I'd like to introduce Joe Kiniry. Joe, yeah, I almost got it there. I've been practicing for the last 30 minutes. So instead of reading his bio to you, which I've been doing all day, today I asked him, what's the most important thing I can tell you all about his background? And he said this: not only do I break things, but I try to find ways to fix them as well. So that's what's going to be the focus of his talk today: it isn't just how to break all the machines that we use in the election ecosystem, but how can we make it better, how can we fix it. Trustworthy elections, Joe?
Right on, thank you. I think I'm supposed to use a microphone. I can be very loud. I am an ex-professor, so I can be very loud, but I'll stand here maybe and use a microphone. Is that all right? Everybody hear me? Right on. Thank you all for coming. It's four o'clock on a Friday. Everybody here wants a beer, right? I want a beer. Right on. All right, let's have a beer afterwards. As mentioned, I've been working in this area, relating to elections and election security, for 20 years now. I grew up in Florida and I witnessed what happened in 2000 in Florida and that's what got me interested in this topic, that and being a computer scientist. And the main thing I focused on over the years is a branch of computer science and mathematics that focuses on how do you build systems that are actually correct and actually secure. That's my day job these days. After leaving academia some five years ago, I went to a company called Galois, which is in Portland, Oregon, and it's basically the top performer in the world for the kinds of things I do. Galois spins out companies based upon work we do primarily for the government, the DOD, DARPA, intelligence agencies and the like, and we've spun out our, what, fifth company in the past few weeks? Is that right, Dan? Something like that.
Fifth or sixth, and the one we spun out prior to that is a company called Free and Fair, which focuses on the topic of elections. Now this talk I'm gonna give today is about trust and trustworthy elections and how can we get from this horrible state of affairs we are in today, and I'm saying this as a guy with thick skin who's been doing this crap for 18 years now. How do we get to a productive place in the future? So let's look at the word trust and trustworthy to see where we start, right? If something is trustworthy, then it's able to be relied upon to be honest and truthful. So when we go in and we look at the machines that are in the voting village right now, machines that people like myself and others have hacked repeatedly, we find regularly those machines are not trustworthy. They are not honest and they are not truthful about their behavior. It also means that something is worthy of confidence, and unfortunately the place we've got today, especially with regards to our voting infrastructure that's technical, not necessarily social, is that we don't really have confidence in it. So I always like to look at things constructively and say, well, this is where we sit today, how do we move forward? But the problem I have here (and I apologize for the flickering, I don't know what's causing that, has there been a thing today?) is that honesty and truth are hard to come by these days. As we all know, we're confounded by not just a historical record of how machines behave or how foreign actors have behaved and the like, but we have this massive foreign and domestic disinformation campaign that's going on right now. And it's really caused a lot of distrust in not just our government, but also corporations, our institutions, the press, science (which really harms me and my heart), and each other. So I've been thinking about how do we move forward on this? Because we've really lost trust on both sides. And when I say both sides, I'm not talking about America and Russia.
That might well be true and that's something that we have to pay attention to. But I'm talking about the relationships between cyber security folks, infosec folks and elections officials, right? We've just been real dicks. Sorry, should I say that on camera? But we've been really not very nice at times. We throw rocks inappropriately. We're not constructive about how we engage with elections officials here in the United States and worldwide. It's about infosec professionals and appointed federal officials; our interactions with folks at the top of various agencies have not always been productive for one reason or another. And it's about our interaction with vendors, right? Every single vendor knows my name. They don't like me. They don't take my phone calls in general, even if you wanna be constructive with them, because you've made them look bad in the past. So how do we flip this around? Now to reflect upon the problems I have with matters of trust and how we communicate with each other, we can look at the means by which we cyber security professionals talk, especially in the media, and that's easy low hanging fruit. That's not the way you should behave on occasion. But we can also look at statements of note out of various government entities. In particular, there are statements that have been put out over the past couple of weeks from the National Association of Secretaries of State and from the National State Elections Directors Organization. Statements have been made by DHS, the EAC and the FBI recently. And statements made by elected election officials. You rarely see statements made that are controversial, shall we say, by appointed elections officials. I'll show you a couple of examples here. So these are the two statements that came out from NASS and NASED that Alex, sorry, Secretary Padilla, I've known him for 20 years, so I have a little trouble with calling him Secretary.
These are the two statements put out by these national organizations that are responsible for the collections of Secretaries of State, who in the main run elections in America, and from the National State Elections Directors entities. And if you read both of these statements, you'll find both of them (and this is just one line out of a whole document) make me, as an infosec professional, a little uncomfortable. At times there's a bit of dissembling, a little pivoting, a little politics gets mixed in, and there's no surprise around that. I want to get past this. How do we move past this to be able to work with leadership of these two organizations and others to build trustworthy elections? Now how does one earn trust? Well, here's the two core things that we do about earning trust in the company that we run at Galois. Tell the truth and be authentic in your telling of the truth even if it's a hard truth to tell, and provide evidence about what you do. Don't let people trust you. Those are the only two things that we do reliably for every single client, whether it's an industry or government, about every interaction we have. And the first is about being authentic about how you communicate. And I mean that both in a verbal sense, a written sense and a technological sense. And the second is about using reason to justify the decisions you make and the outcomes that you have. For example, when I interact with, say, a DARPA program manager, and one of my DARPA program managers is in the room smiling at me right now, and they say something that's not right or is boneheaded or is based upon inaccurate information, some people will just nod and smile because they want the money. I won't do that. We won't do that. You have to be authentic about that communication. You're not a jerk about it, but you need to educate and inform and build a trusting, a deep trust relationship with them.
Likewise, anytime we ever build a system for the feds, DOD, intelligence, DHS, everything we provide to them has to be open source, open hardware, with evidence of its correctness and security. At no point in time can we ship something that says, "trust me." They'll say, "screw you. This is gonna go on a device that matters. This is gonna go up in space or something like that." Now, in order to have trust in the outcome of an election, here's the rub. Here's the thing that got me interested in elections in the first place. As an infosec professional, for me to trust the election, I need to not trust any person, machine, or company involved in the election. Fundamentally, I need evidence of the election's outcome that I can trust by distrusting every entity involved in that election. And we don't have that today. In space, right? The way we run elections in America today and overseas, in general, means that you have to have trust in many people who work together and watch out for each other, which is great as far as a process. We have to have trust in millions of machines in the field that we really shouldn't have trust about. And we have to have trust in companies that sell those machines and that support those machines. Now, I'll quote Reagan here, since a lot of the pushback I get is from the right. Let's go ahead and try to trust these entities in terms of running elections, but let's trust and verify. How do we verify that our elections are right? Now, Dwight's gonna get excited because I'm gonna talk about work we did with Colorado and the like on one aspect of how do you verify an election, but this has a multi-dimensional facet to it. So let's channel Reagan now and figure out how we can build trust among these entities. Here's a list of vendors I'll throw up there first. And the reason I do that is a lot of folks don't know how many vendors there are that are registered and active at the federal level in America today.
Because what you always hear about is, like when I say I'm in elections, people say Diebold, right? They immediately jump to a company that no longer exists, hasn't been around forever, has a bad reputation, was in the media in the mid-2000s. All true. These are the companies that are active today. And sure, it's the case that ES&S dominates the market and has circa two-thirds of the machines out there, but there's a lot of entities in play doing work in this area. I, as an infosec professional, despite my knowledge of technology and having hacked machines and the like, I have to tackle this problem by not trusting these vendors, right? I have to work from that assumption. And the trick here is how do I go from a place where I have distrust of the vendors and they don't trust me because I've hacked their stuff in the past to moving to a place of trust? I'll tell you how we're doing that. The problem is, historically, based upon my 18 years in the field, is that vendors aren't authentic. They don't provide public evidence of their systems' correctness and security, and they often dissemble about their information so as to sell things. We need to help them get past that. We need to get them to a place where they can be authentic about their systems. They can be authentic about their capabilities and their weaknesses. Part of this couples to certification, which I'll talk about in a minute, but part of it just has to do with the evolution in thinking strategically and communication-wise with leadership of these organizations. So some of them we've had success with that on. We've talked to leadership of various voting systems companies to help them understand where they are today, where they can go in the future, so that they can get away from running away from the truth. Now Free and Fair is a company that I mentioned before, is sort of a Galois spin-out. For full transparency here, it's not an official spin-out yet.
It's still Galois doing business as Free and Fair, but it's an independent entity that basically is taking all of my past work as a professor in the world of elections since circa 2000 and Galois' work on national security and national critical infrastructure for the feds and putting those two universes together. And now, in some sense, we're a vendor, right? Like it or not, we did work for the state of Colorado in building their risk-limiting audit system, which is now being used by them and further developed and is being used by other jurisdictions in awesome trials that I'm very excited about. You're excited about them too, right? But it's like, Orange County runs an audit and I don't even have to lift a finger. It's a miracle. So by virtue of that work, as well as the fact that we've built some demo products and we have been writing proposals for various RFPs, we're now a vendor, even though we're not yet on that federal list. We're not on that federal list because we haven't submitted a system for certification as of yet. So before I go into what we're doing as a vendor, I wanna roll back and think just for a moment about some talks I gave to NASS and NASED in 2015 and 2016. And this riffs on what we're productively doing now. I was asked to give invited talks at the National Association of Secretaries of State. So all the Secretaries of State are in the room listening to me wank on about something. And I went to NASED as well. So all the state elections directors are in the room. So at NASED they asked me to give a talk about what can we constructively do to be better about how we run elections just in case there's gonna be security problems. And note the date. This is in February 2016. And I'm happy to share my talk with anybody. But the key recommendations I made in that and the reason it's called "The Best Election Money Can Buy," even though that's kind of a funny thing, right? Ha ha, buying elections, get it?
Is that elections officials have no money, right? You have to do as much as you possibly can with as little resources as you have today. And the main suggestion there was to use risk limiting audits. Risk limiting audits are the gold standard of how you double check an election's outcome on the cheap, is what it boils down to. And there's now two and a half states that have it in law and are using it in practice. A whole bunch of other states have it in bills in their legislatures. And every bill at the federal level in America mandates risk limiting audits. If we could just get co-sponsors and we could just get them into law. So that's wonderful to see us going from there to here. Now the reason risk limiting audits are good is whether or not somebody causes trouble in your election, Russia or insider, or whether you just have an operational problem and things get screwed up, risk limiting audits help you catch it. It helps you remedy it. It helps you narrow your focus and figure out where the problem is. And it's super, super cheap compared to a full recount, for example. So that was the NASED talk. Now the NASS talk was called "The Future of Voting." And in that state, the Secretaries of State were interested in this question. Let's say I'm running an election and I wanna make absolutely certain that my election outcome is correct. And I wanna get a confidence in every voter that their vote was accurately captured, accurately recorded and included in the final tally. How do you do that? Because today we have no means by which to do that in a precise evidence-based fashion. We have to trust a wonderfully evolved and polished infrastructure of people working together, processes, some technology thrown in, and then we hope the election outcome represents the actual will of the people. And so the key outcome there was me summarizing to Secretaries of State, of all things, the state of affairs in research in the academic world in something called verifiable voting.
The idea that you can vote and you, as a citizen, can check after the election is done that your vote is accurately recorded and included in the final tally. So you can guess where things are heading next based upon that framing. We're gonna build trustworthy elections. We need elections that are independent of the people, the trust in processes, companies and organizations, and independent of the technology. You need to be able to trust the outcome of an election and distrust the code running on those crappy machines in the other room. That core property is called software independence. Software independence means that if something goes wrong in the election, whether it's accidental or purposeful in that code, we will catch it after the fact. And the lovely thing is that the new VVSG2 standards, that we hope to see turn into reality any day now as soon as we get a third commissioner at the EAC, mandate software independence. Huzzah, I keep fighting that battle. The vendors keep fighting back. So that's where it sits today. We'll see where it lands in the end. The two key ways to have software independent elections, where you don't need trust in the software's correctness, you don't need trust in the way people do their business, you don't need trust in your elections officials, are exactly risk limiting audits, which are trust but verify (trust the folks who run the election, but we're gonna double check it anyway because we all think it's a sensible thing to do to make sure that our elections outcomes are proper), and verifiable elections, which is verify your trust. Verify the fact that you trust that the elections are run properly and they're running these risk limiting audits, but you're really curious that your vote was actually counted. I live in the state of Oregon. We've been vote by mail forever, right? We're the first mover in America.
There are no polling places in Oregon unless you're a disabled voter or unless you really, really wanna go into the county clerk's office and vote, which you can do. Everybody gets a ballot in the mail. Everybody fills it out at home. Purportedly everybody who's filling it out at home is the person they say they are. You sign the back of your envelope and you stick it in a ballot box at your library or stick it in the mail. Now, I know personally every local elections official in Oregon, and yet I can't have confidence that my vote was actually tallied, right? It's going in a random box in a post office or it's going in the mail and that's going into a giant system. And even though I know I signed that piece of paper, I also have problems with the fact that my neighbor may have signed a piece of paper on a ballot but they filled out their wife's ballot or their parents' ballot or something like that. So these two things are key to remedying even my distrust in voting in Oregon. Now I have to riff on XKCD because Randall put out this just this week. And you'll understand the riff on this. So who's seen XKCD? Who's seen this particular thing? All right, let me explain it to the ones who haven't. Geek comic strip, people like me read it. And this is about whether or not we should be basically using technology in elections in certain ways, right? Since somebody can't read it, maybe in the back, I'll go over it real quickly. So the top left panel says, "asking aircraft designers about airplane safety." And I should say I work on airplane safety too, so this resonates with me. "Nothing is ever foolproof but modern airplanes are incredibly resilient. Flying is the safest way to travel." I think about this often because these electric scooters have been rolled out in Portland right now and people are all zipping around town without helmets on. I'm looking forward. Well, no, I'm not. Never mind. "Asking building engineers about elevator safety."
"Elevators are protected by multiple tried and tested failsafe mechanisms. They're nearly incapable of falling." Elevators are an interesting case study in computer science. We use it for teaching all the time, especially safety critical stuff. "Asking software engineers about computerized voting." And when they say computerized voting, they mean a DRE with no paper ballot trail. That's computerized voting here. And the software engineer responds, "that's terrifying." And the reporter says, "wait, really?" And the software engineer states, "don't trust voting software and don't listen to anyone who tells you it's safe." "Why?" "I don't quite know how to put this but our entire field is bad at what we do. And if you rely on us, everyone will die." Right? The reporter then says, "they say they fixed it with something called blockchain." "Whatever they said, don't touch it, bury it in the desert, wear gloves." And I should say, this is something that we repeatedly say for years, including to our federal clients who get sparkly eyed and think suddenly blockchain is a magic pixie dust solving DOD problems. So I can't say I completely agree with every nuance of that amusing illustration, which is a critique of the world of how we build software systems today that really rubs me wrong as a guy who builds systems that should work forever. But the subtext is this: when you touch the illustration, it pops this up in a little pop-up. "There's lots of very smart people doing fascinating work on cryptographic voting protocols. We should be funding and encouraging them and doing all our elections with paper ballots until everyone currently working in the field has retired." I agree with that. Now let's turn that into practice. Let's solve the damn problem. Here is what I say every time I go to Capitol Hill, every time I deal with my particular senators and representatives. Federal bills are mandating paper ballot records and risk limiting audits. Those need to become law.
We need to get at least one of those out of Congress next year so that we can get rid of all these DREs in the field and we can do risk limiting audits of every federal election in America. It's gonna be cheap. It's gonna be operational. There's already free software that does it. And moreover, the remarkable thing about it is that if we do risk limiting audits for every federal election in America, you have a trickle down effect and you automatically end up auditing all your local elections too. So you get those for free. Secondly, authorities and the public need to treat elections as nationally critical infrastructure. If we don't do it today, given what we've seen over the past two-ish years, we're hosed, period. New federal standards have to mandate that all elections technology needs to be secure. Right now the vendors are fighting tooth and nail that only voting systems must be secure. And they said, don't pay attention to e-poll books. Don't pay attention to voter registration systems. It's remarkable. They now demand that public evidence of correctness and security would be there. And cybersecurity professionals have to constructively work with folks so that we rebuild trust in each other. So to do that, spending has to change. Alex already made a big point of this. We're spending, these are actual numbers, approximately $10 billion on political advertising, TV buys, digital newspapers, for the single election in 2016. Greater than three billion a year on lobbying, well under 100 million a year on all cybersecurity and election in the entire country, and less than 10 million a year on R&D. How many orders of magnitude is that? You can do the math. It's ridiculous. So spending has to change. And the vendors have to change. The vendors have to change their attitudes. So since we're now a new vendor, here's my public declaration. And I challenge the other vendors to cut and paste from me, right? Steal, use this as you will.
Hell, we'll even come and work with you for free to help you do it. We promise to openly publish all our source code, all our hardware designs, under familiar and open source licenses. We already do that right now. You can go to GitHub. There's something like 20 odd repositories there. You can download stuff for free. And because of the brilliance of Colorado in deciding they would do the RLA with open source, you can grab that too. We will work directly with the authorities, potential customers, anti-customers, I don't care who, to understand the systems' features and to do as much security auditing as they want on those public artifacts. We will always directly tell the truth about our systems even when it's bad news and provide verifiable evidence for all of our claims about our systems. And we, starting next year, will start bringing systems to DEF CON to let people hack on one way or another. All right? So. And that's, and I should say, we have systems we can roll up right now to do that. We already have, for example, an open source implementation of the STAR-Vote system for Travis County, Texas, that you can download, install, and run right now and hack to your heart's content. I'd be happy for you to do it. So that's our public declaration. But most importantly beyond that is that we promise to always tell the truth and we always will provide evidence. And let's see if we can convince the other vendors to do the same. That's all I have to say.
So we are going to take a minute or two to just get the next presentation set up. While you do that, perhaps it will take a question, or just a moment to take it. Are there any questions? Yeah.
Are your other talks available online?
The talks were not recorded, but the slides are, some are available online and some are not. We have a repository of such things on GitHub and it's probably easier to point people to them. But yeah, that's easily done. Happy to do it.
I should say also every proposal we've ever written for authorities is public as well. Push that out of our, right on Twitter. Yeah, we'll push it out on Twitter.
That my phone has been counted. Are they actually considering any publishing and database contains all of the ballots in it? Maybe having a number on the audience ballot that I can look up in that database, we'll see if it's in there.
So your idea is, it's an excellent question. Your idea is at the core of how those systems work. There is a publication of every ballot in the election, but it's cryptographically encoded so that you can't sell your vote, you can't point to your ballot and the like. But it gives evidence to everyone of exactly which ballots are in the election. Moreover, you can add them up yourself. You can double check the count yourself is a core part of these cryptographic voting systems that were mentioned by Randall. All right, thanks for your questions. I'll be around until noon tomorrow and I have colleagues here with me if you wanna talk to them about it too. Thank you.