All right, all right, all right, getting ready for the next one, which is addressing the election security threats posed by very small jurisdictions. So we've gone from Bulgaria all the way back to the USA and the state of Vermont. So I'd like to welcome to the stage over here John Odom. He is the elected city clerk of Vermont's capital, and I'm going to say it wrong again, Montpelier. For seven years in this capacity, he has overseen election administration for the city. Apart from being elected clerk, John's worked in communications and IT for not-for-profits and political campaigns, and his work's been published in many different areas. And John's a heck of a good guy, had dinner with him the other evening, so let's give it up for John.

Hello all, I don't have any slides. I had slides, but they were stupid. I keep changing what I'm going to talk about, because this has been so great. I was here last year, I learned a lot. I'm learning a ton more this year, so I've been changing what I'm going to say every few minutes. First of all, let me make a point by addressing something. Why would I come to a hacker conference and embarrass myself by putting all my little certs after my name? Well, the basic thing is I cut and paste what I usually put my name on, and I forgot about it. But the point is that I've been talking about this stuff for a while. And I'd yell at whoever would listen. I didn't get taken seriously. As soon as I got letters to put after my name, I started getting taken seriously by authorities, by the secretary of state's office. I started being able to publish in Governing and HuffPo about this stuff. And in the true sense of "those who can, do, and those who can't, teach," it also got me a gig teaching malware forensics at the local university. So anyway, the letters come in handy. So, very small jurisdictions.
I capitalized that, VSJ, because it's on my bucket list to start an acronym somewhere, so I'm hoping it'll take. Micro jurisdictions, EMJ, that just doesn't work. What do I mean by very small jurisdictions? Well, it's smaller than whatever you're thinking, I guarantee. My own, you know, Montpelier is the capital of Vermont, and I have about 6,000 voters in my town. So as you can imagine, it's a whole different ball game for me than for a lot of the folks who come up here from jurisdictions of very large counties or very large cities. I'm doing everything. I go down to my one polling place and I'm checking people in. I'm dealing with registration; of course we have same-day registration, which by the way is a great defense against voter database hacking. But what I'm talking about is even smaller than that, okay? In Vermont, as in all of New England, as in Minnesota, I believe, and to an extent Michigan, our jurisdictions are municipal-based, not county-based. You get people up here, everybody's talking about county, county, county, county. County government, to a large extent, doesn't even exist in New England. So we work at the municipal level. And what does that mean in an incredibly rural state like Vermont? You've got municipalities with 50 or fewer registered voters, okay? I know in New Hampshire there are places with even fewer than that. It's a completely different dynamic. Now what does that mean on the ground? Well, think about who's running those. We're all municipal clerks. So the municipal clerk of, say, Victory, Vermont, and I checked on the database before I got here, I think they have 55 registered voters.
At levels like that, your municipal clerk is going to be, I don't want to be ageist here, but grandpa or granny, who don't know anything about computers, who maybe have their office open two days a week, whose IT support is their grand-nephew, who came in after high school and set up their Windows XP box sitting on a cable modem with, you know, out-of-date AV, and you get the idea, okay? Those people have the same access to the statewide voter database, the statewide voter system, that the election administrator in Burlington has. So I probably don't have to tell you what that means. You've got very unsophisticated people. You've got little or no protection. They are open to social engineering, to phishing, probably worse than just about anyone. So you get in there, you get into one of these systems. I mean, privilege escalation, it sort of goes without saying. So these are the weakest links in the chain. And it's a weak link not just against, you know, at that level, you know, we're always talking about state actors. Well, at that level, you've got, you know, the traditional malevolent hacker type, you know, the one who wants to cause trouble across the street. Made easier by all these folks. They're using wireless, blah, blah, blah, blah. But anyway, there are so many levels of threats here.

What do you do about it? It's a really hard conversation to have. People don't talk about it. And the reason is, it's just too tough. The rules are different at this quantum level. Okay, it's sort of like it suddenly becomes a Heisenberg-y uncertainty thing. Now, living in the upside down like this, it means we don't have a lot of the problems. I say we, I'm sort of living on the edge of that. We don't have a lot of the problems that folks talk about in elections. We don't have problems with confidence in our votes, because it's everybody's neighbor and everybody knows Granny, and there's, you know, our sense is that nobody's being malevolent.
We don't have worries about all the ballots getting counted, just because of the same reason. People don't sweat it. And I'm not saying we don't have a concern about this. I wouldn't say that. I'm just speaking in terms of the concerns about voter confidence and trust in the integrity of the system. You don't get disenfranchising from long waits. Now, you know, access, our disability access isn't all that great, but at that scale it's more easily addressed. This is an alien world to a lot of folks who talk about solutions. Those solutions just don't apply to us, okay? And what are the solutions that folks talk about? You know, I heard a lot this time, people talk about professionalizing election administration. What does that mean and how does it affect us? Well, you know, you've got folks like the Election Center who have certification regimes. I looked at that myself, and even me, and I'm not even at the Victory, Vermont level, I can't afford it. It's not in my budget. You know, it was great that I was able to afford the University of Minnesota's election administration certification. That's great. Most places can't afford that either. It's just cost prohibitive. Now, you hear a lot about peer support or what, you know, various names it gets called, digital defenders, okay? These are, you know, various states are implementing some form or other of IT tech support, or, you know, peer support where people are working with each other, they're holding each other's hands, they're bringing each other around to the latest best practices. That doesn't work when you have 55 voters and you don't have an IT department. That doesn't even work for my level, because most of the folks at my level, yeah, we'll have an IT person, but, you know, bless his heart, ours told me that he doesn't know anything about security. I know more about security than he does. So even at that level, it gets tricky.
Let's see, and, you know, a lot of those solutions are like, you know, you're bringing the peer down to help with the reading assignment when the folks you're talking to don't even know the alphabet yet. So this stuff doesn't work. Also, these small districts are very parochial. They guard their stuff, they have their way of doing it, and most of the professional development they get is from, in my case, the folks who are municipal clerks, they get their little bit of professional development from the professional clerks' associations, which are in the same boat, and they're all talking to each other. So that's trouble. So what do folks do? You know, what do states do? What can they do? They have trainings, they run trainings, either in person, maybe they're little online trainings, they do them once a year. They're the kind of thing that, if people don't understand, they're gonna glaze over, they're not gonna pay attention, they're gonna forget it the next day. If it's online, they're gonna be doing other things and just clicking through, and there's no follow-up. And I'm not knocking these states that do that because, again, what else are they gonna do? There's just no way to get to these people. Let me just throw out some of the other solutions that are up there. Help from the EI-ISAC. Again, you gotta have someone who knows what they're talking about. You've gotta have someone at that level who can take advantage of that system. Last I heard, last year, I'm the only, Montpelier is the only member of the EI-ISAC in Vermont, which is great for me because it gets me flown out to conventions and things and put up, I love it. And part of me hopes that other folks don't figure it out. But if there's not an IT requirement and interface with it, it doesn't do you any good. A lot of these places, they're using antivirus systems that may be out of date. And I probably don't have to tell a lot of you all in here.
I tell my malware forensics students, there are those who think we're moving beyond the age of the antivirus system anyway. At least, this is conservative. I have heard, and this actually came from someone at DEF CON last year and I can't think of who it was, an estimate that up to 30% of the malware out there in the wild doesn't have a signature for it. Which means they are, for all intents and purposes, zero day. That's conservative. I have read estimates, you know, 40, 50, even 60. And they're probably being a little hyperbolic. But the point is that an antivirus system is not enough in the best of circumstances. You know, these folks need an IDS, and that's something the EI-ISAC provides. They have this delightful IDS that they're getting out to voting systems. It's called Albert. It's got so many rules. It's crazy. They're constantly updating, and I don't know what kind of behavioral capacity it has. It might just be signature-based. But I looked, again, I looked into that for us. It is cost prohibitive. So once again, the problem is not getting down to this level. And the good ideas are really thought out and really designed and really implemented for county-level, large to medium jurisdictions.

So now I've been all gloomy, right? It's like, oh my God, what are we gonna do? I don't wanna be completely gloomy about this. I do wanna get the information out there because, again, it is tough stuff that people don't think about. I've sat in on a lot of these conversations and, you know, you mention it, people move on to the next thing because it's too hard. Now I think what I would like to see, and I've just started saying this so I haven't really thought it through well enough, I think these solutions that folks are coming up with don't scale down to that quantum level. Maybe they never will. Maybe what we need to start thinking about is starting from the bottom and scaling up. Get to that point where the solution can meet the jurisdiction.
And what's that gonna mean? It's probably gonna mean a thoughtful creation of publicly run wide access networks. Now, am I gonna sit here and tell you that WANs are unhackable, that VPNs are the greatest thing in the world, that they're not still susceptible to a session hijack and whatever else? No, of course not. But which problem do you want? Which problem would you rather have, and which problem is more addressable? And I think scaling up is probably a good idea. Now, some states are starting to do this organically. You look at sort of managed ISP arrangements which cover a certain amount of that for some of these small ones. I know that Google is pushing a product, at least in Minnesota, that would be a sort of collective election management system for some of these very small jurisdictions. Now, we gotta keep in mind public confidence. And I'm not anti-outsourcing. I mean, every time we turn on our computer, we're outsourcing to Microsoft, right? Or wherever, unless you're using a Linux box. But you wanna make it as public as possible so it's accountable, so that the folks who are professionally doing it are accountable to their jurisdictions, to their state. And you don't wanna invite the reputation of a place like Google, which is gonna be a problem, by giving them a position, I think, in managing our entire election structure. If we do that, then a lot of these great programs can be applied. And I think of another way to put that, or another example: you can pipe that training through a publicly divided, if you divide up your state into WANs, you can actually manage that training. You can create a system that includes roles, responsibilities, you know, you're running AD or whatever. You can have a thoughtful, you know, architecture, Bell-LaPadula or whatever you want. It just means that suddenly these small jurisdictions work like everybody else.
Now what I'd like to see also, beyond that, is taking some of the advantage, you know, we can do this in regular jurisdictions now, and eliminate some of this database single point of failure. One thing, most states, as far as I know, they're working completely in this statewide database. So you're already giving some of that responsibility to some vendor somewhere. And I'll tell you, with ours, I have dumped a lot of data and nobody's given me a call to say, what are you doing? But I think there's an opportunity here also, if we scale these networks up, to get hold of their own data and become the data owners and create a distributed backup against tampering with the statewide voter database. And we're doing this ourselves with a blockchain pilot project that CIPCA is doing for us, which just creates a verification against tampering at the statewide level for the data at rest. But at the end of the day, I think we're all open to suggestions. That's just the one that I just came up with recently as to how to address the security problems of these very small districts, because granny's gonna be there, grandpa's gonna be there, they're not leaving, they're not even necessarily trainable. They're never gonna have the resources to have adequate protection. They're never gonna understand that, and this problem will never leave there. Now, I've scared you all to death, I've terrified you, there you go, it's all doom and gloom, but yeah, that's it. I mean, if you all have any questions, yeah.

Well, attacks on the system in general, the short answer is I have no idea, and it's hard to get that information out.
I don't get much information, for example, from the state, unless the head of security there, who is one of my constituents too, comes in and sometimes we'll talk shop and I'll hear something about the latest attack that he's taken care of, but they're very tight-lipped, so I don't know. I do know that Vermont was one of those states that got hit by the SQL injection from Russia. I also know that at the municipal level, we've been hit by ransomware at least on a couple of occasions since I've been at this job. And I've only been at this job about seven years, but yeah, no, I wish I could tell you, I wish I could tell you. I'd be willing to bet yes, though.

Yeah, we are a paper ballot state and we're very proud of that. Maybe a little too proud. Of course, the problem with paper, how you hack paper, is you do subtle attacks so nobody thinks to call for a recount, right, and then the paper just sits in there.

Well, that situation doesn't worry me as much. I mean, below 1,000 voters, and we have a ton of jurisdictions below 1,000 voters, those are still hand-count towns. So, and that's pretty cool. And of course, municipal elections, they're all town meeting, not us. No, I mean, I'm concerned more about access directly into the voter registration database. Yeah, yeah, they have, we have a lot of access, I think in some ways even more access than we're supposed to. And so anybody who gets that kind of, those credentials, they're in, and again, I'm not really confident that they couldn't escalate their privilege, you know, even horizontally to get into some other towns. There was a hand over here first, I think. Oh, I think you were the next one. And then you, then you.

Well, I mean, we have a pretty comprehensive system we work in; again, that doesn't protect you from phishing and some sort of credential harvesting, which is really the big concern for me. There's also, you know, there's a political dynamic here.
It's part of the reason why it's hard to have these conversations, including with secretaries of state, is that they generally feel a vested interest in "everything's okay, I've got it covered, I know all about it." So you can only dig so far into it with them, unfortunately. I think a lot of the solution has to come, to an extent, bottom up, or at least somewhere in the middle over here.

Well, of course, at the municipal level, least privilege doesn't mean anything if you've got one person; least privilege is most privilege. Now, least privilege, well, yeah. Now that's something that really should be managed more at the statewide level, but again, if you start dividing into regional lands, then you can actually create some security policy at that level and you can manage it a little more directly, you know. So that would be something I would say, but it's not taken quite seriously enough. Next one's over here.

Well, I have, theoretically, I have read/write access to my particular piece of the database. I have read access all over the place, and if I'm thoughtful about it, you know, I dumped the entire statewide database just largely to see if I could, and as I say, I never got a call saying, what are you doing, we just had a large data dump. Now, you know, again, it's not as bad as write access, but I can get access to a lot of data when I'm not licensing dogs, and you know. Well, and that's actually something we're gonna start doing through this whole little, you know, discrete blockchain thing where we're gonna be grabbing our own data. Now I'm not, you know, I'm not a, you know, a blockchain junkie or an evangelist, but at the level we're doing it, it's a pilot project. It provides some verifiability compared to the statewide. Other systems can do that too, but since this is a pilot project, they're giving it to me for free. So anyway, we're gonna get into some of that kind of thing through that pilot. And I think if it works, you can apply that at different levels.
Well, at least I think we should have copies of our own, in our own jurisdictions.

So, yes, I know that guy. I used to work for the State Democratic Committee, so that was ages, decades ago, but still.

As far as I know, they never are. It's like the Alex system, which is the interstate, you know, the attempt to track voters moving from one place to another. I think there are 25 states involved with it. So if somebody re-registers in Kansas, we catch it in Vermont, or something like that. And the whole idea used to terrify me until I found out that they're dropping off their data. There's never a direct connection. Now there are a lot of other direct connections I'm worried about. States are connecting now with their DMVs. Some states are connecting their, and I'm talking about their secretary of state systems, not the direct voter database, but we're tying in our secretaries of state to DMVs. We're tying it into tax departments. So we're creating a wider and wider level of vulnerability, and it'd be nice to have that stuff discrete. And I've hit my limit. So I'm going to end it there. Thanks.
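The speaker describes a jurisdiction keeping its own copy of its voter records and a pilot that gives "verification against tampering ... for the data at rest." The following is an added example, written for this transcript and not code from the speaker, his pilot, or CIPCA: it uses a plain SHA-256 hash chain (a stand-in for whatever the blockchain pilot does) over a constructed, fictional voter-record export. `chain_commitment` produces a per-record chain plus a short head hash a clerk could record or exchange with peer jurisdictions, and `verify_copy` recomputes the chain over a later copy and reports the index of the first record that no longer matches. The record fields, `VT-` identifiers and the `voter-export-v1` domain tag are all assumptions made for the example.

```python
import hashlib
import json

# Constructed sample export. These are fictional records, not real voter data,
# and the field names are assumptions made for this example.
RECORDS = [
    {"voter_id": "VT-000001", "name": "Example Voter A", "precinct": "Victory 1", "status": "active"},
    {"voter_id": "VT-000002", "name": "Example Voter B", "precinct": "Victory 1", "status": "active"},
    {"voter_id": "VT-000003", "name": "Example Voter C", "precinct": "Victory 1", "status": "inactive"},
]

# Assumed domain-separation tag so a chain over this export type cannot be
# confused with a chain computed over some other kind of data.
DOMAIN_TAG = b"voter-export-v1"


def canonical(record):
    """Deterministic serialization: the same record always hashes the same way,
    regardless of key order in the source export."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def chain_commitment(records):
    """Return (per-record chain links, head hash) for an export.

    Each link is SHA-256(previous link || canonical record), so editing,
    inserting or deleting any record changes that link and every link after it.
    The head hash alone is enough to detect that *something* changed; the list
    of links lets a verifier find *where*.
    """
    links = []
    prev = hashlib.sha256(DOMAIN_TAG).hexdigest()
    for rec in records:
        link = hashlib.sha256(prev.encode("ascii") + canonical(rec)).hexdigest()
        links.append(link)
        prev = link
    return links, prev


def verify_copy(records, expected_links):
    """Recompute the chain over a later copy and compare it with stored links.

    Returns (ok, index): ok is True when the copy matches exactly; otherwise
    index is the position of the first record that no longer matches, or the
    position at which one copy runs out of records when the lengths differ.
    """
    links, _ = chain_commitment(records)
    for i, (have, want) in enumerate(zip(links, expected_links)):
        if have != want:
            return False, i
    if len(links) != len(expected_links):
        return False, min(len(links), len(expected_links))
    return True, None


def heads_agree(heads):
    """Given head hashes reported by several jurisdictions holding copies of
    the same export, return True only if they all match."""
    return len(set(heads)) == 1


if __name__ == "__main__":
    links, head = chain_commitment(RECORDS)
    print("head:", head)
    print("clean copy:", verify_copy(RECORDS, links))

    # Simulate a quiet edit to one record in a later copy of the data at rest.
    tampered = [dict(r) for r in RECORDS]
    tampered[1]["status"] = "cancelled"
    print("edited copy:", verify_copy(tampered, links))
```

The head hash is what a clerk would actually keep somewhere the database cannot overwrite (printed, mailed to a peer town, posted publicly); the per-link list is only needed when the heads disagree and someone has to locate the changed record. A hash chain detects tampering after the fact; it does not prevent it, which is why the speaker pairs it with the jurisdiction holding its own copy.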