Transcript

Speaker 1:
So with that, I'm going to turn you over to Amelie Koran, who is the moderator for the panel. I'll let her introduce the panel subject and her cohort here with you.

Amelie Koran:
Hi, everybody, welcome to ShmooCon 2020. Great to have you all here. All right. So, our panel today is on election security. It could be topical. I don't know, maybe. But we've got a great panel out here today. On my left here actually is Kimber Dowsett, mzbat on Twitter, works for Trust. Next is Casey John Ellis, caseyjohnellis at Twitter as well for Bugcrowd. I'm trying to remember, it's like everything's moved around. Jack Cable, jackhcable, independent security researcher, and then Tod Beardsley, todb on Twitter at Rapid7.

Amelie Koran:
So as you all know, if you're American citizens or not, the election's coming up. We've got a little over eight months until the next election. Many years we've been finding issues with disinformation campaigns, voting hacking, all sorts of stuff that's been in the news. Today's panel here is to kind of like have an open and honest discussion about where we are with things we can actually take care of between now and then, stuff that we may actually end up having to put on the backlog to address after the upcoming election, but also discuss some of the challenges that we have anywhere from the local election locations, so your cities, your towns, state levels, but also where the federal government stands in assisting fair and secure elections. So with that, to set the stage here, I'm going to let each one of them kind of introduce where they stand on the topic. And to my left here is Kimber and I'll let her do the introduction there.

Kimber Dowsett:
I didn't know that's what we were doing.

Amelie Koran:
We agreed at the bar.

Kimber Dowsett:
All right.

Amelie Koran:
Your position on the election security.

Kimber Dowsett:
My position is the most important clearly because I'm going first.

Casey Ellis:
You'll weigh up the equities.

https://www.youtube.com/watch?v=HBFVcxBvEVs

Kimber Dowsett:
Right. So I'll just take this opportunity to say that I fully believe that there should be partnerships between security researchers and voter registration systems and election systems that actually encompass a lot of different things, including voter registration. But I take the stance that while I myself believe that transparency is the only way for a government to have the trust of its people. As security researchers, if we do reactionary disclosures of vulnerabilities, we run the risk of actually harming democracy by making people think their votes don't count. If they really feel like, "Oh no, it's hacked, everything's broken. This researcher said he popped the machines at DEFCON. My vote doesn't count anyway.", and they don't go to the polls, then we as researchers have done the biggest disservice to the American people and democracy.

Amelie Koran:
Casey?

Casey Ellis:
Yeah, so the accent you're hearing is from Australia. I can't actually vote here, so technically this is foreign interference.

Amelie Koran:
Technically.

Casey Ellis:
Sorry. Now look, my position on this, Australia is a Western democracy as well, coming here and getting involved in this issue a few years back. Obviously, what happens in the U.S. as really the modern owner of the democratic kind of ideal in the Western world, I think, or the role model at the very least, yeah, whatever happens here will trickle downstream to other countries that are doing the same thing. So I've got a personal interest from that standpoint.

Casey Ellis:
Really, my kind of stake in this and it's part of partly informed by what I do at Bugcrowd is the role of the security researcher not just to resolve and help resolve the technical issues that exist within machines but also within all of the other stuff. But also the fact that we need to actually restore, I believe some confidence in the American population that are at this point, generally nervous about the Russian Boogeyman and feeling like they can be hacked. They don't really know what that means, but they know it's possible. That in and of itself exposes a vulnerability for disinformation, which I actually think we can be a part of helping resolve in 2020. So that's my position.

Amelie Koran:
Cool. And Jack?

Jack Cable:
Yeah, along similar lines, I come from the perspective of a hacker who's trying to make the election system better. And it's clear that there's a lot to be improved. And yet part of where I'm coming from is looking at the problem as a whole rather than some of the wounded insight the security community has had into state voting machines, but really realizing that this is much, much broader than just that and seeing where hackers can best play into that, and one key part to that is starting these vulnerability disclosure policies at both state and local government levels, as well as with the election vendors. And they're coming along. And I think that that's one of the key ways that we as a community can interact with them and really work together to security systems rather than kind of existing in these two separate worlds.

Amelie Koran:
And finally, Tod?

Tod Beardsley:
Thank you. I'm last so all the good opinions are taken, I guess. I work a lot with vulnerability disclosure, coordinated vulnerability disclosure, specifically. I care a lot about that process really of like how researchers communicate their findings to vendors, to someplace like a cert, to DHS. And so I've been working in that area some, but I have a pretty solid IT operator background and so I care a lot about like the IT infrastructure that like Jack says is not just voting machines. I actually don't care hardly at all about voting machines. I think there are good people doing great work there already. I think that's covered. I don't think that's where we need to spend our our time. It would be great if they were super secure, but they're not and they will get there eventually because we're starting to do coordinated vulnerability disclosure with the vendors. I care a lot about the IT infrastructure that is not just state and county and local, but also campaigns. I care a lot about what campaign IT security is doing. It's disheartening when CSOs quit and have fiery letters about their quitting. But yeah, and I think I'll end there for now.

Amelie Koran:
Okay. All right, cool. So the title of the talk here is Hacking Democracy on Securing the Elections, so it's a big ocean to boil. So our opening question here right now is given the breadth and depth of talent on this panel, which as you now have been introduced to, what is the most important issue to focus on addressing before the next primary cycle, the fall election so forth? And what can actually be done both in the medium, short and long term between now and then and what do we basically have to focus on afterwards? Anyone want to kind of-

Kimber Dowsett:
I'll start by saying, I think this may be the thing we all agree on that it's not voting machines.

Casey Ellis:
It's also not voting machines. Absolutely. My job here is done.

Amelie Koran:
All right. So we all agree it's not voting machines, so it's less of a technical attack on this point. However, given that the election systems are vulnerable, thinking like an attacker, what would be those things you would go after right now if it's not voting machines?

Casey Ellis:
Yeah. Interesting conversations around the voting machine issue, but not with that as the thing that would actually be targeted in and of itself, like the idea that you can buy one of these things off eBay, make it look like it's infected with WannaCry and tweet that in the right places. The kind of exposure that exists and the weakness that exists in the population around disinformation to affect turnout or to manipulate turnout, that's one example. I think, even things like election night security feeds, sorry, information feeds, data feeds, between the election officials and the media manipulating that make people feel like they've won convincingly before they go out and vote and maybe they don't do that. So you can manipulate the outcome in that way.

Casey Ellis:
I think there's just a lot of different ways to monkey with this stuff. And the way that the community's tended to think about it is direct manipulation of records. That's a pretty expensive attack. If I'm a bad guy that's wanting to do something in this space, that's probably not the thing I'm going to go after first, if there's all these other things available. So I think that 2020, it's taking the heat out to some degree from under the pot with this fear that exists around interference. And then hopefully doing that in ways that can be sustained to have an actual security impact, looking forward to 2024, and so on.

Amelie Koran:
And Jack, for some of our prep that we did beforehand, you have a little bit of the other perspective on this.

Jack Cable:
So if we look at what happened in 2016, in the Russians interference in our election, we see that they're targeting three areas. They're targeting the election infrastructure itself with attacks on safe public voter registration systems. They're targeting campaigns and the entities that surround those, for instance, the hack of the DNC and the subsequent leak of those documents, which probably have the largest impact of anything that the Russians did, by leaking true information that then had real effect on the primary. So there was that. And lastly, there were these large scale disinformation campaigns that targeted voters over social media.

Jack Cable:
So we can expect all these in 2016, and likely at a much more sophisticated and much more scaled level and not just from Russia. So for thinking about what the most pressing threats are, I think we have to think along all three of these lines. It's hard to say if any are more important than the other, it just is how successful they can be in doing any of these. So in 2016, for instance, the attacks on the infrastructure didn't have much impact. They read some of the information, but nothing really happened. And that's all to say that this could change in the future if they do something that exploits a vulnerability in either voter registration system, election night reporting system in order to actually change people's opinions. And all this really isn't to change the outcome of the election. It's to change people's thoughts that go into the election and to change our thoughts about our democratic institutions as a whole. So it's broader than just any one election. It's to weaken our confidence in these systems, and that's really what's being targeted here.

Tod Beardsley:
Yeah, and I feel like 2019 at least was kind of a dress rehearsal for 2020 when it came to exercising municipalities' backup and recovery systems. There were a whole lot of... there was a spate of ransomware attacks during that period that continues today. And I think that if I was an attacker and I wanted to disrupt an election and disrupt turnout, I would make a big obvious splash with DDoS and encrypt all the things maybe a week before the election because we've seen that it takes a while to get off the block when it comes to recovering from something like that. So if you are responsible for counting IT, I think now's the time to exercise your backup and recovery.

Amelie Koran:
So as part of that, it's infrastructure, it's process workflow and procedures. And I know we were talking while getting prepped for this panel, talking about the vulnerability disclosure policy. And I know, kind of not so much a heated discussion, but a very intense discussion. And Kimber, you had a recent meeting with some folks that could be looking at this for state and local areas. Any details on that?

Kimber Dowsett:
Sure. Yeah, I do share a similar passion with Jack to see vulnerability disclosure policies here, from henceforth referred to as VDPs, rolled out at state and local levels. So I've faced some of these challenges in the federal space as other feds in the room have who have worked on the VDP issue and it comes down to budgeting and resources. So yes, I did have the opportunity to talk to some state folks quite recently this morning about this issue and you know what, the state has the same challenge with resources and budgets.

Kimber Dowsett:
So if you think about VDPs in general, probably most of you have seen one, they may have a reporting mechanism that's as simple as an email address, security@shmoocon.com, let's say. And you think, "Well, why wouldn't they just set that up?" But there has to be a person actually checking that inbox. So there you've got to resource. Okay, well now the vulnerability comes in. How are you going to fix it? Well, hopefully, you've got some sort of incident response workflow in place at the state or local level. So now you've taken in this report, and now how many people have to be deployed to work on the issue that you've just rolled out. So you can see why the state and local municipalities are hesitant to roll out a vulnerability disclosure policy because they know it's a cascading effect of all the resources and time, money, people, knowledge. And let's face it, a lot of folks with a lot of knowledge to fix this stuff aren't gung ho to go work in the private sector anymore. So that's my take on this.

Amelie Koran:
Okay. So given that, I mean it being a kind of a challenge, not just financially but other resource via staffing, time, people, what are you your organization's kind of doing and engaging with those parties, who do we need to basically influence and address, basically engage and address to start solving these? Is it the state level officials? Is it federal? Is it some of the companies that produce the software and hardware?

Kimber Dowsett:
Yes.

Amelie Koran:
Okay, down the line.

Kimber Dowsett:
Yeah. Yeah.

Casey Ellis:
You know for sure. Yeah, I think the thing that's not commonly understood or known is that because of states' rights, elections, both state, local and federal are carried out under the state umbrella and not the federal one. So the ability to enact federal policy that creates changes in this space is actually limited by that. And the reasons for that being the way it is are good. In this particular problem set, it's difficult because you can't centralize the solution. So that they are just as done, the things that they've been able to do with the fund and putting resources out and saying, "Hey, we can't make you do stuff. But if you do these things, here's some money that you can use to spend on that.", which I think has been a good approach.

Casey Ellis:
And really, the thing that we've been talking about with the states and the local folk, it's okay, where are you up to in terms of adopting a vulnerability disclosure policy as a part of that? Do you have the ability to actually ingest what might be found and then take it and remediate it? And if you don't, what are the other solutions that might exist that can actually help accelerate that? Because there's a huge spectrum of capacity and capability with the people that are actually looking after this stuff. It ranges from very large entities to the nephew of half the IT guy that works for a particular county. So how do you cover as much of that as possible and create solutions that are available, depending on what they're up to.

Jack Cable:
And yeah, on the front of vulnerability disclosure, the good news is that people are starting to take action. So we have both the state level for those who administer elections. They have begun stating their intentions to launch these vulnerability disclosure policies. So today, an official from Colorado announced that he and several others are going to be launching vulnerability disclosure policies soon. So we can expect several states to start out first and then slowly more and more should follow as this becomes a standard practice. And I think really just one several start, we'll see, "Hey, this isn't so bad, getting free vulnerability reports from friendly people who want to work with us to make us better."

Jack Cable:
That's a pretty good deal. So I think that's promising. And then on the front of the election vendors, they are also getting together and starting these policies. So they have under the IT ISAC, so ISAC is a strange, weird thing, an Information Sharing and Analysis Center where all the vendors get together and they discuss their practices. So they're considering starting vulnerability disclosure policies. So we're seeing across the board that they want to do better, both from vendors and states. And I think that actual props on that actual stuff is happening. And we can hope to see that soon.

Tod Beardsley:
Yeah, and we see this curve in every industr when it comes to vulnerability disclosure. Younger hackers in the room may not remember a time when Microsoft was very not interested in hearing about vulnerability reports and now they're very interested in hearing about vulnerability reports. But that's old news. Thanks, Katie. And I do think that for one, states and counties, they are going to come, we're going to have to kind of drag them in kicking and screaming, screaming, and screaming. And two, we also, as the researcher reporting these things, we need to keep in mind that these vulnerability reports are emotional events. And so having some empathy for the folks who are responsible for maintaining these systems will go a long, long way. I think it's unfair right now. It's still unfair to say, "Well, you should have known this." So I would hope that I can use use this soapbox that I'm sitting on right now. It is a soapbox, super uncomfortable, to encourage people to to be maybe a little less combative, not too much, like your bug, your choice. But when reporting vulnerabilities, just take into account things like is it a Friday night? Is it right before a three day weekend? Things like that go a long, long way on helping get credibility for future vulnerability reports and future vulnerability reporters like you.

Amelie Koran:
Kimber?

Kimber Dowsett:
I just want to take a quick step back because we jumped right into this discussion making some assumptions that folks in the room knew about elections in the big picture, like elections in capital E. So I just want to clarify that even though we talk about the 2020 election, which is an election everyone will be talking about, the President of the United States, the systems we're talking about though, each state handles their own voter registration. They roll their own systems for that. They are handling even the local municipalities are reporting up to the state. The state isn't always dictating what the local municipalities are doing or how they're handling their money or their systems. So the focus here is on state, I'm just clarifying for folks in the room, because that's where it's all happening. This landscape lives at the state level and it's not consistent across states. It's not even consistent across counties. So I just wanted to kind of say that.

Amelie Koran:
I think we were talking about this for the prep was the voting machines are the only ones that are actually the patches and upgrades are certified by the FEC. And that in itself is another process we'll talk about, but the poll books, the voter registration stuff, that is literally a roll your own type kind of thing. Each municipality kind of goes out and contracts with whatever vendor there is. So 50 states, how many counties, how many districts, that's how it is, so excuse me-

Kimber Dowsett:
Casey?

Jack Cable:
No, that's yeah, the area of certification, that's a challenge because you have to talk to the vendors, so the EAC, Election Assistance Commission certifies the voting machine vendors and they provide voluntary certification that states can opt in to select vendors based on. And what's challenging with this is that even say if a vendor just has to patch a security vulnerability in their voting machine, the machine has to go through the whole certification process again. So in that sense, certification is both a positive because it does enforce certain controls. Some of those are security related, but also can be really damaging to the process if a vendor can't get a patch out in time. So that's one of the major points of pain for voting machines themselves. And then the other systems are kind of just the Wild West. There's no certification. States can roll out whatever they want. And because of that, there's much less stringent controls around what can be enforced.

Casey Ellis:
Yeah. And that's sad about the EAC because it's a difficult problem that they have to solve, given the distribution of all the different ways.

Tod Beardsley:
What does EAC stand for?

Amelie Koran:
Hurting like an entire field of cats rather than just a couple in your house.

Casey Ellis:
And then trying to keep all the versions tracked and all those sorts of things. They have received a funding increase, and they are doing work on what's referred to as the de minimis change provision within the requirements of certification for voting equipment. So the whole idea of if you're missing a patch, you're not actually changing the things that they're meant to be certifying, which is the interface that's meant to keep the whole thing fair. Those sorts of things are being looked at, I believe, at the moment to be able to allow that whole process to work a little bit more smoothly.

Kimber Dowsett:
Can I just chime in with a little ray of hope too? Because it wasn't that long ago, folks in the room, you have to know about, like IoT healthcare devices and the problems we had with reporting vulnerabilities and then with having patches issued for medical devices. It was the same sort of thing, getting something through FDA approval in under 18 months was impossible. And then by the time you got your patch approved, there were already three more patches. And so you were still always behind. And FDA's made some improvements. So I like to look at that as a framework for a way that we've shown that we can kind of learn and that we can help the government learn with us through responsible, I hate the word responsible, coordinated disclosure with medical devices, so if we can work to kind of tackle that same thing with this, we'd see maybe hopefully, some of the same strides in patching faster.

Tod Beardsley:
Yeah, and that kind of story probably was, isn't any more, but it was news to folks that that live in counting IT. We heard a lot of caterwauling about like, "Well, we can't patch because EAC, which is the Election Assistance Commission." We've been down that road with medical devices and working with the FDA to make sure that we could actually patch things in a timely manner, which is-

Casey Ellis:
Which is the Food and Drug Administration.

Tod Beardsley:
Thank you. Thank you, Casey.

Amelie Koran:
Or DC, not everybody knows the acronym, so yeah.

Tod Beardsley:
We went down that road with automotive, like the automotive manufacturers have a super long window for certifying, getting things certified and safety tested and all that. And we've been able to compress that kind of time with patching there. So this is not an intractable problem. And if anyone gives you that excuse, say, "No, we can do this."

Amelie Koran:
So obviously, as you're mentioning here, this isn't just a solely technical approach. It's looking at like workflows and policy, and lots of people involved to kind of achieve that success? I mean, kind of the things we've done with I am the Calvary, create a branch there potentially for election committee stuff, and so forth. However, one of those cases is, as you mentioned, Kimber, about the fact that there is a ray of hope. So I'm kind of curious with your interactions individually or engagements with the companies, essentially who's really been, in your opinion, who's really been making some headway here? Who are the shining stars, the ones that basically say they got this, this is not necessarily best practice, but this is the kind of rolling in the right direction. Is there any particular state methods that's been tried, you've had experience or success with?

Tod Beardsley:
I'm a big fan of how Illinois is doing things to call out, like a good example. Illinois has rolled out the cyber navigator program, which sounds awesome and so Gibson-y and what that is, is a giant chunk of money that they have earmarked specifically for building out networking gear and also building up the training and how to interface with other parts of the government so they can do things like run elections. That was pretty much their mandate. I think it was great. It's expensive. I don't think every state nor every county can do that. But I am hopeful, and I was given hope this morning when we met with the National Association of Secretaries of State or NASS. When I asked, I was like, "Hey, how many here have heard of or care about the cyber navigator program.", and hands went up and lots of nods. So I'm like, "Cool, you guys are doing it." So that that part has been really great for me. I'll keep going.

Amelie Koran:
Oh I was just wondering if anyone else in the room, they're deep in thought.

Casey Ellis:
I'm trying to call out examples here. Yeah, so the state of Colorado on the issue of researcher rights, the interface between the security community and the overall election ecosystem, not just the voting machines, because it's not about just voting machines. We should have worn t shirts, but that's fine.

Casey Ellis:
They're doing a lot of work not just to figure out their own position and how to sanely move forward with that type of thing, as I said before, both for the sake of funding issues, but also for the sake of creating confidence in the voter base. They're actually doing a fair bit of work around educating other states. And at this point, I think that side of the solution, everyone's kind of standing around the pool, saying, "Yeah, it seems like a good idea.", but they're waiting for the first person to jump in. And what Colorado is doing is trying to get a bunch of people to jump in at the same time to kick that off, which I think is a really smart way of approaching it.

Casey Ellis:
And what it does is it allows people that are actually on the coalface and thinking about the remediation, the response, the actual stuff that has to happen downstream of this, they can collaborate because they all share sets of issues that needs to be considered as a part of that. I think with the manufacturers themselves, there are some that are actually leaning forward and launching disclosure programs. Time will tell in terms of how they're doing with actually receiving the input from those and using it. But the fact that they've signaled that and they're engaging with the community proactively, that conversation kind of got off on the wrong foot. And we've had to do a little bit of work to repair, I think the trust that they have in the hacker community in general, but we're at a point now where that's starting to cross zero and get positive.

Amelie Koran:
Oh, yeah, really.

Kimber Dowsett:
I was just going to tag in about Colorado because they're my favorite, because they do mail in ballots, which shuts all you all down, but I also think it opens up for folks in rural areas to participate in ways that they wouldn't be able to participate otherwise. So mail in ballots, that's what I like. On the flip side of that, West Virginia is experimenting with blockchain. And we're not going to make any sounds here now.

Amelie Koran:
You can't make a drink, that's too much liquor.

Kimber Dowsett:
We can't do that.

Amelie Koran:
It's got to be moonshine, too.

Kimber Dowsett:
But the West Virginia, Colorado contrast in the way that states are handling elections should tell you everything you need to know about how states are rolling this out. They're making it up as they go, doing what they think will work best for their constituents.

Tod Beardsley:
Which is kind of the story of the internet, right? I'm not worried about that. It will all work out in the end. Also, there's no end.

Jack Cable:
And one other entity that's playing an increasingly supportive role in this is the organization CISA, the Cybersecurity and Infrastructure Security Agency under the Department of Homeland Security. And they've ramped up their efforts since 2016 in response to all that happened, in order to provide states with the support they need to better secure their infrastructure. So they offer for instance, free scanning and pen testing of these election system. States just have to ask and they get that support for free. So CISA has been playing a large role in securing the actual infrastructure and yeah, another entity that is helping on this front.

Amelie Koran:
So we did a thought experiment, while we're getting prepped here,  to kind of talk about a little bit of one of the reasons that Jack is here is he's had experience trying to report a vulnerability up to one of the vendors. And I didn't know if you'd like to share a little bit of that process and what that provides as some of the challenges going forward from here.

Jack Cable:
Yeah, so the way I got into the area of election security was when I was registering to vote myself. I came across a vulnerability in my state's voter registration system, which was pretty bad. It was a SQL injection flaw. And the process of actually going to disclose that to the state was a lengthy one. It took about six months to actually find the right person to disclose it to and get it so they can fix it. And that was kind of my introduction to seeing where vulnerability disclosure can go wrong. And seeing that it wasn't necessarily the fact that there was no one I could talk to. It was just I didn't know who to reach out to. And to the average person who stumbles across a vulnerability in one of these systems, it's not clear that you have to go, say to a certain entity that actually manages the elections rather than just the state government, or whatever to someone just from the outside.

Jack Cable:
So I think that's a major point of having a vulnerability disclosure policy is making it as accessible as possible for someone who's from the outside, doesn't know anything about how government works, what the EAC says, all of these crazy acronyms are, and they're able to disclose the vulnerability and get to the person who can fix it. So yeah, I think that that's a major point why we really need these policies because otherwise, people just aren't going to know what to do with these. It's inevitable that people are going to find vulnerabilities and they need a way to be able to quickly tell someone about it.

Amelie Koran:
So shifting gears a little bit, you were talking, we mentioned about this disinformation campaign, some of those soft threats earlier on here. Generally, for seemingly non technical threats, such as disinformation spread through various means, Facebook, social media, your parent reads a newspaper written by a really awful author, what are better approaches to attacking these soft vulnerabilities, either addressing them through word of mouth to basically use the spread of intelligent folks to go and try to combat that there? Or do they require new approaches? Are these things that we haven't really thought about because we've just been exasperated? And are there ways we can tackle them now or we're just going to give up? Is there a chance to do something between the primaries and the next election or is it something we're just going to have to throw on the backlog?

Casey Ellis:
Yeah, I mean, I think the biggest antidote to that is really to dilute the impact of misinformation by actually going out and voting in the first place and for as many people to do that who intend to do that to go and get it done. And regardless of the wacky stuff that might happen on the internet and then the news around it, basically don't let anything prevent you from completing that, even down to, Jack raised the threat model of someone monkeying with the voter registration systems, like if you rock up and you're an American citizen, you can cost a provisional ballot. So there are escape routes, even if there is actual interference that's identifiable on the day.

Casey Ellis:
So I think that's the big one. I think the issue of the suspension of disbelief that we all seem to have kind of grown accustomed to in terms of where we get our news from collectively, it's interesting. Facebook have come out and talked about some of the privacy data stuff and being able to disconnect different things and actually try to educate to some degree people on where their information is going. I mean, honestly, the platforms that are doing this stuff don't actually really have an incentive to solve this problem. Because the more polarizing content there is on their platforms, the longer people are going to have their eyeballs on there. And that's kind of the whole reason they're there. So yeah, I kind of like the idea of turning the internet up to stupid for a little period of time and see if we can get the frog jump out of the pot. And people have actually reengaged critical thinking. That's like my off the cuff solution for this one, but it's not a great one.

Amelie Koran:
Thank you for being on this.

Kimber Dowsett:
So I think for sure, go vote. No matter what, go vote.

Amelie Koran:
I think that's the central message for us here.

Kimber Dowsett:
That's our message. I don't care who you vote for. Just go vote. And so I think that one of the things that we can do as researchers, some of you have probably participated in interviews with reporters. they're going to ask questions meant to get clicks. They're looking for the hot, "Oh, this state was hacked and the state didn't know for three weeks because nobody at state level had clearance to receive the vulnerability that happened." So if you can kind of think of it in the way you do improv and just add the yes and, well, yes and we worked really hard to remediate those vulnerabilities, or here's what we're looking at in the future, or yes, the voting machine fell in two minutes but this voting machine actually isn't in service and kind of correct some of the misinformation that's getting put out there that's really just meant to incite fear and get clicks and don't be part of that system. The market's flooded with bad information. So if we can flood it with truthful information, good or bad, but let's be truthful, but never deter folks from voting as you're putting out your message. So that's my soapbox.

Amelie Koran:
And a bunch of us here and some of the folks out in the audience participated in Hackers on the Hill on Thursday, we got a chance to talk to some legislators and their staff. I know for at least for the ones that we went with, they had election security as part of those topics. Are there other folks, how would we engage the campaigns? They're on TV all the time, they're buying ad time, they're in front of people, they're going out in primary, or Iowa I guess, come Monday. If you have time in front of them, what's the thing you would tell them to do, since they have a bully pulpit in a way to help out this then?

Kimber Dowsett:
I talked last time.

Jack Cable:
I think if we're thinking about what campaigns can do, a clear first step is to think about security. It's concerning that zero of the campaign's have a CISA at all. So who is going to be securing these systems that play an increasingly important role and we know are being actively targeted by foreign actors trying to influence our elections. So I think that that's a clear step we need to be thinking about. If they're not thinking about it, then it's hard to imagine that they're doing security very well. So on one end, we need to make sure that campaigns themselves are secure. The other end of that is making sure that campaigns commit to following certain practices, for instance, not disseminating misinformation that they're aware of, or for instance, after an election ends, claiming that was interfered in, in order to say maybe that the election wasn't legitimate.

Jack Cable:
So I think that campaigns need to commit to be as open as possible not to spread false information about the security of these elections. We've seen in some smaller state elections, such as in Georgia that this has led to elected officials or those who didn't win elections casting doubt on these elections. So that's really the role to secure their own systems and then to ensure that even if they don't win, they're not criticizing the security of our election systems.

Tod Beardsley:
Yeah, plus one. The purpose of elections is to convince losers that they lost and if a candidate, supporters are going to go on Twitter and be done, and do that.

Amelie Koran:
You have winners though complain that they lost even though they won.

Tod Beardsley:
Right, sometimes, but like when a candidate does that, that is super damaging. That is anti democratic. We currently live in an environment where we are announcing winners and losers on election night, weeks before the vote has been certified, but some exceptions, asterisk 2000. Usually the candidates will make their concession speeches, and that is their opportunity to show grace and humility and better luck next time, buddy. And I'm hopeful that in the coming elections, primaries and general alike, the losers of those elections take the loss. And please don't blame the cybers because that's not helpful for anyone.

Amelie Koran:
So, we're getting closer to the end here. But this is kind of the stage where you're up here and this is the call to action, everybody here. So my question to the panel here as we start to wrap up, what are things that the average human being here with some skills and maybe not, go back and tell mom and dad while you're doing tech support on them, what is the message that they can kind of carry out either to perform as an individual or the message that they can, this group of people can actually go and do.

Tod Beardsley:
I'll go again. I think that if you, so people in this room are some of the most likely people to find vulnerabilities in systems that are election and election adjacent, so like voter registration, counting websites that tell polling locations, things like that. If you happen to find vulnerabilities, don't be frustrated. You will probably have a little bit of trouble finding the right person to talk to, right Jack? But if you do run into that, reach out to CISA. I mean, for today, I think that's probably the best clearinghouse for this kind of stuff. Election infrastructure is critical infrastructure. It is in their mandate to deal with. CISA at Department of Homeland Security is very researcher forward. They love us guys. They really do. It's weird. I know they're from the government, they're here to help kind of rings hollow. But for them, in my experience at least, and I've been around a couple blocks on vulnerability disclosure, they are more than willing to help and at least listen to you. So if you run into problems reporting those, go to them.

Jack Cable:
Yeah, I would definitely echoed the sentiments on vulnerability disclosure. I would say that even as a first step, if you find a vulnerability, just try contacting, say, the Board of Elections or whoever it is that hosts them, and most of the time they're receptive, and they want to do better. And then yes, CISA's a great fallback. And I would say that second, the key thing to keep in mind is that elections are a multi layered system, and there are fallbacks for when stuff goes wrong. So if, say for instance, a voting machine breaks down, or there's ransomware on it, there's paper ballots. If someone tries interfering with that, most states now, one use voting machines that make paper ballots into, they perform some type for audits, many more are now performing risk limiting audits.

Jack Cable:
And like Casey said before, for instance, if a voter registration site is compromised and someone changes all the records, you have a right, guaranteed by law to cast a provisional ballot, and that cannot be interfered with if voter registration databases changed. So there are these fallbacks, that in the worst case scenario, we can still vote, we can still be confident that our elections worked as trusted. So because of that, I think the key thing to keep in mind, which is what we've been saying this whole panel, is that yes, there are vulnerabilities. Yes, our elections are going to be targeted. But the key target is people's perceptions of the elections and not the elections themselves. So keeping that in mind when we talk about these, when we talk about voting systems, when we talk about vulnerabilities, we clearly need to be doing research, we need to help better secure them but we always should come around with the caveat that it's not going to be the end of the world.

Casey Ellis:
Yeah, for sure. I think the role because the role that probably everyone in this room plays in their family and in their peer group is that you're the critical nerd, who if there's something wrong with something, you'll be the person in the group that speaks up about it, which makes it really powerful when you understand some of those things that actually exist as backstops to preserve the integrity of the process. And use that as your own opinion, if you buy into it, obviously. But hopefully you do, that you should still go and vote even if things get weird on social media or you start reading things that are funny or whatever else. I think it's a personal decision in terms of your own conviction on the subject, but I think the role that the security community can play specifically for 2020 is to use the network effect that's available in a group this size to actually educate others that yeah, no, you know what, this has been like the most important thing that we can do is to actually show up.

Amelie Koran:
Kimber?

Kimber Dowsett:
So this is where I'll get on my community soapbox and say when you go to vote, most of the folks in the place where you go vote are volunteers. And that means there are volunteer opportunities like right now in your local communities to go help with that. Yes, help the poll workers or there are a slew of other things that happen at the places that you go vote. And then second to that is campaigns, I know that none of us have a whole ton of extra time on our hands, but if you really want to help your local candidate, volunteer for their campaign and tune them up.

Amelie Koran:
No, no, Mick.

Kimber Dowsett:
But that's the thing, particularly local governments, those folks are running for office on their own dimes. And they're like just boots on the ground with more volunteers. This is not a thing that we can just fix with code. I wish we could, but this is going to take a movement of people actually giving a shit about security in your local community, your state, and then at the federal level. And I mean, you're going to have to stop bitching about how broken it is and go help fix it.

Amelie Koran:
So that's the thing. I mean as part of a call to action, most of us are probably or some of us are going to hacker summer camp. You got some time. If you see any of us are going to be there, come back and give us a report card. I want to know, we want to know what you've done. We've given you the tools, we've given you the information Yeah, I think one of the talks yesterday, Bruce was talking about his call to action. There's just some people that will go and do it. But this is important for our democracy. This is important for our country. This is important for your family, your loved ones, your friends. So go from here, grab a drink and go, what the hell can I do? So that's me trying to address the panel here and the crowd. But I think we've got a lot of tools here to go for it. So one of the things is here, we've got a little bit of time left. I don't want to necessarily take questions, we'll go to the bar while they're setting things up here.

Amelie Koran:
But anyone from Cincinnati is kind of used to Jerry Springer. So he always had a closing statement. So I want to at least also let any folks here just kind of not necessarily stick to the script. But if you got about four minutes to kind of rapid fire, like, what are you going to do personally, with this knowledge now?

Casey Ellis:
Make it as easy as possible to formulate policy that allows for any organization of any size, like federal down to the local level, to instantiate a sane vulnerability disclosure policy, and then to be able to assist them with whatever they're up to in terms of their ability to actually do that, help them get to the next step.

Kimber Dowsett:
So this morning, actually I was at the NASS meeting also and have offered to volunteer my time with a couple different secretary of state offices to help roll out some bare bones VDP policies with very limited scope, so don't get excited. There's no bounties, sorry Casey. But just to help them start to think about ways to help people report vulnerabilities to their states.

Amelie Koran:
Jack or Tod?

Jack Cable:
Likewise, yeah, I'm planning on helping both states and vendors and starting vulnerability disclosure policies. Then personally, I'm also in talks to work with CISA on these election issues in order to address kind of some of these technical flaws at scale.

Tod Beardsley:
In my local community, I am a poll volunteer, poll worker volunteer. It is like a 16 hour day and it's super fun and it's crazy and if you're a little bit extroverted, it goes a long way. That's super fun, and I love talking to people about voter security while they're standing in line to vote because I'm in the position to well actually then, so it's very gratifying.

Amelie Koran:
All right, well, thank you very much, our esteemed panel Kimber, Casey, Tod and geez, I just blew that one. But anyhow-

Kimber Dowsett:
Jack.

Amelie Koran:
Jack. Yes. Long day. I've got a tattoo fresh I'm in pain. So you see me like-

Tod Beardsley:
Yeah, super badass too.

Amelie Koran:
I did it on a dare but anyhow, thank you for coming.

Tod Beardsley:
Best tattoos are dare tattoos.

Amelie Koran:
Go out and vote. Go out and help your community and thank you for coming to ShmooCon on the panel.