Army Brig. Gen. Joe Hartman, commander of Cyber National Mission Force at U.S. Cyber Command and Cybercom election security lead, and Dave Imbordino, National Security Agency election security lead, participate in a virtual defense readiness condition panel on election security at Ft. Meade, Maryland, August 7, 2020.
Transcript
I embrace aboard and thank you for joining us today with the election security panel with defense. This is a really momentous occasion bringing this many federal agencies all together. On one hand, the timing is perfect. There is a huge election coming up here in the United States in 2020 elections happening around the world. And I think that’s a key thing for us to understand is that while this panel is talking about the U. S. Federal government, how we are responding to our American election, we look at the broader forces that are aligned against democracy in the world. Now it comes down to trust in the system for the democracy work, and those forces are working against places for us and some, while this is going to be the U. S. Government discussing this, I think citizens all over the world and hackers all over the world will be able to take something away from that Just quick logistics. Q and A will be available through the def con discord. So if you quit your questions in the voting village step con discord, those will make it their way up here to me on the stage and we will answer them as best as we can. Starting off, we have Cynthia Kaiser. Hello. I’m Sylvia Kaiser of an assistant second sheet with the FBI Cyber Division. And what that really means is I lied analysis among multiple groups for the FBI. That includes election threats, mostly in the side. And that’s by design. I saw what happened in 2016 and I knew that there was no worlds I want to be and then working right here with people that I get to see all the time. That s o for the FBI in the election stay centered. Way to think about it is early, focused on the threat. So we work hand in hand with RG adjust counterparts, and they’re really focused on the risk to the systems of communication on those systems. But when it comes to the response of incidents or looking at investigations into melodic foreign or investigations into election crimes like ballot fraud, that’s where the FBI will be plays in the space. David, were you now from the National Security Agency straight to be with you today s election security leak? Most of you are familiar with Esa’s mission really divided up into two components are foreign signals intelligence mission, which is all about figuring out what the adversaries robbed. Two. And then we have the cyber security component, which is all about preventing and eradicating rats of the national security systems and figure out how we can attack bot networks in the life. Really, a lot of power from as a comes with combining transmissions. You knowing what the threat is in combining that with the technical analysis of mitigations. In order for us to be a boat, deploy those into my classified space from election security standpoint, I oversee all the activities and partnerships that s a has on election security. I also Kobe something called the Election Security Group along with your heart men. Here, we’ll get into a lecture on the panel on That’s a joint s a cyber man task force for protecting your watches a little bit about me and grew up in Chicago. That’s one representing here, Mr Bark shirt, White Sox and I have also in the craft cocktails I supplied and typical Def Con tradition. Ah, cocktail black men. And for everybody on, I’d like to give a shout out to Johnny Carl for hosting me at Cocktail Con this Tuesday. Really great event. And a community in terms to get the info section unity together. Cocktails talk about security. I also appreciate it. Appreciate it off, folks for happens here. Hey, I’m Joe Hart. May not command the cyber National Mission Force s so far the U. S. Cyber command as day said Khalid, Theologian security group with him. And, you know, the election security group is really partnered with all the agencies you see represented here, and others in defense of the 2020 election were the part of the U. S. Government that focuses only away game. So we’re looking at foreign adversaries. Russia, China, Iran. Any other foreign adversaries has attempted to interfere with our elections, were looking for them in foreign space. And we’re partnered with DHS and FBI in order to ensure that we share information that we find abroad. That makes us safer here in the United States. I’m really glad to be here today looking for your questions. It was more his Turner I’m senior adviser for the executive director at the U. S. Election Assistance Commission were relatively small agency compared to the ones you heard from earlier today. But our mission is focused. We help make sure that Americans all across the country and all across the world have the ability to participate in elections. Whether they’re gonna be in one of the 50 states, six territories were stationed overseas. So our focus is really How do we make sure that those voters have access to the polls and that bacon boat safely securely and make sure they’re both counts? And I’m Matt Masterson. I’m the designated survivor that was held back from the federal panel. So if anything happens, uh, we can maintain federal continuity of operations on election security. I’m in a secret skiff out in the Midwest somewhere. Appreciate the voting village for inviting me and the feds to participate. So thankful Ah, to Bryson for organizing. And if, uh, I know we’re going to address the question of what? What’s the greatest area progress since 2016. Where have we improved? I mean, the fact that you have, ah, unified federal effort working to help support state local election officials on this mission. Space, I think, speaks volumes. I work for the, uh, cyber security and infrastructure Security agency or sista the election security lead Their Prior to that I was a commissioner at the A C where Maurice now sits. Ah, And before that, I was an election official in the state of Ohio. So come from an election administration background have had to learn the intricacies of both the sista Ah, in the i c. And I’m so thankful to everyone sitting up on that stage for their patients with me and working with me and sista to make sure we’re supporting the almost 8800 state local election officials across this country, let alone the private sector that we work very closely with. Ah, and members of academia and not a nonpartisan organization are focusing system eyes to get information support services, everything from penetration testing ah to routine cyber hygiene scans the incident response out to the state local election officials to help support them. Ah, and, uh, engaging with their voters. The reality is, American elections are run at the state local level. Uh, and we want to do everything we can, uh, so that those state local officials could talk to their voters about why the process is secure. Ah, and why they should have confidence that their votes counted his cast really thankful for this panel and super excited to have this discussion to that. Now that’s a That’s a great Segway trust. Is he to the infrastructure, right? The process were collecting votes to determine our democracy starts with that trust, and that begins with transparency and accountability, Which is why that are so critical that have this panel here for the government to talk about. Okay, what’s happened and what have you done? So 2016 is when I think this really grew into the consciousness as a significant issue that everybody understood what exactly happened in 2016? Uh, well, uh, on the cyber side in 2016 Russia compromise multiple different election networks. I that include the state network that two counties and I It’s a part of that. I we possessed that they really sought to a t least enough reconnaissance against all 50 states to try to figure out where it was most vulnerable and where they could get in. Now. They didn’t We don’t think that had any effect on election. Have no intention that they did. And really, where they were focused on but couldn’t have. But within that is obviously troubling because that’s an attack on our election systems. It’s attacking critical infrastructure, and it’s something that now looking at that moving forward. But that’s why we partnered with everybody here toe focus on How do we a hardened networks? So that can’t happen. And how do we work toe counter adversary so they don’t want? And how do we ensure that we can be as transparent as possible? And that’s included. Some various measures, like both FBI and CISA, will now tell a chief state election officials if anything happens on a local election network, that’s a change from 2016. And it’s a necessary change for the transparency. Yeah, I mean, I think since you covered the cyber side pretty well from influence side of ankle spokes tragedy, the infamous Internet research agency controlled farm. So in terms of social media operations, they were conducting twice 16 and 2018 also hacking operations there are always to be very damaging when we look at in terms of kind of evolution between 2016 2018 and 2020 um, you know, mostly fell to stop Russia it’s 2016. Find the elephant fried is broader. That right? It’s 2020. We’re looking at the spectrum of all of our adversaries. Russia, China, Iran, ransomware, actors off. There’s more people in the game morning for each other. Influences. Chief game. Get out now. Social media does. It costs a lot of money. I tried a water you’re near. It is hotline. That’s so that’s something we’re not right for us. In 2016. Um, election security really wasn’t a party mission. It just wasn’t something that we have previously focused on heavily involved in in other operations. And so, while we were focused on on other operations, Russians obviously way learned from that in 2018 between cyber com. And then it’s a way formed what was called the Russia Small Group Really laser focused on Russian interference in the 2018 election. You know, for us that never stopped. So, you know, I got back to the command about a year ago. 2019 and we didn’t start up. You know, this thing called the election security that was already on it. Never stopped working for from 2018 way. Think we’re in a much better position now. Certainly, there were in 2016. The big change between 16 to 18 out of 20 really started with the critical infrastructure designation. That allowed all these federal partners to come together in a way that we’d be able to better protect our election infrastructure. And I think that that really is the key to all of this, which is information sharing, making sure that information it shared amongst a disease but also to the state and local partners as well. The books were actually running their own networks around infrastructure, and so that’s where the A C comes in. We have a relationship for building those relationships with the state and locals to make sure that they understand the information that’s coming through the federal partners and that they realize that they’re part of the solution to the information up to the federal partners. It’s half asshole works. It’s not just keeping those information notices in a silo on keeping the local level. It’s a sharing up and down the back to make sure that the infrastructure is protected because it may not just be attack that happens on the single ST or single county that might be happening. Other places if we’re sharing information and partners don’t know that that tradition is going on. Yeah, just to build off what some of the other Panelists said. For me, the biggest change has really been that level of coordination and support with state local election officials azi many people know when the critical infrastructure designation was made in 2017. There’s a lot of resistance, understandably, from state local election officials and skepticism. Ah, and we sat there on in 2018 on had relationships with all 50 states had information flowing, were deploying Albert sensors. We sit here now on the brink of 2020. We not only have Albert sensors, so intrusion detection sensors deployed across networks in all 50 states. Uh, we have a nice sac and information sharing and analysis center. We’re close to 3000 state local partners receiving information, pushing information back to us. We’re now deploying endpoint protection in many of the states and across localities have additional insight. But really, that ability to coordinate across the federal government to push information back down to the state locals has improved so much. The federal government, I think, is working in a way around election threat information that that I don’t know that it it did around. Other issues were able now to take information and state locals or sharing all kinds of reporting with us and push it across the interagency, the folks that you see sitting up on the stage here. Ah, and then push out alerts and warnings through the I stack broadly to the community on. And that’s just a function that wasn’t there. Certainly in 2016 and is really being honed and improved upon from 2018 to 2020. Ah, and that broad reach. And so that ability to really work with the election officials to understand risk. Our risk understanding is much deeper than it was 2016 or 2018 to the point where as cove it is developed and kind of changed operations within elections offices. We’ve been able to be responsive and understand where the risk is shifting. Ah, and try to help gear our support or information sharing toe. Understand that risk, Jeff so they could take appropriate steps to mitigate that risk and really ensure the integrity election and then turn around and messages to voters, and I think that’s a theme you’re gonna hear throughout this conversation. Really? Reach in that last Ah, that last step of talking to voters about their options about how they can vote about the process And security is really critical in an environment when we know adversaries are trying to undermine confidence in the process. The part of what we’ve learned, which stems from the problem and a lot of what the solution and then has been investigation. This is critical infrastructure. The federal collaboration of the fact that, you know, like this happened where this isn’t the first time you’re all meeting each other. You’re pretty Well, I was stalking a brazen earlier that I’ve been on panels before with people in the government who are all working the same issue. And then you’re meeting the person right before the panel starts. So what? Price had reached out? Seven. Having been a logic theory and I asked, OK, is gonna be on it started checking off names. Okay, talk to the people multiple times for weaker, sometimes every single day today. So it really just shows like how deep the collaboration is spent a lot of time in counterterrorism. You think that’s a mission that you know. It is a vision of that government rallies around by election security. I get water, right? I mean, there’s no better example that this panel is a representation of what’s already happening. This panel it’s not the thing that is driving it right. We are capturing a moment in time. What’s the college way had tried to do this in 2016? We would have been spending the last 30 minutes, all shaking each other so that tell us about the big glass. Not like we’ve never heard of these things. How information sharing isn’t just sharing information, right? But the fact that the information is being shared so that missions are being exit things are happening with, right, those risks are being assessed. Those actions are being taken. It is. I really like you phrase it right way game. I’ll translate that. Everybody, actually, why don’t you translate with you waiting? So So let me translate the away game at the end. I mean, if I could just talk about the collaboration, the relationships and a good example, is like the rehearsal that we did on suit. So look, I’m in the Army has been in the Army long time, just like they spent a lot of time in the SETI fight. And, you know, a lot of times in panelled rooms in places like Afghanistan. And, you know, we operate out of these joint operations, right? And in the joint operation centers were sitting in there. As you can imagine, we love flat screen TV’s lot of flat screen TVs on the wall, and no unmanned aerial vehicles were flying around and other collection assets. All that data is being pumped into the room where you’re immediately able to make sense of it and then make decisions. You know, allocating resources, send in forces doing what and, you know, super Tuesday, if you walked into the the room that we were using as a mission center, you would have seen cyber com personnel you could have seen in ESA personnel, and you would have looked in a chat room and almost every organisation that you could imagine involved in the federal government. Okay, and they are talking about in almost real time. If something goes on on state election infrastructure in North Carolina, you know there’s unclassified chat going up the DHS drops it in a classified chat room. You’ve got analysts from ESA in cyber com and other government agencies immediately Comey hair databases and then almost instantaneously providing information back that says, Hey, this is something you should be concerned about. This is just normal traffic that we see on any day on the Internet. It looks anomalous, think also producing, you know, at the same time, I’ve got defense of cyber elements that are sitting in things we call whole rooms and they’re waiting on a call. You know, if there is something that happens that DHS D tell, you know, they’re praying they have collaborated in the past and we’re ready to pick up the team. Additionally, we have elements that are that are sitting over another off centers. OK? And they were prepared. If we see an adversary that’s attempting to do something in a field, that election, you know, we have the ability to play the awakening, so we have the ability to go out and forms face. Look what’s going on. We have the ability to make you stop feeling next. Really, the focus off of what I think the federal government looks like from the local and state level, all the way up through the national level, to the Department of Defense. And you know, for me is American. Honestly, that was a pretty impressive take its life turn from that. I think it is important to call out collaboration that we have a government, but I think he’s other revolution that’s occurred is the engagement with industry. You’re right, I sure way have a lot of people. Are you working for the federal government doll in here? And I think that’s been a pager. The shift in posture we have for election scary. I mean, it’s awesome when you’re reading about disinformation, that being pulled out. Social media complicating is obviously the soccer security companies really focused, not election threats and trying to talk down half a series and what they’re out to way. Can’t wait. Can’t do this mission without them. Industry help from the state state local election officials, but also start of security companies and how we can, you know, see it off each other way. Learn from what industries putting out. Hopefully we’re providing value as what we’re putting out so people blunders that this is something sides they have right industry has a lot better inside. This case is so Erica critical partner. I think that taking it a step further in that individual local clever, not just a big corporate or company collaboration with federal government, but of people who call in suspicious information because they were worried about it. And they called me Just call FBI that the calling of us and they are calling because they’re worried and they want to do the right thing. And how’s those people call majority of the information that really were able to get to state our goals since 2016 has been because people call us. They have said they were concerned about some things, looked at it and we said, You’re right and we got it out. So there’s there’s that element of that like that corporate industry, responsibility and collaboration. There’s a federal government collaboration, but there’s an individual leverage to all of us that it really is working. Yep, Bryson, if I can just really quick on on that, I think Cynthia raises really good point. It’s appropriate here. Just the fact that there’s now a guide for coordinated vulnerability disclosure for state local election officials in 2016. As a member of the election community, I could tell you that was that was not a known commodity or something that they were even considering. And now we’re progressed where folks like Jack Cable, who I know is on before, have bill relationships with election officials, help them understand the value of vulnerability, disclosure and working Ah Teoh with independent researchers and security experts. In that way, the fact that private industry within the elections community is rolling out, ah, vulnerability disclosure policies and engaging in that conversation, not something that was going on in 2016 and so that the multiple avenues of information multiple avenues of collaboration are really encouraging. I think we have, ah, ways to go. I think there’s lots of room for improvement, certainly on the federal side, to help coordinate on that a state local level, increasing capacity, the ability, the intake and resolve and mitigate those vulnerabilities. Ah, but it’s a drastic improvement from from where we were even four years ago and really speaks to the professionalism of state local election officials in particular, uh, who care deeply about the security of this process in their systems and want to find ways to improve and talk to their voters about the steps they’ve taken to secure it have. This industry in this community has really matured very quickly compared to some others. And I think it’s part due to events like this like that where researchers are coming together talking about you know what’s going on, where their vulnerabilities, what are some ways we can fix that taking a look at other industries like telecoms, aviation, things like that, getting those best practices out of the way kind of quickly. And as Matt was saying, it’s because individuals care. And I think that’s probably the biggest part this that I want people to take away from. This is that elections happen in communities. I think that’s really what it comes down to is everyone gets a sense of how important is that at the very local level, Then all that builds up to build a sense of national urgency importance about the issue and to see the election officials really get on board with this idea that they are part of the defense network to make sure that we don’t have interference of playing, you know, in our elections and to see them. You get educated on the issues and really try to convey their own sense of confidence and their systems because they know what goes into running an election. It’s not all just about cybersecurity. There are administrative tasks thinking todo their other task that some of them or even responsible for and so they care deeply about elections. They want to make sure that everyone who votes has level of confidence that they can feel when they go into the polling place or when they mail in their ballots. So follow questions. So it’s Maurice and Matt Mr Type. This falls from a question from the Internet. On it is we’re talking to a very unique fights today, right? They are citizens of the world. They’re American citizens. But their packers, right? This is the immune system of the Internet that’s there to figure out what we’re expecting, gives things. They’re doing it today in the voting. They’re doing it on the technology. We talked about industry involved that we have individuals willing to take their times actually did into the technology itself, understand what works and what doesn’t, because that gives us better trust and that technical education system. And so the full question here is, when would we start potential and should have a prerequisite for entrance to the PTSD certification process that election system vendors adopt good vulnerability disclosure policies has called out today, so make them widely available for penetration testing. I’ll take that since the sea is in charge of the development and the approval of the BBS key. So those air guidelines that are used by states on and it directs the manufacturers to meet certain requirements that they built their systems in a way that is accessible, insecure and usable. And so I think the idea of a voluntary disclosure policy being part of that would really just be the codification of industry best practices. Now manufacturers know that they’re in competition to help bring a better level of security to these systems that are in use. And so I think that’s already happening. We’ve seen the fruits of that labor already didn’t need to come from a federal agency to help the process along. So to answer your question, it’s already happening. And so as the industry continues to mature, I think that we’ll see more and more wonderfully disclosure policies. And I’m hoping that you folks out there get interested in this sector and actually use them. You find that legal way of record of doing the research and then reporting and responsibility to make sure that the problems actually get fixed. This isn’t about a big bug bounding that you’re going after this isn’t about trying to embarrass anyone. This is about strengthening our democracy literally through strengthening our systems. Bryson, just just add a little bit. Maurice Ah really tackled the meat of the issue, but I agree. I mean, we have had several vendors election system vendors come through our penetration testing process. What we call our critical product evaluation process. Uh, up in Idaho, uh, we have seen the private sector embrace that Now we’re starting to see, I think, the fruits of the work of, of not just the voting village. Ah, but the private sector companies to understand the value and frankly, the marketplace dictating that that improved security Ah, steps towards coordinated vulnerability. Disclosure processes are going to be good for business. Ah, and that’s why you see a reflection in progress being made. The private sector is hearing from customers is responding, and I think we’ll continue to see progress made on that level. I think one step we need to take and I know the A C takes this very seriously, and states need to be thinking about it, too. But to the extent it involves equipment, whether he pulled books are voting systems that they certify, you have to be ready to respond and adjust certification, quickly, adapt to those type of processes. So I think we have a maturing to do sort of in the ah ah, bureaucratic lane to make sure that we can support the private sector as they’re changing and evolving and accepting. Ah, this approach that we support them, ah, in our certification processes and the way that systems need to be field so that all ties back to that. What is the threat China, Iran? Russia had mentioned. How are they a threat? What are they doing? And are they the only threat that we would be worried about? So I’ll start with that one up, I would say those are the mean friends were facing again. I think Ransomware is like one of those wild cards out there that should be fielded by anyone. Theory critical actors. That s o Russia. I think in terms up in evolution what we’ve seen, we talked about the research agency. What? They did it kind of social media accounts, troll farms in terms of 2020 shift seen a ship or words used proxies. I got such amazing intermediaries gonna remember in a technology crowd. Sort of saying Rockies, So, you know, using again I mentioned before laundering information through other individuals into the media space IRA seen seeing death ship tactics. They had set up something in Africa I got in terms of trying having people. They’re trying to put stuff online. Most things about socially divisive issues using covert, absolutely spot sites to feel that get their narrative out. So those that’s kind of a shift attack, it seems Russia side, China I think you scale is something that has been matched in terms of them is a fried balls of a cyber standpoint and from an influence standpoint, certainly on insolence is very active in their regions. Want becoming potentially more aggressive, U S. Bases, something that monitor prepare for but you know, inside for China cyber threat. You know, they’re a little bit different in terms. Off scale rats with targets. They right Every U S. Citizen is targeting China. Just big data ki i I there sitting, collecting, obviously everyone’s i d threat on the sides of standard intelligence type targets. So I think that’s that’s that your heart that, you know, I ran just getting into the game to write in terms of trying to do according to what the other. Yeah. So you know Russia. You know what? All for everyone. You should read the work that came out from the State Department couple days ago. 77 pages, you know, call the pillars of disinformation about various sites operated by Russian. Just ask yourself, you know why in Russia, you know a country where a few people read or write English, you know, they continue to put out a tremendous amount of English language news on these on these French news outlets, you know, that really involved divisive issues that us face. So, you know, again, a tremendous amount of platforms that that the Russians investing CNN ran a great news expose in April of 2020 about the organization that Dave they reference. So 80 trolls and Ghana, led by God himself. Wired is who grew up in Ghana educated in Russia on and appears to have been on the payroll of the production network. So again, it’s about a seven minute watch. CNN did a fantastic job, and that could just provide you some insight into what the Russians were doing there. And then, you know what we talk about private industry, you know, whether it’s Facebook, Google, Microsoft, you know you there. Dozens of articles about how these technology companies have identified this malicious behavior on their on their platforms that they were able to link back to the nation. State adversaries Russia, China, Iran. So, you know, I would tell everybody there’s a ton, a ton of stuff out there. You know, when we put the cyber com then I say we want we want to focus on that classified cyber box. But I’ll tell you, there is a tremendous amount of great information already out there on the Internet. A lot of insight, you know, as a Cynthia talked about. You know, we you know, the U S government for you experts that are out there you know if you see suspicious activity, Healthy hs tell the FBI you know, we the government will do something about it. You know, if it’s a domestic threat, those organizations will address it. If it’s a foreign threat, they’ll tell us. And I don’t mean no. Tell us, like, six months from now, they’ll tell us that day. Don’t tell us early the next morning. You know, we had an incident the other night that, you know, I heard at 1 42 in the morning and, you know, about six in the morning. We had cyber teams looking at the activity. And so again, for you experts out there, you know, uh, you know better than anybody else. If something is weird is going on on the Internet on, I would just ask, get it to share that way The government and I say to just for about a cyber aspect, because there were a lot of anger leveraging trust relationships. I know it’s contacting right, so some of these networks that they might be interested in are very well defended, just like beauty, right? But you know, cos sometimes outsource the marketing department’s. There’s other other soft targets out there. Think takes. That could be lucrative even from an Intel destructive. You know, thanks. Do policy work for our politicians have contacts with officials. So, you know, sometimes going outside bull’s eye again. A lot of a lot of this is compensating, explaining publicly. Don’t see these bastards sprayings your fishing, you name it. They’re they’re using showdown with these groups week. They’re they’re using those tools, get access that is inside a bullseye leverage that leverage in Macau number connection getting a target going out of an important point that that sort of a parting isn’t stuff. It was from spearfishing for looking for those more That’s been continuing apace and we were talking a lot of incidents even right now on and the good news with all those incidents is we have any widespread attacks from those. But it’s interesting because that tracking lot of incidents can feel scary, but it also it gives me a lot of it makes me feel better almost because I know that we’re detecting And, uh, that means we have a lot of false positives that we follow up on. I travel back then, not knowing things were out there But it also means beautiful or a picture. And you know that Fulham picture, as Dave mentioned, is cycle for most and not just ransomware. Other types of incidents as well and an actor swell and way really have to be on guard, not just if it’s coming from Russia, China, Iran, a host of other groups but a threat to its election network for a campaign that is a friend and way need toe be ableto flexible in addressing that, and I getting in front of that head on so that we can make sure that come Election Day. We’re not dealing with a lot of pop up, for instance, spending a lot of time trying to grow. Yeah, I think that that’s this cyber and cyber threats and threats, and it is a dangerous space. We know about actively intact, potentially populism opinions. But no way. We’re just talking before this panel. I think it turns up using influence have made people distrust either electoral outcome, so you could have a ransomware incident in a local level that actually doesn’t even impact like the elections county or any of that someone could that spin an influence campaign that gets reported to make you think it has had an impact and that knocks. Russ results, right? So that’s one of those things that I think is worrisome, even if the cyberattack doesn’t actually have to have a measurable impact conflict. If you want to vote tallies, it’s. But if something people take that, try to stand off information operations. That point, let’s like drive home is that it’s not just about you know what actually happened. Word votes actually change. That’s incredibly difficult to do at scale. Wait, it’s undetectable. But if you can put that message out there that causes people to question and in their local election officials picks up that phone call and they don’t have a good response, for that could be just the imaging eyes. That’s why Eddie A. C. We feel so strongly about making sure that local election officials have the tools have the training they need to partner with the Center for Tech in Civic Life. Taxi provide that basics intermediary, intermediate level of cybersecurity training so that they understand, you know, why is it important? Have two factor authentication? What does it mean to actually have a password? Managers were not reusing your passports basics that most books that are watching us right now are thinking anybody not know how to do that? I have never been taught that if you don’t have understanding of the impact of that, then it might be too much work. But once you understand how much bad stuff that actually prevent, you recognize it’s actually not that difficult. Sex is pretty easy to use it. If you are familiar with tools, and then it gives you the confidence to stand up and say, You know what? Yeah, we heard about the Ransomware, or maybe we got hit with some ransomware but you know, the town down the street. But we’re ready. These are the things that we’re doing. Russell. It’s another thing to talk about. Here is some of the big things, high level things that we’re doing to be prepared so that if we do get a phishing email, you know how to spot it. We know how to stop it. We can recover from those back ups that we actually do get hit with it. And so I think that’s why it’s so important that the local election officials I have little confidence thinking, then reflect back on to their voters when it comes to elections. Yeah, just just real quick on that. Maurice raises some really good points. And it’s why we spent a lot of time insist on something we call the Last Mile project, which is literally a poster project offering both risk assessment and then mitigation advice to the local level. Almost 6000 local jurisdictions specific to their state in their jurisdictions so that they can not only take the steps, whether it’s multi factor authentication or penetration, testing or fishing campaign resilience or creating incident response plans, which we really focused on but then can go and talk to their voters. And we’ve seen some cool approaches to this. We saw one state, the state of Iowa, take their posters after the state fair so that they could talk to their to their voters directly about steps they were taking. We saw the state of Rhode Island work with their libraries to put it up in the library system that they could talk to voters through the library’s about this and in the end. And you know, I think they’ve raises a really important point. There’s resilience to cyber intrusion, resilience and the ability to recover from incidents. But then there’s the resilience that we need to install. Uh, in talking to the American voter way, need voters that they’re prepared, right? That understand the registry. Am I registered? What’s on my ballot? What are my voting options, particularly amongst Cove. It s so that they can have confidence on how they’re going to engage the process. We need ah, voter, that is patient. That understands that perhaps election night results won’t be is complete eyes what we’re used to in a given jurisdiction in that ah, the accuracy of the vote count is the most important thing regardless of the time it takes Ah, and then we need ah, voter that participates that engages, we need ah, you know, 250,000 arm or whole workers across this country in preparation for November in the midst of covert when we have a poll workers that, uh, you know, we’re gonna be unwilling to work either because their age or high risk nature. Ah, and, uh so having people engaged in participating the rally for the for those folks that are listening no one told me anyone would be listening to this. So now I’m a little worried, but anyone that is listening go sign up to be a poll worker if you want to understand the process. Matt Place hits this every time. He’s exactly right. If you have questions if you have concerns. If you want to help secure the process, start off by being an election worker. You’re not gonna get turned down. We need you. Ah, and it’s the best way to learn where the resiliency exists in the process where improvements could be made. Ah, in order to get involved if you can’t be a poll worker, if you can’t take on that risk, there are opportunities to watch pre election testing of systems. We run elections at the local level so you can participate directly with those who run the process. So go get your questions answered, go engage with them and see what kind of support they’re in need of, in particular serving his election worker. It really is the best path to doing this and the best way to learn the process. But if we can have voters, the voters are last line of resilience. Is director Krebs says. They’re the ones that that can really ensure responsive resilience, a resilient process when attempts to undermine confidence or there. There is no such thing as a secure system, right? We never hit a plateau where it’s like up for good. We cannot back home to take the next year off. So quick question from a lot of interested citizens who want to get involved ties to the fact around. OK, so you talked about detection being a key part of that system where exactly they supposed to go figure out where to say something? Well, you can go to your local FBI field office. You could go on Teoh FBI backup and find out contacts or eye contact our FBI. So I watched directly and you could go to multiple other agencies as well, because what we really said is call the ones felt all, and that’s how I we are ensuring that there’s that information sharing across. So there was that. Yeah, I was just gonna say Cynthia’s exactly right. You know, we first of all, if you know of something within your community engaging directly with the local election officials, really critical to help understand did you actually find something or eyes? Something they’re aware of? Otherwise, Uh, the second part is engaging with your state officials. They’re prepared to take it on. They’re the ones that know the process. Know their systems can talk to the vendors if it’s a vendor issue on and then the I sacking this for exactly this reason is, Well, there’s an avenue. Ah, and it happens fairly commonly that if you report to the Election Infrastructure, Information Sharing Analysis Center or directly into system uh, we now have the points of contact that we didn’t have in 2016 to be able to get valuable information to state. Local election officials said they could take action on something that’s identified so that there are avenues again. The state local officials know their systems that best prepared to mitigate a problem. But if you’re not finding success that route that the ice axis FBI field office are available to help you get there. Ah, and understandably, some folks may not want to go out of the federal government, which is why the ICE Act really offers a nice, safe place to begin that reporting offer up the A C as well. You consider email the security at the a c dot gov. Obviously, we have connections with all manufacturers. If you’re having trouble with particular manufacturer having trouble with particular agency, every local official, or just not in the response you want, we’re happy to help facilitate that conversation. And just from a cyber constant, one of the big changes for us is you know, we historically had been focused, you know, working inside skips and one of the things we’ve really done and supported 2020 years. You know, we have organizations now that living outside skills there on Nipper Net or unclassified Internet, you know, they’re in slack channels there, talking to the FBI. They’re talking to be a jest. They’re talking to private industry partners in there, you know, they’re living in that same eco system that many of hopes that are listening to this presentation. Or so we have really tried toe adapt some of our behaviors. So we’re able to, you know, in real time, flat rate our partners across government, you know, on a little different time scheduled in the traditional military one. Because I know most of you are probably not up at 5 30 in the morning. Just like so, Bill Vanina, the director of the National Counterintelligence Security Center, just recently put out an official statement today talking about the very threat that work here. But all the threats were basically laid out in an equal manner. Would you say that? That’s equal? What would you say is the biggest life? I don’t think we need to take any of the threats, like right? I think statement in terms of what you saw out there, it lays out out. Each adversary is approaching problems. Certainly. Russia, China, Randy, they all have attending the audio activities. Maybe your unanswered, your best interests here. So, um, you know, I don’t think I would say like one is scarier than the other per se. Certainly some of these adversaries are more experienced at this in terms about time they’ve been working doing operations. But, you know, from our perspective, you know, I care about all those threats. I take them all seriously because I guess I’m not some of the stuff. It’s very cheap to get into, so I wouldn’t do a value judgment this first. I couldn’t agree more on that and I think that it’s really important. Remember that Are great pictures always informed by collect what we know And you know we don’t have pictures and how we really have to approach all this is what could be the effect from various grills. What could happen closer September October? Because it still is a few months away and way. We need to be prepared for a lot of different things happening within that, and I foot stop again. You know, it doesn’t just after the big three b I other non state actors, I or criminal groups in the light that are going toe undermined people’s confidence in our system. And really, if you ask me, the biggest threat is it’s these constant from or equals campaigns that are going to make people feel there must happen in our system. And that, and that’s really near your eyes. Hey, Price. And just real quick. Everyone in the bedroom actually has to take a drink cause the Fed said foot stomp. So that’s actually one sip for everyone in the bedroom. Thanks, but here I can’t help but feel like you’re cheating the system a little bit. Uh, if you don’t have a drink. I’ve been drink. I’ve been drinking this whole panel. Don’t worry, I’m good. Hey, put up or shut up. Shows your drink. It’s in a water bottle. But so we’re coming close to our end of time. So I want to ask you a final back questions to each of you. Have about a minute you get not Internet connected. Want magic wand? Wait, What did you someone that The magic it is? Yes. That is how it is wireless but wire. And one thing happens for your agency. I don’t know. This isn’t reality, right? This isn’t Oh, if only I could get $20 million to claim that this is what do you wish they process? How did that? Okay, so 2020 is almost Britain. Yellen, ballots start. People start story start happening. 2024 is our next. What is one good thing? And one thing we really need to worry about the future. See, I feel like I do the shortstop. Right. Next. I, um I like you the most. Okay, I So I thinking about I how what I really wish we had more off is I wish we had more people right now with the settler skill set that he could hire quickly and get him on on so that we could. I just expand our scope and scale on speed in which we’re addressing threats. And I think that that goes towards you know, we’re putting so much about the haves against election, and I feel really good about where we’re at on it. But what does that work that you know that the words mean? And I’d like us to know that we have people coming to us, that I want to do the right thing, that I want to protect America and have those skills. Siri Teoh as it was 2024. Whatever. So I hope we keep guys collaboration and the focus alive. I know in my remarks I get a real quick overview of what the bad guys that you know. Part of it is part of that. It was not a cyber investigations looking at influence Side who developed the Ford Influence Task Force. And that effort, I think, has really helped us focus. I’m It’s not just a cyber issue. It’s not just a criminal Justin influence if you like, see how it all works together internal getting the China crime people and looking at it as I want it, that’s new with really consider that station in life moving forward. I think that yeah, that’s Do you know your visions? Yes, Spectrum of of a few years. So but yeah, and I hope we all stay in touch after way. You don’t stay in touch them the next panel before I think that the wand answer is pretty easy for me. Perfect insight and necessary attention. Operations is obviously I think you’re not supposed to say Teoh. Oh, hitting a little bit out since his point, going back a bit to accommodate me before working counterterrorism. A lot of fighting the last war, right? Someone tries that love playing with printer cartridges like government swarms that figure out how to stop that. Then the officer, You know the same thing you’re seeing adversaries of all we’ve seen adversaries come in. So there’s always don’t worry about you know what, you don’t know. But what I’m confident in is that we are position a lot better position now for agility in terms of responding these rest because of the systems we set out the partnerships have. That is certainly something for 2024 we didn’t get building on and not who’s excited it when problems come up, you know, not making sure this remains a boat because I think the def con voting village is very important to keep this running. People’s health from Dennis a specifically way, Have a much we’re investing off or in a white damn brand white, half grand. Excuse me, but it s a cyber Twitter account. Follow it. You’re gonna see more good stuff coming out of that. But you continue to develop on. That’s the incredible thing. I can tell you how excited something people were in our building. Likely saying this. Substrate advisory on the g r u vulnerability. Seeing you know it, least five different soccer security felonies take that information, did it on the indicators in their and their own data sets, figuring out things that you getting about to uncover more adversary operation so that not people excited building. And that’s something you want to do more of it ahead against sitting on that partnership in that dynamic about using each other’s information and building that security of the enterprise raising all those. It sounds kind of Pollyannish. Hey, Bryce. Bucket wave A magic wand. I would leave it, and then we would get killed 19 under control. You know, I just got to tell you, there’s great collaboration, but we could do so much more. We could do so much more with our partners here. We could do so much more overseas if you could get the pendant that controlled. So, please, where you’re basking helps the second piece, you know, where do we see this? In 2024? You do get past questions, but I get the answer you want. So you know, I would rather focus on 2020 20 is not a foregone conclusion. We can have a safe, secure, but bullets, you know, as as an American people we need to mobilize. You know, there are thousands of smart people extraordinarily technically capable, that are watching things session right now. Please will work at the polling stations. Please talk DHS, please talk to the FBI again. You know, we are all ends. We got down. Since people are going to work every day in order to support safe, secure vitamin election. And Alan just ask for everybody. Everybody appreciate that. There’s a greater sense of where we all are in the world today. If I could wait my match one on the A C. I said that we would be doing better to get TVBS G more, more flexible and faster responding to this idea that if we could get you researchers interested in election of the structure and several vulnerabilities report them responsibility, and we get the manufacturers to patch and get those at midfield on much fast turnaround. I really, I think, get a much better position. We’re working toward that. It’s still a process. Yeah, I take some time. I think we can get there by 2024 just to recognize that federal elections over two years. But locals are running elections every few weeks, and so there’s a bigger stake at play because every election that’s run is a chance to show that we could do democracy, right? We’re gonna keep doing it and it’s done very well. Most of the time. It’s just this few times for this will stick ups way, have some trouble and it starts to erode that confidence so better we get at hit those patches. Much better articles this more. Yeah. So the magic wand. I got two answers. I think on I had the advantage of time, which is useful. The first is if there was a way for sista Teoh. Ah, push out. Ah, service agreements or whatever the case may be too. Upgrade election systems. Not just voting systems were motion. The focus goes, but election systems including workstations, off of outdated on supported, uh, software. Uh, I I absolutely want to do that. Ah, you know, it’s not just windows seven we’re talking older on, you know, It’s not that the the local election officials or state officials don’t want to upgrade uh, that they lack either that the eye t supporter resource is, And I’d love to be able to give that to them. The second is getting to 100% audit ability across the nation on having efficient, effective audits. For 2020 we’re gonna be upwards of 92 plus percent of honorable records. But we need a good, efficient, effective audits. Teoh that are transparent. I mean, Neil McBurnett asked the question earlier. He’s making it his mission in life to get to this, and I so appreciate it. If we can if we could provide that public, that transparent auditing process efficient, effective, I think it would be real success. Looking forward, there’s something in elections called the Election wall, where you literally lack the ability to look past the next election. You try and you don’t even know what life looks like beyond that. But if I had to to really ah, you know, push myself through that it would be increasing the amount of support. Resource is Ah, and I don’t just mean money to state local officials to help them meaningfully manage the risk to their systems. Ah, and really take some of the innovative steps that they want to take. Ah, that they that they’re unable to, either because of a lack of I support a resource ing that otherwise would allow them Teoh to serve voters. And then finally, I know I’m cheating. Ah, but but a more resilient American public, a deeper understanding of how elections work. Ah, deeper understanding of what their options are, how ballots, uh, reach them or how they can interact with the process. And then, uh, how we reach our final certified elections again that that prepared patient and participating voters everything. As we look at 2020 I feel the same way. That as well. It’s organized. You’re deft. Can’t look past this weekend. Thank you to all the Panelists for sharing at this age is a lot better understanding the level of cooperation, transparency on the fallibility and the improvement and very much before. But what we do we are all citizens on our voices should be heard. Thank you. Thanks.