If you find the threats posed by election hacking anxiety-inducing, well, you are not alone.
From election database insecurities to ransomware and disinformation, American democracy is digital and it’s under attack.
Okay, so now what?
Here to help us understand the threats to election security, as well as technology, and how we can protect the instruments of American democracy at the same time, is Chris Krebs.
He is the director of the Cybersecurity and Infrastructure Security Agency at the United States Department of Homeland Security.
This is the top cyber job in the US government, and Chris, you were the first person to hold this job.
So first, help us to understand your role at DHS.
Yeah, I’m still director of the Cybersecurity and Infrastructure Security Agency.
We’re only about two years old.
[UNKNOWN] in November of 2018 so we got a birthday coming up.
But our job is to work with the nation’s critical infrastructure community and provide them a range of cybersecurity and physical security support and services, including information sharing and other capabilities, to make sure that they can manage the risk successfully. And since 2017, January 2017, election infrastructure has been considered part of this nation’s critical infrastructure community.
And really all that means is it’s the functions, it’s the services, it’s the systems that underpin the American way of life, whether it’s the economy or, as you pointed out, our institutions of democracy.
And so our job is to help support, in this case, election officials across the state or country, to get them the services, the support, and the technical know-how that they need to ensure that 2020 is the most secure election ever.
Between now and November, voters will hear a lot about election security, cybersecurity, hacking, but these are kind of abstract ideas if you don’t work in infosec.
So let’s start broad: help us understand what the biggest cyber threats to the 2020 election are.
Who are the adversaries, and how did we get from 2016 to here?
So when you think about the election process, and particularly if you’re a systems engineer, you have to really think about workflow.
And when you start at the left of the workflow diagram and move to the right on the workflow diagram, it’s almost like you take a voter through the entire process. So you’ve got to register the voter.
There are a series of systems included with that, including online registration, and then there’s a back-end system that supports it, including voter registration databases.
And then as you get closer to the election day, you have ballot design, ballot printing.
Then you’ve got the actual election day, where there are some systems, some equipment that support election day, day-of activities, including scanning and tabulating votes, and then there’s all sorts of election night reporting equipment and systems. And then, you know, you carry that all the way through the December timeline, the systems that support audits, systems that support the certification of the vote and ultimately lead to the seating of the Electoral College, this year December 14.
So when we think about vulnerabilities and the threats to the systems, well, you know, in some cases there’s some specialized equipment, but a lot of the time it’s just standard enterprise equipment that we have in our normal office spaces. In fact, some of these laptops you may even have at home.
So for us, it’s really about basic cybersecurity, cybersecurity 101.
It’s good patching, it’s vulnerability management.
It’s about sharing information on risks.
It’s about multi-factor authentication.
Basics that we all think about on a daily basis, whether it’s our corporate life or at home.
And then when we think about the threats, the threats are ranging from state actors.
So the big four typically, China, Russia, Iran, North Korea, but also criminal actors, these ransomware gangs that are wreaking havoc across the state and local governments of this great country.
They’re pretty active too.
And so what we think about, and where we think the risk lies, at least right now, based on what we’re seeing, is in those highly connected and highly centralized systems, and right now those are principally voter registration databases and election night reporting systems. They touch the internet.
They’re highly visible and they really roll up each individual state’s activities.
So what we’re worried about at this point, and just to step back for a moment, you know, a few things here. First is we’ve never seen a nation-state adversary with the capability or in a position to change a single vote, the tabulation of a single vote.
So that’s important context to keep in mind.
The second thing is, right now we’re not seeing a lot of activity either from the threat side targeting tool systems.
So we’re not seeing on-system activity that we can attribute back to a nation-state actor.
And then the third piece is, working with our intelligence community partners, we’re also not seeing a great deal of activity or planning on the adversary side.
So from where we sit, cybersecurity right now compared to 2016, it’s really a night-and-day comparison. In ’16 we had already seen a compromise of a voter registration database in Illinois.
But again, we’re not seeing that same level of activity.
So as we prepare for this run-up, the next 70-plus days in the run-up to November 3rd, we’re thinking about those highly capable disruptive actors, including those that deploy ransomware, that could get into a real big, loud smash-and-grab and cause some havoc. But we have been focused specifically on ransomware and securing those databases for over a year now, and feel like we’ve made a great deal of progress to secure those systems.
In the news right now is a distinctly low-tech method of voting.
And that’s vote by mail, absentee ballots.
But it is intrinsically tied to election security, which is also very high-tech right now.
So does DHS consider vote-by-mail systems as a threat at all to election security?
So when you sit back and you think about how elections are conducted in this country, the Constitution clearly delineates the responsibilities of the various levels of government in this federalist system.
State locals, under Article One, Section Four of the Constitution, determine the time, place and manner for how elections are conducted, and we see a variety of approaches to elections and how they’re conducted.
Classically it has been in person, but we’re seeing in response to COVID some adjustments, whether it’s expanded early voting or adoption of more open absentee or expanded mailing.
So when you think specifically about absentee or mail, the systems, the actual equipment, the tabulation, the ballot printing, they’re the same whether it’s absentee or whether it’s mail-in.
And so what we’re looking at more than anything is, what are the risks with these approaches?
And so it’s, do you have a different type of equipment?
Okay, our job is to work with state and locals to understand the risks of those systems, and then identify the security controls that you can apply, and then help them apply those.
So just a couple weeks ago, we released a mail-in voting risk assessment and provided for each step of the process a potential risk and potential security controls.
And so we’ve had great uptake on that product, and we’ve been working with our partners to make sure that these systems are ready to go come the election.
You mentioned a moment ago auditability. It might sound kind of like a dry topic, but it is intrinsically tied to all sorts of voting systems, mail-in and traditional.
So what are the advantages of creating an auditable paper trail?
Yeah, this for us has really been one of the top priorities for the last, frankly, four years: getting more paper, a paper record associated with each ballot or vote, into the system. And that’s important just for that auditability piece. Any IT security professional knows that auditability is just a key tenet of ensuring you can have a secure and resilient system.
Really what we’re talking about here is that if you’re able to detect any sort of anomaly, or something seems out of the ordinary, you want to be able to kind of roll back the tape, and if you’ve got paper, you’ve got receipts, and so you can build back up to what the accurate count is.
And so what we saw in 2016 was about 82% of votes cast in the United States in a presidential were associated with a paper record.
We’re on track for the 2020 election to have about 92%.
We don’t have good numbers just yet on whether we’re going to meet that, but I suspect we might actually clear that 92% number because of the expansion of absentee voting in ballot requests across this country. Again, anytime you introduce paper into the process, you have an opportunity for auditing, and auditing is going to be a critical part of ensuring the integrity of the election.
You also mentioned that elections in the United States are distributed and handled by states.
And your office just released a guide for states to help monitor and report election, or potential election, security threats or loopholes.
How does this guide work, and what will states be doing in the process of looking for bugs?
So we issued a couple things.
And I think you talked about two different products we released.
One was an incident reporting guideline and another is a vulnerability disclosure program guide.
And so starting with the second: again, vulnerability disclosure is a key part in improving the cybersecurity of services and systems, and really the idea behind that product, and we have seen uptake here. The state of Ohio just recently announced a vulnerability disclosure program with their election systems and their networks.
We’ve also seen all the major vendors recently commit to a vulnerability disclosure program.
But the idea is that you want to make sure that you’ve got a mechanism so that anyone out there, you know, team internet that’s working towards a secure election, if they discover any sort of vulnerability or gap in your security posture, that you have a process, that you can take that report and you can thank the reporter, and you can work with them to close out that vulnerability.
The second thing that we issued a few weeks ago was this incident reporting guidelines.
And again, it’s just: here are the things you need to collect, here are the things you need to look for when you’re going through an incident response process.
And then please do let us know if you find anything.
And that’s really important, and when we talk to state and local election officials right now, that’s really our key takeaway or key ask for them: please report even the smallest incident to us, because little things sometimes together become big things, and we are in an advantageous position here at CISA, where if we are able to stitch together the mosaic or a trend across the country from little things, we have a unique position to be able to do that.
And we want to make sure that we’re understanding activity across election systems nationwide as best we can.
I wanna talk a little bit about social media applications.
We know that coordinated inauthentic activity tends to proliferate across social networks. Help us get an understanding of what disinformation is, how it proliferates, and what are the threats posed to the 2020 election by inauthentic actors spreading bad information across the social web.
So disinfo is a technique. It’s a technique that adversaries have used, really, as one of my counterparts up at the National Security Agency has said, they’ve really used since, you know, the times of Adam and Eve. It’s just getting fake information, or amplifying edge information, or what otherwise would seem to be an extraordinary opinion, but making it seem more commonplace.
And so this is something that we saw the Russians in particular do quite well in 2016.
And they’ve really never given up, and it’s not necessarily that they’re focused on elections in particular. It’s their broader campaign to delegitimize liberal democracies worldwide. You know, they’re very active in Europe, they’ve been active here, and again, it’s not necessarily about any specific election activity. Elections, it’s just one more tactic that they can use in their toolkit. But the way we’ve seen them historically work across social media is that they identify their divisive issue, whatever they want to use, they figure out the accounts that they need, and sometimes they’ve been dormant for years or they’ve been cultivating them over months.
It takes a little bit of time to season these accounts, so they don’t set off the flags or the alert algorithms or the platforms.
And then they start pushing a message, pushing a message, and then they get it mainstream, and then they really want to get it into the media, traditional media, and then ideally what they want is to have it go real-time, get out on the streets and have people actually protesting and counter-protesting.
We’ve seen them do that. We developed a product last year, a campaign called the War on Pineapple, that took a non-divisive issue, whether you like pineapple on pizza or not, to really kind of walk people through, as an educational and awareness-building technique.
We’re going to have to update that product, though, because this whole-of-nation effort over the last three and a half or so years to push back on disinformation activities has forced the adversary, in this case Russia, to change their tactics.
We’re not seeing as much really disinfo happening on social media platforms from accounts, because we’ve been so effective in understanding how they’re doing it from the account perspective, sharing that information with the social media companies, and to their credit, they’ve done a great job of disrupting these activities.
You’re disrupting that coordinated inauthentic behavior, but that just means that, you know, they’re not giving up, they’re not throwing their hands up in the air and moving on.
They’re actually just evolving their techniques, so they are moving to more traditional media sources, in this case RT and Sputnik, as well as using proxies elsewhere, outside of, you know, the Russian IP space.
So, again, we’re seeing these things evolve, and that’s a good thing because it means we’ve had some success in disrupting. But again, it’s not just Russia that’s using these techniques, these influence mechanisms.
So when we talk about election infrastructure, that’s really about interference.
This is influence, and China’s been active.
Iran’s been active, and a number of other countries have been active as well.
Well, speaking of China.
WeChat, TikTok and other Chinese apps have been in the news. What is the perceived threat, at least by DHS, posed by TikTok and similar apps?
Well, look, anytime you’ve got a resource or an application that’s collecting a significant amount of personal private data, and that’s aggregated and then sent back to, whether it’s a data center back in China or elsewhere, those are the things that are going to present some kind of privacy risks, some kind of potential security risks.
We do know that the Chinese over the last decade-plus have been just hoovering up data for whatever nefarious purpose, and you know, I think again TikTok is just another example of the next frontier in this conversation. But we’ve really been trying to understand data flows and data movements, where things end up, what sort of access, and we do understand that there are systems of laws in China, there are systems of laws in Russia, for instance, as well, that provide the intelligence services pretty much unfettered access to communications and IT companies.
And again, that’s just not the sort of thing, particularly going back to that liberal democracy that we’re defending here.
Their interests, their values, they just don’t align, and there’s not a similar level of transparency, visibility into what’s happening, along with, you know, judicial independence.
So again, it’s just not a system that we’re comfortable with.
You and your department talk about ransomware pretty frequently.
But when most people think about that type of attack, they think about cities being shut down or Bitcoin ransoms. Help me understand why ransomware is a threat to the American electoral system, particularly the 2020 election.
Yeah, so you know, with imperfect information, you unfortunately have to make imperfect decisions.
And you also extract an imperfect conclusion.
So, what you said about ransomware seemingly being a state or local issue.
It’s actually all of infrastructure. It’s private sector too. Private sector, though, what we found, doesn’t always report ransomware lockups. They sometimes deal with it quietly and hope for it not to get out there.
State locals unfortunately don’t have that same luxury until it does.
Just based on the body of reporting, it seems to be a predominantly state local issue, but we do think that state locals have a particular vulnerability or particular exposure in terms of their being, in some cases, under-resourced or undercapitalized.
And so you’ve got some more vulnerable, out-of-date potentially, systems that may be in place.
The other aspect of this is when you talk about cybersecurity to a state or local official, particularly one that may be at the county level, to them, a Chinese cyber actor or Russian cyber actor coming in and disrupting their system or targeting them even,
it seems a little far-fetched, right? You know, you’re in the middle of Nebraska and you’re on the front line of a geopolitical conflict.
It doesn’t make a whole lot of sense.
Moreover, when these actors come in, they’re not waving the Russian flag.
They’re not waving the Chinese flag. Cyber actors by their very nature, particularly intelligence services,
want the cloak of, you know, covert action and secrecy. To them, they want to be unattributed as long as possible.
Ransomware actors, completely different: smash and grab, come in.
Yeah, they’ll do their reconnaissance, but then they lock you up and they tell you who they are.
They tell you how to pay them.
So it’s a completely different experience, and I suspect that the average American has had some sort of encounter where they’ve had a disrupted service or function because of ransomware.
And so what this really represents more than anything is a shift in our messaging. So about this time last year,
in fact, we kind of stepped back from pushing the nation-state adversary threat landscape and really started talking to the American people and our state local counterparts about
what’s the day-to-day threat to them, and that’s ransomware.
So that really resonated. I think that struck much, much closer to home.
The good news is, though, based on what we know about the nation-state actors and based on what we know about the cyber criminals and the ransomware operators, their toolkits overlap, their TTPs overlap.
So for instance, if you’re able to close out on Emotet and TrickBot, which are different malware and access kits,
then you can also likely close out against like 90 to 95% of what the typical Russian cyber or Chinese cyber actors use as well.
So there’s some pay-it-forward benefits that we’re getting through this approach on ransomware.
All right, Chris, we run this gamut of kind of horrifying threats to electoral systems.
But democracy still matters.
I’m still going to vote.
I know you are still going to vote.
So come Election day or even before Election day.
How will you vote?
Are you gonna mail in or show up at the poll?
>> So I had this conversation with my wife the other day.
I will aim to vote in person here in the Commonwealth of Virginia.
But it’s because I feel like, you know, we’ve done enough here to ensure that voting in person is safe.
Dr. Fauci said the same thing last week, but my wife may take a different approach. She may be voting absentee.
Also, I have the luxury of getting outside of the house more than she does.
We’ve got five kids, and that brings a whole other set of responsibilities with it too.
But look, either way you do it.
It’s important that you’re a prepared voter, that you know what you’re gonna do, you have a plan.
So I encourage everyone to go to helpamericavote.gov.
And there is just a part of information on and links to resources at the state level about how things may have changed over the last several months.
A precaution that you can take to be a safe voter on election day.
But we also want you to be a participating voter.
COVID has unfortunately increased some of the concerns for poll workers to show up, and typically, I think, the average age of a poll worker across the United States is about 66.
And so that also gets into that higher-risk category of COVID and comorbidities.
And so what we want is, if you feel safe, if you feel comfortable doing so, really encourage you to volunteer to be a poll worker. But the last thing is probably the most important part.
Be a patient voter.
So due to these changes, due to expansion of absentee, due to some of the systems that are in place, it may take a little bit longer to get the results, particularly in a handful of states on election night.
And just to be clear, electronic reporting has always been unofficial reporting.
The certification process in some cases takes several weeks.
But again, be a patient voter.
The election results, the certified election results, will come out in due time.
It’s always been that way.
Nothing’s really changed on that front.
So again, prepared, participate, patient.
There are, you know, all sorts of threats out there.
There are all sorts of risks out there, but the American people need to be confident that we’re doing everything possible to ensure that 2020 is a secure election and that American voters decide American elections.
All right, last question, Chris.
After the vote.
We’ve had all of these cyber threats that are designed to undermine our faith and confidence in the electoral process.
You just gave us great actions, what we can do, but after the vote, will you trust that your vote is accurately counted, and how do you affirm the confidence of voters to make sure that they feel as though their vote will also be accurately counted?
If I’ve learned anything over the last three and a half, four years of doing this job, it’s that election officials, again, state local election officials, they are professionals.
They are natural risk managers.
They deal with a whole range of threats.
It’s just now that it’s on the front lines.
There’s a county in Florida that two years ago had Hurricane Michael walk right down the middle of the county and wipe out the state or the local infrastructure.
They were able to pop up election capacity in a matter of weeks to ensure that the voters in that county were able to cast their vote and participate in democracy.
So again, you have to have the utmost confidence in these professionals that are conducting elections on an annual basis.
But also you need to take confidence that, again, the intelligence community, the Department of Defense, the law enforcement community, my team here, we are working as well and as closely as on any single issue that I’ve ever seen. It’s election.
There’s a unified federal support to the state local community.
We are on the watch, and we’re going to ensure that this is a secure election.