LAS VEGAS—When it comes to election security, politicians like Alex Padilla, the top election official for the most populous state in the nation, are more worried about how they’re going to fund election modernization and counter disinformation campaigns than about hackers slipping into voting machines.

Padilla, California’s secretary of state, says that in the “new reality” of election security, there’s a “distinction” to be made between exposing security vulnerabilities in voting machines and greater election security concerns. But most importantly, he said at the DefCon Vote Hacking Village on August 10, is that if Congress wants election officials to “implement all these findings, recommendations, and discoveries,” it’s going to have to go back to the coffers.

“While I thank the United States Congress for appropriating $340 million last month, let me be abundantly clear: We need more resources,” Padilla said. “The money that came to states is not new money. It’s the remaining Help America Vote Act dollars, appropriated last month but authorized 15 years ago, in the wake of Florida 2000. That’s butterfly ballot hanging-chad money.”



READ MORE ON ELECTION HACKING 

There’s more to election integrity than secure voting machines
Mueller’s indictment of election hackers a cybersecurity ‘wake-up call’
For want of a VPN, Guccifer 2.0 was lost
Facebook’s Stamos on protecting elections from hostile hackers (Q&A)
For decade-old flaws in voting machines, no quick fix
Post-recount, experts say electronic voting remains ‘shockingly’ vulnerable
Can your vote be hacked—after you cast it?


Over the past year, hackers have schooled Padilla and other election administrators on the security vulnerabilities of electronic voting machines, especially those that lack a paper trail. They’ve also called attention to “social engineering” campaigns bent on decreasing voter confidence in election integrity.

A comprehensive MIT study on voter confidence that included research from the Pew Research Center and the Roper Center found that only 19 percent of respondents said they were confident in the integrity of nationwide vote results before the election.

Jeanette Manfra, national protection and programs directorate assistant secretary for the Office of Cybersecurity and Communications at the Department of Homeland Security, told The Parallax that she agrees with Padilla’s concerns about funding. She also compared election security to the current state of Internet-connected medical devices.

“You have to balance raising awareness of vulnerabilities and pushing vendors to make more secure products, which is what DefCon is trying to do, with the ability for vendors to react to that,” she said. “We have to bring both communities to see each other’s perspective.”

Padilla spent a few minutes speaking with The Parallax after his Vote Hacking Village presentation. What follows is an edited transcript of our conversation.

Q: You seem keenly aware of the issues surrounding voting machines and hacking, but not all secretaries of state appear to be on board, as the National Association of Secretaries of State statement shows. Is this an issue that’s worth convincing your peers of?

I think that the vast majority of my colleagues, both Democrat and Republican, clearly understand the stakes. I think the release you read comes from an appreciation of a practitioner’s standpoint that we’re always balancing the attention we give technology and cybersecurity with public perception. We don’t want to overplay threats; we don’t want to underplay them, either.

At last year’s conference here, a lot of headlines came out about effective hacks of voting equipment. When you look at the equipment they were using and the conditions they were using the equipment in, it didn’t exactly reflect real-world conditions that we deploy on Election Day.

As an engineer, I’m trained to understand that methodology matters. If DefCon is going to be constructive, we distinguish between what is an applicable take-away versus what may or may not apply in the real world.

So you do agree with the memo?

I might have phrased it differently, but I’m here [at DefCon]. I think there’s a lot of value in this convening, and in the spirit of this convening. In the Vote Hacking Village, I hope to see what kinds of lessons we can take away that we might not yet have thought of in California. I’d rather be enlightened today than be enlightened after an incident.

Are there other secretaries of state who used to not think that voting-machine and election systems hacking is important to consider and address, but do now?

I can’t think of a colleague that doesn’t take this seriously. We’re all actively engaged within each state and our local jurisdictions. We’re all participating in this. There is improved collaboration with the federal intelligence agencies, as well. I think best practices are being shared.

If we’re united on anything else, it’s on the need for additional resources. For Congress to only invest in election modernization and security once every 15 years doesn’t cut it.

What’s being done to counter the social-engineering angle, where the point is more to create fear, uncertainty, and doubt in elections than to exploit computers to change votes?

If the question is, were any systems penetrated? Or, was the vote outcome in any race changed due to hacking or any cyberthreats in 2016? The answer is no. And if the question is, were there attempts at finding vulnerabilities in those systems? The answer is yes.

Those are very different questions than, was there a concerted, massive disinformation campaign conducted by the Russian government to create chaos, sew doubts, and undermine confidence in elections? Absolutely.

To the extent that devices are used to make selections, they must still provide a voter-verified paper audit trail that we can go back to count, recount, audit to ensure the integrity of the results.

Another question would be, was there collusion between a certain presidential campaign and the Russian government? Well, there’s a whole special investigation going on to find the answer to that question. But whether there were successful penetrations or breaches of any type, that’s a different question than, is there misinformation that’s undermining public confidence in our system? And we have to address both.

In our democracy, there’s an important balance to maintain between voting-system cybersecurity, accessibility, and participation.

Many of the security researchers investigating election security talk about “risk-limiting audits” as an effective tool in ensuring election integrity. Do you have plans to use them in California?

Absolutely. We’re actively working on legislation to call for that before this year’s session is over. California already has a 1 percent manual tally requirement. That’s a good foundation to build on. I think there’s added value in a risk-limiting audit, but like with everything else, details matter, methodologies matter.

We have 58 counties in California, each with a different size and different complexity, so the exact methodology that best suits Alpine County versus Los Angeles County may be different, and we’ve got to get the language on our legislation right.

Are you looking outside the United States for guidance or inspiration toward how best to adopt electronic-voting technology?

There’s a lot of room for technology to improve how we register voters, how we inform voters, and even how we facilitate the act of voting. But one of the criteria that has served California well is the requirement of paper ballot, paper ballot, paper ballot. To the extent that devices are used to make selections, they must still provide a voter-verified paper audit trail that we can go back to count, recount, audit to ensure the integrity of the results.

So you don’t see that changing anytime soon?

Not on my watch.

Speaking of new technology, what’s your take on West Virginia’s use of a blockchain-backed mobile-voting app for its citizens stationed overseas in the military?

I’d be cautious, if I were them. It’s not coming to California.