The Washington Post

The Cybersecurity 202: Super Tuesday will be big test for security of Los Angeles County's new voting machines


with Tonya Riley


Today’s Super Tuesday contest will mark a critical test for the brand new voting machines that Los Angeles County had custom built in the hopes voting could be easy and accessible for its 5.2 million residents. 

But as security concerns persist, it may also be judgment day for the strategy to try to wrest control of voting technology from the stranglehold of a handful of major vendors that experts say can't be trusted in an era of Russian hacking. 

The county poured $280 million into the machines, a rare example of a system not built by any of the three companies that control more than 90 percent of the U.S. voting machine market, as my colleague Neena Satija and I report. The county even planned to offer its software, which produces ballots with paper records in more than a dozen languages, free to other jurisdictions that also wanted to break free of the big vendors. 

Yet an official review contracted by California’s top election office in December uncovered numerous digital and physical flaws and sparked fears among security advocates that the vote could be compromised. 

“We may be witnessing something like the emperor’s new clothes,” Susan Greenhalgh, vice president of policy at the National Election Defense Coalition advocacy group, told us. “We’ve been told that this is so great and so expensive and so fabulous for the past 10 years. And when it actually had to see the light of day and get scrutinized by some independent testers, it didn’t come close to meeting…expectations.” 

The debut of the new machines in L.A. was especially enticing since states and counties across the country are struggling to figure out the best way to protect elections against foreign interference – and how to spend their state taxpayer dollars and federal assistance on technology as security advocates warned the old guard of voting machine vendors isn't transparent or nimble enough to guarantee security. 

But the poor report card for the effort by the largest county in the nation, with massive resources, may have them questioning whether it’s worth going this route. 

The security problems – which the county’s Registrar of Voters Dean Logan told us were all remedied or mitigated before today’s primary contest – include a flaw that could allow hackers to insert malicious software into vote-tallying machines using a USB drive and inadequate physical security around both the voting machines and boxes used for transferring ballots. 

The machines, dubbed Voting Solutions for All People or VSAP, also lack full-disk encryption – a cybersecurity gold standard – that won’t be added before 2021, officials said. And there’s no word on when the county will release its software code to other jurisdictions that want to follow its lead, though Logan told us that’s still the plan. 

The concerns come as top government officials warn that Russia and other U.S. adversaries remain eager to undermine the 2020 election even though they haven’t yet identified “any activity designed to prevent voting or change votes.”

Officials renewed those warnings yesterday with a joint statement from top intelligence, law enforcement and cybersecurity officials sounding an alarm about adversaries’ efforts to “spread false information and propaganda about political processes and candidates on social media in hopes to cause confusion and create doubt in our system.”

Logan, who led development of the system, defended it in an interview, saying the issues critics raise are to be expected for a bold system that was built from scratch.

“Given the time frame and the dynamics that we had to work under, I don’t think it’s particularly surprising or shocking,” he said. “It’s an entirely new and innovative way to deploy a voting system, and it’s more complex and challenging than any other election jurisdiction in the country.”

He also accused critics of reflexively attacking the system because it’s new, adding that “that’s why we’ve been stuck for decades on the limited voting systems we have in this country.”

Indeed, the system has become fodder for critics of ballot-marking devices – a category of touch screen voting machines like the VSAP that also produce paper ballots for voters to review. BMDs have become far more common since 2016 when election officials across the nation shifted to paper-based voting systems that are more secure against hacking – but many cybersecurity experts say they’re less secure than hand-marked paper ballots.

L.A. County has made a number of fixes ahead of today's primary. In addition to patching vulnerabilities, the county increased training for poll workers and voter education, and it has placed tamper-evident seals and protective covers on some equipment.

The secretary of state’s office also required the county to provide a paper ballot option for voters who don’t want to use the new machines. But the paper ballots do not list the candidates or the specific races, meaning voters must write all of their choices in by hand, raising the possibility of ambiguous responses that could confuse election results.

L.A. County began the process of replacing its antiquated legacy voting machines back in 2009 – long before the election world was upended by Russia’s 2016 hacking and disinformation operation, which included digitally probing voting systems across the country and penetrating databases in Illinois and at least two Florida counties. 

The county’s development contract with its vendor Smartmatic, however, promised that California’s cybersecurity and accessibility standards for voting systems – some of the strictest in the nation – would be “woven directly into the DNA” of the new system. That didn’t happen, according to the report commissioned by the California secretary of state’s office and conducted by the consulting firm Freeman, Craft, McGregor Group.

In addition to the digital and physical security concerns, the report highlighted a messy ballot design that requires voters to scroll through multiple pages to review all the candidates for some races. That has already prompted a lawsuit from the city of Beverly Hills, which says it’s unfair to candidates on the second page. 

“It’s a great concept, but it has a fatal flaw in that it does not provide the electorate with an objective view of the election,” Julian Gold, a Beverly Hills City Council member who will appear on the ballot, said in an interview. “When was the last time you [got] to Page 2 of a Google search?” 

Here’s a full rundown on what to expect on Super Tuesday from my colleagues Amy Gardner and Elise Viebeck.


PINGED: At least 50 election-related websites for counties and towns voting today have security problems that make them especially vulnerable to cyberattacks, a review by Jack Gillum at ProPublica found. The sites are in districts that serve about 2 million voters. The vulnerabilities, which include outdated software and poor encryption, raise concerns that Russian hackers could sow chaos by changing election night tallies or taking sites offline during critical reporting periods.  

Several localities said they would fix their websites after ProPublica contacted them. But others said they had no plans to make fixes before today’s primaries. 

That includes Richmond, the Virginia capital that represents more than 153,000 voters, which is still running on a 2003 version of Microsoft’s Windows operating system that the company is no longer issuing routine patches for. Richmond officials said they’re still getting periodic updates from Microsoft meant to plug major security holes. 

“We are absolutely prepared to protect the integrity of our elections and have taken significant steps to do so,” Richmond spokesman Jim Nolan said.

None of the election offices contacted by ProPublica reported that their sites had been hacked. But U.S. intelligence agencies warn foreign adversaries are eager to compromise the election, and attacking county websites is in the playbook, one senior U.S. official told Jack.

PATCHED: Internal Huawei documents reviewed by Reuters add meat to long-standing charges that the Chinese telecom has violated U.S. sanctions against Iran, Steve Stecklow at Reuters reports.

The new documents relate to a multimillion-dollar Iranian telecommunications project that figures prominently in an ongoing U.S. criminal case against Huawei and its chief financial officer, Meng Wanzhou. The documents, which aren’t cited in the criminal case, could bolster a campaign by U.S. officials to get allies to ban Huawei equipment from their next-generation 5G wireless networks. 

Huawei has pushed back against numerous U.S. charges, including that it’s complicit in Chinese government spying and dodged sanctions to sell U.S. equipment to Iranian telecom carriers. 

But the new documents show the company sold more than 300 cases of U.S. computer equipment, including HP goods, to an Iranian telecom provider.

A Huawei spokesman declined to comment, citing the ongoing legal case.

PWNED: U.S. prosecutors indicted two Chinese citizens for allegedly helping North Korean hackers launder at least $100 million in stolen virtual currencies, my colleagues Spencer S. Hsu and Ellen Nakashima report. The charges could signal that U.S. officials are turning up the heat on long-suspected Chinese involvement in North Korean hacking operations.

The indictment is the first known case of U.S. officials charging Chinese citizens for aiding North Korean hacking. The Treasury Department also imposed sanctions on the two Chinese men, Tian Yinyin and Li Jiadong, yesterday. 

U.S. officials and the United Nations have accused North Korea of stealing bitcoin and other virtual currencies as a way to circumvent global sanctions and fund its renegade nuclear program. U.N. officials estimate North Korean hackers have stolen at least $2 billion for its weapons program by hacking financial institutions and cryptocurrency exchanges in recent years.



— Cybersecurity news from the public sector:

Fake cures and other coronavirus conspiracy theories are flooding WhatsApp, leaving governments and users with a ‘sense of panic’ (Tony Romm)

Coder charged in massive CIA leak portrayed as vindictive (Jim Mustian | AP)

Ethical hackers submitted more bugs to the Pentagon than ever last year (CyberScoop)


— Cybersecurity news from the private sector:

Walgreens app exposes customer prescription data (CyberScoop)

Carnival Corp units say were hit by cyber attack last year (Reuters)

A psychiatrist fights the cyber industry’s mental health stigma — and appeals for help (CyberScoop)


— Cybersecurity news abroad:

Facebook takes down inauthentic accounts from India, Egypt (CyberScoop)

UK Home Office breached GDPR 100 times through botched management of EU Settlement Scheme (ZDNet)

A Cyberspace ‘FIFA’ to Set Rules of the Game? UN States Disagree at Second Meeting (CFR)


— Coming up:

  • The Senate Commerce Committee will hold a hearing titled “5G Supply Chain Security: Threats and Solutions,” on Wednesday at 10 a.m.
  • The Carnegie Endowment for International Peace Cyber Policy Initiative will hold a discussion on the forthcoming Cyberspace Solarium Commission report Wednesday at noon.
  • The Senate Judiciary Committee’s panel on crime and terrorism will hold a hearing titled “Dangerous Partners: Big Tech and Beijing” on March 4 at 2:30 p.m.
  • The Cyberspace Solarium Commission will release its final report and recommendations during a public event on March 11 at 2:30 p.m.