IP addresses – digital fingerprints for computers – and the FBI alert asked states to check for breaches.
States are responsible for maintaining voter databases, and the information, which can contain dates of birth and home addresses, is attractive to identity thieves.
The FBI alert exacerbates already heightened fears about foreign interference, especially by Russia, in this year’s presidential elections.
Just before the Democratic National Convention in July, Democratic National Committee emails were leaked online showing committee staff favored Hillary Clinton over Bernie Sanders. Clinton’s campaign suggested the leak was the work of Russian hackers.
Many voters already are suspicious of Clinton, nicknamed “Crooked Hillary” by Donald Trump. The Republican presidential nominee has said that Clinton stands to benefit from a “rigged” system on Nov. 8 and that the only way he could lose the swing state of Pennsylvania is through fraud, despite multiple polls of Pennsylvania voters that show him trailing Clinton.
Even if hackers aren’t able to alter election results, questions about voting system security could fuel voter doubts about the election’s legitimacy, said Sinan Eren, vice president of Avast Software, an international company that develops anti-spyware and anti-virus software.
While there’s no danger in using technology to count votes, there’s more of a danger for voting systems that allow votes to be cast electronically, said Alfredo Ortega, of Avast.
QUESTIONS RAISED
California counties rely on a statewide voter registration database, said San Bernardino County Registrar of Voters Michael Scarpello.
“I think that it’s always wise to be vigilant with your security protocols, but I’m confident that the Secretary of State’s office has done so,” he said.
Questions about the security of voters’ personal information surfaced in July, when Riverside County District Attorney Mike Hestrin said his office found evidence of voters’ party affiliations being switched online without their knowledge or consent.
The culprit or culprits had access to voters’ private information, Hestrin said, adding the digital trail went cold. It’s not clear how many voters’ party affiliations were changed.
At the time, Mahood said his office had not received “any substantiated claims from district attorneys and county registrars of unauthorized political party affiliation changes.”
Riverside County Registrar of Voters Rebecca Spencer said there is no evidence of unauthorized access into her office’s system.
“We have two different election databases. One is the voter registration database and the other is the vote counting database,” she said. “The vote counting database is a standalone network that is not connected to the internet, that is not connected to the (county) network, and is completely self-contained in a secure facility.”
California was on the road to electronic voting machines. But then-Secretary of State Debra Bowen pulled the plug on them in 2007, citing security concerns.
CHECK SYSTEMS
Voter information is not strictly private and can be requested by the public, said Cris Thomas, a strategist at Tenable Network Security, whose clients include the city of San Diego.
“The recommendations outlined in the (FBI) bulletin will significantly raise the bar for any attacker and should be taken seriously by all defenders, regardless of whether their threat model includes nation-state attackers or not,” Thomas said.
“However, if their threat model does include nation-state attackers, these recommendations will most likely not keep them out.”
The Arizona and Illinois incidents underscore the need to check computer systems for vulnerabilities, said Bill Berutti, an executive at BMC, an information technology firm with offices in Irvine.
“The average vulnerability is open for 193 days,” Berutti said. “As the elections close in, other state systems may want to consider what is already active or vulnerable within their systems.”
California also needs to reassure nervous voters, said Michael Rubin, a senior vice president at LEVICK, a public relations firm specializing in crisis communications with offices in Washington, D.C., New York and Chicago.
“Voter databases are also not the systems used to vote or tabulate votes, so California can reassure its citizens that while the state is working to protect all state databases,” Rubin said. “The purpose of hacking these particular databases is to incite fear and cast doubts, not to steal information or change votes.”
