
Before I get into any of this, I just want to flash... Well, one, I want to correct something. I think the program says 2021. I forgot that we got COVIDed out that year. Three years ago, I was up here for my very first conference presentation ever, at BSides 2022, which I submitted in 2021. So before I get into anything, I just wanted to say how thankful I am for BSides Charm, for the group here, the community. I love the student focus. I love coming up to Baltimore. This is where this all started. And so getting to come back almost three years to the day, now with somebody else on stage with me, to talk about what happened in 2024 and what happened in 2021, means a great deal to me. So I'm really excited to be here at BSides Charm to talk about this. So I'm Andrew, this is Veronica. We're here to talk about what happened with election security in 2024. A little bit of background. I used to do some fun stuff with the government. I was part of what was called the election security group at US Cyber Command. We worked a little bit with the NSA as well. I got to do fun things. The mustache was redacted at the time behind the mask, as was the name tag, but I promise that was me.
I've since left the Army, which is why you don't see that government disclaimer at the bottom anymore, which means now I can say whatever I want about this. Now we've got this little project, which you're going to hear a little bit about, that we've gotten to contribute to over the last couple of years, and we've gotten to go out and work with campaigns and with state and local parties, and found a way to keep doing this incredibly complicated, frustrating but awesome thing called election security. I've gotten to do it after the government and it's been a lot of fun. So, when I started this, it came out of some grad school research back in 2020, 2021. Here's what the world looked like back then. We were coming out of the 2020 midterms. It was still kind of recent history with 2016 and that whole debacle. Things were crazy back then. Election security was pretty fresh in people's minds. We had this conception of what could happen to high-level campaigns, for president or for Senate, if they got hacked, but it was still pretty early on in election security's history. Since then, the problem looks a little bit different. This threat has mutated in a way that has been astonishing to watch. The rise of AI has enabled cyber criminals, nation-state-sponsored threat actors, and election-security-specific threats in a way that I don't think a lot of us saw coming. It has totally changed the threat landscape for campaigns. We're going to talk a little bit about how a campaign works and help you understand what this political thing looks like, because I'm pretty sure there are only about two people in the audience here who've worked at all with campaigns before. Yes, I'm looking at you, Tim. It's a really weird space, but the thing is that you've got the background noise of cyber crime and your typical threat activity that targets any type of small business, of which a campaign basically is one. Then you've got nation states looking to spend, in 2024's case, almost half a billion dollars on this.
For context, the Biden campaign spent about 1.6 billion on the 2024 elections. I don't know of any other asymmetry quite so big as in election security, when you have local and state campaigns that spend maybe a few thousand dollars, if they're lucky enough to get it, but you have motivated state-sponsored threat actors spending orders of magnitude more. The difference between attackers and defenders in this field is wild. But we're going to get into all that.

So, as Andrew said, my name is Veronica. I'm effectively a layperson. I'm actually in the legal space; I'm in law school right now. So, sorry to disappoint you guys, there is somebody who will be a lawyer up here. And also, in the style of law school, I'm going to cold call in this room. I'm just kidding. We're going to take volunteers. We want to give you some basics on understanding what political campaigns look like, the scale of them across the US, and also the tech stack that goes behind them. ChatGPT did me so dirty on that image. I did not give it a picture of myself; I just asked it to generate something. Yeah, even the laptop is scary. Okay. So, does anybody want to answer this first question? How many elected positions do we think there are in the United States? You can shout it out. Thousands. Okay. Thousands. Million. Hundreds of thousands. That's closer. There are 500,000 elected positions in the United States. And what percent of these do we think are local positions? 70. Okay. Well, I hate to inform you, 99.9% of them are local positions. And what percentage do we think are uncontested? 90s. Yeah. Well, it's 70%. So, well above 50. And our final question to take us out: what percent of them are filled by people who are angry about something? 100. Yeah. So, we wanted to give you guys this context to understand the scope and scale of what we're dealing with, especially because we want to focus on the fact that 99% of these elected positions are local, which means that there are people like me, who don't have tech backgrounds, who are building up these campaigns very quickly and taking them down just as quickly. When we think about campaigns and about elections, I think we really quickly tend to envision the Biden-Harris campaign, the Trump campaign, with billions of dollars of receipts, with hundreds of staff and headquarters across the country. Well, thousands. Yes. It's a really, really sophisticated operation. That is the top 0.001% of that number of campaigns; the pyramid is vanishingly small at the tippy top.
499,000 of those campaigns have nowhere near that level of resourcing. And again, because they're so local, this is people in the room going out and running for office. This happens in our communities, for school boards, for sheriff's offices, for judges. It's something that gets at the heart of this election security problem, because it's intensely local and personal. But specific to the problems we're talking about today, try to think more about those local and state-level races that aren't as resourced, as capable, or as staffed as those big campaigns are, because the big ones are such a small amount of them. So when we look at political campaigns and the tech that they're using, we know that a whole ecosystem of apps and websites goes into these campaigns. And because of that, there is a high likelihood of people using personal accounts or email addresses, creating Gmail addresses and then signing up their campaign for various apps like Slack, using Facebook, using Instagram, and these donor web pages, where a lot of personal information, not only about the politicians or the local government individuals who are running but also about the people who support them, is available on these web pages. And you have strapped-for-resources digital directors, like I guess that's supposed to be me, who don't necessarily know how to manage all of this data. They don't know the most sanitary way of keeping their accounts clean. They don't have the resources that everybody in this room has. I know I didn't before I started working with Andrew.

So remember, we're talking about local small campaigns where you've got a candidate and then maybe a part-time campaign manager, if you're lucky, who's probably related to you in some way. A campaign is basically a startup. It's a startup that's going to exist for between 3 and 12 months, and no matter what happens at the end of that 12 months, even if they win, they're shutting down. They're spun up very, very quickly.
You're asked to set up a website, email accounts, a tech stack that is sometimes familiar to you, but in a lot of ways we're talking about some tech that's definitely not. It comes up really, really quickly. And if it loses, a campaign dies in about two to three days. Staff go on to find other jobs. Volunteers go back to their day jobs. And the campaign goes away. It's a really fast-paced world and it's brutal. This is not an industry that's fun to work in. It takes a lot of passion and a lot of interest to want to be in this space, to go work at a campaign that is stressful, underpaid, overworked and hard. The modern campaign tech stack is really complicated. You have a lot of overlap with startups. You have productivity and collaboration tools, communication platforms like Slack. Then you have this ecosystem called civic tech: things like NGP VAN, WinRed, ActBlue or NationBuilder, tech platforms that have been built specifically for campaigns, that handle things like text messaging and access to voter rolls. Campaigns out there, even local campaigns like the ones we're talking about in this room, in a lot of cases have access to the same type of voter information that the presidential campaigns or Senate campaigns have. It's this weird slice of tech that only serves the political campaign industry. But because we're talking about startups that exist for just a couple of months, and organizations without a lot of digital experience, this is where a little bit of that risk starts to creep in that's unique to political campaigns. And it affects not just the folks working there, but anybody who's donating to or contributing to those campaigns.

So when I was looking at this problem, I started local. I started by looking at websites, and I wanted to understand how I could find every political campaign and party domain in the country. Out of all 500,000 of those candidates, most of them actually don't need a website. A lot of times you can just go out and knock on 50 doors and that's enough to win a local election. Most of these races are decided by a few dozen votes. But if I wanted to understand what the digital ecosystem looks like for campaigns in the country, step number one was to find all of the domains out there. Not as trivial as it might sound. Number two, how do I, en masse and at scale, find what's wrong with them? There's a lot of interesting things I could look at. Other than just running nmap against every single political campaign domain in the country, which I didn't think was a good idea, I wanted to look specifically at what that risk was at the local level, where a lot of times those ties to the major party offices at the state or national level weren't quite as close. And then the most important one: how do I actually get campaigns and party offices to give a [ __ ] about it and do something? That's the most important part of this problem. And for all the early-career folks and students in the audience, it's really fun to build things to solve those first two problems, and I'm going to talk about that. We're going to talk about the tech that went into this, some of the problems and the little CTF-y things you see out there. The hard part, and the really impactful part, is taking a problem and finding a solution and doing something about it. It's also way more rewarding, and you get to meet a lot of really cool folks along the way and make a couple of friends. But that's how you really get to have impact. It's not enough just to talk about a problem. You have to offer something and try to solve it.

In case you didn't believe me, here's what some state party websites look like. Does anything about this stand out as odd to you? I've redacted a couple of them even though these are available publicly on the web. Actually, right? Why would I put addresses, phone numbers, personal email addresses, in some cases tabulated nicely in a spreadsheet for me to download, directly on their website? What do you mean? There is no requirement by the election commission.
Yeah, exactly. There's no requirement for it. And oftentimes it's a lot easier just to use what you have existing in your stack. Remember, we're talking about campaigns with two to three people, where one of them's part-time and one of them is related to the other one. Why am I going to pay to set up an email service on top of my domain that's just going to complicate things? I've already got a personal domain. Remember also what we're talking about here. We're not talking about small businesses. I don't know of any corporation or any type of organization that would do this. And it seems kind of silly to all of us in the room working in security. We can point the finger and say this is ridiculous, why are we doing this? Remember, there is one reason and one reason only why campaigns exist. I hate to burst a bubble, but it's not just to represent your issues, right? It's not to advocate for voters' interests. Campaigns exist to win elections. Every dollar spent by that campaign has to translate into votes, has to translate into a win. The goal of a campaign is to drive towards winning that election. The reason why this happens is because campaigns have made the decision, and I would argue the correct decision, that being accessible and reachable by their constituents, by their voters, donors, and supporters outweighs what they understand as the risk of doing something like this. We're talking about organizations whose fundamental purpose is to be publicly reachable. They are there to handle contact from voters and to reach out to donors. Being able to be contacted and get people involved at a local level is the most important aspect of their existence. So anything that we talk about solution-wise has to respect the function of these organizations. We can't just point the finger and say, "Hey, why are we doing this? Why is this happening?" and stop there. But here's the Maryland version. I dropped these in earlier. Again, you can go on the web and find these today.

So I wanted to figure out: so what, if this is happening at the scale that I had a feeling it was happening across the country? What's the big deal? If I list all the cell phones, personal email addresses, in some cases addresses, state committee voting records, what's the big deal of doing that? What does the risk actually look like? My first attempt at answering that question was this little thing I called Hookshot. It still lives on my GitHub today. Basically, a large-scale web scraper that would go through campaign spending data and available national party data to find campaign domains, state party domains, and local party domains, and then correlate what I found on websites against threat intel sources and APIs like Have I Been Pwned, where I can say, okay, given the number of emails I find on a website, what's the actual risk to the organization? This was the early, early version. Then I told ChatGPT to make it even better. Here's the version that exists now. There's a public version on my GitHub, but then there's also the cloud-based version that I run on my own that looks at this daily now: a cloud-based elections threat platform that goes out and scrapes every campaign and every party domain in the country about every 90 minutes. I look at domains that are expiring. I look at the domains that are getting re-registered. I look at campaign domains and websites. I see personal emails on there. I can go back to the Internet Archive and pull off old emails. I can look for file attachments that existed from a site that used to be there but has now gotten sandwiched between two or three other election cycles. The Frankensteinian nature of these tech stacks is wild. Literally, you have WordPress sites from 2004 with pages that still exist as artifacts on some of these sites, and you can go back through and find them. And guess what? Back then there were even more emails. Sir,

I hope so. Yeah, that's the goal of it, to be a tool. No, no, no. It's good. So, where the public version stops is on feeding that information into any type of exploitation. I did not link this into any of the hack-and-leak sources that I have access to. This merely identifies, and I'll show you the output of it. Exactly. No, no, no, no. That's a great question. Yeah. Remember, dealing with campaigns and dealing with political cyber security, half of the time someone getting hacked is funny if you're on the other side. But when it happens to your party and your campaign, it's a lot less funny. And so dealing with bipartisan campaigns and working with them, it's a highly fractured ecosystem where just saying the wrong thing, putting out something and saying, "Hey, here's the list of all Democratic campaigns and all their private email addresses," immediately alienates half of your potential partners in the space. It's a really complex space to be nuanced in, especially when we're trying to speak truth to decision makers. If you ever want to wonder what a CTF problem looks like in the wild, just go look at some old state party websites. I found some interesting
cryptography that Cloudflare was putting in place. The de facto standard for website protection right now is Cloudflare. They even have a program for it called Cloudflare for Campaigns, where they give free access to one of their business tiers to political campaigns. It's an awesome program. The problem is that someone there has figured out that, hey, maybe listing personal email addresses on websites is not the best idea, because somebody with different intentions could just go on and scrape all those emails. So, we're going to encode them and require JavaScript to render them in the page. That way, if I go look at it through my web browser, totally fine, I can see the email. But a web scraper that goes and tries to pull it down just gets this long encoded string. It's not that hard to undo that. As it turns out, they're not doing any type of actual encryption. This is the classic example of security through obscurity. We saw some private Google Drive files that get linked in the source code of pages. Remember, when you just start stacking more pages on top of each other, you get these old orphaned links that exist on these websites. We got a lot of old Airtables being exposed. Elfsight IDs; that's another little web widget for doing table storage off the location of the website. So we built all this into the engine to detect and find these things and then go out and either download the data from them, pull off whatever was being hosted there, or in some cases just identify that this existed.

And here's what it looks like across the country. So what Andrew in his research, and me and some of our other teammates, found out is that this is a bipartisan issue. This is a national issue, and there are way more exposed and breached accounts than we had anticipated finding. So it is not an east coast versus west coast, north versus south, red versus blue issue. This affects everybody, and it affects everybody equally. And our team is really committed to that mission of understanding the bipartisan nature of this problem. We didn't want it to become something that... Well, it can't, because it affects everybody. Yes, sir.

I'm just trying to look at the colors and I'm wondering, is there a correlation where a state that happens to be politically red has more attacks on blue and vice versa, or are these... These are just two completely random colors I decided to put on the map, for one. But to answer your question, the difference, if anyone's curious, between your average number of emails listed on a Democratic party website versus a Republican party website is, I think, like one or two; it is statistically negligible. The average exposure rate, so say I've got 10 email addresses on my website, the average number of those email addresses that I can find in data breaches in the last three years, between Republicans and Democrats, is identical. It is a highly bipartisan issue. To your question, specifically as far as the differences between some of those states, this just reflects the level of exposed and breached accounts that we found on state and local websites. It doesn't model anything about anybody trying to weaponize that; looking at attacks on those websites would be another interesting data source. Yes, sir.

The exposed accounts I understand, but how are you defining breach? Accounts that I have a password for, found in a breach in the last three years. Okay. So exposed is, can I find... Yep. Can I find it either publicly available on the website or in one of those little hanging Elfsight tables or Airtables. Breach means I found a password for it. Sir,

No, that's exposed and exposed. The color scheme, if it happens to match up to anything, might reflect perhaps the difference between the two major parties. The goal there was to show how similar they are. There was another hand up I saw over here somewhere. Someone else have a question on that? Okay, cool.

Another thing we wanted to look at, I mentioned this earlier, is Cloudflare-based website protection. I wanted to look at two main issues out of the three things that we ask campaigns to look at. It's using a password manager and looking at basic account security. It's setting up website security, and then having some email security solutions. Those are the three most common attack vectors that we see against campaigns. Those things tend to make you harder than the rest of the pack to catch up with. And remember, we're starting at a baseline of almost no security and trying to build up something. So two of the things that we wanted to look specifically at were whether or not email services have DMARC enabled, and then whether or not the website has Cloudflare website protection or another type of DoS protection on it. What we found was that DMARC rates were still pretty low. The issue here is that a persistent risk for campaigns is that somebody can bogart their email domain, whether it's an old one or a current one, and send out a message to potential donors and voters and say, hey, donate at this link, but the link goes to a campaign that is not actively engaging in electoral activities. DMARC helps to prevent something like that. Cloudflare. This was kind of an interesting one that pointed towards the difficulty of getting tech, particularly security, to trickle down from the state and national level to the local level. We're seeing more and more folks jump onto that Cloudflare for Campaigns program, which is an awesome program that Cloudflare does for free for campaigns through an awesome nonprofit called Defending Digital Campaigns. But that risk was still especially present at the local level. So to me this pointed to still a
lot of work getting done just in making campaigns aware of the problem and the available free solutions they have to deal with it.

So if you remember, we identified those three problems. The third was, how do we make people care about this? Everybody in this room understands, first, how silly it might seem to use your personal AOL account to set up a campaign domain. But that's not necessarily true for the general population. People don't necessarily... you know, I'm from Virginia. Sorry to the Maryland people. A small local campaign run by, you know, a woman in her 60s and a man in his 70s might not understand exactly what's going on. And if you approach them... the talk before us talked about approaching things with empathy and kindness, especially with clients. Approaching people and saying, "Hey, I have the password to your AOL account. Surprise." That might not be the most effective way to gain trust. So, I think the reason why Andrew brought me onto this project is because I'm a words person. That's pretty much the only thing I know how to do as a future lawyer. And we brainstormed the best way to get this information out. So, the first way that we wanted to do that was to do industry partnerships, looking at people who already had some sort of backing behind their name, an organization that people trusted. So we approached Defending Digital Campaigns, DDC, which is a nonprofit that provides cyber security to elections and campaigns, and we partnered with them, and they were so kind as to take up our research and help distribute it to their constituents. And through that we gained a little bit of... what's the word. So the lesson for any future entrepreneurs, and maybe the students in the room, is you might have a great idea. Someone else probably also had something pretty similar. Before you go and try to bring that places, go talk to the people who know how to do that. DDC is this awesome nonprofit that exists solely for the reason of helping campaigns with cyber security, a lot more trustworthy to campaigns than Andrew and Veronica. So look for the people who have those trusted relationships already in the industry you're looking at, and find ways to help solve problems that they have. That's the approach that we took with trying to build this.

Yeah. So, we wanted to make cyber security campaign-friendly. So Andrew, in his basement tech lair, came up with the idea of Voter Guard. And it's essentially... we're reluctant capitalists. But we're not full... This is my future billion-dollar election security empire you're talking about. But yeah, we came up with this entity effectively to get this information out: a landing page where people could come for resources. And we created these little scorecards, effectively, to provide to people so that they could understand their risk, what could happen, or just identifying the cyber security risk that they could experience. And that was our way of trying to make this a friendlier situation, to try to gain trust with people and present it to the general population in a way that was digestible and easily understood, and try to get the point across.

So, a question on the scorecards. Is there any state that sticks out as the most secure or the least secure, or is everyone roughly the same? Remember that we have both a Senate and a House of Representatives, which means that there's a lot more electoral activity in certain states. There are also states that have much more competitive races than other states. The thing is, as we have more and more major elections, we're starting to realize that it's not just the races for House and Senate that are at risk. It's also down-ballot campaigns, especially at the local level, that are of interest, because they rely on websites that are run in their county to tell them when the polls open and close, and they're all kind of at risk. The thing with that question, and it's a great question, right, is how do you call the baby ugly? Particularly to the parents, in this case. The scorecards were our answer to that, rather than going to a specific state and saying, "Hey Maryland, you guys are so much worse than the rest. You're especially worse than the other side, too." That was one way to do it, but I think that leans towards the unhelpful side of FUD. Instead, just trying to contextualize: here's what you've got. We understand why you're doing this. We understand how this basically works. But communicating this through a trusted partner, in this case DDC, who could also help provide some additional context, that was how we tried to solve that problem. Because the reality is that every state's risk is a little bit different and a little bit unique. Some were worse offenders than others, whether in terms of magnitude, or in terms of level of exposure, or how old on average their WordPress site was. But on average across the board... we even looked at third parties a little bit. There's no statistical difference in the level of exposure between the two major parties and any third party or any state. It's the most bipartisan problem out there.

Should we show them what happens when... Yeah. Okay. Was anybody here at the talk in 2022, by any chance? That's awesome. That's so cool. Well, okay, then for the two or three of you, you've seen this example before. I always like to use this to highlight how this risk is getting missed. This was back in September 2021, which is incidentally right after I started doing this research. Anonymous took down the Texas State
Republican Party website for a couple days. Whole big thing. They put a bunch of Pokemon on there and some other things. Um, I realized that I had looked at the website like before this happened, like right before it happened. Um, because right about then is when I started kicked off like the whole hook shot monitoring thing. What I found at the time was a couple hundred private accounts, about half of them had been breached at the time, what I would say is probably pretty run-of-the-mill for a state party. Um, a lot of emails, a lot of exposure, but not anything that I thought was outlandishly risky. And then I looked at it after and it had somehow gotten
worse. I'm not saying this is how Anonymous got in and did this, right? like there was concerns with with their service provider as well. But like what this pointed out to me is that this risk was getting missed even after millions of dollars in IR and investigations. Somebody was looking at this and saying like, "Yep, this isn't a problem. Let's go back and put the private emails back up on there. Remember why campaigns do this. They have to be reachable and they have to be accessible." But nobody came in here and tried to understand why this organization was doing that. We're so quick to point the finger and say, "Hey, we need this firewall. We need this
appliance. We need this incident response process." It's harder sometimes to come in and take the time to understand what an organization's doing and find a riskinformed solution that still lets them do that, but helps to quantify and eliminate some of the risk they faced. The number of state parties that do this through a form now is starting to go up. That's I think trending in a good direction, but a lot of them still look a lot like Texas after they got hacked. So, what would I do differently next time? Um, I spent a lot of time just looking at the problem. It was really interesting to me. Um, I I was just fascinated by why they did this. I
wanted to understand more about it. I spent so long just looking at that problem before I ever started thinking about, okay, like let's build something to fix it. Um, the scorecards took an embarrassing amount of time to think of because I was so fixated on like, oh, if I just show somebody the numbers, they'll they'll get it. They'll want to fix this. Uh, don't go it alone. It's way more fun to do this when you have other folks on a team who can bring energy and bring the same passion you have for it. Uh, and the more people you bring in, the more people that get brought in. Um, not working on this alone has been one of the best
experiences: learning how to build a team, learning how to find partners to solve problems. I said not to email the DNCO directly, but if you do, he might email you back. At least the former one now, Steve. Yeah. Who ended up being a really good resource for us to just say, "Hey, I think maybe you should think about it this way." But if you do, he might answer your email and you might get a little more help than you had expected. Most importantly, ask for help. Whether you are trying to start a business, trying to start a research venture, starting a new job, ask for help. There are a lot of
people out there who want to help you and want to see you succeed. The best way to get them into your corner is to just ask for a little bit of help. And we have the "I want you" Uncle Sam illustration there as just one final request. This is me speaking outside of my Voter Guard official capacity and as somebody who cares very deeply about law as a law student. You all have special skills in this room and, as we said, these campaigns are under-resourced and understaffed. So, if that's something that you feel, if you feel nervous about what we've talked about, if you feel inspired, if you haven't been
listening, maybe tune in now. Please go volunteer with organizations that you care about, with politicians that you care about. We don't care how you do it or where you do it, but just use the skills that you all have honed in this room. I don't have them. So, as somebody who doesn't have them, I'm just asking all of you to go and make a difference. This is such a, well, easy for you, hard for me thing to address, and that's a way that you can make such a big difference in your community. So, I think we got some time for some
questions if anybody's still got some. Yes, sir.
I'll quickly summarize. Do you guys see any sort of standardization or baseline certification coming from the data that you presented in this type of space, so that people aren't building on top of tech from 2004, when I was in middle school?

It's a great question. Part of the problem is structural, because any standard that you put out has a ceiling of about 50% adoption, because only one side's going to do it. If you try to standardize and say, "Hey guys, you should both be doing the exact same thing and using the exact same platform," it's going to be tough. So I think there's a degree of that. I've been really, really
encouraged by, and I'll give Steve a shout-out here on the DNC side, a lot of his work in trying to standardize some of the tech ecosystem for a party starting at the national level. But it may surprise you to learn that in a lot of cases the national party and the state party offices don't always get along. They don't always see issues or organization the same way. So it's a really tough challenge even for the parties themselves to solve. I think the best way we can get after that, maybe not necessarily a blanket standard across the board, is just more awareness and more education about this, and that's
really a big part of what we tried to tackle with providing research to DDC, with providing reports to the community on this. Tim, did you have a hand up?

Yeah. Okay. Stop right here. So in social science, the biggest problem that you have when you map any data is that you end up looking at something that is just a population density map. And so looking at this graph here, even though I have to do linear interpolation between both graphs together, you still end up with something that looks vaguely like a population density graph. There are two pieces of standout information that look weird to me here. Why is
Tennessee such a standout, and why does, yo, Indiana, like... Yeah. Well, okay. I know why Indiana. We know why Indiana.

The one that's tough to see on here, but it's actually this guy right here. Yeah. That's a really interesting standout. It has to do in some cases with how well-organized the state party is. In some cases, they're honestly like victims of their own success in organizing, where...

Well, what I was trying to pull at is that you're basically scraping the data from the websites and then correlating and matching it with basically the equivalent of the Have I Been Pwned database, right?
Mhm. Okay. That's part of it. Yeah. All right. Great. No, go on with what you were saying.

I was going to say, in some cases the parties end up being victims of their own organizing skills, where in Massachusetts' case they are an exceptionally well-organized state party, at least from the outside looking in. Well, yeah, I know some insiders might have different views on that, but very, very organized with their county parties and their boroughs, where it's just better: the tech stacks are more reachable, they're more mature, which means that they have more information listed on the county and city websites, and that tends to
reflect in a darker density because there are more county parties in the state that are better organized and more digitally integrated.

How far back of the Have I Been Pwned data did you look at? So if you had data from, like, 200... let's go ahead and say four, that's possibly useless, right?

Oh, yeah. Yeah. This map is just the last three years. I've looked at it starting as far back as, like, 2016, I think, is when the earliest versions of the websites that I pull and find emails on are from, but this is just the last three years of breaches.

All right. Thanks.
I'm sure there is an obvious answer to this question, but is this an inherently American problem, or is it standardized across the world? Like, when we talk about other democracies across the world, do we have similar amounts of exposure and breaches? Is it different statistically at all, or are we all just kind of doing the thing wrongly?

I looked a little bit at local and regional Canadian political parties, and the map is pretty similar. We've only done a tiny, tiny bit of looking at the EU. Their political tech ecosystem is a little bit less developed than ours. There's not as much spending on
elections and much tighter rules about how much they can spend. They don't have quite the robust tech ecosystem that we have in the United States for politics. I looked at Canada, though, and the levels of exposure... There aren't quite as many emails listed, but the levels of exposure are pretty similar there as well.

Awesome. Thanks.

Having interacted with some local organizations and campaigns before at a local level, I know a lot of them, you can give them all this information, but as you said, their main job is to get elected, right? How do you get them to actually take the step? Like, you can show them all the information, but a lot of them might just throw up their hands and be like, "Well, I can't worry about this."

Well, you can't force people to do what they don't want to do. But I think that what we've been brainstorming is how do you convey a problem to people to make them care
about it? And I think the approach that we've been taking is by identifying the fact that it's not just their information that becomes part of the problem. It's everybody that they care about. Because it's not just, you know, is your website secure or insecure. Is your email going to get hacked? It's people might not show up to the polling place because somebody might put up on your website, "Hey, polls are closed actually at 2 p.m. today. Don't show up." And that, you know, ends half of the day's voting. So identifying the problem in that way is not like a scared-straight tactic, but a way of just identifying how serious of an
issue it is. And I think that's why we have that call to action that I was saying: you all have the skills. So if somebody throws up their hands and they're like, "We don't know how to do that," then, you know, hopefully people in their community can volunteer. We also, through Voter Guard, have a little consulting wing of things where people can come to us and ask us questions like, how do I set this up? How do I do all the things that we've been talking about? So, good question. A couple over here.
Thank you. Great presentation, by the way. Thank you very much. This may be a real hard question to answer, or maybe to propose to you, but the one thing I haven't seen here, and it might be out of your control, but have you had thoughts about how do we address maybe the social aspect, social media, and what is it that you're doing about that? And what kind of things are you basically trying to inoculate against or advise your customers on? Yeah, it seems like a really wide and fat question and I apologize, but that seems to usually be like the Achilles' heel.

It's also one of the first things campaigns ask about, like, hey,
what am I doing on social media? Am I doing enough with accounts? The three things that the DDC tends to try to hammer home with campaigns, that we try to echo because I think it addresses most of the major risks, again for state and local, are setting up two-factor, using a secure form of two-factor authentication, setting up some email security, and then having some basic website security. The fourth one would probably be looking at account-specific security for social media platforms and some of the other civic tech platforms. And this is basics. This is cyber hygiene 101. It's changing passwords. It's not using a phone as your
two-factor authentication mechanism. Stuff like that, that DDC has done a really good job of putting into very digestible, understandable guides for the campaigns. That's usually what we try to message: just, hey, let's focus on the basics. Let's just get you set up and secure so you can run for six months and then securely spin you down after.

Okay. Thank you very much. You're welcome. All the way over there.

Thanks. I'm really curious about this sort of adjacency to information warfare and some of the things we've been seeing over the last decade, say, with regard to Russian misinformation, now Chinese misinformation. I remember hearing a story a number of years ago about
Estonia, how Estonia was reacting to some Russian misinformation. It was almost like the organism was developing its own immune system to these new attacks, right? And it seems like this is, it's not exactly what you're talking about, but it's almost adjacent. I'm kind of curious what your thoughts are, if this kind of fits into that paradigm, or where you see that going and so on.

Yeah. You know, that's a great question. The short version, what I would say, is that when I was at CyberCom, when I worked at, you know, the other side of the building, what we focused on was
threat actors, on the potential for APTs trying to hack election-related infrastructure or political parties, and focusing on the foreign adversary. And I felt like the thing that was really, really tough and difficult to deal with legally and policy-wise for the federal government, but for even local governments, is working with political parties. The rules which govern the way the government can interact with political parties are in some cases unflinchingly rigid. And a lot of times it's because they're dealing with our money and our votes. So it's rigid for a good reason. But this is the hole the DDC has tried to fill: how can we bridge
the private sector working with political campaigns, because it's tough for the federal government to. The thing that I... you know, to answer your question on the IW perspective, the thing that scared me, you know, when I was looking at election security as a fed, it wasn't the national vote count being hacked. It wasn't, you know, the presidential campaigns being hacked, and then of course, you know, 2024 happened. But it was these local county offices where you have 50 or 60 votes in a swing county in a competitive state that get even just the allegation of being influenced because a website went down or a website had misinformation planted by a threat actor who has an email
address and a web browser, because in most cases that's all it takes to weaponize this information against a local party that does not have anywhere near the resourcing or skills to deal with an APT.

Really enjoyed your talk. When you talk about local political campaigns, and I think about my city and county elections, sometimes those candidates will only have a social media account, like a Facebook page that's public. Beyond websites, did you look at those to see if there was any exposure in their content?

We looked at a little bit of that. It's tough because of platform restrictions. I tried to look at Facebook and LinkedIn and integrate that into the web scraper. It's a
little tough. I'd say the part of that that I looked at specifically was how campaigns are securing those, and looking at, in some cases, the emails associated with the campaign's Facebook page and whether or not I had a password for it. And we're talking stuff like MAGA 2024 or the website password Pennsylvania 02 2024, right? Like very, very basic stuff. So I never really figured out the part of Facebook groups or Facebook pages quite so much, as it was a little bit easier to look at the websites. It's a great question, and the social media part will always be an important part of the campaign tech stack. So I think it ought
to be looked at. It wasn't really a major part of those numbers, though, up there. Do we have time for one last one? And we've got a question up here in the front.

Great talk. Not what I thought you were going to talk about. I'm glad I came. But is there somebody that you'd recommend as a resource for people who are, besides Matt Blaze, investigating if the elections themselves were actually honorable, both in 2020 and 2024?

Anybody but me.

No, no, I know it's not you. I'm asking if you can nicely tell me where to go.

I could nicely tell you where to go.

In other words, just tell me where to go. Period. You know
what I meant? Yeah. It's difficult right now, where a lot of my former colleagues and folks that I've worked with on the federal side are unfortunately no longer in those roles due to some decisions being made about election security and election integrity. It's a tough time. I still think that most of CISA's projects and content on spotting misinformation and election integrity are fantastic. Unfortunately, a lot of them are now no longer available. But those guides are out there for spotting misinformation and looking at election integrity. CISA is where I would start, or really just anybody more qualified than I am. Okay. I'd be happy to take any other questions, talk to anybody about this
stuff after. Thank you so much for coming. [Applause] Thank you. [Applause]