*35C3 preroll music*

Herald Angel: Mr. Halderman, professor of computer science at the University of Michigan. Famous for inventing things like Let's Encrypt, finding the--

*applause*

Herald Angel: There's more. *applause*

Herald: But wait, there's more! Logjam -- I love buzzword bingo -- and ZMap. And now he's going to talk about American elections. Thank you.

J. Alex Halderman: All right. Thank you so much. It's fantastic to be back at Congress this year. Two years ago I was here with Matt Bernhard, one of my Ph.D. students, and we gave an update about what happened during the 2016 presidential election. Today a lot has changed and a lot remains the same. And I'm here to let you know what we've learned about what happened in the 2016 election and what we still need to do to make sure elections in the U.S. and around the world are well protected. So, a quick flashback. On November 8th, 2016 Donald Trump became president of the United States by beating some other person. Now history quickly forgets the losers in presidential elections. And it really doesn't matter who Donald Trump beat, because today, for better or for worse, he is the president. But how close was the election?

President Trump likes to talk about how he won by a landslide, but actually he was the fifth person in American history to win the presidency while losing the popular vote. In fact his opponent received 3 million more votes in the election than President Trump did. How can that happen? Well we have this crazy system called the Electoral College. And in the Electoral College each state has a certain number of points, and Donald Trump ended up getting more of those points. But if we want to ask "How close was the election, really?"... well that depends on the way each state allocates its electoral votes, and most are "winner-take-all". So we might ask how many votes would, say, an attacker have had to change in the smallest number of states in order to change the election result, in order to, say, make it a tie instead of a win for President Trump. And it turns out that if you look at the three closest states, they could be flipped with a very very small number of votes changing, and changing just any two of these three states would have been enough to reverse the outcome of the presidential election. If we look at the next few closest states they also have very small margins, and any three of these six states would have sufficed to change the election result.

In total just changing twenty seven thousand, five hundred votes from Donald Trump to Donald Trump's opponent would have changed the outcome of the U.S. presidential election. There were 137 million votes in total. That's a change of just 0.02 percent. That is a very close electoral result by even contemporary American standards. And that's why the possibilities of computer hacking, voting machine manipulation, information warfare that actually did take place, some of them in 2016, not only have the possibility to have affected the 2016 election result but stand to have the possibility to affect future election results as well. And that's why election security is so important right now. But if we go back to 2016, when I was speaking here two years ago, the main thing I was talking about were recounts in three states: Wisconsin, Michigan, and Pennsylvania, that I and other election security advocates had a big role in orchestrating. Well we realized after 2016 that this was a close and unexpected election result, but no one was going to go back and check the physical evidence of the votes: the actual paper ballots in any states that really mattered, to make sure that the computer election results we had been told about were right. Well, when I and others pointed this out to the public it resulted in an overwhelming show of support.

And one of the third party presidential candidates, Jill Stein, stepped in and had the legal standing to demand recounts in states where she stood for election, even though she had no chance of winning. And she raised through small donations from the public more than seven million dollars to fund efforts to go back and count and check the votes to make sure things were right. Unfortunately, a recount after an American election is a politically fraught process, and in all three states we found opposition from the apparent winner of the election, we found challenges in the courts, and only one of those states, Wisconsin, ended up recounting all of its ballots and found no evidence of fraud. In Michigan the recounts were halted after only a few days with less than half of the votes counted, after a court challenge by the Republicans. Again, no evidence of fraud in the votes that were recounted. And in Pennsylvania, unfortunately, like many states most of the state had no paper trail at all. There was nothing to recount: just digital records and machines. The courts denied the Stein campaign the right to have independent experts examine the machines, and in very few of the places in the rest of the state, the small amount that did have paper actually did complete a recount. But still there was no evidence of fraud.

So in all there is no evidence that hacking of voting machines -- hacking of actual vote counts -- changed the outcome of the 2016 election. But there is abundant evidence that cyberattacks of other forms had a major influence on the election, and certainly could have a huge influence on future elections. And that's what I'm going to talk about today. So first looking back at 2016: in the two years since I was last here we have learned a lot more about what really took place during the 2016 election. Starting just January of 2017 when the U.S. intelligence community -- the CIA, NSA, and other three letter agencies -- who often in this community we don't trust, still came out and released a joint assessment in which they rated with very high confidence the conclusion that attackers linked to Russia were ordered by Russian President Vladimir Putin to interfere with the American election in order to weaken Clinton, boost Donald Trump, and discredit the electoral process as a whole. They called it a significant escalation of longstanding Russian efforts to undermine the US-led liberal democratic order. So where's the evidence that this actually happened? And what actually happened? According to not only the intelligence reports but other information from other sources we can use to see whether it's credible. Well what happened in the U.S. actually looks a lot like something that happened in 2014 in Ukraine, where, according to other published reports, attackers linked to Russia engaged in a multipronged attack to try to undermine the presidential election there. They released targeted leaks of e-mails linked to the presidential campaign. They attacked the Election Commission's servers in order to cause them to initially post the wrong presidential winner. And this was apparently detected and narrowly averted only hours before the winner was to be announced. And they orchestrated DDoS attacks to try to delay the election results. In the U.S. in 2016 we saw a similar multipronged attack of targeted political leaks, trolling and message amplification on social media, and attacks against election infrastructure. So the targeted political leaks, you've probably heard about some of this. You have e-mails stolen from the Democratic National Committee through a hacking campaign that involved two different Russian-linked military groups hacking into the DNC servers, installing customized malware and exfiltrating thousands of e-mails that were then published by WikiLeaks. Later, John Podesta -- Clinton's campaign chairman -- also had his personal email compromised, and Podesta's emails were similarly published by WikiLeaks.

Whatever you think about WikiLeaks -- and government transparency, and I myself am a huge fan of transparency -- there's clearly something subversive and manipulative about just one side being targeted, and being targeted by other foreign nations, and having its dirty laundry aired for the world to see. This is subverting the entire notion of transparency, turning our need for true information about politicians against us and manipulating the entire process. John Podesta, since his e-mails were all leaked to the public, well, we can go and see the phishing attack e-mail that got his password, and here it is. So this mail sent to John Podesta claims to be from Gmail saying that someone has tried to sign in with his password and he urgently needs to change it by clicking here. Well he did click there and Russia got his password. We also see his staff talking about this e-mail, and one of his staffers recognized that this was a phishing attempt and emailed urgently telling John Podesta to change his password immediately, but he typo'd. In dashing out this e-mail he wrote that this is a "legitimate e-mail". He has subsequently claimed every time he's talked about it that he meant to write "illegitimate" not "legitimate". Well, the rest is history. A couple of extra letters might have changed a lot.

So beyond the e-mail leaks we've seen an orchestrated campaign on social media through trolls and false identities to try to manipulate people's opinions, to try to create political divisions between people, to try to amplify certain discordant messages. That could be a whole talk in itself, and I'm not going to go deep into the trolling and message amplification, but it's a subject that is an ongoing form of attack that again turns our tools of communication against us. People need to know whether the information they're reading is really what other people they know and are like them think, or whether it's being generated by bots, by attacks. Alright, this kind of artificial amplification and manipulation of messaging turns us against each other. Finally, and the category of attacks that I want to talk about most today because I think they're the most relevant for our community, are attacks against election infrastructure itself: the increasingly computerized systems that we use to run elections, not just in the US but in countries around the world. There were attacks against voter registration systems in states across the country, organized by the same Russian groups. There were attacks against companies that make technology used in polling places. In all, the intelligence assessment is that up to 21 states had their voter registration systems probed.

Now of course how can you go back in time and know for sure that others were not probed, were not compromised? That's very difficult, even if you are, say, the NSA and are watching everyone's network traffic. However we know that in multiple states the attackers got in through SQL injection, through other attacks, and were able to steal hundreds of thousands of voters' registration records. More information came out later in 2017 through leaked information from NSA. So this woman, Reality Winner, an NSA contractor, leaked to the Intercept a series of intelligence assessments that showed the Russian attacks went even farther, that they executed attempts to break into the computer systems of at least one election computer software vendor, and then after breaking into their systems started trying to phish their way into the computers of local election administrators, the people who actually run the technology on Election Day. For sharing this information with us Reality Winner is currently serving a five year prison sentence for violating the Espionage Act. But the information that she leaked has since been corroborated.

In July of this year prosecutors in the Special Counsel's office -- this is the Robert Mueller investigation of Russian interference and collusion -- indicted a set of GRU officers, Russian military officers, in conjunction with the voter registration system attacks, the theft of email from the Democrats, and the attempts to indict local election officials. If you're interested in this stuff I highly recommend you read this indictment. It's about 20 pages of very detailed information asserting to apparently detailing exactly who these people were, where they worked, what they did. Step by step. Now it's scary to think that we might have such detailed information about crimes that took place in the past. It doesn't say how we learned, for instance, that this certain officer, Anatoly Kovalev, was working for unit 74455 of the GRU at 22 Kirabo Street Building, the tower, and quite how he pulled off each step in the attack that's asserted here. But as the Mueller indictments advance, as the special prosecutor's case comes together, we're likely to learn a lot more. And what's to come in 2018 as the Mueller investigation winds down, I think we're going to learn a lot more about quite who ordered what, about who in the United States was involved, and about whether the attacks went even further than we have so far discovered.

So that's 2016 and what we've learned about 2016, but I'm here today to give you a progress report on 2018. So what happened during the 2018 election? Well we saw several things during the November election this year. According to intelligence, once again, we have allegations of continued social media influence operations, this time allegedly linked to not only Russia, but China and Iran. Now I think it's very difficult to independently comment and establish on whether these allegations are true or even to understand the full extent of the social media involvement, because it's just a small set of large Internet companies that have the raw data that we need to analyze. However the best reports we have are these assessments from the intelligence community that the social media influence is ongoing. We also saw sporadic breakdowns of voting machines. Now patterns of breakdowns of voting machines could be the indication of an attack. But in 2018 all of them seem to have perfectly natural explanations. In New York City for instance many optical scan machines broke down and jammed and caused long lines, but apparently it was because it was raining and that causes the paper to swell a little bit, these machines to mis-feed and so on. So this is probably just natural failure. We also had unfortunate human error, for not the first time.

An election in Florida potentially had the result changed because of very bad usability design in just the layout of the ballot. So in Broward County, Florida 3.7 percent fewer voters cast a vote at all in the U.S. Senate race than the race for governor. This was potentially enough, because of the demographics of Broward, to change the outcome of the Florida Senate race. Here's why: here's the ballot. So this is the race for governor, which most voters filled out, as you would expect. Right down there underneath that long column of instructions is the U.S. senator race. So you imagine this ballot. It's much larger than a normal piece of paper. The bottom of that is hanging off your desk as you're filling it in. I can see how 3.7 percent of voters might have completely missed that race in the first column. Finally we had the old-fashioned political fraud. In North Carolina a race for the House of Representatives was decided by only about 900 votes. But it's come out since then that operatives working for the Republican candidate allegedly stole or manipulated a large number of absentee ballots, and the candidate there hasn't been certified yet, and likely won't be seated on time. There's multiple investigations going on into exactly what happened, but it goes to show you that political fraud is a reality. And even outside the domain of computers it continues to this day.

Now if you can imagine an election can be changed by just a few people working on the ground, going around collecting people's mail-in ballots and promising to return them for them, well imagine what nation state attackers could do to a vulnerable and highly computerized online infrastructure. But on the whole 2018 was, well, eerily quiet. But if we go back to 2016... so the U.S. Senate Intelligence Committee, a bipartisan group controlled by Republicans in the Senate, issued its report earlier this year about 2016. They pointed out that they found that in a number of the states where Russia attacked the registration systems, the Russian hackers were in a position to, at a minimum, alter or destroy the voter registration data, which, if undetected, would have caused massive chaos on election day when people showed up to vote and were told that they weren't on the election rolls. But those attackers chose not to pull the trigger. And I think that's exactly what happened in 2018. It was quiet, not because we've adequately secured our election systems, but because our adversaries this year chose not to pull the trigger. They're waiting for the bigger prize in 2020 when we're likely to once again have a close and divisive presidential contest. So what do I worry about?

What I worry about most is not the last war -- registration systems, all of that -- but the bigger prize: the 2020 election and the vulnerabilities in the way that we cast and count votes in the U.S. Now I testified about this in 2017 to the Senate Intelligence Committee and -- that's actually not me, that's former FBI Director Comey -- but two weeks later I was sitting in the same chair with far fewer TV cameras and testified that the real lesson of 2016 is that the threats are real and that the attackers will be back. And this is the picture I painted: so U.S. voting machines have their own extreme set of vulnerabilities. I was going to bring one of these machines, an AccuVote TSX, with me here today. This machine is still used in many parts of the U.S., but my machine has been in Germany for about a week and FedEx doesn't know where it is. So if it shows up I'll have it somewhere for people to play with, but my advice is if you have to ship something urgent to Germany don't send it via FedEx. What I would have shown you though is a mock election on this machine, and the mock election I always like to do to keep it from getting too political is between George Washington, the father of the country, and Benedict Arnold, the traitor of the American Revolution. And of course everyone likes to vote for George Washington. But these machines are so vulnerable.

So I would have shown you an attack whereby I can compromise this machine and cause it to report the wrong election outcome without having any direct physical access to the voting machines. Instead all an attacker needs to do is be able to infect these memory cards that election officials use before every election to program the machine with the design of the ballot -- that is, the races, the candidates, the rules for counting. If an attacker can infect the memory card there are a whole host of different ways that the attacker can compromise the machine and install malware on the voting machine itself. There is an unauthenticated software update mechanism that can replace the election software. There are buffer overflows in the code that's used to read the ballot design and process it. There's even an interpreted programming language that's used to generate the reports of who won. So you can just replace the honest counting software with dishonest counting software right on the memory card, and that's what will get executed and determine the election results. Any of these ways would be sufficient. So when the machine counts the votes at the end of the election it prints out a little cash register receipt that becomes the official record of the result. That's controlled by the interpreted programming language on the memory card.

And on my machine, no matter who you vote for, Benedict Arnold is going to win. And that's because the malware I install via the memory card is in complete control of the election results. And there are more problems than that. So these voting machines like the AccuVote TSX have been studied by academic researchers, by independent researchers, by groups commissioned by secretaries of state in various states around the country. And every time the same machine is studied again, groups find new vulnerabilities. This is part of the table of contents from a report I helped to author ten years ago about the AccuVote TSX, and you can see just this one page of several pages of vulnerabilities in this single machine. These things are so poorly designed; they're so complex. Each of the voting systems has on the order of a million lines of source code. And that's, in this case, on top of an old and unsupported version of Windows CE. There's no way that these things could possibly be secure. But the AccuVote TSX is still used in 18 states. In many of these states it's still used with software that predates that 2007 report I just showed you. We've had known buffer overflows and other problems in this firmware for more than 10 years and some states still have not updated the software. That's how bad it is. But it's not just that one machine.

So in the US every state gets to pick its own election technology. There are no federal rules that require states to do any particular kind of technology or testing, and you might ask, especially from the European perspective, why don't we just count votes by hand like a civilized country? Well here's part of the answer. This is one example of a ballot from one part of the country and it's eight pages long. We insist on voting for not only the federal races but the state and local races and even city races. The joke is even for dog catcher. And this complexity, well, counting ballots by hand scales linearly with the number of questions, and our ballots by tradition are just too complicated to efficiently count manually. So we turn to computers, and about half the country -- well, really there are two different styles of voting machines that we use. Some of them are optical scanners where the voter fills in a piece of paper, and it gets scanned in by a computer. The rest are touch screen machines and others that we call DREs -- direct recording electronic. On these machines voters cast a vote on the screen; it gets recorded in electronic memory; some of them will also generate a print out of each vote, but that's relatively rare. In many cases the only record of the vote is in a computer memory.

So in study after study these machines have been examined, and in every case, for both the optical scanners and the DREs, where a machine has been tested by qualified people, well, it's been found to have vulnerabilities that would allow an attacker to install vote stealing malware and change the electronic results. Every single case. So how hard would it be to go from hacking these individual machines to, say, changing the results of a presidential election? Unfortunately much easier than we might think. There'd be three challenges to doing this in a way that would likely be invisible. The first challenge is that the machines are, well, many different types. They're diverse; they're decentralized. Each state's system is independent, and thank goodness! Because that means that we don't have just a single place you can hack into to change results nationwide. Unfortunately, because of our electoral college system, this diversity of technology can turn into a weakness in very close elections. So remember I said that just any three of six states, for instance in 2016, would have been sufficient to flip the outcome of the presidential election. Well before an election an attacker can scan all the states, figure out which ones are most weakly protected, and, if they can find enough weakly protected ones to strike in, that could be sufficient to change the national results.

So the attacker gets to pick and choose, because our diversity of technology also means a diversity of strength and weakness. The second challenge is that, as election officials often point out, the voting machines aren't connected to the Internet, or at least they're not supposed to be. It turns out that some of them are, because they upload their results over a 4G cellular modem right after election results are complete. But let's just suppose they're not connected to the Internet. All right. It turns out that's still not enough to protect us. So as I said, before every election every single voting machine in the country has to be programmed with the ballot design, and that ballot programming is created by election officials on a computer workstation somewhere, usually an old Windows PC. Those computer workstations can sometimes service an entire county, sometimes an entire state. Sometimes they're controlled by independent external contractors that can perform work across multiple states. And if an attacker can infiltrate one of those systems they can spread vote stealing malware on the memory cards to voting machines across the whole region. So how hard would it be to break into one of these systems? Well in Michigan, my state, in 2016, about three quarters of counties outsourced this programming to just three small businesses.

These are 10-20 person companies operating in strip malls and so forth -- the same companies that the jurisdictions buy their ballot boxes and "I voted" stickers from. Here's the website of one of them. You can see it doesn't have HTTPS, has lots of nice high resolution photos of their warehouse in case you want to burglarize it, and, probably most interestingly to an attacker, they have this nice employee directory with everyone's name, photograph, job title, and email address. So if I wanted to break into elections in Michigan I might start by, say, forging an email from Larry the president there to Sue his administrative assistant and say I urgently need you to open this file. After she does, of course, it installs my malware on their network, I'm in. I'm one step away from the election programming system and spreading malware to machines across a quarter of the state. All right, there's one more challenge. And that's that today more than 70 percent of US votes are recorded on a piece of paper. And this is great! This is much more than ten years ago, because officials have been listening to computer scientists and security experts who have been warning about the dangers of fully electronic voting. And paper might seem like a step backwards, but it's actually a pretty high tech way of thinking.
In any kind of critical 335 00:32:22,500 --> 00:32:26,889 system, if we can afford to have a physical failsafe in case of technology 336 00:32:26,889 --> 00:32:31,649 problems it's a good idea to do that. This is why if you fly on a commercial 337 00:32:31,649 --> 00:32:36,470 aircraft... well, it has a very fancy satellite-guided navigation system, but 338 00:32:36,470 --> 00:32:41,539 also, by law, there's a magnetic compass in the cockpit. It's also why in your 339 00:32:41,539 --> 00:32:47,220 car...well you probably want to have a mechanical linkage between the brake pedal 340 00:32:47,220 --> 00:32:54,280 and the brakes just in case... well, you know. So paper can be a very sophisticated 341 00:32:54,280 --> 00:32:59,460 defense. It's relatively slow and expensive to tally, but it's something 342 00:32:59,460 --> 00:33:05,399 that's verified by the voter and that can't be changed later in a cyberattack. 343 00:33:05,399 --> 00:33:10,350 Meanwhile we also get an electronic record from systems like optical scanners that's 344 00:33:10,350 --> 00:33:16,179 fast and cheap to tally, but unverified. As long as we make sure that these records 345 00:33:16,179 --> 00:33:19,970 agree well then changing the election result would require you to change the 346 00:33:19,970 --> 00:33:23,990 electronic record through a high tech attack. And the paper records through a 347 00:33:23,990 --> 00:33:28,340 low tech attack and in a way that agrees, and that would require a truly 348 00:33:28,340 --> 00:33:33,919 extraordinary conspiracy. And to check that the paper is right... Well we have 349 00:33:33,919 --> 00:33:38,989 high tech approaches to that too. You don't have to count all of it. 
In fact 350 00:33:38,989 --> 00:33:43,860 over the last ten years computer scientists and statisticians have 351 00:33:43,860 --> 00:33:48,570 developed very sophisticated ways of just spot checking the paper record to make 352 00:33:48,570 --> 00:33:53,100 sure that it's right and these are called risk limiting audits. A risk limiting 353 00:33:53,100 --> 00:33:58,249 audit is a statistical process in which you can count randomly selected ballots 354 00:33:58,249 --> 00:34:01,960 until you establish with high confidence that hand counting all of them would 355 00:34:01,960 --> 00:34:07,539 determine the same winner. There are many ways to do this but they all turn out to 356 00:34:07,539 --> 00:34:12,969 be, or many of them turn out to be incredibly efficient. In a typical state 357 00:34:12,969 --> 00:34:19,809 with a fairly wide margin of victory just spot checking a handful of ballots might 358 00:34:19,809 --> 00:34:23,570 be enough to establish with high confidence that the winner really did win 359 00:34:23,570 --> 00:34:29,359 by a landslide. Of course if the election result is a tie, logically you do have to 360 00:34:29,359 --> 00:34:34,649 look at all the ballots to establish that it is indeed a tie. So the amount of work 361 00:34:34,649 --> 00:34:39,320 you have to do depends on how close the election was. But in all cases you can 362 00:34:39,320 --> 00:34:44,340 find an efficient approach to determining, without trusting the computer systems, 363 00:34:44,340 --> 00:34:50,569 that the paper really does reflect the true winner. Unfortunately, well, most 364 00:34:50,569 --> 00:34:55,179 states don't do risk limiting audits. In fact most states don't look at enough 365 00:34:55,179 --> 00:35:02,620 paper at all to determine that the winner of a close election was genuine. So 366 00:35:02,620 --> 00:35:08,510 hacking a national election would probably be easier than most of us thought. 
You can 367 00:35:08,510 --> 00:35:13,041 use pre-election polls and scanning to determine which states to target, hack 368 00:35:13,041 --> 00:35:17,531 into the election management systems in the most weakly protected ones, then 369 00:35:17,531 --> 00:35:22,180 infect voting machines with malware to change, say, a few percent of the vote. 370 00:35:22,180 --> 00:35:26,859 The paper records might catch the fraud, but you can rely on the fact that most 371 00:35:26,859 --> 00:35:31,060 states will throw it away without looking at enough of it to determine who actually 372 00:35:31,060 --> 00:35:41,470 won. And that's the sorry situation that unfortunately in 2018 we are still in. So 373 00:35:41,470 --> 00:35:47,859 since 2016, however, there has been a change in mindset. Increasingly election 374 00:35:47,859 --> 00:35:52,640 officials have been listening to the scientific community when we say you need 375 00:35:52,640 --> 00:35:57,549 a paper trail, and they're starting to think that that is correct. Almost all 376 00:35:57,549 --> 00:36:03,329 states that don't have paper trails today at least have people strongly advocating 377 00:36:03,329 --> 00:36:09,599 for replacing the equipment that's there. And most other states, well, they at least 378 00:36:09,599 --> 00:36:13,920 have people starting to look into the security and testing the security of other 379 00:36:13,920 --> 00:36:18,359 election related computer systems, like their voter registration systems, to make 380 00:36:18,359 --> 00:36:24,280 sure that they're shored up. Now you don't have to take it from me that paper ballots 381 00:36:24,280 --> 00:36:29,650 and post election audits are the way to go to secure our election systems. 
Just this 382 00:36:29,650 --> 00:36:36,030 fall the National Academies of Science Engineering and Medicine -- the authority 383 00:36:36,030 --> 00:36:40,410 on scientific advice to government -- released a report with their highest level 384 00:36:40,410 --> 00:36:45,740 of advice -- a consensus report -- urging the adoption of paper and risk limiting 385 00:36:45,740 --> 00:36:51,270 audits, pointing out that this is a pragmatic, robust, and necessary defense 386 00:36:51,270 --> 00:36:57,420 for elections. This report was written in conjunction with election officials. 387 00:36:57,420 --> 00:37:01,869 People with experience administering elections and it just goes to show you 388 00:37:01,869 --> 00:37:06,606 that at least the election officials who have taken the time to understand the 389 00:37:06,606 --> 00:37:13,766 threat are waking up and starting to pay attention to the path to a solution. The 390 00:37:13,766 --> 00:37:19,460 problem is that that solution will take time to implement. And if we look at which 391 00:37:19,460 --> 00:37:24,890 states still don't have a paper trail, it turns out that there are 14 where some or 392 00:37:24,890 --> 00:37:31,660 all votes still aren't recorded on paper, and it's going to take between 130 and 420 393 00:37:31,660 --> 00:37:35,559 million dollars according to credible estimates to replace all the machines 394 00:37:35,559 --> 00:37:41,410 still in those states. Some of them like Pennsylvania are working to do that now, 395 00:37:41,410 --> 00:37:46,630 but in other states there still are no plans in effect to get rid of the 396 00:37:46,630 --> 00:37:52,600 vulnerable machines. If we look at the national map for post-election audits 397 00:37:52,600 --> 00:37:57,870 though the picture is a lot worse. And this is what concerns me most. 
Although 398 00:37:57,870 --> 00:38:04,030 many states in 2018 did small pilots of risk limiting audits, the majority of 399 00:38:04,030 --> 00:38:11,860 states still do not conduct audits that can rigorously guarantee the electronic 400 00:38:11,860 --> 00:38:18,799 results of an election. And many still have no plans to do so in time for 2020. 401 00:38:18,799 --> 00:38:22,369 Because risk limiting audits are so efficient, the cost for auditing 402 00:38:22,369 --> 00:38:28,130 nationwide is ridiculously small. It would cost according to my estimates less than 403 00:38:28,130 --> 00:38:33,410 25 million dollars a year to audit every federal race nationally, potentially a lot 404 00:38:33,410 --> 00:38:38,099 less than that. But it requires organization on the ground. And 405 00:38:38,099 --> 00:38:44,660 unfortunately in our system operations on the ground are conducted by about 13,000 406 00:38:44,660 --> 00:38:51,359 local jurisdictions on Election Day. We need national leadership. We need much 407 00:38:51,359 --> 00:38:57,380 more dispersed expertise in order to get these protections in place, because if you 408 00:38:57,380 --> 00:39:03,450 don't actually look at the paper you might as well not have it in the first place. So 409 00:39:03,450 --> 00:39:09,460 this year did see some movement in Congress. In the spring, as part of the 410 00:39:09,460 --> 00:39:14,650 omnibus appropriations process, Congress gave the states 380 million dollars in 411 00:39:14,650 --> 00:39:20,160 emergency election funding in order to start working to secure their registration 412 00:39:20,160 --> 00:39:24,720 systems and polling places. This was great in that it was money available 413 00:39:24,720 --> 00:39:29,089 immediately, and if you've been paying attention, getting Congress to do much of 414 00:39:29,089 --> 00:39:34,810 anything these days is pretty hard. 
On the other hand the money came with very 415 00:39:34,810 --> 00:39:41,069 limited oversight, with no standards about how that money should be used, and isn't 416 00:39:41,069 --> 00:39:46,079 even enough to eliminate all of the paperless machines because of the way it's 417 00:39:46,079 --> 00:39:52,490 spread out amongst the states. But it's an important first step. We can look at a few 418 00:39:52,490 --> 00:39:58,040 of the states to see how they're doing, and I pick these as a representative 419 00:39:58,040 --> 00:40:06,050 sample of the diversity of progress. In Maryland, for instance, which until 2016 420 00:40:06,050 --> 00:40:09,620 used AccuVote touch-screen machines, vulnerable to all of those problems I 421 00:40:09,620 --> 00:40:15,859 talked about, finally replaced the machines with paper ballots. That's a huge 422 00:40:15,859 --> 00:40:22,630 step forward. Unfortunately Maryland, instead of auditing them by having people 423 00:40:22,630 --> 00:40:27,000 look at the ballots, decided it would be more efficient to audit them by having 424 00:40:27,000 --> 00:40:33,220 people look at digital scans of the ballots from the voting machines. As I 425 00:40:33,220 --> 00:40:38,430 think everyone in this room probably realizes, but maybe some in a broader 426 00:40:38,430 --> 00:40:45,530 audience would not, it's pretty easy to manipulate digital photographs. In fact I 427 00:40:45,530 --> 00:40:50,690 have work from students in an undergraduate security class I taught this 428 00:40:50,690 --> 00:40:56,049 term who implemented a machine learning algorithm that can take scans of ballots 429 00:40:56,049 --> 00:41:00,970 and just automatically change the marked results to produce whatever outcome you 430 00:41:00,970 --> 00:41:06,720 want, and we'll have more on that in a publication this spring. But 431 00:41:06,720 --> 00:41:12,270 unfortunately these audits are security theater. 
They might catch human error, but 431 00:41:12,270 --> 00:41:16,859 they're not going to catch a sophisticated attacker who has the ability to manipulate 432 00:41:16,859 --> 00:41:21,900 how the machines are reading the ballots, can be easily fooled by malware. So I give 433 00:41:21,900 --> 00:41:28,700 Maryland on the whole maybe a "C". Pennsylvania, another state that just two 434 00:41:28,700 --> 00:41:32,161 years ago during the recounts was practically a laughing stock of the 435 00:41:32,161 --> 00:41:37,820 country for its lack of paper records of votes and its byzantine rules about 436 00:41:37,820 --> 00:41:42,990 recounting them, well, today is making really good progress. The state recently 437 00:41:42,990 --> 00:41:47,270 committed to replacing all of its paperless machines with paper ballots in 438 00:41:47,270 --> 00:41:53,819 time for the 2020 election, and it's committed to implementing robust post 439 00:41:53,819 --> 00:42:00,930 election audits by 2022. Unfortunately, 2022 is going to be too late to secure the 440 00:42:00,930 --> 00:42:06,599 2020 presidential election, and this just emphasizes the need to get moving more 441 00:42:06,599 --> 00:42:12,270 quickly. There were also questions about whether the auditing regime they implement 442 00:42:12,270 --> 00:42:17,240 will be truly statistically rigorous. There are a lot of details to get right, 443 00:42:17,240 --> 00:42:22,340 but on the whole, Pennsylvania has made so much progress. I think out of sympathy I 444 00:42:22,340 --> 00:42:28,261 can give them a "B". All right, now let's look at a top performer. This is the state 445 00:42:28,261 --> 00:42:34,890 of Colorado. Colorado has become a leader in election security, because not only 446 00:42:34,890 --> 00:42:40,819 does it have paper ballots statewide, largely vote by mail which has its own 447 00:42:40,819 --> 00:42:45,260 problems, but that's a subject for later. 
But Colorado also was the first state in 449 00:42:45,260 --> 00:42:49,090 the country to implement these statistically robust risk limiting audits 450 00:42:49,090 --> 00:42:53,809 statewide and has been doing it since 2017. They've got both of these critical 451 00:42:53,809 --> 00:42:58,800 protections in place, and yes, they actually do choose the random seed for 452 00:42:58,800 --> 00:43:02,839 sampling the ballots during the risk limiting audit by rolling a set of 453 00:43:02,839 --> 00:43:08,140 10-sided dice. So that's a great way to do it in a public ceremony. So Colorado gets 454 00:43:08,140 --> 00:43:15,731 an "A". They're very well protected by these standards. Then there's Georgia. So 455 00:43:15,731 --> 00:43:23,260 Georgia in 2018 voted statewide with the AccuVote TSX voting machine, the one that 456 00:43:23,260 --> 00:43:29,720 FedEx has that I've hacked. They haven't updated this software in their AccuVote 457 00:43:29,720 --> 00:43:37,130 TSX machines since 2005, and they claim that the machines and their election 458 00:43:37,130 --> 00:43:43,510 programming systems are air gapped. But during a court hearing about this earlier 459 00:43:43,510 --> 00:43:47,990 this fall their head of elections described that their system was air 460 00:43:47,990 --> 00:43:52,119 gapped. Yes it's perfectly secure. It's air gapped. The only way you can get into 461 00:43:52,119 --> 00:43:58,080 it is through the bank of modems attached to it. It's air gapped except the bank of 462 00:43:58,080 --> 00:44:03,569 modems. Also it turns out he programs it by moving a USB stick back and forth from 463 00:44:03,569 --> 00:44:11,700 his personal laptop. *Sigh* Georgia also of course doesn't have robust audits, 464 00:44:11,700 --> 00:44:15,770 because, well, meaningful post election audits would require a paper trail, and 465 00:44:15,770 --> 00:44:21,079 none of those machines have paper. 
This alone would be enough to give Georgia an 465 00:44:21,079 --> 00:44:26,859 "F". Except there's one more thing: their voter registration system also was shown 466 00:44:26,859 --> 00:44:33,839 in 2018 to have some problems. So you're not going to believe this story. One more 467 00:44:33,839 --> 00:44:41,260 story. So in Georgia they do online voter registrations through a Web site. And in 468 00:44:41,260 --> 00:44:49,380 2018 just a few days before the election the Georgia Democratic party learned from 469 00:44:49,380 --> 00:44:54,590 one of its-- from someone working for them, from a volunteer, about a series of 470 00:44:54,590 --> 00:44:59,500 vulnerabilities in this voter registration system. Well it turned out that you could 471 00:44:59,500 --> 00:45:03,990 read and manipulate anyone's voter registration records just by changing a 472 00:45:03,990 --> 00:45:10,750 sequential ID number in a particular URL. There was another URL for viewing a sample 473 00:45:10,750 --> 00:45:14,170 ballot, that if you just change the path of the file it pointed to you could read 474 00:45:14,170 --> 00:45:20,721 any file on the server's filesystem. Well these are pretty bad problems, right? Even 475 00:45:20,721 --> 00:45:24,589 though Georgia apparently had gone through the process of having a security 476 00:45:24,589 --> 00:45:29,610 assessment of its registration system performed and didn't catch these, well... 477 00:45:29,610 --> 00:45:33,760 So the Democrats less than five days before the election learned of these 478 00:45:33,760 --> 00:45:37,910 problems and disclosed them to the Secretary of State's office which is 479 00:45:37,910 --> 00:45:43,400 responsible for running the election system. There is Secretary of State Brian 480 00:45:43,400 --> 00:45:49,569 Kemp, who, also, it turned out, was candidate for governor in a very close 481 00:45:49,569 --> 00:45:54,799 race. 
So not only was he running the election system, but he was the candidate 483 00:45:54,799 --> 00:46:00,339 in the most important race in the state where the polls were projecting that the 484 00:46:00,339 --> 00:46:06,340 election was going to be a dead heat. So an hour after receiving the security 485 00:46:06,340 --> 00:46:12,190 disclosure, Secretary Kemp's office put out a press release with this headline: 486 00:46:12,190 --> 00:46:16,440 That after a failed hacking attempt they're launching an investigation into the 487 00:46:16,440 --> 00:46:24,790 Georgia Democratic Party and they've called the FBI on the Democrats. So... 488 00:46:24,790 --> 00:46:32,140 Brian Kemp won the election and is now the governor elect of Georgia. So this guy who 489 00:46:32,140 --> 00:46:36,660 did so well handling the security of the voting system while he was secretary of 490 00:46:36,660 --> 00:46:42,710 state is now the head political officer of the state of Georgia. I think Georgia's 491 00:46:42,710 --> 00:46:47,770 "F" just might stick with them through 2020. So... 492 00:46:47,770 --> 00:46:55,510 *applause* H: Thank you. So there is hope though. I 493 00:46:55,510 --> 00:47:01,250 want to end on a message of hope, because despite this, with all of these different 494 00:47:01,250 --> 00:47:07,010 levels of rigor and of readiness across the different states I believe we need 495 00:47:07,010 --> 00:47:12,020 more national leadership, national standards, and national resources thrown 496 00:47:12,020 --> 00:47:18,670 into securing elections. And a bill to do just these things made a lot of progress 497 00:47:18,670 --> 00:47:24,029 in the Senate during the past term. This is a bill called the Secure Elections Act 498 00:47:24,029 --> 00:47:29,890 that was introduced by Senators Lankford, Republican of Oklahoma, and Klobuchar, 499 00:47:29,890 --> 00:47:35,290 Democrat of Minnesota. 
And it ended up gathering a large number of bipartisan 500 00:47:35,290 --> 00:47:41,400 sponsors, split evenly between Republicans and Democrats. It would have required 501 00:47:41,400 --> 00:47:46,410 states to adopt paper, to adopt strong audits, and to adopt stronger information 502 00:47:46,410 --> 00:47:50,710 sharing practices to let each other and the federal government know if they saw 503 00:47:50,710 --> 00:47:57,869 signs of people trying to break in. This bill made it a long way, but unfortunately 504 00:47:57,869 --> 00:48:03,400 got stuck in the committee after some opposition from the White House just days 505 00:48:03,400 --> 00:48:07,520 before it was going to be marked up and hopefully then made it make its way to the 506 00:48:07,520 --> 00:48:12,760 floor. But this shows that bipartisan cooperation is possible even in this 507 00:48:12,760 --> 00:48:17,069 Congress, and that there are a lot of serious people who now realize that 508 00:48:17,069 --> 00:48:22,160 election cybersecurity is a matter of national security and defense. I think in 509 00:48:22,160 --> 00:48:26,460 the next Congress there's a good possibility that we will see effective 510 00:48:26,460 --> 00:48:31,970 legislation to provide national standards and leadership for elections. But it's a 511 00:48:31,970 --> 00:48:39,299 question of threading a political needle and getting Congress to act. So to defend 512 00:48:39,299 --> 00:48:44,599 our elections we don't need rocket science. We need simple steps like 513 00:48:44,599 --> 00:48:51,420 applying security best practices and expertise to secure registration servers, 514 00:48:51,420 --> 00:48:56,430 adopting a paper record of every vote, and applying simple post-election audit 515 00:48:56,430 --> 00:49:01,860 techniques to make sure the paper record is right. 
If we do these things well we'll 516 00:49:01,860 --> 00:49:07,569 have a much more robust and evidence-based election system that can detect and 517 00:49:07,569 --> 00:49:13,010 recover from attack attempts. Unfortunately today our dialogue about 518 00:49:13,010 --> 00:49:18,170 elections isn't based on evidence. It's largely based on faith: on faith in the 519 00:49:18,170 --> 00:49:23,641 democratic process, on faith in the people and the technology that's responsible. But 520 00:49:23,641 --> 00:49:29,410 I think voters deserve better. Voters deserve, if they're reasonably skeptical, 521 00:49:29,410 --> 00:49:33,550 to have it proven to them that the election result was right, and that is 522 00:49:33,550 --> 00:49:38,480 possible with simple and practical technology that we have today. All it's 523 00:49:38,480 --> 00:49:43,170 going to take is national leadership to make sure that all states, even states like 524 00:49:43,170 --> 00:49:49,880 Georgia, adopt the necessary protections soon. So what can you do? Well as a hacker 525 00:49:49,880 --> 00:49:55,250 or a computer scientist you can work with your election officials to help explain 526 00:49:55,250 --> 00:50:00,420 the technology, the threats, and the defenses. You can work to explain the 527 00:50:00,420 --> 00:50:05,640 threats to the public, because we all need to understand, just as a matter of modern 528 00:50:05,640 --> 00:50:10,540 civics, how elections can be attacked and defended. You can work to build better 529 00:50:10,540 --> 00:50:15,720 ways to use technology to make voting on paper easier and more efficient. While 530 00:50:15,720 --> 00:50:20,450 technology can help voting in a lot of ways, just... we shouldn't trust it is the 531 00:50:20,450 --> 00:50:26,369 only way in which votes are counted and results are determined. 
And as a citizen, 532 00:50:26,369 --> 00:50:30,559 well, you can demand that election authorities implement paper and risk 533 00:50:30,559 --> 00:50:34,690 limiting audits. Get involved through activist groups to help campaign for 534 00:50:34,690 --> 00:50:41,040 protections like this, and especially please urge the U.S. Congress to pass 535 00:50:41,040 --> 00:50:45,730 legislation like the Secure Elections Act and similar bills to make sure that 536 00:50:45,730 --> 00:50:51,720 election systems across our country achieve these security properties. You can 537 00:50:51,720 --> 00:50:56,770 learn more from an online course I have for free on Coursera called Securing 538 00:50:56,770 --> 00:51:02,230 Digital Democracy that provides several weeks' worth of material about the history 539 00:51:02,230 --> 00:51:07,589 and the technology of election defenses. But we've got to get going. It's only been 540 00:51:07,589 --> 00:51:12,089 two years, believe it or not, since Donald Trump became president, and it's only 541 00:51:12,089 --> 00:51:16,289 about 22 months until the next presidential election. It's time to get 542 00:51:16,289 --> 00:51:18,480 moving. Thank you. 543 00:51:18,480 --> 00:51:30,660 *applause* 544 00:51:30,660 --> 00:51:39,020 Herald Angel: thank you very much. What I got from this talk is it takes 27,400 545 00:51:39,020 --> 00:51:46,510 people, so we have to scale up Congress. We're going to do a Q&A. And I think we'll 546 00:51:46,510 --> 00:51:52,561 just start with Mic number two because I can see that one. 547 00:51:52,561 --> 00:52:00,410 Question: Thanks for the great talk. What if someone targets the-- *Mic problems* 548 00:52:00,410 --> 00:52:06,899 *Mumbling* Herald: Um, we need mic #2 live. 549 00:52:08,359 --> 00:52:10,869 Question: Does this work? Hello? *silence* 550 00:52:15,519 --> 00:52:18,499 Angel: Try again Question: Hello? Ok great. Thanks for the 551 00:52:18,499 --> 00:52:23,520 great talk. 
What if someone targets the randomness in your risk-limiting audit? 552 00:52:23,520 --> 00:52:27,431 Q: Doesn't that pose a vulnerability? Speaker: Oh yes. Definitely you need to have 553 00:52:27,431 --> 00:52:31,740 a secure randomness in whatever auditing method you're doing if it's going to be by 554 00:52:31,740 --> 00:52:37,760 a statistical sampling. That's one reason why the auditing techniques that Colorado 555 00:52:37,760 --> 00:52:43,289 practices, they actually have a public ceremony in which officials throw dice in 556 00:52:43,289 --> 00:52:48,520 front of TV cameras in order to pick the random seed. But a lot of thought has to 557 00:52:48,520 --> 00:52:53,260 go into designing that process well, so that it's not only truly random but also 558 00:52:53,260 --> 00:52:57,230 something that people can know and believe is truly random. Thank you 559 00:52:57,230 --> 00:53:06,029 Angel: OK Mic number six Question: Thank you so much for the talk. 560 00:53:06,029 --> 00:53:10,799 You spoke about how in Georgia the disclosure of vulnerabilities was 561 00:53:10,799 --> 00:53:18,150 punished, almost. Is there any talk or movement towards having something like bug 562 00:53:18,150 --> 00:53:23,970 bounties for Election Systems? Speaker: Yes in fact there is another bill 563 00:53:23,970 --> 00:53:29,390 that was introduced in Congress that would do just that, and establish a kind of bug 564 00:53:29,390 --> 00:53:36,441 bounty program. I'm not sure that that idea yet has a lot of legs, but I think it 565 00:53:36,441 --> 00:53:41,819 would help. I think right now though we don't really need all that much more 566 00:53:41,819 --> 00:53:47,369 incentive for people to want to try to help secure democracy. A lot of people, 567 00:53:47,369 --> 00:53:51,829 including I'm sure a lot of people in this room, would gladly volunteer to do so. 
We 568 00:53:51,829 --> 00:53:55,940 need a way of organizing that effort and making sure that people can discover and 569 00:53:55,940 --> 00:54:00,980 report problems without fear of having it turn into some political weapon to be used 570 00:54:00,980 --> 00:54:05,150 against them. Angel: Mic number one 571 00:54:05,150 --> 00:54:10,930 Question: Hey thanks for the talk. Like the case in Georgia doesn't sound that 572 00:54:10,930 --> 00:54:14,529 terrible because like in Lithuania a couple of years ago we've had this issue where you 573 00:54:14,529 --> 00:54:20,510 just didn't need to change the URL you just did have to refresh the page and here 574 00:54:20,510 --> 00:54:29,230 you go. You have the information about a different citizen. My question is, like, 575 00:54:29,230 --> 00:54:35,799 what if the paper trail leads to the knowledge that the election was rigged in 576 00:54:35,799 --> 00:54:41,200 some particular area like two years after the election or like one year after the 577 00:54:41,200 --> 00:54:43,609 election? What happens then? Does it change anything? 578 00:54:43,609 --> 00:54:49,480 Speaker: A year or so after an election would be a great catastrophe if we only learned 579 00:54:49,480 --> 00:54:53,579 then that the political leaders were not legitimately elected. We don't really have 580 00:54:53,579 --> 00:55:01,630 any precedent for that. That's why the recommendation and what some states like 581 00:55:01,630 --> 00:55:05,200 Colorado are starting to do is, they're implementing stronger audits, is to make 582 00:55:05,200 --> 00:55:09,640 sure the audits are completed as soon as possible, ideally before the election 583 00:55:09,640 --> 00:55:16,769 results is certified. 
I recently came out with a paper with Philip Stark and Ron 583 00:55:16,769 --> 00:55:21,640 Rivest that gives an audit system that you can start doing even the moment polls 584 00:55:21,640 --> 00:55:27,849 close on election night and perhaps have, in a not so close election, a full complete 585 00:55:27,849 --> 00:55:33,800 audit by the time results are announced on election night. So it's possible to do it 586 00:55:33,800 --> 00:55:39,900 quickly with sufficient organization. Angel: OK. Microphone number 8 587 00:55:40,770 --> 00:55:50,380 Question: Hi I'm curious about the attribution of attacks. Is there possibly 588 00:55:50,380 --> 00:55:56,730 any instance at which you would be not sure that it was Russia that performed the 589 00:55:56,730 --> 00:56:03,320 attacks, or maybe it was China. So how do you know that it was exactly Russia, or 590 00:56:03,320 --> 00:56:10,799 China or India? Speaker: So all we have to go by really is the 591 00:56:10,799 --> 00:56:16,160 assertions of our intelligence agencies in the U.S. and in some cases like for the 592 00:56:16,160 --> 00:56:21,000 Democratic National Committee breaches the assertions of private security firms that 593 00:56:21,000 --> 00:56:26,560 were involved in the investigations. I agree with you, attribution in general is a 594 00:56:26,560 --> 00:56:32,390 darn hard problem. But if you're willing to accept the credibility of the 595 00:56:32,390 --> 00:56:37,119 intelligence reports and read between the lines just a little bit it looks like the 596 00:56:37,119 --> 00:56:43,279 reason, the basis for their attribution, is largely not technical but based on 597 00:56:43,279 --> 00:56:47,339 intercepted communication of people who were involved in organizing the attacks in 598 00:56:47,339 --> 00:56:52,590 Russia. And I think more information about that is likely to come out as the Mueller 599 00:56:52,590 --> 00:56:58,500 investigations proceed. So I mean there's some necessary grain of salt. 
You can see 601 00:56:58,500 --> 00:57:04,869 what incentive people might have to try to trump up, so to speak, the involvement 602 00:57:04,869 --> 00:57:08,900 of Russia. But you can also see in the current political climate why at least the 603 00:57:08,900 --> 00:57:14,200 executive branch would have a reason to try to tone down allegations of Russia's 604 00:57:14,200 --> 00:57:20,160 involvement. So you'll have to interpret the weight of the evidence as you will. 605 00:57:20,160 --> 00:57:24,640 Angel: OK, the last question from the Internet. 606 00:57:24,640 --> 00:57:28,650 Angel: We're running out of time. Sorry. Question: Has any organization or group 607 00:57:28,650 --> 00:57:32,079 unveiled a voting machine designed to address all of the security issues that 608 00:57:32,079 --> 00:57:35,059 you have brought up here? Is there a solution to the problem? 609 00:57:35,059 --> 00:57:38,730 Speaker: I'm sorry could you repeat the beginning of that question? 610 00:57:38,730 --> 00:57:43,119 Question: Has any group or organization unveiled a voting machine that is designed 611 00:57:43,119 --> 00:57:46,470 to address all of those security issues that have grown up? 612 00:57:46,470 --> 00:57:52,329 Speaker: OK so there are efforts to develop voting machines that are based on open 613 00:57:52,329 --> 00:58:00,490 source software, that are based on better validated software. Benedita, a researcher 614 00:58:00,490 --> 00:58:07,089 in this area who has done a lot of great work is one person who's recently launched 615 00:58:07,089 --> 00:58:13,740 an effort to do that, although there are others. And I think that will help. 
But at 616 00:58:13,740 --> 00:58:17,809 the end of the day I think however well- designed the software and our voting 617 00:58:17,809 --> 00:58:22,160 machines is, that can raise the bar for attacks, but it's never going to be enough 618 00:58:22,160 --> 00:58:27,160 to also be able to convince skeptical voters that everything is OK, because, 619 00:58:27,160 --> 00:58:31,109 well, among other things, how do you know that that software is really what's 620 00:58:31,109 --> 00:58:36,530 running in the machines that are counting your votes? So there's a lot we can do to 621 00:58:36,530 --> 00:58:41,750 make voting machines better. At the end of the day they're also going to have to have 622 00:58:41,750 --> 00:58:47,709 that paper trail and those statistical audit so that everyone can believe the results. 623 00:58:47,709 --> 00:58:52,259 Angel: Thank you very much. That concludes the talk. 624 00:58:52,259 --> 00:59:00,219 Speaker: Thank you. *applause* 625 00:59:00,219 --> 00:59:04,940 Angel: I think you'll be around for a few more answers on the Congress, so everybody who 626 00:59:04,940 --> 00:59:08,750 is here can ask questions in person. Speaker: I will and hopefully tomorrow 627 00:59:08,750 --> 00:59:11,799 there'll be a Diebold voting machine somewhere around here for everyone 628 00:59:11,799 --> 00:59:16,220 to hack themselves. Thank you again. Angel: Let's hack that thing. 629 00:59:16,220 --> 00:59:20,380 *postroll music* 630 00:59:20,380 --> 00:59:39,000 subtitles created by c3subtitles.de in the year 2018. Join, and help us!
