Is Your Vote Safe?

By Chris Finnie 

There’s been a lot of media coverage lately about Russian hacking of voter rolls, and whether they could do more.

Nationally

The Washington Post reported that, “People connected to the Russian government tried to hack election-related computer systems in 21 states.”

TIME magazine wrote “The hacking of state and local election databases in 2016 was more extensive than previously reported, including at least one successful attempt to alter voter information, and the theft of thousands of voter records that contain private information like partial Social Security numbers.”

Bloomberg News reported that Russian hackers had “hit” systems in 39 states, and The Intercept, citing a classified intelligence document, reported that Russian military intelligence, “executed a cyberattack on at least one U.S. voting software supplier and sent spear-phishing emails to more than 1,100 local election officials just days before last November’s presidential election.”

NPR, however, reports that the Florida elections vendor that was a target for Russian cyberattacks denied that the company’s computer system was compromised. VR Systems, based in Tallahassee, provides voter registration software and hardware to elections offices in eight states, including for poll books in one county in California.

Statewide

Voter registration isn’t kept nationally, but at the state level. So how secure are voter rolls in California?

A California voting watchdog group says there is a problem with Microsoft-based systems, which can now be considered for funding under AB 668, passed by the California Assembly to place a bond measure on the ballot to fund new voting systems. This group wants only systems based on open-source software to be approved. An article in Computerworld says a flaw in Visual Basic can allow hackers to introduce malware into systems.

But the Los Angeles Times noted that, “More than 40 states use voting systems that are over a decade old. Governor Jerry Brown signed a new law requiring the state to alert voters when their registration has been changed after the Riverside County District Attorney’s Office heard of about three dozen voters who said they were either removed from the voting rolls or had their party changed without consent, which District Atty. Mike Hestrin attributes to hacking.”

Since Assemblyman Stone voted for AB 668, we reached out to his office for a comment. A staff member in the assemblyman’s Sacramento office said the Secretary of State was in charge of certifying systems for the state. AB 668 simply provides much-needed funding to replace antiquated equipment.

The Secretary of State’s office gave us this statement on the topic, “There is no evidence of any breach of elections systems in California. VR Systems, which is headquartered in Florida, does not provide services to the Secretary of State. However, they have previously provided e-pollbook services to Humboldt County—one of California’s 58 counties. VR Systems does not provide any vote tabulation services in California.”

The Times continues, “Some California counties have also joined Colorado and New Mexico in conducting robust audits of paper backup ballots to ensure they match the digital vote results, which many computer security experts advocate as the best defense against election hacking. Vendors of voting machines were chastened over the weekend after the DefCon hacking conference in Las Vegas highlighted how programmers can penetrate the machines in as little as 90 minutes if left in the same room with them. Some found passwords for the administrative functions of the equipment on Google.”

In the County

This still didn’t answer the question of whether or not voters in Santa Cruz County could feel safe about our votes. Ultimately, that’s where voter information is collected, and where votes are counted. Fortunately, we have an outstanding County Clerk who is in charge of our elections. And Gail Pellerin, along with her Senior Information Systems Analyst Martin Peaden, spoke with the Bulletin about all of this.

In their view, voters in Santa Cruz County can feel very secure about the integrity of our votes for a number of reasons:

  • The county follows a number of security protocols. For example, there is no connection to the Internet from voting or counting systems or from the voter registration files. So they’re not vulnerable to remote hacking.
  • Peaden says the county uses Microsoft SQL for databases for ballot counting. But, as he correctly noted, it’s the most widely used database software in the world. And nothing is 100% secure, including open-source software.
  • The county follows mandated state processes as well. These include equipment verification testing, post-election vote audits, random hand counts, verified voter printouts, logic and accuracy testing, and rotation of candidate names on ballots to make electronic voting machines harder to hack.
  • Pellerin says the entire process safeguards the vote, from securing the equipment with tamper-proof seals checked by two people, to verifying the count. Plus, all touchscreen equipment in the county provides voter-verified printed ballots so the voter can verify their vote. That serves as the official ballot for the voter, and is used for audits and recounts.

In the end, one of the things that will make it hard for hackers to really affect elections is that systems are decentralized. While results are sent to the Secretary of State, all the tabulations and database maintenance are done locally.

And Pellerin does agree with Stone that we need new systems. She says they currently can’t get new servers, but have to find one from 2004 because that’s when the system was certified. Santa Cruz borrows printers from Santa Clara because we don’t have enough to print records of really long ballots. If we want to keep our votes safe, we need to replace outdated equipment.

Anyone who wants more information on this can see the May 2017 grand jury report at votescount.com, under “Current Activities.”