 Thank you everyone for, you know, having a seat on the ground here. We really do appreciate it. It's a way that we can get the most people in this room, and especially for our next speaker, who I think is going to be extremely exciting. You're going to live up to that, right? So I'd like to introduce Alex Halderman from the University of Michigan. He is a professor of computer science and engineering, and a verified voting technology fellow. His research spans computer and network security, applied cryptography, security measurements, censorship resistance, and electronic voting, as well as the interaction of technology with politics and international affairs. So he's here to eat all of our lunches. Thank you very much. At least leave the international affairs of, you know, other people. You're an expert in everything else. So he has helped discover the cold boot attack and the TLS Logjam and DROWN vulnerabilities. He co-founded the ZMap project, Censys.io, and Let's Encrypt. He is a renowned expert in election cybersecurity, and has performed numerous evaluations of real-world voting systems, both in the United States and around the world. After the 2016 U.S. presidential election, he advised recount initiatives in Michigan, Wisconsin, and Pennsylvania in an effort to help detect and deter cyberattacks. And in 2017, he testified to the U.S. Senate Intelligence Committee about cybersecurity threats to election infrastructure. He's been named by Popular Science as one of the brightest young minds reshaping science, engineering, and the world. Alex? I'll get her. Thank you. Thank you so very much for that introduction. I'm here today to talk to you, like many other people, about the security of U.S. elections. But I want to make this a special kind of presentation, and so we're going to do a demonstration, too, a demonstration in which I'm going to actually steal a little election for you. 
This is quite a technically demanding demonstration to pull off in real time in front of an audience. So I ask for your patience and some wishes of good luck, perhaps. And also, I am going to need a volunteer, someone who can hold a camera steady for me. Yes? Thank you. Please. Hi, what's your name? Hi, Jess. Jess, thank you. Yeah. All right, so I'm going to need you to take this and just I'm going to ask you in a minute to use this as a camera. So before we get to that, though, let's see, many computers that need to work at once. All right, before we get to this, I want to introduce you to the AccuVote TS voting machine. This is an example of a voting machine we use here in the U.S. The AccuVote TS was, at one time, the most widely used electronic voting machine. And it is still to this day the most well studied of any electronic voting machine in the U.S. There have been major code reviews and other security assessments of these machines over the last 15 years by academic researchers, by groups commissioned by states, et cetera. But it's still in use today. In fact, it's used in parts or all of 18 states across the country. Georgia, for instance, uses this machine and its sister machine, the AccuVote TSX, in all of the precincts across the state. Now, if we look at other voting technology across the country, it's also a patchwork of different kinds of technologies, of machines like this and others. And in some places it even varies by county. But the AccuVote TS is a good representative machine of touch screen, sometimes paperless, what are called direct recording electronic voting machines. So I'd like to demonstrate the machine for everyone. And I don't think this microphone moves any distance, does it? No. Let's see if we can unhook it that way I can continue speaking. I apparently need to use this for the cameras. Not for you guys. All right, so we'll do a demonstration. 
So what I'm going to demonstrate on this handy AccuVote TS I brought with me is I'm going to run an election. Now, one thing that happens in every voting machine of all types across the country is before every election, officials need to program in the design of the ballots. Right? What are the races? Who are the candidates? What are the rules for counting the votes? And on every single kind of voting machine, that programming is created on a PC workstation somewhere, either operated by the county or operated by an outside vendor or the state. And it's copied onto the machines by officials on memory cards like the card for your digital camera or USB sticks. In this case, it's one of these PCMCIA memory cards. So what I'm going to do is I'm going to load an election into this machine and I'm going to attack the machine. And I'm going to attack the machine merely by altering the programming on the memory card. So I'm going to put the memory card in the slot and this is what election officials would do before any kind of election. No network connection. No network connection to the individual machine. Now, where's my camera person? Would you come up here, please? And I'm going to hit a button here and everyone's going to be able to see what the camera sees. So if you could film the screen here and just follow, you're going to have to come closer. No? All right. Oh boy, I told you this would be technically demanding. So election officials before a real election might do logic and accuracy testing, just run a few test votes. That's fine. They can do that. But we're going to skip that just for speeding things up. And then after that, they would hit a button here to set the machine for an election. So we're going to do that. I'm going to open a door here. The machine actually has a little cash register style printer. And it's going to print out. It's going to think about it. It's going to print out what's called a zero tape. 
And this is just going to show that there are no votes in the machine so far. Can you zoom in right there and show zero votes for both candidates? A little down. There we go. George Washington and Benedict Arnold, no votes. All right. Now I'm going to need, let's say, three more volunteers. Yes? Anyone else? Yes? One more. Yes. You guys can be my voters. So come on up. And I'm going to ask each of you to cast a vote in our mock election. So the way voting works on these machines like many other DREs is the voter comes in, checks in at the polling place. You're an authorized voter. Yes? All right. Then I'm going to issue you an activated voter card. This will let you have one ballot. So you can come up to the machine and vote. And we're going to show the voter. Just put it into the slot there. All right. And we're going to run a special election. And this is for President George Washington, the founder of the Republic versus Benedict Arnold, the traitor of the American Revolution. Everyone at DEF CON votes for Benedict Arnold. So if you want to be counter here, you better vote for George. All right. So we have one vote. Oh, you forgot to cast your ballot. Got to touch cast ballot. And then it will mark your card as used. And give it back to you. All right. So that's vote number one for George Washington. Voter number two. All right, sir. Here's your voter card. You are an authorized voter. Yes? Sure. Okay. Now it's going to cast another vote. All right. And no influencing my decision this time, right? Okay. Yes. It's a secret ballot. All right. It's two votes for George Washington. It's going to spit out the card. Now here, I'm going to demonstrate a little bonus attack. I'm going to take the card he just used and give it to our next voter. This voter card I actually made myself back at the time of the University of Michigan. That's why it has an M on it. 
It looks just like the real card, works just like the real card, except it also lets you vote as many times as you want. And this will work in the real machines too. All right. So using our infinite voter card, we're going to have our voter number three cast his super secret ballot. All right. George Washington or Benedict Arnold. All right. All right. So the votes are cast. And just to review for everyone, the real election result, two votes for George Washington. One for that traitor, Benedict Arnold. So now we're going to end voting. And what I'm going to do, I'm going to take an administrator card and I'm going to put it in the machine. And the administrator card, this is what an election official might have. I'm going to enter my secret PIN. That was the default PIN. I'm going to take out the administrator card. Now I'm going to hit end voting. And what the machine does after you end voting is it prints out another one of these cash register tapes that has the total votes for each candidate. Here we go. The results of the election, this is the official results that would be signed. And can you please zoom in on that to show the official results down? Oh, Benedict Arnold has won by a narrow margin. But of course we all know that's not the real result. In fact, malicious code that I loaded into the machine by hijacking this pre-election programming process has stolen the result. It's manipulated the ballots and all of the electronic records of the ballots to cause fraudulent results to be recorded. All right. For my volunteers, I want to give each of you a printout of these fraudulent results to take with you as a souvenir. All right. Now while this is printing, let me explain some disturbing facts about this machine. People might wonder, is this the current version of the firmware? Well, it's not the most recent version of the firmware, but in fact this version of the firmware and even older versions of the firmware are in widespread use across the U.S. today. 
There's no requirement that officials keep the firmware up to date. In fact, this version has already corrected vulnerabilities that exist in some versions that are in fact still used. All right. Let me end this projection. All right. Excuse me, I just have to end it on this side so we don't run out of batteries. Very technically demanding. There. All right. I'll take control of this again. Was that a mission? So this machine, this machine I bought on eBay. It was used previously in Ohio and Ohio sold off a large number of them after they were damaged due to a leaking roof in the warehouse, but most of them still work. We have dozens more of this same kind of machine down in the village for people to hack on. All right. So let me put all of this in context and we don't have that much time so I'm going to have to go quick. We have two styles of voting machines in the country. One's like this that are DREs, touch screens and so forth and also optical scan machines that count paper ballots that voters fill in. Both of these though are computers and both styles of machines have been studied in many security reviews over the last decade and a half. I was part of one in California where the Secretary of State in 2007 brought together a group of respected security experts to do a code review of all of the election equipment in the state. This is an excerpt from one of the reports about this machine, the AccuVote TS, and it details some of the vulnerabilities. Multiple buffer overflows, software updates without authentication, interpreted code, things that could be exploited by voters, things that could be exploited from the memory card, inadequate randomization of the ballot so that ballot secrecy can be compromised. You can forge the cards, all of this stuff. This is in 2007 and there are hundreds of pages of elaborate technical documentation about these vulnerabilities. Still, California decertified the machines. 
They wouldn't use them anymore, but other states continued to use them and as I said, in many cases, without updating the software. And it's not just these Diebold machines. Since that time, states have reviewed, there have been independent studies, many, many different kinds of U.S. voting machines. In every single case, the reviews concluded that there were vulnerabilities that could be used by attackers to spread malicious code into the machines, often via the removable media, and compromise votes. So, the fact is, across the U.S., something like 41 states use election equipment that's more than 20 years old. Some states still use voting machines that were designed in the 1980s. These machines are often not receiving security updates. They're often not benefiting from the latest technologies and the only safe assumption is that all of them have exploitable vulnerabilities. Okay, but that's just individual machines. So, if individual machines have vulnerabilities, it seems like it's still a problem. It's still not as big a problem if an attacker has to target machines one by one. How could an attacker, potentially a foreign adversary, compromise machines over a wide area and try to influence a national election result? Well, there are various things they might do. Some things very public, like trying to sabotage election reporting, trying to sabotage e-poll books or registration data so that voters show up and find out they're not registered. Those could be extremely damaging, but at least we'd know they'd happened. I think a more sinister and worrisome attack, the attack that keeps me up at night personally, is the one you just saw. What if someone compromised enough machines to subtly change election outcomes and cause the wrong result? Would we ever find out? So, how plausible is that? Well, there are three challenges for an attacker trying to silently steal an election. 
The first one is just that the technology is diverse and decentralized, every state and county running their own systems. Well, that helps in some ways. It hurts in some ways. So it helps if the election result is not that close. But in a close election that's going to hinge on a set of swing states or swing districts, that just means that the attacker has and can tell from pre-election polls this whole set of places to potentially attack any subset of which might swing the national election. So you scan all the states that are potentially going to be in play, find the ones that are most weakly protected, and strike in all of those. So rather than a diversity protecting us, we have a diversity across the country today of strength and weakness. And that's a major weakness for everybody. All right, the second challenge, though, is that the machines aren't connected to the Internet. Well, thank goodness they're not. At least they're not supposed to be. It's actually not quite true. Some of them do connect to the Internet briefly in order to send back results over 4G networks after the election. But most machines are not connected to the Internet, and that's a great thing. However, they're not as distant from the Internet as they may seem. So we talked about that memory card that I just used to spread malware into this machine in front of you and steal the election. Well, that memory card, the programming on it, is created on this election management workstation that's running proprietary software that generates the ballot programming. If an attacker can infect that system, well, they can spread malware to every machine that is programmed from that EMS. And sometimes that's every voting machine in a county. Some places they contract this out to the voting machine vendor. One large voting machine vendor programs the elections for 2,000 jurisdictions in 34 states. That is an incredibly centralized point of attack. 
And I've been in the room where they do this programming, and it's just an office somewhere. Isn't that a terrifying thought? Well, many other places, like in Michigan, they contract this out to small businesses in the region rather than to big central providers. So in Michigan, about three-quarters of counties use just three approximately 20-person companies in 2016. This is the website of one of them. And, you know, it's just a typical small business. No HTTPS. Nice detailed photos of their warehouse. And, oh, here's their staff directory, where you can find the picture, job title, and email address of every person in the company. So if I wanted to attack these guys and steal the next election in Michigan, maybe I forge an email from Sue here, to Sue from the admin assistant, from Larry, the president, asking her to urgently open this attachment. That may be all I need to do to get into their network and spread malware to voting machines throughout Michigan and other states in the Midwest. All right, there's just one more challenge. And that's that more than 70% of votes across the U.S. today are recorded on a piece of paper. And that is just great. This is much more than were recorded 10 years ago. And paper turns out to be a very effective and common sense kind of fail-safe for things like elections. I mean, paper may seem old fashioned, but did you know that if you fly in commercial aviation on a modern jet with satellite navigation, that jet still, by law, has a magnetic compass in the cockpit just in case the computer navigation system fails, right? That's just common sense that in a critical system, you want to have a physical fail-safe. The brakes in your car, you want them to work even if the engine control units fail. Well, in voting, paper is that kind of physical fail-safe. And of course, we all know paper can be tampered with too. 
But in modern election systems that have a paper backup record, what you end up with at the end of the day is an electronic record and a set of paper ballots. You have these two redundant records that each would require a different set of skills to tamper with at a large scale. And as long as we check to make sure that the paper records and the electronic records represent the same election outcome, then it's going to be really, really difficult to tamper with both of those sets of records in a way that wouldn't raise red flags. And in fact, we don't have to count all of the paper in order to do that kind of check. We can just use statistical sampling. There are very efficient statistical sampling methods that have been developed over the last 10 years or so for elections called risk-limiting audits, which in an election that's a landslide might be able to confirm that with very high statistical confidence by examining just a few hundred ballots across a whole state. So this is way more efficient than recounting, way more efficient than the kind of Florida auditing we all remember from 2000. There's just one problem. Most states don't look at the paper. Unless a candidate demands a recount or there are other exceptional circumstances, or the states just don't look at enough of it in a relatively close election in order to have reasonable assurance that an attack would be caught. So to review, unfortunately, hijacking an election and influencing a close national contest might be a lot easier than we thought. There are vulnerable voting machines used in places across the country, and an attacker can use pre-election polling to determine which jurisdictions are going to use them and have a close contest. Then target the service providers that program them to spread malware in the pre-election programming process. Just like I showed here, you can influence a small fraction of the votes and subtly change the outcome. 
And although there may be paper records in place, we know what the procedures are in every state, and the attacker can ensure that their attack is not detected if they plan appropriately. So what do we do to defend against all of this? And I have just a couple more minutes. So the simple defense, and I think the most important defense that we can roll out in a pragmatic form today, is to make sure that every vote is backed by a piece of paper. And that all states audit that paper to a high level of statistical certainty to make sure that it reflects the same outcome the computers gave us. This is called paper ballots and risk limiting audits, and it's a recipe that can be cheaply and practically implemented today. At the same time, of course, we do have to strengthen the technology as much as we can so that people don't hack in and sabotage the machines. We want to make that as difficult as possible. But I don't think we're ever going to get the technology to a point where all of us here can confidently say that we don't think the best attackers in the world, with the resources of a nation state, can't get in and make things go wrong. So how much progress do we have today? These are the states that have all paper, shown in green. The red ones still have some votes that are recorded without a paper backup. That's unfortunate, but we've made a lot of progress. It would cost maybe another 100 to 400 million dollars to get rid of the remaining paperless machines. Auditing is a much worse story. So the states shown here in red don't do audits that are likely to be sufficient to catch fraud, or they may do no audits at all. The ones in yellow do audits that are pretty good, but maybe they're not always auditing. Maybe they're not quite auditing enough to catch some close corner cases. The ones in green are implementing the best practices. Colorado may be leading the way right now with risk-limiting audits that they've been piloting over the last several years. 
New Mexico and Rhode Island also have or are implementing very good post-election audits. And many other states, we hope, will follow soon, but there's a lot more work to do. Still, this is one of the cheapest cyber defenses imaginable. My estimate is it might cost 25 million dollars a year to audit all federal races across the country. This is an incredibly small expense. So let's just look at states that were close in 2016. This is less than a 5 percent change would have swung the race for president in 2016. Still looks like a pretty bleak map of states that have both defenses in place today. So what can we do about it? Well, Congress took a positive step in March when they gave the states 380 million dollars in emergency funding for election improvements. And many states are applying this towards improving different aspects of their election security. Still, it's not nearly enough to foot the whole bill for equipment replacement. And I think replacing the out-of-date election equipment is going to take further help from the federal government. More importantly, though, this money came without any new standards and even without any strong guidance about how states should use it. There's now legislation, though, being considered in the Senate just this month and a companion bill in the House that is bipartisan and may actually pass that has the potential to establish some reasonable floors for election cybersecurity in terms of paper ballots and post-election audits being required or strongly incentivized practices for all states to adopt. This is a bill called the Secure Elections Act. The major question is whether between now and the end of August, this bill gets watered down in committee to the point that it's not offering any reasonable protections. 
So this is something that all of us and our friends could do today to try to advance election security across the country, especially if one of the senators listed here represents you, please call them today and urge them to make sure that the Secure Elections Act provides for voter-verified paper ballots and audits of that paper by people, not merely audits of digital scans or audits that are automated by other computers that might be tampered with, but we need people to check enough of the paper that we can all have high confidence in our election results. So paper ballots, risk-limiting audits, and general cybersecurity improvements. So patch the software on these machines. Make sure our equipment is up to date and so forth. This doesn't have to be expensive. We can get these improvements in place by 2020 if the states and the federal government act together and act now. But we need everyone's encouragement and help to make it happen. Thank you very much.
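
The following is an added example and not part of the talk: a sketch of the kind of risk-limiting audit described above, here the two-candidate ballot-polling test known as BRAVO (a Wald sequential test), showing why a wide margin needs only a small paper sample while a wrong machine outcome is not confirmed. The vote shares, ballot counts and function names are constructed for illustration, and the sketch assumes a paper record exists and is sampled uniformly at random with replacement.

```python
import math
import random


def bravo_audit(sampled_for_winner, reported_share, risk_limit=0.05):
    """Two-candidate ballot-polling audit (BRAVO, a Wald sequential test).

    sampled_for_winner: paper ballots in the order drawn; True means the
        paper shows the candidate the machines reported as the winner.
    reported_share: the winner's vote share according to the machines.
    Returns (confirmed, ballots_examined). If confirmed is False after the
    whole sample, the audit escalates (larger sample or full hand count).
    """
    if not 0.5 < reported_share < 1.0:
        raise ValueError("reported winner must hold more than half the votes")
    # Stop once the likelihood ratio "reported share vs. a tie" reaches
    # 1/risk_limit; work in logs to avoid overflow on long samples.
    threshold = math.log(1.0 / risk_limit)
    step_up = math.log(reported_share / 0.5)
    step_down = math.log((1.0 - reported_share) / 0.5)
    log_ratio = 0.0
    examined = 0
    for is_winner in sampled_for_winner:
        examined += 1
        log_ratio += step_up if is_winner else step_down
        if log_ratio >= threshold:
            return True, examined
    return False, examined


def expected_sample_size(reported_share, risk_limit=0.05):
    """Wald's approximation of the average number of ballots examined
    when the reported share is accurate (ignores overshoot)."""
    drift = (reported_share * math.log(reported_share / 0.5)
             + (1.0 - reported_share) * math.log((1.0 - reported_share) / 0.5))
    return math.ceil(math.log(1.0 / risk_limit) / drift)


if __name__ == "__main__":
    rng = random.Random(2018)  # fixed seed so the run is repeatable

    # Constructed honest case: the machines report 70% and the paper agrees.
    honest_paper = [True] * 7000 + [False] * 3000
    print("honest:", bravo_audit(rng.choices(honest_paper, k=2000), 0.70))

    # Constructed tampered case: the machines report 55% for a candidate
    # who holds only about a third of the paper ballots.
    tampered_paper = [True] * 3333 + [False] * 6667
    print("tampered:", bravo_audit(rng.choices(tampered_paper, k=2000), 0.55))

    # The closer the reported margin, the more paper must be examined.
    for share in (0.70, 0.55, 0.51):
        print(share, expected_sample_size(share))
```

The risk limit bounds the chance that a wrong reported outcome is confirmed; it says nothing about how the electronic record came to be wrong, which is why the check has to be made against paper examined by people.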