
And here we go with engaging policymakers at the state level. All right, well, welcome everyone. I really appreciate you showing up for this one. As you can see, we're gonna be talking about building bridges. Oh, well, well, well. While we're fixing this, I'm David Forscey, I work at the National Governors Association. Oh, you go ahead, take it. There we go.

So, from federal data breaches to foreign governments phishing political campaigns to malware shutting down city services, our nation is under attack. And so what we really want to express today is: you can help, and we really want you to start right in your own community. My name is Maurice Turner. I work as senior technologist at the Center for Democracy and Technology, based out of Washington, DC. And I'm David Forscey, also based in DC. I work at the National Governors Association, abbreviated NGA, not the Geospatial Intelligence Agency and not the National Gallery of Art. People get that wrong all the time.

So, Center for Democracy and Technology, CDT: we do a lot of things, work in a lot of issue areas, but most importantly our focus this year is to really get back to putting democracy ahead when we're talking about some of these technology issues. I came on board to CDT back in February and my focus is on election cybersecurity and the privacy project. My goal is to get out and really touch the local election officials, to get them up to speed where we need to be with cybersecurity, so that we can have a more secure election infrastructure.

And I work at NGA. We're over a hundred years old; we're actually created by statute, but I work in a part of NGA that's a 501(c)(3) nonprofit. So I like to say we are the most nonpartisan, most nonprofit organization in DC, but everything we do focuses outside of DC. We work with governors and their senior officials to help them solve really complicated problems, from Medicaid to workforce development, and homeland security and public safety, which is my division, and I help run our cybersecurity program. So,
yeah, we can go to the next one. So this is what we're going to explore. We're gonna use elections as a way to give a little bit of a case study on how you all might be able to get involved. So we're gonna go over some basics as far as elections go, a little bit of the history, we're going to talk about the state of election security, and then we're gonna dig into how you can help and then also how you can impact policy.

Elections, right? Everyone is familiar with them, but what you might not know is that it is something that is a responsibility of the states. It is not the federal government; the states are responsible for elections. That's in the Constitution, which means it's really difficult to change. That means that there are certain responsibilities that are spelled out and they're pretty clear, but sometimes those responsibilities get a little fuzzy. So we're going to talk about how the election process in the United States actually works.

This is a great photo, great painting actually. It gives you an idea of what elections were like just a hundred years ago. So Election Day used to be a really big pay day for folks. Folks could actually earn up to one third of their annual salary just by voting a particular way. That's how valuable voters were back when elections were more open, so the ballots weren't secret. That's something we kind of take for granted today. It was very obvious who you voted for, because the parties actually provided literal tickets that had a particular color so that people could see. I've circled a couple of interesting aspects here. As you can see, some people enjoyed their election day a little bit too much; actually, quite a few people enjoyed their election day too much. You'd think it was a hacker con or something. But we had a couple of major events, that we'll get into a little bit later, that changed the way that we view elections.

Here's the really easy version of how an election works. There are some pre-election activities, like voter registration. There are some Election Day activities that happen, where it's voters actually going to their polling location, casting their vote on a ballot. Those ballots are tallied up, and then we have some post-election activities that include reporting about those particular results. Under the covers, I'd like to say, this is how complicated the election system is, because quite frankly it's multiple systems working together, in unidirectional and bi-directional capability, to make sure that all the information, from the time that a person registers to vote, to the time that they cast their vote, to the time that those results are actually reported up through the states and then to the federal government and then to the public, this is how it all works. You can see this is not a very good blueprint for something being secured. There are actually roles for every level of government. When we're talking about systems like this working together, it's not just a huge attack surface; because so many different counties and jurisdictions use different systems, it's really difficult to figure out who has what. It's so difficult to figure out what is on your networks, either at the national level or at the state and local level.

As I mentioned, we had a couple of really big events that changed the way that we do elections in recent memory. Back in the 2000 election, if you remember the hanging chad, we had some controversy over who actually won the election. Was it Al Gore? Was it George
Bush? The result of that was going from paper ballots to electronic ballots. That happened because of 3.3 billion dollars that Congress distributed to states through the Help America Vote Act, HAVA. Another major incident, just two years ago, where there was some interference by some rather fancy-looking bears: they were able to phish John Podesta of the Democratic Party and actually use that as part of a misinformation campaign to help sway some voters. It's a matter of opinion as to how effective you think that interference was, but it is not a matter of opinion as to whether or not it actually happened. Yes, Russians did in fact interfere with our elections. That resulted in 380 million dollars being distributed by Congress to the states to help out with security specifically.

So what's the current state? The current state is that we all know that the election systems are vulnerable. We saw last year at DEF CON every machine was hacked. We're gonna see it again in just a couple of days. I would be very surprised if there was any machine that will be in the Voting Village that will not be hacked. I am betting that they'll probably all be hacked on the first day. But that's important, because there's a certain amount of public awareness we need to bring to the issues before there is action. We saw action last year: the Voting Village hosted hackers, they were able to successfully infiltrate the voting machines, and just a short time later the state of Virginia, the Commonwealth of Virginia, decertified their election machines, which is a really big step, to be able to say, look, these machines are so insecure we're not willing to risk the integrity of our elections on these machines. Now the other side of it is, if researchers are out there and they're interested and they're motivated, they want to do the right thing, they have to be careful. We have the DMCA, the Digital Millennium Copyright Act, and we also have the Computer Fraud and Abuse Act. Those are pieces of legislation that make it very risky for people to do this kind of research, to hack in and find the vulnerabilities in these machines. So that's part of what CDT is working on, but it's something to keep in mind, because the Department of Homeland Security has designated election infrastructure as critical infrastructure. That means that there is extra attention, which means please do not go out hacking election systems. We're going to tell you and show you how vulnerable they are, but you could end up in jail. So what we can do is find the right way to do it. So we would like to ask for your help, to get involved, to have an impact on this.

One point I just want to make on the critical infrastructure designation: it doesn't give any authority to DHS to do anything they couldn't do before. It is just a matter of allowing them to prioritize resources, okay? So if anyone tells you that the critical infrastructure designation gives the federal government more authority, it's not true, okay? Just want to say that.

So how many people, when they think about information security or cybersecurity, think of their state government? Nobody, right? No, it's always about the feds when we think about government and cybersecurity. But we are here to tell you that state cybersecurity is actually super interesting and super important, and there's a lot of stuff going on, because they are the keystone of cybersecurity. So, number one, they are the consequence managers. If anything happens, whether it's elections and the other aspects of critical infrastructure,
whether it's a normal crime, a normal victim of cybercrime, the actual response is manifested physically every time, and the people on the ground are the state and local officials. The other point is, states are the connective tissue between local stakeholders and the federal government. Local counties, cities, mayors, they don't deal that frequently with a lot of the federal agencies, whether it's FBI or DHS or DNI really, and so they know their state partners pretty well, and states provide a really excellent conduit for sending information from companies up to the feds and from the feds down to local stakeholders. And the other point to remember is that states do a lot more than just run elections. So states, not the feds, regulate the distribution of electricity across the country. States regulate insurers that are now coming up with cyber liability policies. We've heard a lot about workforce problems today; states set standards for education, if you're interested in expanding computer science. And the list goes on and on and on. Don't forget states have an enormous wealth of PII, some say more than the federal government. I don't know if that's true, but it's a good talking point. So it's not just elections; states have a lot of different roles in cybersecurity. So that's why we have a cybersecurity program.

What we do is we work with chief information officers in every state, chief information security officers in every state. Every governor has a homeland security adviser; we work with them. We work with the public safety directors, we work with the chief emergency managers, we work with the state legislators, and we help them do a few different things. Number one, every state has a chief information officer or chief information security officer. They're just like you, bona fide nerds; they know what they're talking about. Their problem is, in a lot of states it's not a centralized enterprise security program, right? So even if they're the state chief information officer in California, there are 140 different agencies and they don't necessarily have to follow the security controls that are established by a centralized office, right? So we help them think through how they can bring more states into those programs. It's not always through law; sometimes it's through policy, sometimes it's through some sort of incentive. So that's kind of one of the things we do. The other big pillar of effort for us is, every state is realizing that they have an obligation when it comes to cybersecurity, and this is why I think cybersecurity is actually a good term, even if you hate it. It's not just about data security; it's that they have an obligation to protect the entire state, all the citizens, from the consequences of a defunct information security world. So they protect people from fires, they protect people from hurricanes, they respond to murder. Why wouldn't they do the same in cybersecurity? But obviously it's quite a challenge to bring in a lot of you, a lot of the private sector, a lot of the other stakeholders, to actually come up with statewide cybersecurity programs. So we help them think through that with strategy, and that's one of the reasons I'm here. I am NOT an information security expert. I'm a lawyer who doesn't practice law, who loves the information security community. I came here last year and it was amazing; loved learning from people. And a lot of our state officials come to us with questions that I can't answer, but you can: a lot of questions about risk
modeling, a lot of questions about best practices and awareness training. And so we want to figure out how we can bring you and our state officials together and overcome some of the mistrust that has unfortunately, but truthfully, arisen over the past 20, 30 years.

So I want to note, in 2018 there will be at least 18, sorry, in 2019 there will be at least 18 new governors across the country. At least 18, because those are the ones who are term-limited or they're not running. There are probably, there are 39 governors who are up, so maybe 25, maybe 30 new governors. That's a huge opportunity when it comes to coming up with innovative initiatives to bring the public and the private sector and you all together. But it also brings a lot of risks, because a lot of the people who are champions for cybersecurity in your states might be leaving. So I just want to really push that button. And also the secretaries of state, who in many states run elections, a lot of them, I think it's 24, are up for election too. So the next couple of years are gonna be a huge opportunity to really think creatively and brainstorm about how I Am The Cavalry and other groups can work better with state officials to raise the boat for everybody.

All right, now we're getting to the participation part of the presentation. So I want you to put your hats on and get ready to raise your hands, speak up. So what do you think are some of the threats to our election systems? Okay, voter suppression. Trust. Influence campaigns, all right. All right, so it's trying to change some votes through influence, okay. Sort of like big buckets or categories we might be able to put these into. Central house? Okay. Port scanning, all right, I was expecting that. What Stalin said is very... if nobody cares? No, but I think people care. So let's, if I may: Stalin said something very important that was kind of interesting, that may be related to this. There we go. Stalin said that the voters don't matter; the people who count the votes matter. So if we're talking cybersecurity and cyber-related stuff with this, these systems count the votes, so if they're vulnerable our entire system could be thrown on its ear. Great, I love that. I'll give him a walkie button right there.

So we're gonna step through this. We've got three big buckets, the first being misinformation. So the idea that some adversaries might use fake social media accounts to push out messages like, you know, voting day has been changed to Wednesday, or all you have to do is call, you know, such-and-such number to put in your vote, or just retweet your favorite candidate because that'll count. Please don't do that. We actually need you to vote in the ways that are legal in your jurisdiction. This isn't like some other, you know, polling contest or TV show. Another big bucket: disruption. So the idea there is that you don't necessarily need to get into the election systems themselves to cause an impact. You have long lines, there can be names missing off of the voter rolls, or there can be broken machines, right? So we're not talking about actually changing the votes, just making it a little bit more difficult, a little bit more discouraging to the voters. And remember, when it comes to disruption, interdependencies. So it's not just the election infrastructure, right? Remember San Francisco MTA. What if you do that on election day, right? So that's another way to disrupt without actually targeting election or voting systems. Very good point. And then you get to what I call the Holy Grail: actually changing votes, right? So the idea that you can change the winner, or you can be a little more devilish about it. Maybe you just want to target a close race and you want to change it so that you stretch that margin of victory just enough so that people aren't so suspect and they don't do the recount or they don't do the audit. Audits will be coming up soon, so keep that in mind.

This is where we get to have some fun. So who do you think would want to interfere with elections?
Oh, that's, we should have put that up there. You know, we'll just skip the next slides. Everyone wants energy, okay. Who doesn't want to interfere with elections? They would start with this circus, no? Who are some of the people, some of the types of people that would want to, or would benefit from, interfering with elections? Candidates. Losers, okay. Supporters of losers, should put that up there. Billionaires, okay. I like that; you're literally more creative than we were. Yeah, who else would want to influence an election? There we go, so we're getting there. Foreign actors, right? It's happened before, the US has done it. It seems to be an adversary we can count on. We're not going to talk about what's legal or not; yes, illegal interference is what we're talking about. Organized criminal groups, right? So those are some folks who make some money off of what things are illegal, what things are not legal. Maybe there's a particular water bond out there, maybe there's a big contract that, you know, a particular candidate would be in favor of or not in favor of. Pranksters. You all wouldn't know any pranksters, would you? They might just think it's fun. There you go, political activists, right? Yeah, you have some folks who are looking to make a point; maybe instead of organizing a rally they organize a DDoS attack as a way to prove their point. And then you just have this wildcard, the unintentional disrupter. These are the folks who are just going after the vulnerable hardware. They don't know what's on the other end of it; it could be whatever, it could be a company, it could be a hospital, it could be an election system. They might just be out there looking for something vulnerable, and when they find it they're gonna go attack it. Like some instances of that, there's one in Alaska where someone was just looking for a particular piece of hardware and a particular software configuration. So these are the folks that election officials and other officials are on the lookout for. But let's remember, it's gonna be one, some, or all of these folks. If we just get stuck on focusing on how we keep Russia out of our elections, we are going to miss the boat; we're gonna miss the big picture. Okay, more to add fuel to the fire, please.

While not directly intending to disrupt the confidence of the public or the election coverage, the Mirai botnet that took out the Internet on the eastern seaboard for half a day on a Friday took out cnn.com and some other news outlets. So the inability to get information to the electorate is a really, really easy and repeatable target. Yeah, we have this peculiar need in this country, and a lot of countries, I don't understand it: we have to have the results, like, now, right? Within the next 24 hours. That would certainly mitigate that problem. Yeah, it is a big concern, because when accurate, timely information is not available, there seems to be this void and this insatiable urge to fill it with commentary and opinion and misinformation, disinformation, fake news, that will fill it and then spread like wildfire. So then the workload doubles and triples when you try to
fight those rumors with actual facts. But sometimes people just don't want to hear that; no, we might have to just wait until we get more information.

So how can you help? The country has a rich history of volunteerism, but maybe there's another way that some other folks can volunteer. Yeah, so just to emphasize, it's been covered a little bit today, but it is hard to underscore just how badly the workforce shortage hits states and localities. I can tell you for a fact that there are thousands of counties, or I don't want to say thousands, there are many counties in this country whose entire IT infrastructure runs off a single laptop that might be running Windows XP, and the town or county manager does everything for that county, right? Imagine what happens if SamSam hits them, right? And the same thing extends to state government. They're generally more prepared, but a lot of times they've got open billets they can't fill, or those who are hired, it's an analyst and they have to do 12 other things. So they really, really need a lot of help, and because they're constantly fighting fires everywhere, they don't get time to go to conferences like this; they don't get the time to really stay up to date with what's cutting edge. And then finally, no matter how much preparation everyone is doing right now, we are not ready for a high-consequence disruption. I can tell you this, that a lot of the major questions have not been answered and the manpower is not there to mount a serious statewide or nationwide response. So we can do it. Next slide.

I want to talk about a few examples of how states are trying to engage volunteers. So the first one is what I believe to be the first vulnerability disclosure policy issued by a state. Big shout-out to I Am The Cavalry and Katie Moussouris for helping us on this; couldn't have done it without them. I just want to tell you, I'm just gonna give you a quick overview of what it actually does, the purpose and the scope. So it's to provide visitors to State of Delaware websites a way to report potential security vulnerabilities, and the scope: the policy does not provide any third-party right of action or create any third-party beneficiary, blah blah blah. Here's what it covers: any public-facing website owned, operated, or controlled by the State of Delaware, including web applications hosted on these sites. What it doesn't authorize is network DDoS testing; physical, social engineering, or any other non-technical vulnerability; brute-forcing a login page with any conceivable method; infrastructure vulnerabilities like DNS issues, server configurations; clickjacking; active scanning or automated tools; and LDAP injection. I don't know what LDAP injection is, but as you can see this is a well-thought-out VDP, and this is a way to get involved: help your states identify their vulnerabilities, report them. If you can, reach out, write in. In a lot of states it's just done ad hoc, people reaching out to the state CISO, but in a lot of states they normally have instructions. So, you know, read this, come tell me what's wrong with it so I can help Delaware improve it if something's amiss. And we would really love to see more states do this.

The California CIO Peter Liebert has something he calls the California Government Advisory Council, where he brings people, experts from the private sector, into an advisory council to advise him on very basic aspects of
information security and very sophisticated aspects of information security. A lot of other states have things like this. If you're interested in learning more about your state, please reach out to me, let me know, and I can put you in touch with the right people.

The Michigan Civilian Cyber Corps and Wisconsin Cyber Response Teams are somewhat similar; the Wisconsin version was based on the Michigan version. This has been enshrined in law now. You volunteer your time, your boss sends Michigan a letter that says, I authorize my employee (or if you're independently employed, you'd be the boss), I authorize them to spend at least 10 days a year on training and going to conferences and such. And if something bad happens, the governor does not need to declare an emergency response, but if something bad happens you become activated as a state employee and you get immunity from civil liability if you do something wrong. So it's supposed to be kind of a statewide firefighter force. And the Wisconsin Cyber Response Teams are very similar. They have three right now; they're looking to build six. Right now the cyber response teams draw from state and local government only, but they're looking to expand. So these are just a few of the examples nationwide of how, and some of the models that we can explore together to figure out, well, how do these work, how do they not work, are they attractive to you, if they're not attractive to you how could we change them. So, you know, one of the reasons I'm here is to seek input from you, because in many cases you're gonna know what kind of incentive states could provide you to get some of your help into state agencies. I did a survey of a bunch of state CIOs and CISOs before this conference to ask them how they think about engaging with volunteers and hackers and security researchers, and the most common elements were that they're very interested in doing it, but background checks are generally going to be a must; highly regulated data is probably gonna be not allowed, for obvious reasons, things like HIPAA and other PII. But most states don't have active programs on this stuff. When I said that what I just said was just the tip of the iceberg, it is the tip of the iceberg of what states are doing generally, engaging with the private sector, but when it comes to actually engaging with security researchers and hackers, that's pretty much it. So the interest is there, and we'd really love to talk more about how to expand these kinds of programs.

All right, now we're going to jump back into what I think is probably gonna be the most fun part of the presentation, and we're asking you to think like an adversary and also think like a defender. So we have a couple of scenarios; we're gonna run through three of them, as a matter of fact, and this is the first one. So just imagine for a moment that we're going to talk about that pre-election activity. This is an online voter registration database run at the state level that connects to all of the counties. So it collects the information from the voters and then sends it down to the counties, so that way when the voter shows up at the polling place on Election Day their name is in there and they can actually go vote. So, putting on your black hat, how would you attack this?
Okay, DDoS.

Right, so you're just switching up some data in the table there, so it's nothing too obvious. Yep, that'd be a good one. So maybe you register a lookalike domain and people can't tell the difference and you're just stealing a bunch of the good data.

That's on, yes, that's on you. Yeah, it depends on which one of those actors you closely identify with and, you know, who's paying you, right? Do we have any other examples of thinking like an adversary? How would you attack this website?

Oh yeah, I like that. So, taking advantage of some data from existing breaches and then putting that in the registration database and getting those ballots mailed directly to you, right, or some location, right? Okay, so go after the vendor that's actually hosting this; maybe they're a vendor for other states as well, so you can get to the database. All right, I like it.

All right, I will add a little bit of reality to this. So the State of Illinois was one of the folks that was actually hacked, and I use this term hacked literally, not just scanned but actually hacked. They were infiltrated in 2016. There was a SQL injection and their website was vulnerable, and there were lots of records that were pulled out, anywhere from 80,000 according to the state to 500,000 according to the Mueller indictment that was made public a few weeks ago. So this is not just pie in the sky, something that, you know, we thought of; this is something that actually happened.

Now we're gonna switch gears: think like a defender. So we heard all these wonderful examples of how you'd break it. How do you think you might put your skills to good use to help defend a website like this and harden up the security?
What? Can you repeat that, please? Implement the OWASP Top 10. Okay, what is OWASP? Awesome. OWASP is basically a site that provides the top threats, top vulnerabilities of a website. So it'll go through how to protect against an SQL injection, it'll go through how to add HSTS to the website so that it's only using SSL. Those are just a couple that I can think of off the top of my head, but the Top 10 are the top 10 vulnerabilities that they find occur on all websites throughout, everywhere, and they provide recommendations on how to fix them. All right, so staying up to date on the current vulnerabilities and mitigations. How else would you help defend this? There you go.

How about we hire someone who actually breaks in for good and, you know, provides a report out, right?

SecDevOps. Wow, boom, security by design. You mean bolted-on security isn't the best way to do it? Yeah, kind of on that same level: reduce or eliminate any sort of script code you have to run on the site. The more static, plain HTML content, the less likely it is to be... Okay, so static code instead of scripted code. You know, that would be a lot harder for a lot of people to register how to vote. Yeah, well, yeah, the idiot in the 70s had some issues though, right? Are there any folks from the 70s to the 80s who are of voting age that would shed some light on this discussion? So it's gonna be kind of hard to turn back the clock on online voter registration. We have it in, I believe, 37 states plus the District of Columbia, and it's definitely getting more popular because it is encouraging more people to vote. Which, let's take a step back though, the whole goal of this is to get people to participate in government. So generally, the more we can reduce the barriers while making it safe, you know, the more that we should focus on that. Any other ideas about how to think like a defender?

Wow, I like this: we should actually log what's going on and review those logs for anomalous activity. Let's keep that in mind, right?

Next scenario. So we're gonna talk about election, or close to election day, activities. This is what a warehouse full of election machines looks like: DREs, direct-recording electronic voting machines. So imagine your job is to do a logic and accuracy test. Do you really want to go walk up to each one of those machines, or would you rather grab your trusty Windows 7 laptop, fire up the Wi-Fi, and do it all wirelessly from one location? If you're an adversary, given this scenario, how would you attack this?
Right, so Wi-Fi is probably not the most secure thing. What? Blue team? I just see a warehouse full of DREs. How else, given this scenario, would you devise to get into those machines and maybe do something nefarious? All right, explain that a little more. Pretend to be a machine. Yeah, so you could, as an attack, you could imitate like you are one of the machines getting that configuration update and the voter rolls and all that sort of information; then you have a complete copy, or if it's a firmware upgrade, now you have a whole copy of the firmware. All right, so you're doing a little intelligence work there. You're gathering up some data, some configuration files; maybe you want to save it away for the next election, since we do tend to have elections quite often in the US. And you had another idea. All right, so just go for the straight analog attack: just break down a door and start stealing stuff or breaking it. But these are under lock and key, under guard. How are you gonna get in there? Oh no, don't scare people; we want you to volunteer for good. Also the insider threat. Any other ideas about how you might want to get into these machines that have got their Wi-Fi access points running?

All right, so just go up the supply chain and attack from there, and have them ship with some vulnerabilities you can exploit later. So maybe this is a minority perspective, but as an adversary I wouldn't target the individual machines. It's the most high-risk physically, it's the most high-risk for evidence if I didn't wanna get caught, right? When there's a smoking gun it's much easier to form, you know, public response and outcry. There's much easier software targets that are plausibly deniable, easier to perpetrate, higher scale, especially because there's such a, pardon the term, but such a biodiversity of these makes and models that, like, you can't really hit that many at a time. It's partly because election organization is just so fragmented; you can only get a little bit in a couple of districts at a time, even if you could do a class break. So to me it's the riskiest attack surface as an adversary in the whole system. So it's high risk, low reward, relatively easy to impact. And the one place I will completely contradict myself is if my goal was to plant a seed of doubt, and I only have to spoil one. So if I was trying to get the outcome I wanted, I would not target them, but if I was trying to create chaos or a crisis of confidence, I would.

You just took all the words out of my mouth; I was about to push back, but yeah. So, right back to the idea of, all right, who are the actors and what are their motivations when we're talking about why they would want to attack, and this notion that, you know, there's quite a diversity of machines, configurations out there, so it might be a little difficult to actually change the outcome of the election. But if you're looking to sow some seeds of doubt, this might not be a bad place. And then also I'll add this a little bit: wouldn't this be a great way to plant a false flag? You know, the super obvious smoking gun. You know, who would be so stupid as to try to attack a machine and leave a bunch of evidence on it? Don't they know that's not the way to change an election? But it'd be a really good way to try to blame it on someone else. All right, last one. What?

Picking up a little bit on what Josh said, fundamentally, if you want scale, the internet gives you scale and Twitter gives you the scale, so you can definitely engage in misinformation programs. So for those of you who want to do a little bit of a homework assignment, look up September 11; no, not that one, September 11, 2014, when the good people in St. Mary Parish, Louisiana, were the subject of a highly coordinated, multiple-mode social engineering attack that told them that a chemical plant in their community had blown up and there's a chemical cloud over the whole place. All of this was false, but this was in 2014. The kicker is that the organization responsible for this highly coordinated attack we may have heard of recently; they're called the Internet Research Agency. That's a good sneak peek into two slides ahead.

So we're gonna think like a defender on this scenario, and then we'll get to another interesting scenario too. So we've heard about how you can attack these machines. What are some ways you might want to defend and improve the security around these machines that need to be uploaded? They
need to be tested before they go out in election day and using paper ballots is not an answer here because we know someone's gonna say it so they're totally secure as is there's nothing else we can okay there we go hardware roots of trust bill materials all right how else can we help defend these machines against adversaries but you said it but you should have a software Bill of Materials so at least know what you have you know what vulnerabilities are in there but then also the OAuth that was mentioned before the do do an application security audit on what can be done and what people said before and the other one you know try
breaking in see what you can do all the list we did on the other day other two ago all right yes if the configuration in a thanks if the configuration information is made publicly available that is here it is it's a configuration here there's black and white we're gonna put this on all the machines and if this is now you know this configuration is not being uploaded to can be good and machine or something is tampered with I don't think I understand the question so if there's some simple minute make a living source it's an open floor model so how about if I meet you in the middle and how about we we published a hash of the
configuration yeah before it's loaded on there and then that hash is made available publicly and then after the election the machines are also available and the hash can be pulled off there so we can do a little matching okay all right so let's use some some existing material and not try to reinvent the wheel let's follow some some basic CIS controls your friend is Center for Internet Security we were friend the Center for Internet Security yeah CI yes sorry CIS hardening guidelines they have them for both servers in Linux and in Windows so if you use those to harden the systems it will go through a nice little you probably even do it with the GPO if
you had the system to put it up and it would run through on all of these systems if you wanted to use it that way or like you said create a golden image and hash that image so that you could verify what happened before and after however my thought on the hash is that most of these systems store data so most likely your hash has changed and how do you how do you reconcile your basic hash to what's happened after all of the voting is take place because that hash has changed because you now have new data yeah these systems are complex but I think I like your idea of hardening them up so let's move on to
our last scenario and make sure we leave enough time for Q&A so here we are it's election night it's after the polls have closed we had in a a little bit of IT help we had a very smart engineer who came up with an idea of let's go ahead and self host the website that displays the public results and then we're gonna Auto tweet those results every 15 minutes so that way people can get off our back and we can hopefully get the results out without the website crashing so put on that adversarial hat again how do you think you might want to to attack this either by going through the website itself or maybe social media so there we
go we have a little bit of a disinformation posting some inaccurate results you notice I I circled a couple of numbers there those results don't match up what do you think the response would be by the public and the media yet the results on the webpage don't match the results on the Twitter feed no social media is always right but then again everything on the internet it's always right so we're a bit of a conflict what are some other ways I might want to attack this scenario
What about simultaneously defacing a major news website to correspond with the manipulated data? There you go, so a little bit of coordination with a major media outlet. Is anyone thinking of two-factor authentication? What happens if that legitimate Twitter account gets out of the control of the officials that are supposed to be posting those results? So then you actually have a scenario where you can have some additional defacement, you can have false information, or maybe you could even have some propaganda going out on the Twitter account. Any other ways that a self-hosted website might be attacked? All right, seems like we have a lot of defenders on this one, so how would you defend me? So make sure you lock down, now this is assuming that Twitter is involved, right, or some social media account. Yep, lock down that social media account with two-factor authentication, but we're using hardware like a YubiKey, not SMS two-factor authentication, like Reddit got burned. Well, I'd go with like a hardware key like a YubiKey, so hardware-based 2FA, it's really locked down the social media accounts. Any way you might want to defend that self-hosted website that has results up on it? I guess some of the methods we described before when it comes to just web application security generally, right. Yeah, is anyone thinking they might want to offload that to maybe a cloud vendor, someone who might be in the business of security and making sure that their stuff doesn't get hacked, compared to you needing to do all that stuff we've been talking about? All right, so maybe a little bit on either one, maybe a little due diligence when it comes to configuration, to making sure the security is there, so when you're trying to decide between whether to self-host or use a cloud-based provider, that the security is actually implemented and they have protocols in place.

So this is again, you know, this is a conversation we can all have together, but ask yourself, if you haven't volunteered yet, why you haven't. In a lot of cases that's gonna be because you didn't know that the opportunity was there. But, you know, I don't know whether I'm the one who came up with this, the five Ps, right, five motivations for hackers: profit, prestige, pride, or the other two, protectors and puzzlers, right. And a lot of those people are going to have an altruistic reason to help their community, right. These are small businesses in your community that just don't have the resources to protect themselves, it's not their fault, right. These are your municipal agencies that don't have the resources to protect themselves, it's not their fault, and the same thing applies for a lot of states. And obviously, when it comes specifically to elections, ensuring the smooth operation of the election process would presumably be the goal of many in this room and many at BSides and DEF CON and Black Hat. It goes without saying that it's at the bedrock of our republican form of government, we have to have public trust in elections. And then finally it's a terrific way to build your network of local, state, federal and InfoSec community members. That's why you're all here. There are a lot of people outside this room who aren't, who are never going to come here, and so how can you build your network with them? So these are just some of the benefits of volunteering, I'd love to brainstorm with you some more. It's also, in a lot of cases, a great opportunity for free training, so if you join the Michigan Civilian Cyber Corps they give you free training. A lot of you might think you don't need training, but a lot of you might, so that's yet another benefit. So you want to take this one?

Yeah, so next steps for this group. So we're thinking, if you're out there in the crowd now and you're excited, you're motivated, what can you do? Well, it's simple, you can reach out to your local officials. Election Day is a perfect time, it's a perfect event around which you can do that outreach. You can learn about how elections are run; there are plenty of municipal services that happen that you don't necessarily get insight into. It's like you wouldn't necessarily go up and say, hey, I'm super psyched to learn how trash is collected, or please tell me how the sewers work, that's really gross. I have some stories about that, I used to work in a city where that was in my department. It's exciting for me because I think it's great when we have well-functioning infrastructure, but I think elections are one of those things where, if you're over 18 and you're a citizen, you have a voice, that's the way you do it. So learn how that process works, and quite frankly be upfront about what you can do. Election Day is full of opportunity to learn some new skills. Some of them aren't very exciting, you might just be checking names off of the list, but you might also be able to do a little bit of troubleshooting with the machines. Maybe there's an opportunity to help out before Election Day because you have a certain skill set that these officials are looking for. They might want someone to go around that warehouse of DREs two weeks before Election Day and look out for rogue APs. They might want someone who can go out and help them with security audits after the fact, to make sure that nothing was tampered with after the election. So there are opportunities that, if you show interest, you show that you have some skills, officials might be open to that help that you're offering.

Along those lines, CDT, I have developed a toolkit. So it's a basic overview, but we went over here the election process, it gives you an idea of some of the roles that traditional volunteers can play in an election, it also gives you an idea of some of the roles that you can play in an election as a technical volunteer, sets some expectations about how volunteers are vetted, and even gets to the very basics of, like, here's just a sample email that you can send out to your election officials to show that, hey look, I'm excited, this is how I can help you out on Election Day. Can I also mention another good way you can help? As we said before, the federal government has released 380 million dollars to all the states and territories to spend, and a lot of them are spending it on election security. Obviously vendors are coming out of the woodwork, you might work for some of them. A lot of election officials don't know what questions to ask these vendors, they don't know whether they're being sold snake oil, they don't know whether they're legitimate solutions, and some of you have the basic knowledge to provide these election officials with here's what you should be asking vendors who are saying they can protect you. Right, so using things such as the toolkit you can help provide that kind of, the recommendations you came up with for how to defend these websites. A lot of people who work in election offices won't even get to that, right, so if you can just give them that we've made a huge step forward, right, because then the secretaries of state and the election directors who manage these systems can go to their CIOs and say, well, this is what I've been told, what do you think? So there's a lot of low-hanging fruit out there.

I'll give you two quick examples of some folks that made a pretty big impact on elections. So last year Logan Lamb, doing some research in the state of Georgia, decided to poke around the election website and found that he was able to exfiltrate 15 gigabytes worth of data. Thank goodness he was not looking to do anything bad with it; he actually brought it to the attention of the center that runs elections. He got a pretty frosty response, several months went by, vulnerabilities were not patched. As a matter of fact, he was even warned by the executive director of the election center, like, if you go public with this people are going to be very nasty to you and they would, quote, crush you. Eventually that led to the election center losing the contract to run those elections, but the state of Georgia, specifically the Secretary of State, is in a bit of denial about the vulnerabilities, so there's a lot of work left to go. Mudge, part of the L0pht group, 20 years ago they testified in front of Congress about just how bad the situation can be if we don't take security more seriously. 20 years later we're still not taking security as seriously as it needs to be, but Democrats reached out to him in 2016, he tried to respond with some policy solutions about how we can make this better. Unfortunately they were at the level where they weren't even accepting some of his OPSEC recommendations because it was going to be too cumbersome. The downside of that is Trump was elected, his name was floated around as having a larger role in the administration, but unfortunately politics kicked in and he was seen as trying to help the enemy, which means that a lot of valuable information from the policy perspective was basically being disregarded because of Solon's desire to try to help out everyone. So this is just a little bit of insight and recognition that there are some things that will happen even if you're going out there with good intentions. It's important to recognize that there are larger roles, or there are larger things that are going on in play, and that if you can get in on the ground floor, try to work with the locals in the state, you might have a better opportunity to make some of the changes.

And it's also important to emphasize that a lot of people in government don't understand the people in this room, and I think Josh mentioned this earlier, but it's also really important when you're approaching policymakers to have a lot of humility when it comes to their requirements, right? So for instance, in some cases if you change software on a voting machine you have to get it recertified, and that is a major process, so it's not very easy to just patch, patch, patch, right, especially if it's three months, two months, thirty days before an election. So there are a lot of requirements that we may not understand, and so it's really important to approach these kinds of partnerships in a humble way and not be too self-confident, because this is a pretty self-confident community, I think we can all agree. So anyway, yeah, our organizations are here to help. Specifically, I work on the election cybersecurity and privacy project at CDT. Like I said, we have the InfoSec toolkit if you're interested in working with election officials. We also have a risk basis report where we've done the research and actually reached out to the community and said, like, hey, what are your concerns when you're trying to do research, and so I think it's a really good way for you to get some insight into some of the pitfalls that might happen, so how you can avoid them. And then just to show you how much help election officials specifically need, we're actually developing resources like 101-level field guides to get information like two-factor authentication, password managers, VPNs out to election officials, because sometimes that's just the level where they're at. They may not even know some of these basic terms that you all take for granted and use every day. So back to that humility, and I'd also interject empathy when it comes to trying to work with officials in your community. NGA has tons of resources and they have a very broad reach, they have the ear of the folks that can make the decision, so please, if you don't feel comfortable going directly to your officials, come to us, we can brainstorm, we can try to work and figure out how you all can have an outsized impact on your community. For example, we will be holding a national summit, I have to stop in a minute, but we will be holding a national summit, our third national summit on state cybersecurity, next summer. I would love to have a panel that's just hackers to talk to all these chief state cabinet officials about what your lives are like, what your priorities are, how you can engage with them. So there are a lot of opportunities for engagement, so please, please, please reach out to me. I'll try to put our emails up here. Anyway, so we actually have to stop, so I guess if people have questions we can just keep talking, or I don't know if there's a session next, right? Nope. All right, we're gonna talk over beers. Thank you everybody. Yeah, thank you. [Applause]