Mr. Halderman, professor of computer science at the University of Michigan, famous for inventing things like Let's Encrypt, finding the, there's more, but wait, there's more. Logjam, I love Buzzword Bingo, and ZMap, and now we're going to talk about American elections.
Thank you. All right, thank you so much. It's fantastic to be back at Congress this year. Two years ago, I was here with Matt Bernhard, one of my PhD students, and we gave an update about what happened during the 2016 presidential election. Today, a lot has changed and a lot remains the same, and I'm here to let you know what we've learned about what happened in the 2016 election and what we still need to do to make sure elections in the U.S. and around the world are well protected. So a quick flashback. On November 8, 2016, Donald Trump became president of the United States by beating some other person. Now, history quickly forgets the losers in presidential elections, and it really doesn't matter who Donald Trump beat because today, for better or for worse, he is the president. But how close was the election? President Trump likes to talk about how he won by a landslide. But actually, he was the fifth person in American history to win the presidency while losing the popular vote. In fact, his opponent received three million more votes in the election than President Trump did. How can that happen? Well, we have this crazy system called the Electoral College. And in the Electoral College, each state has a certain number of points, and Donald Trump ended up getting more of those points. But if we want to ask how close was the election really, well, that depends on the way each state allocates its electoral votes, and most are winner-take-all. So we might ask how many votes would, say, an attacker have had to change in the smallest number of states in order to change the election result, in order to, say, make it a tie instead of a win for President Trump.
And it turns out that if you look at the three closest states, they could be flipped with a very, very small number of votes changing. And changing just any two of these three states would have been enough to reverse the outcome of the presidential election. If we look at the next few closest states, they also have very small margins, and any three of these six states would have sufficed to change the election result. In total, just changing 27,500 votes from Donald Trump to Donald Trump's opponent would have changed the outcome of the U.S. presidential election. There were 137 million votes in total. That's a change of just 0.02 percent. That is a very close electoral result by even contemporary American standards. And that's why the possibilities of computer hacking, voting machine manipulation, information warfare that actually did take place, some of them in 2016, not only have the possibility to have affected the 2016 election result, but stand to have the possibility to affect future election results as well. And that's why election security is so important right now. But if we go back to 2016, when I was speaking here two years ago, the main thing I was talking about were recounts in three states, Wisconsin, Michigan, and Pennsylvania, that I and other election security advocates had a big role in orchestrating. Well, we realized after 2016 that this was a close and unexpected election result, but no one was going to go back and check the physical evidence of the votes, the actual paper ballots in any states that really mattered to make sure that the computer election results we had been told about were right. Well, when I and others pointed this out to the public, it resulted in an overwhelming show of support. And one of the third-party presidential candidates, Jill Stein, stepped in and had the legal standing to demand recounts in states where she stood for election, even though she had no chance of winning. 
And she raised, through small donations from the public, more than $7 million to fund efforts to go back and count and check the votes to make sure things were right. Unfortunately, a recount after an American election is a politically fraught process. And in all three states, we found opposition from the apparent winner of the election. We found challenges in the courts. And only one of those states, Wisconsin, ended up recounting all of its ballots and found no evidence of fraud. In Michigan, the recounts were halted after only a few days, with less than half of the votes counted after a court challenge by the Republicans, again, no evidence of fraud in the votes that were recounted. And in Pennsylvania, unfortunately, like many states, most of the state had no paper trail at all. There was nothing to recount. There were digital records in machines. The courts denied the Stein campaign the right to have independent experts examine the machines. And in very few of the places in the rest of the state, the small amount that did have paper actually did complete a recount. But still, there was no evidence of fraud. So in all, there is no evidence that hacking of voting machines, hacking of actual vote counts, changed the outcome of the 2016 election. But there is abundant evidence that cyber attacks of other forms had a major influence on the election, certainly could have a huge influence on future elections. And that's what I'm going to talk about today.
So first, looking back at 2016, in the two years since I was last here, we have learned a lot more about what really took place during the 2016 election, starting just January of 2017 when the US intelligence community, the CIA, NSA, and other three-letter agencies, who often in this community we don't trust, still came out and released a joint assessment in which they rated with very high confidence the conclusion that attackers linked to Russia were ordered by Russian President Vladimir Putin to interfere with the American election in order to weaken Clinton, boost Donald Trump, and discredit the electoral process as a whole. They called it a significant escalation of long-standing Russian efforts to undermine the US-led liberal democratic order. So where's the evidence that this actually happened, and what actually happened, according to not only the intelligence reports, but other information from other sources we can use to see whether it's credible? Well, what happened in the US actually looks a lot like something that happened in 2014 in Ukraine, where, according to other published reports, attackers linked to Russia engaged in a multi-pronged attack to try to undermine the presidential election there. They released targeted leaks of emails linked to the presidential campaign. They attacked the election commission servers in order to cause them to initially post the wrong presidential winner, and this was apparently detected and narrowly averted only hours before the winner was to be announced. And they orchestrated DDoS attacks to try to delay the election results. In the US in 2016, we saw a similar multi-pronged attack of targeted political leaks, trolling and message amplification on social media, and attacks against election infrastructure. So the targeted political leaks, you've probably heard about some of this.
You have emails stolen from the Democratic National Committee through a hacking campaign that involved two different Russian-linked military groups hacking into the DNC servers, installing customized malware, and exfiltrating thousands of emails that were then published by WikiLeaks. Later, John Podesta, Clinton's campaign chairman, also had his personal Gmail compromised. And Podesta's emails were similarly published by WikiLeaks. Whatever you think about WikiLeaks and government transparency, and I myself, I'm a huge fan of transparency, there's clearly something subversive and manipulative about just one side being targeted and being targeted by other foreign nations and having its dirty laundry aired for the world to see. This is subverting the entire notion of transparency, turning our need for true information about politicians against us and manipulating the entire process. John Podesta, since his emails were all leaked to the public, well, we can go and see the phishing attack email that got his password, and here it is. So this mail sent to John Podesta claims to be from Gmail, saying that someone has tried to sign in with his password and he urgently needs to change it by clicking here. Well, he did click there, and Russia got his password. We also see his staff talking about this email, and one of his staffers recognized that this was a phishing attempt and emailed urgently, telling John Podesta to change his password immediately. But he typoed. In dashing out this email, he wrote that this is a legitimate email. He's subsequently claimed every time he's talked about it, he meant to write illegitimate, not legitimate. Well, the rest is history. A couple of extra letters might have changed a lot. So beyond the email leaks, we've seen an orchestrated campaign on social media through trolls and false identities to try to manipulate people's opinions, to try to create political divisions between people, to try to amplify certain discordant messages. 
That could be a whole talk in itself, and I'm not going to go deep into the trolling and message amplification, but it's a subject that is an ongoing form of attack that, again, turns our tools of communication against us. People need to know whether the information they're reading is really what other people they know and are like them think, or whether it's being generated by bots, by attacks. This kind of artificial amplification and manipulation of messaging turns us against each other. Finally, and the category of attacks that I want to talk about most today, because I think they're the most relevant for our community, are attacks against election infrastructure itself, the increasingly computerized systems that we use to run elections, not just in the US, but in countries around the world. There were attacks against voter registration systems in states across the country, organized by the same Russian groups. There were attacks against companies that make technology used in polling places. In all, the intelligence assessment is that up to 21 states had their voter registration systems probed. Now, of course, how can you go back in time and know for sure that others were not probed, were not compromised? That's very difficult, even if you're, say, the NSA and are watching everyone's network traffic. However, we know that in multiple states, the attackers got in through SQL injection, through other attacks, and were able to steal hundreds of thousands of voters' registration records. More information came out later in 2017 through leaked information from NSA.
So, this woman, Reality Winner, an NSA contractor, leaked to The Intercept a series of intelligence assessments that showed the Russian attacks went even farther, that they executed attempts to break into the computer systems of at least one election computer software vendor, and then after breaking into their systems, started trying to phish their way into the computers of local election administrators, the people who actually run the technology on election day. For sharing this information with us, Reality Winner is currently serving a five-year prison sentence for violating the Espionage Act, but the information that she leaked has since been corroborated. In July of this year, prosecutors in the special counsel's office, this is the Robert Mueller investigation of Russian interference and collusion, indicted a set of GRU officers, Russian military officers, in conjunction with the voter registration system attacks, the theft of email from the Democrats and the attempts to indict local election officials. If you're interested in this stuff, I highly recommend you read this indictment. It's about 20 pages of very detailed information, asserting to, apparently detailing exactly who these people were, where they worked, what they did, step by step. Now it's scary to think that we might have such detailed information about crimes that took place in the past. It doesn't say how we learned, for instance, that this certain officer, Anatoly Kovalev, was working for Unit 74455 of the GRU at 22 Kirova Street building, the tower, and quite how he pulled off each step in the attack that's asserted here. But as the Mueller indictments advance, as the special prosecutor's case comes together, we're likely to learn a lot more. And what's to come in 2018 as the Mueller investigation winds down?
I think we're going to learn a lot more about quite who ordered what, about who in the United States was involved, and about whether the attacks went even further than we have so far discovered. So that's 2016, and what we've learned about 2016. But I'm here today to give you a progress report on 2018. So what happened during the 2018 election? Well, we saw several things during the November election this year. According to intelligence, once again, we have allegations of continued social media influence operations, this time allegedly linked to not only Russia, but China and Iran. Now, I think it's very difficult to independently comment and establish on whether these allegations are true, or even to understand the full extent of the social media involvement, because it's just a small set of large internet companies that have the raw data that we need to analyze. However, the best reports we have are these assessments from the intelligence community that the social media influence is ongoing. We also saw sporadic breakdowns of voting machines. Now, patterns of breakdowns of voting machines could be the indication of an attack, but in 2018, all of them seem to have perfectly natural explanations. In New York City, for instance, many optical scan machines broke down and jammed and caused long lines, but apparently it was because it was raining, and that causes the paper to swell a little bit, these machines to misfeed and so on. So this is probably just natural failure. We also had unfortunate human error. For not the first time, an election in Florida potentially had the result changed because of a very bad usability design in just the layout of the ballot. So in Broward County, Florida, 3.7% fewer voters cast a vote at all in the US Senate race than the race for governor. This was potentially enough because of the demographics of Broward to change the outcome of the Florida Senate race. Here's why, here's the ballot.
So this is the race for governor, which most voters filled out as you would expect. Right down there, underneath that long column of instructions is the US Senator race. So you imagine this ballot, it's much larger than a normal piece of paper. At the bottom of that is hanging off your desk as you're filling it in. I can see how 3.7% of voters might have completely missed that race in the first column. Finally, we had old fashioned political fraud. In North Carolina, a race for the House of Representatives was decided by only about 900 votes, but it's come out since then that operatives working for the Republican candidate allegedly stole or manipulated a large number of absentee ballots. And the candidate there hasn't been certified yet, likely won't be seated on time. There's multiple investigations going on into exactly what happened, but it goes to show you that political fraud is a reality. And even outside the domain of computers, it continues to this day. Now, if you can imagine an election can be changed by just a few people working on the ground, going around collecting people's mail-in ballots and promising to return them for them. Well, imagine what nation state attackers could do to a vulnerable and highly computerized online infrastructure. But on the whole, 2018 was, well, eerily quiet, but if we go back to 2016, so the US Senate Intelligence Committee, a bipartisan group controlled by Republicans in the Senate, issued its report earlier this year about 2016. They pointed out that they found that in a number of the states where Russia attacked the registration systems, the Russian hackers were in a position to, at a minimum, alter or destroy the voter registration data, which if undetected would have caused massive chaos on election day when people showed up to vote and were told that they weren't on the election rolls. But those attackers chose to pull, chose not to pull the trigger. And I think that's exactly what happened in 2018.
It was quiet, not because we've adequately secured our election systems, but because our adversaries this year chose not to pull the trigger. They're waiting for the bigger prize in 2020, when we're likely to once again have a close and divisive presidential contest. So, what do I worry about? What I worry about most is not the last war, registration systems, all of that, but the bigger prize, the 2020 election and the vulnerabilities in the way that we cast and count votes in the US. Now, I testified about this in 2017 to the Senate Intelligence Committee, and that's actually not me, that's former FBI Director Comey, but two weeks later I was sitting in the same chair with far fewer TV cameras and testified that the real lesson of 2016 is that the threats are real and that the attackers will be back. And this is the picture I painted. So, US voting machines have their own extreme set of vulnerabilities. I was going to bring one of these machines, an AccuVote TSX, with me here today. This machine is still used in many parts of the US, but my machine has been in Germany for about a week and FedEx doesn't know where it is. So, if it shows up, I'll have it somewhere for people to play with, but my advice is if you have to ship something urgent to Germany, don't send it via FedEx. What I would have shown you though is a mock election on this machine and the mock election I always like to do to keep it from getting too political is between George Washington, the father of the country and Benedict Arnold, the traitor of the American Revolution. And of course, everyone likes to vote for George Washington. But these machines are so vulnerable. So, I would have shown you an attack whereby I can compromise this machine and cause it to report the wrong election outcome without having any direct physical access to the voting machines.
Instead, all an attacker needs to do is be able to infect these memory cards that election officials use before every election to program the machine with the design of the ballot. That is, the races, the candidates, the rules for counting. If an attacker can infect the memory card, there are a whole host of different ways that the attacker can compromise the machine and install malware on the voting machine itself. There's an unauthenticated software update mechanism that can replace the election software. There are buffer overflows in the code that's used to read the ballot design and process it. Why, there's even an interpreted programming language that's used to generate the reports of who won. So, you can just replace the honest counting software with dishonest counting software right on the memory card, and that's what will get executed and determine the election results. Any of these ways would be sufficient. So, when the machine counts the votes at the end of the election, it prints out a little cash register receipt that becomes the official record of the result. That's controlled by the interpreted programming language on the memory card. And on my machine, no matter who you vote for, Benedict Arnold is going to win. And that's because the malware I install via the memory card is in complete control of the election results. And there are more problems than that. So, these voting machines, like the AccuVote TSX, have been studied by academic researchers, by independent researchers, by groups commissioned by secretaries of state in various states around the country. And every time the same machine is studied again, groups find new vulnerabilities. This is part of the table of contents from a report I helped author 10 years ago about the AccuVote TSX. And you can see just this is one page of several pages of vulnerabilities in this single machine. These things are so poorly designed, they're so complex.
Each of the voting systems has on the order of a million lines of source code. And that's on top of, in this case, on top of an old and unsupported version of Windows CE. There's no way that these things could possibly be secure. But the AccuVote TSX is still used in 18 states. In many of these states, it's still used with software that predates that 2007 report I just showed you. We've had known buffer overflows and other problems in this firmware for more than 10 years. And some states still have not updated the software. That's how bad it is. But it's not just that one machine. So in the US, every state gets to pick its own election technology. There are no federal rules that require states to do any particular kind of technology or testing. And you might ask, especially from the European perspective, well, why don't we just count votes by hand like a civilized country? Well, here's part of the answer. This is one example of a ballot from one part of the country. And it's eight pages long. We insist on voting for not only the federal races, but the state and local races and even city races. The joke is even for dog catcher. And this complexity, well, counting ballots by hand scales linearly with the number of questions. And our ballots, by tradition, are just too complicated to efficiently count manually. So we turn to computers. And about half the country, well, really, there are two different styles of voting machines that we use. Some of them are optical scanners where the voter fills in a piece of paper and it gets scanned in by a computer. The rest are touchscreen machines and others that we call DREs, direct recording electronic. On these machines, voters cast a vote on the screen. It gets recorded in electronic memory. Some of them will also generate a printout of each vote, but that's relatively rare. In many cases, the only record of the vote is in a computer memory. So in study after study, these machines have been examined.
And in every case for both the optical scanners and the DREs, where a machine has been tested by qualified people, well, it's been found to have vulnerabilities that would allow an attacker to install vote-stealing malware and change the electronic results, every single case. So how hard would it be to go from hacking these individual machines to, say, changing the results of a presidential election? Unfortunately, much easier than we might think. There'd be three challenges to doing this in a way that would likely be invisible. The first challenge is that the machines are, well, many different types. They're diverse, they're decentralized. Each state's system is independent and thank goodness because that means that we don't have just a single place you can hack into to change results nationwide. Unfortunately, because of our electoral college system, this diversity of technology can turn into a weakness in very close elections. So remember, I said that just any three of six states, for instance, in 2016 would have been sufficient to flip the outcome of the presidential election. Well, before an election, an attacker can scan all the states, figure out which ones are most weakly protected, and if they can find enough weakly protected ones to strike in, that could be sufficient to change the national results. So the attacker gets to pick and choose because our diversity of technology also means a diversity of strength and weakness. The second challenge is that, as election officials often point out, the voting machines aren't connected to the internet. Or at least they're not supposed to be. It turns out that some of them are because they upload their results over a 4G cellular modem right after election results are complete. But let's just suppose they're not connected to the internet. All right, turns out that's still not enough to protect us. So as I said, before every election, every single voting machine in the country has to be programmed with the ballot design.
And that ballot programming is created by election officials on a computer workstation somewhere, usually an old Windows PC. Those computer workstations can sometimes service an entire county, sometimes an entire state. Sometimes they're controlled by independent external contractors that can perform work across multiple states. And if an attacker can infiltrate one of those systems, they can spread vote-stealing malware on the memory cards to voting machines across the whole region. So how hard would it be to break into one of these systems? Well, in Michigan, my state in 2016, about three quarters of counties outsourced this programming to just three small businesses. These are 10-, 20-person companies operating in strip malls and so forth. The same companies that the jurisdictions buy their ballot boxes and "I Voted" stickers from. Here's the website of one of them. You can see it doesn't have HTTPS, has lots of nice high resolution photos of their warehouse in case you want to burglarize it. And probably most interestingly to an attacker, they have this nice employee directory with everyone's name, photograph, job title and email address. So if I wanted to break into elections in Michigan, I might start by say forging an email from Larry, the president there, to Sue, his administrative assistant, and say, "I urgently need you to open this file." After she does, of course, it installs my malware on their network. I'm in and one step away from the election programming system and spreading malware to machines across a quarter of the state. All right, there's one more challenge. And that's that today, more than 70% of US votes are recorded on a piece of paper. And this is great. This is much more than 10 years ago because officials have been listening to computer scientists and security experts who have been warning about the dangers of fully electronic voting. Now, paper might seem like a step backwards, but it's actually a pretty high tech way of thinking.
In any kind of critical system, if we can afford to have a physical failsafe in case of technology problems, it's a good idea to do that. This is why if you fly on a commercial aircraft, while it has a very fancy satellite-guided navigation system, but also by law, there's a magnetic compass in the cockpit. It's also why in your car, well, you probably want to have a mechanical linkage between the brake pedal and the brakes, just in case, well, you know. So paper can be a very sophisticated defense. It's relatively slow and expensive to tally, but it's something that's verified by the voter and that can't be changed later in a cyber attack. Meanwhile, we also get an electronic record from systems like optical scanners that's fast and cheap to tally, but unverified. As long as we make sure that these records agree, well, then changing the election result would require you to change the electronic record through a high tech attack and the paper records through a low tech attack and in a way that agrees. And that would require a truly extraordinary conspiracy. And to check that the paper is right, well, we have high tech approaches to that too. You don't have to count all of it. In fact, over the last 10 years, computer scientists and statisticians have developed very sophisticated ways of just spot checking the paper record to make sure that it's right. And these are called risk-limiting audits. A risk-limiting audit is a statistical process in which you can count randomly selected ballots until you establish with high confidence that hand counting all of them would determine the same winner. There are many ways to do this, but they all turn out to be or many of them turn out to be incredibly efficient. In a typical state with a fairly wide margin of victory, just spot checking a handful of ballots might be enough to establish with high confidence that the winner really did win by a landslide.
Of course, if the election result is a tie, logically you do have to look at all the ballots to establish that it is indeed a tie. So the amount of work you have to do depends on how close the election was, but in all cases, you can find an efficient approach to determining without trusting the computer systems that the paper really does reflect the true winner. Unfortunately, well, most states don't do risk-limiting audits. In fact, most states don't look at enough paper at all to determine that the winner of a close election was genuine. So hacking a national election would probably be easier than most of us thought. You can use pre-election polls and scanning to determine which states to target, hack into the election management systems in the most weakly protected ones, then infect voting machines with malware to change, say, a few percent of the vote. The paper records might catch the fraud, but you can rely on the fact that most states will throw it away without looking at enough of it to determine who actually won. And that's the sorry situation that unfortunately in 2018, we are still in. So since 2016, however, there has been a change in mindset. Increasingly, election officials have been listening to the scientific community when we say you need a paper trail and they're starting to think that that is correct. Almost all states that don't have paper trails today at least have people strongly advocating for replacing the equipment that's there. And most other states, well, they at least have people starting to look into the security and testing the security of other election-related computer systems like their voter registration systems to make sure that they're shored up. Now you don't have to take it from me that paper ballots and post-election audits are the way to go to secure our election systems.
Just this fall, the National Academies of Sciences, Engineering, and Medicine, the authority on scientific advice to government, released a report with their highest level of advice, a consensus report urging the adoption of paper and risk-limiting audits, pointing out that this is a pragmatic, robust and necessary defense for elections. This report was written in conjunction with election officials, people with experience administering elections. And it just goes to show you that at least the election officials who have taken the time to understand the threat are waking up and starting to pay attention to the path to a solution. The problem is that that solution will take time to implement. And if we look at which states still don't have a paper trail, turns out that there are 14 where somewhere all votes still aren't recorded on paper. And it's going to take between $130 and $420 million according to credible estimates to replace all the machines still in those states. Some of them, like Pennsylvania, are working to do that now. But in other states, there still are no plans in effect to get rid of the vulnerable machines. If we look at the national map for post-election audits, though, the picture is a lot worse. And this is what concerns me most. Although many states in 2018 did small pilots of risk-limiting audits, the majority of states still do not conduct audits that can rigorously guarantee the results of the electronic results of an election. And many still have no plans to do so in time for 2020. Because risk-limiting audits are so efficient, the cost for auditing nationwide is ridiculously small. It would cost, according to my estimates, less than $25 million a year to audit every federal race nationally, potentially a lot less than that. But it requires organization on the ground. And unfortunately in our system, operations on the ground are conducted by about 13,000 local jurisdictions on election day. We need national leadership.
We need much more dispersed expertise in order to get these protections in place. Because if you don't actually look at the paper, you might as well not have it in the first place. So this year did see some movement in Congress. In the spring, as part of the omnibus appropriations process, Congress gave the states $380 million in emergency election funding in order to start working to secure their registration systems and polling places. This was great in that it was money available immediately. And if you've been paying attention, getting Congress to do much of anything these days is pretty hard. On the other hand, the money came with very limited oversight with no standards about how that money should be used and isn't even enough to eliminate all of the paperless machines because of the way it's spread out amongst the states. But it's an important first step. We can look at a few of the states to see how they're doing. And I picked these as a representative sample of the diversity of progress. In Maryland, for instance, which until 2016 used AccuVote touchscreen machines, vulnerable to all of those problems I talked about, finally replaced the machines with paper ballots. That's a huge step forward. Unfortunately, Maryland, instead of auditing them by having people look at the ballots, decided it would be more efficient to audit them by having people look at digital scans of the ballots from the voting machines. As I think everyone in this room probably realizes, but maybe some in a broader audience would not, it's pretty easy to manipulate digital photographs. In fact, I have work from students in an undergraduate security class I taught this term, who implemented a machine learning algorithm that can take scans of ballots and just automatically change the marked results to produce whatever outcome you want. And we'll have more on that in a publication this spring. But unfortunately, these audits are security theater. 
They might catch human error, but they're not going to catch a sophisticated attacker who has the ability to manipulate how the machines are reading the ballots, can be easily fooled by malware. So I give Maryland on the whole maybe a C. Pennsylvania, another state that just two years ago during the recounts was practically a laughing stock of the country for its lack of paper records of votes and its Byzantine rules about recounting them. Well, today is making really good progress. This state recently committed to replacing all of its paperless machines with paper ballots in time for the 2020 election. And it's committed to implementing robust post-election audits by 2022. Unfortunately, 2022 is going to be too late to secure the 2020 presidential election. And this just emphasizes the need to get moving more quickly. There are also questions about whether the auditing regime they implement will be truly statistically rigorous. There are a lot of details to get right. But on the whole, Pennsylvania has made so much progress. I think out of sympathy, I can give them a B. All right, now let's look at a top performer. This is the state of Colorado. Colorado has become a leader in election security because not only does it have paper ballots statewide, largely vote by mail, which has its own problems, but that's a subject for later. But Colorado also was the first state in the country to implement these statistically robust risk-limiting audits statewide and has been doing it since 2017. They've got both of these critical protections in place. And yes, they actually do choose the random seed for sampling the ballots during the risk-limiting audit by rolling a set of 10-sided dice. So that's a great way to do it in a public ceremony. So Colorado gets an A. They're very well protected by these standards. Then there's Georgia. So Georgia in 2018 voted statewide with the AccuVote TSX voting machine, the one that FedEx has that I've hacked. 
They haven't updated the software in their AccuVote TSX machines since 2005. And they claim that the machines and their election programming systems are air-gapped, but during a court hearing about this earlier this fall, their head of elections described that their system was air-gapped. Yes, it's perfectly secure. It's air-gapped. The only way you can get into it is through the bank of modems attached to it. It's air-gapped except the bank of modems. Also, it turns out he programs it by moving a USB stick back and forth from his personal laptop. Hi, Georgia also, of course, doesn't have robust audits because, well, meaningful post-election audits would require a paper trail and none of those machines have paper. This alone would be enough to give Georgia an F, except there's one more thing. Their voter registration system also was shown in 2018 to have some problems. So you're not gonna believe this story. One more story. So in Georgia, they do online voter registrations through a website, and in 2018, just a few days before the election, the Georgia Democratic Party learned from one of its, from someone working for them from a volunteer about a series of vulnerabilities in this voter registration system. Well, it turned out that you could read and manipulate anyone's voter registration records just by changing a sequential ID number in a particular URL. There was another URL for viewing a sample ballot that if you just changed the path of the file it pointed to, you could read any file in the server's file system. Well, these are pretty bad problems, right? Even though Georgia apparently had gone through the process of having a security assessment of its registration system performed and didn't catch these. Well, so the Democrats, less than five days before the election, learned of these problems and disclosed them to the Secretary of State's office, which is responsible for running the election system. 
Their Secretary of State, Brian Kemp, who also it turned out was candidate for governor in a very close race. So not only was he running the election system, but he was the candidate in the most important race in the state where the polls were projecting that the election was going to be a dead heat. So an hour after receiving the security disclosure, Secretary Kemp's office put out a press release with this headline, that after failed hacking attempt, they're launching an investigation into the Georgia Democratic Party, and they've called the FBI on the Democrats. So Brian Kemp won the election and is now the governor-elect of Georgia. So this guy who did so well handling the security of the voting system while he was Secretary of State is now the head political officer of the state of Georgia. I think Georgia's F just might stick with them through 2020. So, thank you. So there is hope though. I wanna end on a message of hope because despite this, with all of these different levels of rigor and of readiness across the different states, I believe we need more national leadership, national standards and national resources turn into securing elections. And a bill to do just these things made a lot of progress in the Senate during the past term. This is a bill called the Secure Elections Act that was introduced by Senators Lankford, Republican of Oklahoma, and Klobuchar, Democrat of Minnesota. And it ended up gathering a large number of bipartisan sponsors split evenly between Republicans and Democrats. It would have required states to adopt paper, to adopt strong audits and to adopt stronger information sharing practices to let each other and the federal government know if they saw signs of people trying to break in. This bill made it a long way, but unfortunately got stuck in the committee after some opposition from the White House just days before it was going to be marked up and hopefully then make its way to the floor. 
But this shows that bipartisan cooperation is possible even in this Congress and that there are a lot of serious people who now realize that election cybersecurity is a matter of national security and defense. I think in the next Congress, there's a good possibility that we will see effective legislation to provide national standards and leadership for elections, but it's a question of threading a political needle and getting Congress to act. So to defend our elections, we don't need rocket science. We need simple steps like applying security best practices and expertise to secure registration servers, adopting a paper record of every vote and applying simple post-election audit techniques to make sure the paper record is right. If we do these things, well, we'll have a much more robust and evidence-based election system that can detect and recover from attack attempts. Unfortunately today, our dialogue about elections isn't based on evidence. It's largely based on faith, on faith in the democratic process, on faith in the people and the technology that's responsible. But I think voters deserve better. Voters deserve, if they're reasonably skeptical, to have it proven to them that the election result was right. And that is possible with simple and practical technology that we have today. All it's going to take is national leadership to make sure that all states, even states like Georgia, adopt the necessary protections soon. So what can you do? Well, as a hacker or a computer scientist, you can work with your election officials to help explain the technology, the threats and the defenses. You can work to explain the threats to the public because we all need to understand, just as a matter of modern civics, how elections can be attacked and defended. You can work to build better ways to use technology to make voting on paper easier and more efficient. 
Well, technology can help voting in a lot of ways, just we shouldn't trust it as the only way in which votes are counted and results are determined. And as a citizen, well, you can demand that election authorities implement paper and risk limiting audits, get involved through activist groups to help campaign for protections like this. And especially please urge the US Congress to pass legislation like the Secure Elections Act and similar bills to make sure that election systems across our country achieve these security properties. You can learn more from an online course I have for free on Coursera called Securing Digital Democracy that provides several weeks' worth of material about the history and the technology of election defenses. But we've got to get going. It's only been two years, believe it or not, since Donald Trump became president. And it's only about 22 months until the next presidential election. It's time to get moving. Thank you.
Thank you very much. What I got from this talk is it takes 27,400 people. So we have to scale up Congress. We're gonna do a Q and A. And I think we'll just start with mic number two because I can see that one.
What if someone targets the...
If not, we need mic number two live.
Oh yes, so definitely you need to have secure randomness in whatever auditing method you're doing if it's going to be via statistical sampling. That's one reason why the auditing techniques that Colorado practices, they actually have a public ceremony in which officials throw dice in front of TV cameras in order to pick the random seed. But a lot of thought has to go into designing that process well so that it's not only truly random, but also something that people can know and believe is truly random.
Thank you. Okay, mic number six.
Thank you so much for the talk. You spoke about how in Georgia the disclosure of vulnerabilities was punished almost. Is there any talk or movement towards having something like bug bounties for election systems? 
Yes, in fact, there is another bill that was introduced in Congress that would do just that and establish a kind of bug bounty program. I'm not sure that that idea yet has a lot of legs, but I think it would help. I think right now though, we don't really need all that much more incentive for people to want to try to help secure democracy. A lot of people, including I'm sure a lot of people in this room would gladly volunteer to do so. We need a way of organizing that effort and making sure that people can discover and report problems without fear of having it turned into some political weapon to be used against them.
Mic number one.
Yeah, hey, thanks for the talk. Like the case in Georgia doesn't sound that terrible because like in Lithuania a couple of years ago we had this issue where you just didn't need to change the URL. You just didn't have to refresh the page and here you go. We have the information about different citizens. My question is like, what if the paper trail leads to the knowledge that the election was rigged in some particular area? Like two years after the election or like one year after the election, what happens then? Does it change anything?
A year or so after an election would be a great catastrophe if we only learned then that the political leaders were not legitimately elected. We don't really have any precedent for that. That's why the recommendation and what some states like Colorado are starting to do is they're implementing stronger audits is to make sure the audits are completed as soon as possible. Ideally before the election result is certified. I recently came out with a paper with Philip Stark and Ron Rivest that gives an audit system that you can start doing even the moment polls close on election night and perhaps have in a not so close election a full complete audit by the time results are announced on election night. So it's possible to do it quickly with sufficient organization.
Okay, mic number eight. 
Hi, I'm curious about the attribution of the attacks. Is there possibly any instance at which you would be not sure it was Russia that performed the attacks or maybe it was China? So how do you know that it is exactly Russia or China or India?
Well, so all we have to go by really is the assertions of our intelligence agencies in the US and in some cases like for the Democratic National Committee breaches the assertions of private security firms that were involved in the investigations. And I agree with you attribution in general is a darn hard problem. But if you're willing to accept the credibility of the intelligence reports and read between the lines just a little bit it looks like the basis for their attribution is largely not technical but based on intercepted communication of people who were involved in organizing the attacks in Russia. And I think more information about that is likely to come out as the Mueller investigations proceed. So I mean, there's some necessary grain of salt and you can see what incentive people might have to try to trump up so to speak the involvement of Russia. But you can also see in the current political climate why at least the executive branch would have a reason to try to tone down allegations of Russia's involvement. So you'll have to interpret the weight of the evidence as you will.
Okay, the last question from the internet. We're running out of time, sorry.
Has any organization or group unveiled a voting machine designed to address all of the security issues that you have brought up here? Is there a solution to the problem?
I'm sorry, could you repeat the beginning of that question?
Has any group or organization unveiled a voting machine that is designed to address all of those security issues that you have brought up?
Okay, so there are efforts to develop voting machines that are based on open source software that are based on better validated software. 
Ben Adida, a researcher in this area who has done a lot of great work is one person who's recently launched an effort to do that, although there are others. And I think that will help. But at the end of the day, I think however well designed the software in our voting machines is that can raise the bar for attacks, but it's never going to be enough to also be able to convince skeptical voters that everything is okay because, well, among other things, how do you know that that software is really what's running in the machines that are counting your votes? So there's a lot we can do to make voting machines better. At the end of the day, they're also going to have to have that paper trail and those statistical audits so that everyone can believe the results.
Thank you very much. That concludes the talk. Thank you. I think you'll be around for a few more answers.
I will.
On the Congress, so everybody who's here can ask questions in person. And hopefully tomorrow, there'll be a Diebold voting machine somewhere around here for everyone to hack themselves. Thank you again. Let's hack that thing.