 Hi, I'm Bryson Bort and thank you for joining us today with the election security panel with the fence. This is a really romantic occasion, bringing this many federal agencies all together on one hand. The timing is perfect. There is a huge election coming up here in the United States in 2020. There are elections happening around the world and I think that's a key thing for us to understand is that while this panel is talking about the U.S. federal government, how we are responding to our American election, when we look at the broader forces that are aligned against democracy in the world, that all comes down to trust in the system for the democracy to work. And those forces are working against places more than the U.S. and so while this is going to be the U.S. government discussing this, I think citizens all over the world and hackers all over the world will be able to take something away from that. Just quick logistics, Q&A will be available through the DEF CON Discord. So if you put your questions in the voting village DEF CON Discord, those will make it their way up here to me on the stage and we will answer them as best as we can. Starting off, we have Cynthia Kaiser. Hello, I'm Cynthia Kaiser, I'm an assistant section chief with the FBI Cyber Division. And what that really means is I lead analysis among multiple threat groups for the FBI that includes election threats, mostly in the cyber arena. And that's by design. I saw what happened in 2016 and I knew that there was nowhere else I wanted to be and then working this threat as we came into 2020 and I'm really excited to be here with people that I get to see all the time I've been doing. So for the FBI and the election space, a good way to think about it is we're really focused on the threat. So we work hand in hand with our DHS counterparts and they're really focused on the risk to the systems, the remediation on those systems. But when it comes to the threat response of incidents or looking at investigations into malign foreign influence or investigations into election crimes like ballot fraud, that's where the FBI really plays into space. David Bordino from the National Security Agency. It's great to be with you here today. I'm an NSA election security lead. Most of you are familiar with NSA's mission, really divided up into two components, our foreign signals intelligence mission, which is all about figuring out what the adversaries are up to. And then we have the cyber security component, which is all about preventing and eradicating threats to national security systems and figuring out how we can protect DOD networks in the light. Really a lot of power from NSA comes with combining those missions, knowing what the threat is and combining that with the technical analysis and mitigations in order for us to be able to deploy those into unclassified space. From the election security standpoint, I oversee all the activities and partnerships that NSA has on election security. I also co-lead something called the election security group, along with Richard Hartman here, which we'll get into extra on the panel. And that's a joint NSA cyber command task force for protecting the elections. A little bit about me, I grew up in Chicago, that's what I'm representing here at the Miski Park, sure, no white socks. And I'm also into craft cocktails. I supplied a typical DEF CON tradition, a cocktail of Black Manhattan for everybody. And I'd like to give a shout out to Johnny and Carl for hosting me at cocktailcon this Tuesday. Really great event and a community in terms of getting the InfoSec community together. Talk about cocktails, talk about security. So I appreciate it and I appreciate the DEF CON folks for having us here today. Hey, I'm Joe Hartman. I command the Cyber National Mission Force, so part of US Cyber Command. As Dave said, I co-lead the election security group with him. And the election security group is really partnered with all the agencies you see represented here and others in defense of the 2020 election. We're the part of the US government that focuses on the away game. So we are looking at foreign adversaries, Russia, China, Iran, any other foreign adversaries who's attempting to interfere with our elections. We're looking for them in foreign space and we're partnering with DHS and FBI in order to ensure that we share information that we find abroad that makes us safer here in the United States. Really glad to be here today and look forward to your questions. My name is Maurice Turner. I'm Senior Advisor for the Executive Director at the US Election Assistance Commission. We're a relatively small agency compared to the ones you've heard from earlier today. But our mission is focused. We help make sure that Americans all across the country and all across the world have the ability to participate in elections, whether they're going to be in any one of the 50 states, six territories, or stationed overseas. So our focus is really how do we make sure that those voters have access to the polls and that they can vote safely, securely, and make sure that they're both counts. And I'm Matt Masterson. I'm the designated survivor that was held back from the federal panel. So if anything happens, we can maintain federal continuity of operations on election security. I'm in a secret skiff out in the Midwest somewhere. Appreciate the voting village for inviting me and the feds to participate. So thankful to Bryson for organizing. And I know we're going to address the question of what's the greatest area of progress since 2016? Where have we improved? I mean, the fact that you have a unified federal effort working to help support state and local election officials on this mission space, I think speaks volumes. I work for the Cyber Security and Infrastructure Security Agency, or CISA. I'm the election security lead there. Prior to that, I was a commissioner at the EAC where Maurice now sits. And before that, I was an election official in the state of Ohio. So come from an election administration background, have had to learn the intricacies of both CISA and the IC. And I'm so thankful to everyone sitting up on that stage for their patience with me and working with me and CISA to make sure we're supporting the almost 8,800 state and local election officials across this country, let alone the private sector that we work very closely with and members of academia and nonpartisan organization. Our focus at CISA is to get information, support services, everything from penetration testing to routine cyber hygiene scans, the incident response out to the state and local election officials to help support them and engaging with their voters. The reality is American elections are run at the state and local level. And we want to do everything we can so that those state and local officials can talk to their voters about why the process is secure and why they should have confidence that their vote was counted as cast. So really thankful for this panel and super excited to have this discussion today. Matt, that's a great segue. Trust is key to the infrastructure, right? The process for collecting the votes to determine our democracy starts with that trust and that begins with transparency and accountability. Which is why I thought it was so critical to have this panel here for the government to talk about, okay, what's happened and what have we done? So 2016 is when I think this really grew into the consciousness as a significant issue that everybody understood. What exactly happened in 2016 and 2018? Well, on the cyber side, in 2016, Russia compromised multiple different election networks that included a state network that included two counties. And as a part of that, we've assessed that they really sought to at least conduct reconnaissance against all 50 states to try to figure out where was most vulnerable and where they could get in. Now, we don't think they've had any effect on election. We have no information that they did and really where they were focused on, really couldn't have. But within that, it's obviously troubling because that's an attack on our election system since attacking critical infrastructure. And it's something that now looking at that and moving forward, that's why we partnered with everybody here to focus on how do we aid hardening networks so that can't happen and how do we work to counter adversaries so they don't want to do it and how do we ensure that we can be as transparent as possible. And that's included some various measures like both FBI and CISA will now tell a chief state election official if anything happens on a local election network. That's a change from 2016. And it's a necessary change for the transparency that you noted. I mean, I think Cynthia covered the cyber side pretty well from that one side. I think most folks are tracking the infamous Internet Research Agency control farm. So in terms of the social media operations that they were conducting in 2016 and 2018, also hack and leak operations that are always could be very damaging when we look at in terms of kind of evolution between 2016, 2018 and 2020, it was mostly focused on Russia in 2016. But the threat is broader than that. It's for 2020 we're looking at the spectrum of all of our adversaries, Russia, China, Iran, ransomware actors. There's more people in the game and they're learning from each other influences, chief game to get into now with social media. It doesn't cost a lot of money. You can try to wander your narratives online through different media outlets. So that's something we're laser focused on for 2020 as well. Yeah, Bryce, I think for us, you know, in 2016, election security really wasn't a priority mission for the Department of Defense. It just wasn't something that we had previously focused on, heavily involved in other operations. And so while we were focused on other operations, the Russians obviously focused on our elections. We learned from that in 2018 between Cybercom and NSA, we formed what was called the Russia Small Group, really laser focused on Russian interference in the 2018 election. You know, and for us, that never stopped. And so, you know, I got back to the command about a year ago of 2019 and we didn't start up, you know, this thing called the election security group that was already working. And it never stopped working from 2018. And we think we're in a much better position now, certainly than we were in 2016 or 2018. The big change from 2016 to 2018 and now in 2020 really started with the critical infrastructure designation that allowed all these federal partners to come together in a way that we'd be able to better protect our election infrastructure. And I think that that really is the key to all of this, which is information sharing, making sure that information is shared amongst agencies, but also to the state and local partners as well. The folks are actually running their own networks, their own infrastructure. And so that's where EAC comes in. We have relationships, we're building those relationships with the state and locals to make sure that they understand the information that's coming to them from their federal partners and that they realize that they're part of the solution to, you know, feeling information up to the federal partners is how this all works. It's not just keeping those information notices in a silo and keeping them at the local level. It's a sharing up and down this fact to make sure that the infrastructure is protected because it may not just be an attack that happens on a single state or a single county. That might be happening other places. And if we're not sharing information, then the partners don't know that that coordination is going on. Yeah, just to build off on what some of the other panelists have said, for me, the biggest change has really been that level of coordination and support with state and local election officials. As many people know, when the critical infrastructure designation was made in 2017, there's a lot of resistance, understandably, from state and local election officials and skepticism. And we sat there in 2018 and had relationships with all 50 states had information flowing. We're deploying Albert sensors. We sit here now on the brink of 2020. We not only have Albert sensors, so intrusion detection sensors deployed across networks in all 50 states. We have an ISAC and Information Sharing and Analysis Center with close to 3,000 state and local partners receiving information, pushing information back to us. We're now deploying endpoint protection in many of the states and across localities to have additional insight. But really that ability to coordinate across the federal government and push information back down to the state and locals has improved so much. The federal government I think is working in a way around election threat information that I don't know that it did around other issues. We are able now to take information and state and locals are sharing all kinds of reporting with us and push it across the interagency, the folks that you see sitting up on the stage here, and then push out alerts and warnings through the ISAC broadly to the community. And that's just a function that wasn't there certainly in 2016 and is really being honed and improved upon from 2018 to 2020 and that broad reach. And so that ability to really work with the election officials to understand risk, our risk understanding is much deeper than it was 2016 or 2018 to the point where as COVID has developed and kind of changed operations within elections offices, we've been able to be responsive and understand where the risk is shifting and try to help gear our support, our information sharing to understand that risk shift so that they can take appropriate steps to mitigate that risk and really ensure the integrity of the election and then turn around and message it to voters. And I think that's a theme you're going to hear throughout this conversation, really reaching that last step of talking to voters about their options, about how they can vote, about the process and securities. Really critical in an environment when we know adversaries are trying to undermine competence in the process. So part of what we've learned, which stems from the problem and a lot of what the solution has been, has been the designation of this as critical infrastructure, the federal collaboration. I mean, the fact that panel can like this happen where this isn't the first time you're all meeting each other. You all know each other pretty well, right? I was talking to Bryson earlier that I've been on panels before with people from the government who are all working the same issue and then you're meeting the person right before the panel starts. So when Bryson reached out and said, we're going to have a ban on election security and I asked, okay, who's going to be on it? And he started to tick it off names. And I'm like, okay, I talk to these people multiple times per week or sometimes every single day or multiple times a day. So it really just shows like how deep the collaboration is. I spent a lot of time in counterterrorism. You think that's a mission that, and it is a mission that the government rallies around but election security, I get exploded out of the water in terms of how much we all talk to each other. Right, I mean, there's no better example that this panel is a representation of what's already happening. This panel is not the thing that is driving it, right? We are capturing a moment in time of what's been accomplished. If we had tried to do this in 2016, we would have been spending the last 30 minutes all shaking each other. I'm like, oh, we're using it. What do you do? I think I've, what exactly is that? Tell us about the Midwest, Matt. Like, we've never heard of these things. Sorry, that was a shit. Yeah. Okay, and how information sharing isn't just sharing information, right? But the fact that the information is being shared so that missions are being executed. Things are happening with it, right? Those risks are being assessed. Those actions are being taken. And that is, I really like the way you phrased the show, right? We're playing the away game. I'll translate that for everybody. No, actually, why don't you translate with the away game? Yeah, so let me translate the away game at the end. I mean, if I could just talk about the collaboration and the relationships. And a good example is like the rehearsal that we did on Super Tuesday. And so look, I'm in the Army. I've been in the Army a long time, just like Dave. I spend a lot of time in the CT fight and a lot of times in panel rooms and places like Afghanistan. And we operate out of these joint operation centers, right? And in the joint operation centers, we're sitting in there. As you can imagine, we love flat screen TVs. A lot of flat screen TVs on the wall. And unmanned aerial vehicles are flying around in other collection assets. All that data is being pumped into the room where you're immediately able to make sense of it and then make decisions, allocate resources, sending forces, doing what? And Super Tuesday, if you walked into the room that we were using as a mission center, you would have seen Syracom personnel. You would have seen NSA personnel. And you would have looked in a chat room and almost every organization that you could imagine involved in the federal government is in a chat room. Okay, and they are talking about in almost real time, if something goes on on state election infrastructure in North Carolina, there is an unclassified chat going up to DHS who drops it in a classified chat room. You've got analysts from NSA and Syracom and other government agencies immediately co-ing their databases and then almost instantaneously providing information back that says, hey, this is something you should be concerned about or this is just normal traffic that we see on any day on the internet. It looks anomalous because we're paying a lot more attention to it right now because there's a distinct on Super Tuesday going on. At the same time, I've got defensive cyber elements that are sitting in things we call war rooms and they are waiting on a call. If there is something that happens that DHS needs help with, they are trained. They have collaborated in the past and we're ready to kick out a team out. Additionally, we have elements that are sitting over in other ops centers and they are prepared if we see an adversary that's attempting to do something in a field with that election, we have the ability to play the away game. And so we have the ability to go out in foreign space, look at what you're doing and we have the ability to make yourself feel good. And that's really the focus of what I think the federal government looks like from the local and state level all the way up through the national level to the Department of Defense. And for me as American, honestly, that was a pretty impressive experience. Take a slight turn from that. I think it is important to call out the collaboration that we have in the government but I think the other evolution that's occurred is the engagement with industry here, right? I'm sure we have a lot of people who are working for the federal government down in here and I think that's been a major component of the shift in posture. We have for election security, I mean, it's awesome when you're reading about disinformation networks being pulled out and social media companies, obviously the cybersecurity companies really focus on election threats and trying to hunt down adversaries and what they're up to. We can't do this mission without them and without industry help from state local office collection officials but also the cybersecurity companies and how we can feed off each other. We learn from what industry is putting out and hopefully we're providing value at and what we're putting out so people can leverage that in the systems and insights they have, right? Industry has a lot better insights than the government does in a lot of these cases. So they're a critical partner in this morning for sure. And I think that taking that a step further even that individual level collaboration, you know, not just a big corporate or a company collaboration with the federal government but people who call in suspicious information because they're worried about it and they call DHS, they call FBI, they call any of us and they are calling because they're worried and they want to do the right thing. And because those people call, the majority of the information that really we're able to get to state and locals since 2016, it's been because people called us, they've said they were concerned about something, we looked at it and we said, you're right. And we got it out to everybody. So there's this element of that corporate industry responsibility and collaboration. There's a federal government collaboration but there's that individual collaboration too with all of us that it really is working well together. Yep, Bryson, if I can just really quick on that. I think Cynthia raises a really good point that it's appropriate here. Just the fact that there's now a guide for coordinated vulnerability disclosure for state and local election officials. In 2016, as a member of the election community, I could tell you that was not a known commodity or something that they were even considering. And now we're progressed where folks like Jack Cable, who I know was on before, have built relationships with election officials, helped them understand the value of vulnerability disclosure and working with independent researchers and security experts in that way. The fact that private industry within the elections community is rolling out vulnerability disclosure policies and engaging in that conversation, not something that was going on in 2016. And so the multiple avenues of information, the multiple avenues of collaboration are really encouraging. I think we have a lot of ways to go. I think there's lots of room for improvement, certainly on the federal side to help coordinate on that. At the state and local level increasing capacity, the ability to intake and resolve and mitigate those vulnerabilities. But it's a drastic improvement from where we were even four years ago and really speaks to the professionalism of state and local election officials in particular who care deeply about the security of this process and their systems and want to find ways to improve and talk to their voters about the steps they've taken to secure it. Yeah, this industry and this community has really matured very quickly compared to some others. And I think it's a part due to events like this, like DEF CON where researchers are coming together talking about what's going on, where are their vulnerabilities, what are some ways we can fix it, taking a look at other industries like telecoms, aviation, things like that and getting those best practices out of the way kind of quickly. And as Matt was saying, it's because individuals care. And I think that that's probably the biggest part of this that I want people to take away from this is that elections happen in communities. I think that's really what it comes down to is everyone gets a sense of how important it is at the very local level. And all that builds up to build a sense of national urgency and importance about the issue. And to see the election officials really, get on board with this idea that they are part of the defense network to make sure that we don't have interference playing in our elections and to see them get educated on the issues and really try to convey their own sense of confidence in their systems because they know what goes into running an election. It's not all just about cybersecurity. There are administrative tasks they need to do. There are other tasks that some of them are even responsible for. And so they care deeply about elections. They wanna make sure that everyone who votes has a level of confidence that they can feel when they go into the polling place or when they mail in their ballot. So follow up questions to Maurice and to Matt. This follows from a question from Neil McFernan. And it is, we're talking to a very unique audience today, right? They are citizens of the world. They're American citizens, but they're hackers, right? This is the new system of the internet that's there to figure out what works best. And here's the thing. They're doing it today in the voting village. They're doing it on the technology. We talked about industry involvement. We have individuals willing to take their time to actually dig into the technology itself to understand what works and what doesn't because that gives us better trust in that technical implementation of the system. And so the full question here is, when would we start potentially having a prerequisite for entrance to the BBSG certification process that election system vendors adopt good vulnerability disclosure policies as called out today. So make them widely available for penetration testing. I'll take that since the EAC is in charge of the development and the approval of the BBSG. So those are guidelines that are used by states and it directs the manufacturers to meet certain requirements so that they build their systems in a way that is accessible and secure and usable. And so I think the idea of a vulnerability disclosure policy being part of that would really just be the codification of industry best practices. Now the manufacturers know that they are in competition to help bring a better level of security to these systems that are in use. And so I think that that's already happening. We've seen the fruits of that labor already. It didn't need to come from a federal agency to help the process along. So to answer Neil's question, it's already happening. And so as the industry continues to mature, I think that we'll see more and more vulnerability disclosure policies. And I'm hoping that you folks out there get interested in this sector and actually use them. Find that legal way of doing the research and then reporting it responsibly to make sure that the problems actually get fixed. This isn't about a big bug bounty that you're going after. This isn't about trying to embarrass anyone. This is about strengthening our democracy literally through strengthening our systems. Yeah, Bryson, just to add a little bit, Maurice really tackled the meat of the issue, but I agree. I mean, we have had several vendors, election system vendors come through our penetration testing process, what we call our critical product evaluation process up in Idaho. We have seen the private sector embrace that. Now we're starting to see, I think, the fruits of the work of not just the voting village, but the private sector companies to understand the value. And frankly, the marketplace dictating that improved security steps towards coordinated vulnerability disclosure processes are going to be good for business. And that's why you see a reflection in progress being made. The private sector is hearing from customers, is responding and I think will continue to see progress made on that level. I think one step we need to take, and I know the EAC takes this very seriously, and states need to be thinking about it too, but to the extent it involves equipment, whether you pull books or voting systems that they certify, you have to be ready to respond and adjust certification quickly, adapt to those type of processes. So I think we have a maturing to do sort of in the bureaucratic lane to make sure that we can support the private sector as they're changing and evolving and accepting this approach that we support them in our certification processes and the way that systems need to be fielded. So that all ties back to them. What is the threat? China, Iran, Russia have been mentioned. How are they a threat? What are they doing? And are they the only threat that we need to be worried about? I'll start with that one. I would say those are the main threats we're facing. Again, I think ransomware is like one of those wildcards out there that could be fielded by anyone. I'm theory criminal actors, et cetera. So I would say more to that. So for Russia, I think in terms of public evolution, what we've seen, we talked about the Internet Research Agency, what they did in kind of social media accounts and the troll farms. In terms of 2020, we've seen a shift more towards use of proxies. I guess I should maybe say intermediaries and when we're in a technology crowd instead of saying proxies. So, using, again, I mentioned before, laundering information through other individuals into the media space and the IRA, seeing that shift tactics. They had set up something in Africa I got on in terms of trying to have people there, trying to put stuff online, posting things about socially divisive issues, using covert influence websites to be able to get their narrative out. So that's kind of a shift attack that we've seen from Russia side. China, I think, scale is something that has been unmatched in terms of that. As a threat, both from a cyber standpoint and from an influence standpoint, certainly on influence, they've been very active in their region, Taiwan, Hong Kong. Then becoming potentially more aggressive in the US space is something that we need to monitor and be prepared for. But in cyber, for the China cyber threat, they're a little bit different in terms of the scale and the breadth of the targets they go after. Every US citizen is a target in China just because of the big data, PII that they're interested in collecting. Obviously, everyone's my IP threat, besides just the standard intelligence-type targets. I think that sets that immediately apart. And I ran just getting into the game too, right in terms of them trying to do social media influence and learning from what the other adversaries are doing. Yeah, so Russia, I would offer everyone, you should read the report that came out from the State Department a couple of days ago. 77 pages called Pillars of Disinformation about the various sites operated by Russian. Just ask yourself, why in Russia a country where few people read or write English? Do they continue to put out a tremendous amount of English-language news on these French news outlets? That really involved divisive issues that are US-based. And so, again, a tremendous amount of platforms that the Russians invest in. CNN ran a great news expose in April of 2020 about an organization that Dave referenced. So, 18 trolls in Ghana led by a guy named Seth Wiredu, who grew up in Ghana, educated in Russia, and appears to have been on the payroll of the Progosian Network. So, again, it's about a seven-minute watch. CNN did a fantastic job and that can just provide you some insight in what the Russians are doing there. And then, when we talk about private industry, whether it's Facebook, Google, Microsoft, there are dozens of articles about how these technology companies have identified this malicious behavior on their platforms that they're able to link back to the nation's state adversaries, Russia, China, Iran. So, I would tell everybody that there's a ton of stuff out there. I know when we talk to Cybercom and NSA, we want to focus on that classified cyber box, but I'll tell you there is a tremendous amount of great information already out there on the internet that can provide you a lot of insight. As Cynthia talked about, we, the US government, for you experts that are out there, if you see suspicious activity, tell DHS, tell the FBI, we the government will do something about it. If it's a domestic threat, those organizations will address it. If it's a foreign threat, they'll tell us. And I don't mean they'll tell us like six months from now. They'll tell us that day, they'll tell us early the next morning. We had an incident the other night that occurred at 1.42 in the morning, and about six o'clock in the morning, we had cyber teams looking at the activity. And so, again, for you experts out there, you know better than anybody else if something is weird is going on on the internet. And I would just ask you to share that and the way the government will take action. Yeah, I'd say too, just from a cyber aspect, because I know we're talking about a lot of the hacker community. Leveraging trust relationships, it's common technique, right? So some of these networks that they might be interested in are very well-prevented, just like the DOD, right? But companies sometimes outsource their marketing departments. There's other soft targets out there, I think, takes that could be lucrative, even from an Intel perspective. Think tanks do policy work for politicians. They have contacts with elected officials. So sometimes going outside the bullseye. And again, a lot of this is common techniques exploiting publicly known CVEs, password spraying, spear phishing, you name it. They're using Shodan, they're using Burp Suite. They're using those tools. They can get access to a network that maybe isn't inside the bullseye. Leverage that, leverage an account, leverage a network connection to get into the targets they're going after. And I think that's an important point, but that type of targeting hasn't really stopped from 2069. So spear phishing or looking for those networks that might be connected to the targets that they more desire, that's been continuing pace. And I mean, we're tracking a lot of incidents, even right now. And the good news with all those incidents is we haven't really seen any widespread impacts from those. But it's interesting because tracking a lot of incidents can feel scary, but it also gives me a lot of, it makes me feel better almost because I know that we're detecting every tremor. And that means we have a lot of false positives that we follow up on. I much rather that than not knowing things are out there. But it also means being a fuller picture. And part of that fuller picture, as Dave mentioned, is on cyber criminals and not just ransomware, other types of incidents as well and actors as well. And we really have to be on guard, not just if it's coming from Russia or China or Iran or a host of other groups, but a threat to an election network or a campaign network is a threat. And we need to be able to be really flexible in addressing that and getting in front of that head-on so that we can't make sure that come election day, we're not dealing with a lot of pop-up threats and we're spending a lot of time trying to figure out really what happened. Yeah, I think that access of cyber, the cyber threats and influence threats is a dangerous space. And we know about Hack and Leake and how that can impact potentially the voter populace in their opinions. But we were just talking before this panel, I think, in terms of using influence to make people distrust either electoral outcomes. So you could have a ransomware incident in a local network that actually doesn't even impact like the elections counting or any of that. But someone could then spin an influence campaign when that gets reported to make people think it has had an impact and then not trust the results. So then that's one of those things that I think is worrisome, even if the cyber attack doesn't actually have a measurable impact in terms of the conduct of the election or the voting tallies. But if someone's able to take that and then try to spin off the information operations and have an influence, that's not gonna be the case. That point I'd just like to drive home is that it's not just about what actually happened, where votes actually change. That's incredibly difficult to do at scale in a way that's undetectable. But if you can put that message out there that causes people to question and then their local election official picks up that phone call and they don't have a good response for it, that can be just as damaging. So that's why at EAC we feel so strongly about making sure that local election officials have the tools, have the training that they need. So we partnered with the Center for Tech and Civic Life, to actually provide that basic intermediate level of cyber security training so that they understand why is it important to have two-factor authentication? What does it mean to actually have a password manager so you're not reusing your passwords? These are all basics that most folks that are watching us right now are thinking how can anybody not know how to do that? So they should never have been taught that or if you don't have an understanding of the impact of that, then it might be too much work. But once you understand how much bad stuff that can actually prevent you recognize, it's actually not that difficult. It's actually pretty easy to use it if you are familiar with the tools. And then it gives you the confidence to stand up and say, you know what? Yeah, we heard about the ransomware or maybe we got hit with some ransomware but the town down the street. But we're ready. These are the things that we're doing. For us it's one of the things we're not gonna talk about, but here are some of the big things, the high level things that we're doing to be prepared so that if we do get a phishing email, we know how to spot it. We know how to stop it. We can recover from those backups if we actually do get hit with it. And so I think that's why it's so important that the local election officials have a little confidence that they can then reflect back on to their voters when it comes to elections. Yeah, just real quick on that, Maurice raises some really good points. And it's why we spent a lot of time at CISA on something we call the last mile project. Which is literally a poster project offering both risk assessment and then mitigation advice to the local level, almost 6,000 local jurisdictions, specific to their state and their jurisdiction so that they can not only take the steps whether it's multi-factor authentication or penetration testing or phishing campaign resilience or creating incident response plans which we've really focused on but then can go and talk to their voters and we've seen some cool approaches to this. We saw one state, the state of Iowa take their posters out to the state fair so that they could talk to their voters directly about steps that they were taking. We saw the state of Rhode Island work with their libraries to put it up in the library system so that they could talk to voters through the libraries about this. And in the end, I think Dave raises a really important point. There's resilience to cyber intrusion, resilience and the ability to recover from incidents but then there's the resilience that we need to install in talking to the American voter. We need voters that are prepared, right? That understand their registry, am I registered? What's on my ballot? What are my voting options, particularly amongst COVID so that they can have confidence on how they're going to engage the process? We need a voter that is patient that understands that perhaps election night results won't be as complete as what we're used to in a given jurisdiction and that the accuracy of the vote count is the most important thing regardless of the time it takes. And then we need a voter that participates, that engages. We need 250,000 or more poll workers across this country in preparation for November in the midst of COVID when we have poll workers that are gonna be unwilling to work either because they're age or high-risk nature. And so having people engaged in participating the rally for those folks that are listening and no one told me anyone would be listening to this so now I'm a little worried but anyone that is listening go sign up to be a poll worker if you want to understand the process. Matt Blaze hits this every time and he's exactly right. If you have questions, if you have concerns, if you want to help secure the process, start off by being an election worker, you're not going to get turned down, we need you. And it's the best way to learn where the resiliency exists in the process where improvements can be made in order to get involved. If you can't be a poll worker, if you can't take on that risk, there are opportunities to watch pre-election testing of systems. We run elections at the local level so you can participate directly with those who run the process. So go get your questions answered, go engage with them and see what kind of support they're in need of, in particular, serving as an election worker. It really is the best path to doing this and the best way to learn the process. But if we can have voters, voters are our last line of resiliency as Director Krebs says they're the ones that can really ensure a responsive resilient process when attempts to undermine confidence are there. There is no such thing as a secure system, right? We never hit the plateau where it's like, oh, we're good, we can all pack up, go home and take the next year off. So quick question from a lot of interested citizens who want to get involved ties to the fact around, okay. So you talk about detection being a key part of that secure system. Where exactly are they supposed to go to figure out where to say something? Well, you can go to your local FBI field office. You can go onto FBI.gov and find out contacts or contact our FBI side watch directly. And you can go to multiple other agencies as well because what we've really said is a call to one's called all. And that's how we are ensuring that there's that kind of information sharing across the board here. So there was, sorry, Colin. Yeah, I was just gonna say, Cynthia's exactly right. You know, first of all, if you know something within your community, engaging directly with the local election officials is really critical to help understand, did you actually find something or is this something they're aware of? Otherwise, the second part is engaging with your state officials. They're prepared to take it on. They're the ones that know the process, know their systems, can talk to the vendors if it's a vendor issue. And then the ISAC exists for exactly this reason as well. There's an avenue and it happens fairly commonly that if you report to the election infrastructure, information sharing analysis center or directly into CISA, we now have the points of contacts that we didn't have in 2016 to be able to get valuable information to state and local election officials so that they can take action on something that's identified. So there are avenues, again, the state and local officials know their systems. They're the best prepared to mitigate a problem. But if you're not finding success that route, that the ISAC, CISA, FBI field office are available to help you get there. And understandably, some folks may not wanna go to the federal government, which is why the ISAC really offers a nice safe place to begin that reporting. I'll offer up EAC as well. You can send an email to security at EAC.gov. Obviously, we have connections with all the manufacturers. If you're having trouble with a particular manufacturer or having trouble with a particular agency or your local official or in just not getting the response you want, we're happy to help facilitate that conversation. And just from a cyber-concept standpoint, one of the big changes for us is, we historically had been focused, working inside skiffs. And one of the things that we've really done in support of 2020 is, we have organizations now that live outside skiffs. They're on NipperNet or unclassified internet. They're in Slack channels. They're talking to FBI. They're talking to DHS. They're talking to private industry partners. And they're living in that same ecosystem that many of the folks that are listening to this presentation are. And so we have really tried to adapt some of our behavior. So we're able to, in real time, collaborate with our partners across government on a little different time schedule than would be a traditional military one. Because I know most of you are probably not up at 5.30 in the morning, just to frankly. So Bill Evanina, the director of the National Counterintelligence Security Center just recently put out an official statement today talking about the very threat that we're covering here. But all of the threats were basically laid out in an equal manner. Would you say the threats are equal? Which one would you say is the biggest in life? I don't think we need to take any of the threats lightly. I think the statement in terms of what you saw out there it lays out how each adversary is approaching the problem. Certainly Russia, China, Iran, they all have intent and they all do activities that they think are advancing their best interests here. So I don't think I would say one is scarier than the other per se. Certainly some of these adversaries are a bit more experienced at this in terms of the amount of time they've been working, doing operations. But from our perspective, I care about all those threats. I take them all seriously because again, some of this stuff is very cheap to get into and to execute. So I wouldn't do a value judgment on those sorts. I could agree more on that. And I think that it's really important to remember that our threat picture is always informed by what we collect, what we know, and we don't have perfect pictures in here too. And how we really have to approach all of this is what could be the effect from these various groups? What could happen closer to September, October? Because it still is a few months away and we need to be prepared for a lot of different things happening within that. And I put stuff again, it doesn't just have to be the big three. It can be other non-state actors or criminal groups and the like that are going to undermine people's confidence in our system. And really, if you ask me what the biggest threat is, it's being a constant grumpy or influence campaigns that are going to make people feel like they're less confident in our system and that's what people would vote less. And that's really where, you know, eyes do have a night. Hey, Bryson, just real quick. Everyone in the Fed room actually has to take a drink because the Fed said foot stomp. So that's actually one sip for everyone in the Fed room. Thanks. Here's. Matt, I can't help but feel like you're cheating the system a little bit because you don't have a drink. Oh, I've been drinking this whole panel. Don't worry, I'm good. Hey, put up or shut up. Show us your drink. It's in a water bottle, but it's vodka. So we're coming close to our end of time. So I want to ask a final sort of grab back questions to each of you and you have about a minute to respond. So you'll have people. You get a non-internet connected wand, a magic wand that you can wave. What is your one-way chain wand? Is that the magic? It is, yes, that is how it is wireless, but wired. And you can have one thing happen for your agency. Don't, this isn't reality, right? This isn't, oh, if only I could get that $20 million to fund that. This is what do you wish from a process perspective? High to that debt is, okay. So 2020 is almost Britain. The vellum ballots start in a month. People start voting, those start happening. 2024 is our next big one. What is one good thing and one thing we really need to worry about in the future in 2024? See, I feel like I'm through the shortstopping right next to you. I like you the most. Okay, okay. So thinking about what I really wish we had more of is I wish we had more people right now with the SIRS skillset that we could hire quickly and get them on so that we could just expand our scope and scale and speed at which we're addressing threats. And I think that that goes towards, we're putting so much of what we have against the election and I feel really good about where we're at on it. But what does that take away from some of the other, did that delay other work? And that worries me. And I'd like us to know that we have the people coming to us that want to do the right thing, that I want to protect America and have those skills necessary to be able to help us in that. As a look for 2024, what I want to keep. So I hope we keep the collaboration and the focus alive. In my way marks, I gave a real quick overview of what the FBI guys, but part of it is, part of that focused on cyber investigations, looking at influence. We developed the foreign influence task force and that effort I think has really helped us focus on, it's not just a cyber issue. It's not just a criminal issue. It's not just an influence issue. Like seeing how it all works together, internal, getting the China people to talk to the Russia people, to talk to the cyber crime people and looking at it as one threat. That's new within the federal government to really consider it in that space. And I want to keep that moving forward. I think that, yeah, that's the ideal. You asked like a spectrum of a few of them here. So, but yeah, and I hope we all stay in touch after we put this in our review mirror. If you don't stay in touch, then the next panel is gonna be more awkward. That's true. I think the wand and answer is pretty easy for me. Perfect insight and adversary intent and operations is obviously a great thing to have. Dave, you're not supposed to say that you don't have that. You know what I mean? So, I mean, that's just gonna be important. Hitting a little bit on Cynthia's point and going back a bit to a comment I made before in terms of working counterterrorism, a lot of times you're fighting the last war, right? Someone tries to blow up a plane with printer cartridges like the government swarms to figure out how to stop that, depending on the adversary who's on it. This same thing here, we've seen adversaries evolve. We've seen new adversaries come in. So, there's always, you know, worry about, you know, what you don't know, but what I'm confident in is that we are positioned, a lot better positioned now for agility in terms of responding to these threats because of the systems we've set up, the partnerships we have. That is certainly something for 2024. We need to keep building on and not losing sight of it. You know, when new problems come up, you know, not making sure this remains a focus, I think the DEF CON going village is very important to keep us running. We need people's help. From NSA specifically, you know, we have a much, we're investing a lot more in the White Hand brand, the White Hand brand, excuse me. But, you know, NSA, cyber, Twitter account, please go follow it. You're gonna see more good stuff coming out of that. But, you know, continuing to build on that could be a critical thing we're gonna invest in moving forward. I can't tell you how excited some of the people were in our building, like Lee Mayne, the cybersecurity advisory on the GRU, on the mail vulnerability, seeing, you know, at least five different cybersecurity companies take that information, pivot on the indicators in there in their own data sets, figuring out new things that you need to know about, you know, to cover more of adversary operations. So, you know, that got people excited with building. And that's something we do want to do more of. And I had, again, just hitting on that critical partnership and that dynamic of us, you know, using each other's information and building, you know, that security of the enterprise raising all those. It sounds kind of falling out, Ash, but I think it's really, really important for the program. Hey, Bryce, if I could wave a magic wand, I would wave it and we would get COVID-19 under control. You know, I just gotta tell you, there's great collaboration, but we could do so much more. You know, we could do so much more with our partners here. We could do so much more overseas if we could get the pandemic under control. So please wear your mask and help us do that. The second piece, you know, where do we see this in 2024? You do get past the questions, but I get to answer the question a lot. So, you know, I would rather focus on 2020. 2020 is not a foregone conclusion. We can have a safe, secure and credible election. You know, as an American people, we need to mobilize. You know, there are thousands of smart people, extraordinarily technically capable that are watching this session right now. Please go work at the polling stations. Please talk to DHS. Please talk to the FBI. Again, you know, we are all in. We've got thousands of people that are going to work every day in order to support a safe, secure and credible election. And I would just ask for everybody's help to do that. I like the restaurant, I really do appreciate that. It's a greater sense of where we all are in the world today. If I could weigh my magic wand on EAC, I'd say that we would be doing better to get the VBSG more flexible and faster responding. So this idea that if we can get you researchers interested in election infrastructure and discover those vulnerabilities, report them responsibly and then we can get the manufacturers to patch and get those out in the field and much faster turnaround. I really, I think we'd be in a much better position. We're working toward that. It's still a process that takes some time, but I think we can get there by 2024. And just to recognize that the federal elections are over two years, but locals are running elections every few weeks. And so there's a bigger stake at play because every election that's run is a chance to show that we can do democracy right. We're going to keep doing it and it's done very well most of the time. It's just those few times where those will take ups, we have some trouble and it starts to erode that confidence. So the better we can get at getting those patches, much better off the whole system will run. Yeah, so the magic one, I got two answers I think and I had the advantage of time, which is useful. The first is if there was a way for CISA to push out service agreements or whatever the case may be to upgrade election systems, not just voting systems where most of the focus goes, but election systems, including workstations off of outdated and unsupported software. I absolutely want to do that. It's not just Windows 7, we're talking older and it's not that the local election officials or state officials don't want to upgrade. It's that they lack either that the IT supporter resources and I'd love to be able to give that to them. The second is getting to 100% auditability across the nation and having efficient effective audits for 2020. We're gonna be upwards of 92 plus percent of audible records, but we need good efficient effective audits that are transparent. I mean, Neil McBurnett asked a question earlier, he's making it his mission in life to get to this and I so appreciate it. If we can provide that public that transparent auditing process, efficient and effective, I think it would be a real success. Looking forward, there's something in elections called the election wall, where you literally lack the ability to look past the next election, you try and you don't even know what life looks like beyond that. But if I had to really push myself through that, it would be increasing the amount of support resources and I don't just mean money to state local officials to help them meaningfully manage the risk to their systems and really take some of the innovative steps that they wanna take that they're unable to either because of a lack of IT supporter resourcing that otherwise would allow them to serve voters. And then finally, I know I'm cheating, but a more resilient American public, a deeper understanding of how elections work, a deeper understanding of what their options are, how ballots reach them or how they can interact with the process and then how we reach our final certified elections. Again, that prepared patient and participating voter is everything as we look at 2020. I feel the same way that as Bill has organized for DeafCon that I can't look past this weekend. So thank you to all of the panelists for sharing with your organizations and doing, I have to say it is a lot better understanding the level of collaboration, the transparency on the fallibility and the improvement and very much looking forward to what we can do. We are all citizens and our voices should be heard. Thank you. Thank you. Thank you. Thanks.