 Good morning. So for everyone who saw our first keynote, we have a keynote by Tom Press. Tom is the chair of the Democratic Party We are thrilled to be able to have him here at DEF CON. Unfortunately. He's not actually at DEF CON For those of you in the political know, he is unfortunately at the Iowa State Fair eating way too much funnel cake But he has kindly agreed to call into DEF CON to do some remarks for us Which if you will bear with us one moment, we will try and get the Skype up and working. It worked Flawlessly this morning. That's a guarantee that will not work now Tom can you hear us? That I can't come to Las Vegas However, I did want to share with you what we at the DNC are doing to increase awareness around the security threats from disinformation We're monitoring disinformation and developing a program to combat these online attacks The basis for any such program is education and here are the three tips We tell campaigns to help spot manipulated videos online number one Know the source is it a reputable news organization? Do you know who posted it? Can you find instances of the clip or image from other reputable sources? If not, it may be fake number two Be skeptical of video you find online. Are there gaps or unexplained transitions in the video? If so, this may be a sign of deception Number three look for signs of the video has been manipulated Does the speaker's voice sound too low or are they moving strangely? Is there a limited or no blinking in the video? Is there inconsistent coloring or blurring? These all may be signs of manipulation We all have a part to play in stemming the problem of deceptive videos Researchers can use their skills to work with industry experts to develop tech to quickly identify the signs of manipulation Social media platforms can work to develop clear policies and technology that limit the prominence and damage deceptive videos can do and The media can help teach the public about the threat these videos pose While being careful not to feed the trolls and give bad actors the oxygen they crave It's not going to be outrageous videos of Will Smith as Cardi B or of still Sylvester Stallone as the terminator that trip us up It'll be something more subtle like a slowed-down video video Or even a deep fake of Tom Perez talking about cyber security So obviously that was not Tom Perez shocking But more exciting that was the chief security officer of the Demcrack party who agreed to let us video him for About an hour a couple weeks ago in order to do that deep fake So I would like to introduce now Bob Lord the chief security officer of the Demcrack party How many of you actually knew Tom Perez's name before today. Oh Wow, that's actually very good Okay, well, I won't use my next line Okay, but how many of you actually knew his voice I'll see. Oh, no, they worked there. No cheating cheating Cheating not good. Not good. So, you know, I think there's a whole bunch of stuff that is probably on your mind Like why is Bob up here? Why is he doing that? How long did it take? By the way, congratulations to all the people who had to watch hours of video of me Like reading my emails and you can probably imagine what a seesaws face looks like just reading emails and things like that Just doing it's you know, uh That's the sort of thing that they had to sit there and watch so they know my face better than I do. So anyway Why are we doing this? Let me back up a little bit and talk a little bit about our larger program So I joined the DNC about a year and a half ago and I worked at companies like Twitter and at Yahoo and so I was really quite new to the entire space of politics And it really is very very different. What people don't really realize is that the DNC is only somewhere on 200 people Something like that give or take so it's it's not really a huge organization I've worked in organizations where the entire security team is is larger than the entirety of the DNC And we sometimes forget that because it's on TV every night. So you sometimes misunderstand the overall scale So impact is obviously very great But the number of people are there is very small and what I found out when I joined is That Tom Perez the actual real Tom Perez not the fake Tom Perez the real Tom Perez Wanted me to not only work on the DNC to help improve cyber security But to really expand that out to the state parties because they're separate legal entities with their own funding their own staffing And then also the campaigns for the midterm. So I had to really try to figure out what on earth is Bob going to do To try to figure out how to improve security. So we did a number of things We stood up some webinars. So we taught them basic cyber security Which is difficult because I can't put agents on their machines to monitor what's going on and remember They're not remote offices, and I'm not headquarters So this is a real struggle for us to to try to figure out the way that we organize the party is actually very good For being nimble and making local decisions fast but in terms of cyber security it kind of works against us because Organizations with just a dozen people Not likely to go out and hire another dozen cyber security experts and IT experts So it's a real challenge to try to figure out how to nudge them along the path of being more secure One of the things that we did in the last cycle was we sent out like I said webinars We sent out newsletters email blasts when there was something that happened You may have read about one of the email blasts I sent out recently around a Russian app called face app why some things become Interesting in the in the press and others don't I I can only speculate but We do those kinds of things and then we also asked for feedback from people to say hey if you see something really strange Please report it to us because it may be more common than you think there may be other state parties There may be other campaigns that are experiencing the same kinds of problems. So we did all of that We organized our activities into three main buckets. So basic cyber security that makes sense turn on two-factor great Another one is not so intuitive which is around counterintelligence. And so the world is a very Interesting and scary place these days and so we're concerned about people showing up to volunteer for campaigns Who may not have the best of intentions? And even recruiting that would normally take place in person in the United States face-to-face in a bar You've seen the Americans that kind of thing But we're also concerned about Relationships that get spun up via Facebook and LinkedIn and things along those lines The third bucket is the one that you're here to hear more about Which is disinformation and so we started off last cycle with Inviting the social media companies to come in and talk to the campaigns and to the state parties But we really needed to supersize that For for the selection cycle. So that's what we're doing And we've brought on new staff and we're working on training and I'll talk a little bit more about that later so again, why would Bob bother to come out here and Video tape himself reading his emails for a couple of hours and you know a few things that I wanted to do One of the things I wanted to do is is show you a different kind of deep fakes So, you know, I saw people kind of nodding in agreement with what Tom fake Tom was saying because these sound like good things That we should be telling state parties and campaigns, but this wasn't especially funny Although it might be funny to have you know senior executive try to Skype in we had audio problems like that's a normal thing But really this wasn't that funny or dramatic. So this wasn't You know an impersonation of one Hollywood celebrity on top of another one This wasn't Jordan Peele being Obama. Those are funny This was different and this is the kind of thing that I'm much more worried about Which is not the big dramatic things of major candidates saying things But other people whose voices you may not know whose backgrounds you may not know And where you may find it very difficult to really put together the historical context to know that person would not have said that thing You don't know Tom's background You might know a little bit But you probably don't know enough about him to be able to immediately judge the kinds of things that he would or would not do Or say so this is kind of a this is a problem So the other thing is I wanted to be able to put myself out here in this awkward way to meet some of you So I need to be able to establish a link with the rest of the community that you all represent So I'm not a machine learning expert. I'm not an AI expert. I'm not a Sociologist or an ethicist, but there are people who full fulfill all of those functions here in this room And part of I think the thing that the real Tom wanted me to do is not just work to nudge People to turn on two-factor But I think he wanted us to be able to build much richer bridges with with the research and hacker communities So that's a part of why I'm up here And so I hope that we can begin a dialogue that will help us take information that you have that I do not and be able to Take that back to campaigns and candidates and to try to keep our elections safe. So I'm pretty pretty nervous about the 2020 elections. We we've seen a lot of little deep fakes here and there And I suspect it's not going to surprise you to say that I'm worried that things are going to get far far worse and far For far more nuanced And here's the other thing, you know, if you're studying the the world of ethics, you know It occurs to me that there are a lot of people doing a lot of really fun stuff with deep fakes I was watching a whole bunch last night and some of them are genuinely very funny and clever and disturbing and You know, I wonder to what degree creating and distributing these fun videos actually creates you know a second-order effect which Degrades the ability for people to tell what's real or maybe even it may cause them to not try to figure it out it may also cause them to Really start to distrust everything and so when they start to see real media if it doesn't agree with their existing Belief systems they may decide to simply tag it as fake news and inappropriately So I'm certainly not going to be the guy to get up here and say never do deep fakes But it's a question. It's an open question to what degree each of us plays a role in Creating an environment that can then be used by people with bad intentions or not I also want to take a moment just to talk a little bit about The the larger context You know, I've heard a lot of people ask me like oh tell me about how scared you are of deep fakes and I you know, I talked to them a little bit about that and You know, it's sort of like When somebody comes to a security person and says can you talk to me about security? We're so happy that they come to talk to us about security that will just answer the question like yay somebody cares But I think that the there's a larger context here that we should really be thinking about and deep fakes are just one of the things That we worry about so we also worry about the shallow fakes or the cheap fakes, which many many people here are probably Up on but you know, we've already seen all sorts of examples in the wild that are not deep fakes But they're very disturbing cheap fakes. So we're talking about doctored political videos So some things you may have seen recently so the sunrise movement splicing of conversation with senator Feinstein anybody see that Probably everybody come on. You must have seen it. It was everywhere There's the CRTV splicing of video of an interview with representative Ocasio-Cortez Representative gets asserting that women and children receiving money in Guatemala were Honduran migrants being funded by George Soros This actually got traction Isolated clips of representative Omar saying some people did something without the larger proper context These are just editing Tricks so deceptively edited a video of representative Omar saying that she supported Profiling of white males. There's another one which is Doctored videos of speaker Pelosi appearing to slur her words every one. I mean you must have seen that right? Okay, so what what sort of technology did that take I mean it didn't take see-way to do this, right? It was just I mean it just it took somebody with with some very light editing video editing skills So I do want people to be concerned about the deep fakes I don't want them to have the sense of fatalism like there's nothing that we can do about this But I also want them to understand that there are a whole host of things that we actually are very concerned about And we're seeing far more of those take root today, so we can't just focus on one without the other And those of you who are studied psych will know this far better than I do but When we start to see something and believe it and attach the label of truth to it it becomes incredibly hard to unseat that and so a special videos especially Implicated in this kind of thing and and there's some counterintuitive things like the more that we try to convince people That it's fake The more they double down on their existing beliefs and this has been studied widely and it can be replicated in university studies So it's it's very difficult for us to know how to attack it if we simply tell somebody this is a deep fake It may not even if they kind of understand what we're talking about It may not actually change their minds in any meaningful way So we've got some real some real burdens with regard to cognitive biases that that we all have and I think the people who are playing these games are very well whether they're well well aware of them by name or whether they're simply Able to harness these powers to to create this disruption Doesn't really matter, but they're but that's what they're doing So, you know, I think the stuff is is kind of new and so we we get like I said fixated on the the world of The deep fakes, but I was I was doing some research the other day and I saw a reference to Active measures people who knows what active measures are Come on, you've all seen the Americans. Come on raise your hands. So this is You know the Soviet active measures programs led by the KGB and other parts of the organization in Russia were really quite Effective and so these active measures were well documented in the 80s And I was I was looking at a few things and I saw a footnote that's referenced something from 1982 And I was like there's no way they were talking about active measures and disinformation and and forgeries back in the 80s Or were they so I wouldn't actually found the Senate testimony or the House testimony that was that was referenced and it was a CIA Deputy director who is literally laying out exactly what we're seeing today So he was laying out the ways in which they do it. This is a high priority of the Politburo at the time He talked about the funding models he talked about the ways that they had prioritized various kinds of activities and the the terminology was exactly the same that we see today and the the the strategy was exactly the same and You could literally take out The words KGB and put in FSB or GRU take out the word Russia Soviet and put in Russia and the sentence just would hold up So this for me was was sort of remarkable I'd sort of known of this but then actually seeing page after page after page of testimony was was really key And then I saw the second half of this huge document There were dozens and dozens of pages that were all real-life examples of of Soviet forgeries So these were documents that were Fake letters from President Reagan to some diplomat and they were fake And so the CIA had compiled all of these and put them into their into their record So forgeries are really nothing new and I guess one of my concerns is not just the deep fakes And it's not just the cheap fakes But it's the fact that this is part of a larger strategy that can be used against us And it's been going on for a very very long time longer than many of you have been alive And so I think by focusing on the specific tactics We're doing ourselves a disservice because we're going to be victimized by these kinds of things again and again Because we don't understand this as part of a long game so this is a long con and it has a long horizon and people are willing to invest many millions of dollars and many great experts from many different fields to work against us and It's of course not just the Russians There are whole sorts of other intelligence agencies in various countries that are going to be Doing the same thing now that we know that these particular attacks can work So what kind of goals do they have? Classic age-old goals, so they they want to be able to reinforce people's existing biases so if you can If you can present the right news to the right people and Convince them to double down on their existing beliefs rather than to try to understand what other people are saying you're making a big impact If you try to drive a wedge into naturally occurring cracks in a society Then you're going to be able to you're going to be able to move the needle so anything around Immigration or abortion gun control the environment racism any of these things are great fodder for somebody who wants to actively work against us and of course When all else fails just create some chaos, you know put up a disinformation campaign that tells people to vote from home by SMS Like this was a real thing that we actually saw this in the midterms. There was another one which was called the no men midterms So this was a campaign that was aimed at getting men to set out the election and let the ladies take charge This was a real thing And so we actually had to work hard with the social media companies to find these and try to stamp them out Of course they were already out there So imagine using a deep fake for something like this having somebody in a position of authority say something like this Even when you go back and debunk it people are still going to remember it people remember the false story They don't remember the retraction so What would we like to see well one of the ways that we approach this is we currently think of these things as Disinformation campaigns as cyber security problems Yes, it's a content problem too. So it's a quality problem. There are elements of that But at the end of the day, this isn't about people being wrong or being misinformed This is about an active attacker who's trying to do something against us And so this looks enough like the world of cyber security that we really want to find ways to work with people to come up With the right frameworks to understand them. So we sometimes call these our kill chain They sometimes are called attacker life cycles But we need to find ways to define these so that we can work against them find ways to prevent them or detect them And to respond and recover So there's one that we found which is called aim it which is the adversarial Misinformation and influence tactics and techniques boy just rolls off the tongue So anyway, this is an example of somebody who's a group who sat down and they tried to figure out What are the major stages in an attack when it comes to disinformation? And that gives us as you know, we the defenders an opportunity to figure out what it is that we can do against that I think we need more guidelines on what is acceptable editing practices You know the media are very quick to put up things that that they find online But some of them are more clearly doctored than others. And so I think Coming up with acceptable editing practices is going to be a useful thing People in this room are probably able to help with this next one A great deal, which is that we need better ways of detecting these deep fakes But detecting them is not enough. I think we have to detect them quickly So that they can be part of the initial news story And not something that follows on the next day And the other thing is even harder Which is that we need to find ways to make sure that people believe them and they trust these results I don't know how we're going to do that But I'm going to look to many of the people in this room to help figure that out And of course we need the social media companies to continue to find ways to slow the spread of disinformation And to really recognize that they have a role in either Uplifting or or pushing down this information disinformation as they find it There's of course a role for government and And finding a way to To really build out their programs. I think that's going to be key It's not clear who's really in charge from the disinformation standpoint these days And so I think we need to figure out What their role is too and then of course with the media we would like them to keep Improving their ability of educating people. I'd like to see disinformation that is Information that is known to be fake Or stolen or manipulated to be called out immediately and teach people to be more skeptical Then they have been in the past and then finally right now. I don't think there are a lot of deterrents So there's really no penalty for somebody who builds some of these things Maliciously and then spreads them around So why would they not do that if we tolerate it? When there are other kinds of Activities, especially when they're driven by an actual government We have techniques for holding them accountable for calling them out publicly for imposing economic sanctions There are all sorts of tools that that we have at our disposal We haven't really gotten to the point where we are able to hold people accountable and create those disincentives So that's those are some of the things that caused us to want to participate and to be here Today to learn from many of you and to help and give you the opportunity to see us as a possible partner in a way that we can Work together. So those are my prepared remarks and then if I don't know if we have time We can take a question or two. I think we have time for maybe two questions Does anyone have a question they would like to ask Bob? Yeah Yeah, so the question is was around The ethics of some of these these cheap fakes and labeling in particular So I think that there is somebody who's an ethicist coming up later today. I think I think that's right So I'm certainly not going to be able to speak as eloquently, but yeah labeling is a key thing So labeling something as known disinformation Seems like a key thing I would also want to hear from psychologists as to whether or not that creates a backfire effect Whether that actually has these unintended second consequences. So these are these are very good questions I would definitely like to make sure that anytime there is a A foreign government sponsored message that that's clearly labeled as coming from a foreign government that sometimes happens But not always So I think labeling is is probably very key But um, but I would want to hear from people who have actually studied not just the first order effects But the second order effects that's that's we're in new new territory here. So Definitely want to hear from some of those folks Right, so so the question is really around some of the other mechanisms, so I represent the dnc and so when I was talking about us I was um Somewhat talking about the democratic ecosystem, but I think largely as is sort of a proxy for the larger thing So um, uh, we don't have a lot of contact. I don't personally have a lot of contacts with the the folks at the rnc They they may have similar kinds of programs I just don't really know but the one thing I would also mention is that What we saw in 2016 were state sponsored attacks that had a certain flow to them What we're seeing now is that these playbooks are now Organically sprouting up in a lot of different places. And so there are americans who are taking some of these playbooks And and running with them too. So we've seen this this transition That's not to say that we don't worry about all of the other adversaries in cyberspace that we have We're definitely worried about them. They can definitely scale. They can definitely Be funded and they can definitely be Patient a lot of these activities take a long time to really terminate The one that the sea the kgb did in In the 80s One of one of the more impressive ones was one where they Planted a story. I think it was like in an indian newspaper or research paper or something like that And then they were able to wait and maybe nudge things a little bit here And then it started showing up in more mainstream newspapers and then eventually you can go find this online Dan rather is saying that there's concern that the cia may have been the originator of the aides virus With the with the goal of killing black people So this got from from that initial source all the way up So we definitely worry about the large nation states doing doing what nation states do against us But now we have the secondary problem where People are using that same playbook internally. So that's that's another set of headaches that we we have to worry about So unfortunately for time, uh, we won't be able to take another question. Uh, but okay bob. Thank you. Okay. Thank you