Hello everyone, my name is Jack Cable, and I'm Alex here. We are both election security technical advisors for the U.S. Cybersecurity and Infrastructure Security Agency, also known as CISA. CISA is essentially the nation's risk advisor. So in the case of elections, we advise state and local governments on how to conduct elections securely. We also provide cybersecurity services to assess their systems and ensure that they are secure. So our goal for this talk is essentially to explore how election security has changed since March with the pandemic, because of course elections are going to be looking a little different this year, with an expansion of mail-in balloting across the country, a reduction in polling places due to poll worker shortages, where we're seeing consolidated polling places, and of course in-person voting is going to have to operate much differently so that it is safe with the pandemic. So with all of this compiled together, we want to think about how election security changes and the steps that we're going to explore today.
Thanks for the intro, Jack. So what we'll do first is sort of talk through specifically why this election looks different than any other election we've had before. So the first thing, and this has been publicized quite widely, is a lot of the country is moving towards mail-in balloting as a stable option for everyone. So you're going to see a large increase in the folks who decide to exercise their ability to do mail-in balloting. So what this means operationally is, well, some states already did a lot of mail-in balloting, like California or Washington. For some states it's not part of their tradition for the most part. So that is changing with this pandemic, and so you're going to see a lot of states ramp up their capability to provide mail-in balloting quite quickly in the coming months. They already have the summer, and also in the lead-up to November.
So there's a lot of specific infrastructure that's specific to mail-in balloting, and Jack's going to go into that later, and so these systems are being introduced quite quickly and potentially there are going to be some ramifications of that. A second component here is in-person voting. As Jack mentioned before, it is going to look quite different this year than it has in the past. And what that means is, you know, for example, there's quite a shortage of polling place staff, and the reason why is that a lot of the folks who staff the polls for the most part are elderly, and with COVID-19 there are heightened risks associated with that. So there are some estimates that 500,000 to one million new poll workers will be required to staff this election. In addition, shortages like that and other sorts of resource shortages because of the pandemic are going to require consolidating polling places significantly in some places, and what that means is a lot of places are moving to more of a super center model, where sort of a city stadium or some similar large public place will be used to allow for social distancing and also just simplify logistics significantly, and so that looks quite different. So the big tagline here is, for the average voter, what this means is there's probably going to be quite a bit of confusion with regards to how this election will work, what is and is not safe, what is and is not valid, and so with that confusion, as we've seen the past few years, what happens is disinformation risk significantly increases. People are more likely to think something isn't valid, or something that might be false is actually true, or vice versa, so there's just going to be a lot of confusion going on, and so we think that increases the risk of disinformation regarding the voting process. And so now Jack is going to go more into the specifics of these changes.
Great. So yeah, as Alex said, just to explore some more of the specific areas of technology that are being expanded out or, say, remain important in some significant manner. In this slide we won't be talking directly to the risks; we'll get to those a little later. But this is just to lay the groundwork for what types of technologies we can expect to be used for the 2020 election, recognizing that it is going to be conducted differently than other elections in the past. So the first area of technology is voter registration systems, which are used to track who's registered to vote, say their address of registration, and other information associated with that. Of course these systems are nothing new. They've been used for years, and even play a large role in in-person voting, when you show up to the polling place in order to check your name in the poll book, in order to make sure that you're registered to vote. But the role that they play in mail-in elections is a little different, because now they are used as a source to either determine where mail-in ballot applications are going to be sent or where mail-in ballots themselves are going to be sent. So the security of these systems is going to be integral to ensuring that the election can run smoothly.
Other voter-facing online systems are also key. We're seeing expansions of different systems related specifically to absentee ballots, for instance portals to request an absentee ballot or to track your ballot. A lot of these systems either didn't exist before this election or existed but were used in a lot smaller capacity, so we can expect all these to have increased load and, as a result, increased cybersecurity risk associated with them. And then of course there are other voter-facing systems, such as election night reporting, which will remain key throughout the election as they have in the past. Then the third point is talking specifically to the absentee ballot pipeline. So this isn't necessarily what is actually facing the voters, but rather the technology that's going to be required to conduct a primarily mail-in election, which is what many states are shifting towards. And this will require anything from the ballot printing and distribution process, and vendors in that, in order to ensure that people actually get their ballots and that they are correctly coordinated, along with processes for ballot return, verifying voters' signatures, tabulating ballots, scanning them. All this has to be conducted, and for a lot of states this will be an additional challenge because, like Alex said, we're seeing perhaps in some 10 times as many mail-in ballots compared to previous years. And when this happens there's an increased risk, say, for technology strain, just because in a lot of cases there's limited technology to process these ballots, so it increases the possibility that some technical error can occur. So that's just kind of laying out what is going to happen and what technologies we're seeing rolled out, and we'll get more to these specific risks in a bit.
Thanks, Jack. Yeah, and so now talking more about the specific risks here. So obviously with any technology, it could fail, right? Each of these technologies is meant to do a certain thing, and they're part of a pipeline. Any of them might be hacked or fail. So, you know, traditionally when we think of election security we think of hackers. You know, what can hackers do? How can they SQL inject a database or cross-site script or something like that? While those risks definitely still exist, one change that this rapid change in infrastructure is going to cause to the risk landscape is that reliability is a significant concern now. A lot of these systems are going to see a usage pattern that they have not seen before, and anyone who deals in computer systems knows that when you have a system that is old, or sort of has been used for a while, and it sees a new usage pattern, the potential for operational failure is significant. So, you know, the hacking risk absolutely does still exist, but what we assess is that, you know, it just could fail as part of the operation of the system. A good example of this that isn't quite related to the 2020 election exactly is the Iowa caucus situation that happened in February. The Iowa caucus was run by the Iowa Democratic Party, so it was not run by the state of Iowa, and so therefore, you know, those risks maybe don't directly translate. But, you know, this was an app that failed not because of a hacker but because of the use of the app, right? So there are reports that sort of the folks who were needing to operate this app were not properly trained, the user experience of the app did not quite work, and the backup system that was in place in case the app failed was not thought through quite enough. So, you know, while there was not a hack of this app, it absolutely did fail at its job, and there are actually polls that suggest that voters to this day still don't really know who won the Democratic
Iowa caucus because of what happened during the caucus night. So, you know, that sort of thing happening on election night is absolutely possible, and so, you know, thinking through the reliability concerns is really, really important. Another point that Jack already made, that I'm just pointing out again here, is, you know, voting registration databases have been important and paramount to running elections for a long time, but in particular with the increase of vote by mail, those systems, those databases, are what decide where a mail-in ballot is sent, and so obviously ensuring the sanctity of those systems and the accuracy of those records is very, very important to making sure that this election runs smoothly. So yeah.
Great. Then just to get into some of the more specific risks to the infrastructure that we're seeing. To start with, voter registration systems. Of course, as we saw in 2016, these systems are a ripe area for attack. We saw the successful compromise, for instance, of the Illinois State Board of Elections' voter registration system in 2016 by Russian actors, and while there's no evidence that votes were retained, or, sorry, that voter registration records were changed, we do know that voter registration records were exfiltrated, and we saw targeting of all 50 states in addition to that. So based on what we've already seen and what we can expect for 2020, we certainly do think that there are heightened risks here, say given the confidentiality, integrity and availability of these systems. For instance, modifying voter registration records would result in perhaps a mail-in ballot application or mail-in ballot itself being sent to the wrong address, and availability concerns as well could prevent certain people from getting their ballots. Along with this, we also assess that there is risk with other voter-facing online systems. For instance, absentee ballot request and absentee ballot tracking systems can also be targeted. Then one other
online-facing system that we've seen a bit of expansion of, not in too many states but some have come forward with this, is electronic ballot return, also known as online voting. And for this, CISA does assess that online voting is higher risk than, say, in-person or mail-in voting, just because there is no paper trail, so you cannot achieve the same level of auditability. So that is CISA's risk assessment there. And all this is to highlight, with voter registration systems and with other online-facing systems, that there is just a shifted attack surface that attackers may be targeting. So it's important that we prioritize these when we're thinking about how best to secure the election before November, keeping in mind that election officials do face significant resource constraints. Running an election is incredibly difficult, and it is our role, and the role of the public, to support election officials in that process. So we'll get to, in a little more, exactly what both election officials can do as well as what hackers in this audience can do to ensure that the election does run smoothly, safely and securely. But kind of just to play out that this is something that everyone can play a role in and everyone can help with. And then the third component here is the mail-in ballot pipeline. So this is talking about everything from distribution of ballots to a wide range of vendors who are responsible, say, for compiling these records, for printing the ballots, for mailing them out. And really just to footstomp what Alex was saying before, that the biggest risk to this process is not necessarily, say, an actual attack against these systems, but rather a routine technical failure, because these systems are going to be strained and operated at increased levels. So we assess that the biggest concern, especially for the mail-in ballot pipeline, where many of these systems are not internet connected, the bigger risk is just your routine technical failure rather than
say an actual attack, although of course we do know that these systems are being targeted, and continue to be vigilant in looking for and preventing these attacks.
Great. And then the next slide, which we were talking about before, is the risk of disinformation, and this really just goes to show that the biggest risk towards an election outcome is not an actual attack, but rather distrust in the results. Because, as we explored, operational hiccups are not unlikely, and in fact we can probably expect that somewhere in the country on election day some technical error will go wrong. But what is important to keep in mind here is that this does not mean that the results of the election are invalid. This does not mean that we, say, don't actually know what happened. There is a paper trail. In fact, compared to 2016, when 82 percent of votes were cast with a paper trail, we now expect that 92 percent of votes will be cast with a paper trail in 2020, which is a significant improvement. And what that means is that votes are increasingly auditable, so we can actually ensure that the tabulated result is accurate. We recommend, for instance, risk limiting audits and all those procedures in order to ensure that election outcomes are valid. But the key thing to emphasize here is that we can expect some hiccups to occur, but that does not mean that something went wrong or that the results are invalid. But the bigger risk here is the public perception of these hiccups. We saw, for instance, in the primaries in Georgia that routine technical failures occurred with poll books, and this led to some public distrust in the election events. So this is kind of a case study in what can happen in November, that we can expect technology to go wrong, and of course it is possible that there has been an attack, but that's not the most likely case. What is most likely is rather that there's a routine error, as all these technologies are being rapidly expanded, that something just went wrong. So the
main takeaway here from a public perspective is that we need to be resilient, and we need to understand that there are controls in place, that it's actually incredibly difficult to actually change votes, because there's a wide range of election systems and it's very difficult to actually change those. But the bigger risk is people's perception. So just kind of viewing that, we need to be thinking about how we can make people more resilient, because when, say, a routine technical error goes wrong, how are we going to respond, and how are we going to get the point across that the election is still valid, that the results are accurate, even though some part of the election may have gone a little different than what we expected? So now we're going to get more into the concrete actions that we can take. I'll give it to Alex to introduce this.
Great, thanks Jack. Yeah, and so something that we think about at CISA a lot is how can the election infrastructure community coordinate within itself to share best practices and sort of mitigate threats that they see on the horizon. So one of the main things that you can do as an election administrator is join an information sharing and analysis center, or an ISAC. And so something that we have done in the past few years is stand up an EI-ISAC that is actually separate from CISA; however, it essentially coordinates between like-minded officials in government that administer election infrastructure and sort of share threats and do threat analysis. It's critical to sort of do this sort of information sharing, and, you know, if you're an election administrator, joining this community is quite beneficial to you, because, you know, no one is doing this alone. Everyone faces the same threats around the country, and so communicating about that is just critical. And this is also part of the MS-ISAC, the multi-state ISAC. And so the second point here is CISA, as the
nation's risk manager, provides free services to those who administer critical infrastructure, and election infrastructure is part of that. So we do things like remote penetration testing, vulnerability assessments and other various services that often cost quite a lot on the private market. We will perform them for free for you. So we've seen a huge uptick in using these services in the past few years as the election threat has become more publicized. So we've made a lot of progress here, but there's always more that we can do, and so, you know, talking to us and enlisting these services is a big step that election officials can take.
Great. And our third recommended action, acknowledging that there are many resource constraints, is just to accept outside help. For instance, the audience watching this today, attending the DEF CON Voting Village, is full of cybersecurity professionals who want to help ensure that elections can run smoothly and securely. So we recommend states take advantage of whatever volunteer resources there are, and the first one to highlight here is the Election Cyber Surge, which was recently announced by the University of Chicago in coordination with the DEF CON Voting Village, which is essentially establishing a volunteer corps of cybersecurity professionals who want to help state and local election officials to better understand cybersecurity risks and to perform cybersecurity services, all for free. So this is a really fantastic resource to take advantage of. And the second is to launch a vulnerability disclosure policy, and a vulnerability disclosure policy essentially says how outside hackers, friendly hackers of course, can report vulnerabilities to you so that you can fix them and accept their support. So the great thing is that there's already a community of people who want to help you, and all you have to do is tell them exactly how to do that. So we'll talk about this a little more when we discuss the product that CISA
recently launched, which is guidance to election officials to launch a vulnerability disclosure policy, but we believe that this is a really great way to accept the free volunteer help that is out there.
Great. And then probably more relevant for most of this audience is how actual hackers can help protect elections ahead of November. And one of the best ways you can do this is to offer to help your local election officials, just because they are quite constrained. Many operate with small budgets, even lower for IT or security, so any free help can really go a long way. So you can start perhaps by reaching out to your local election officials and seeing what areas you might be able to help them in. Volunteering for the Election Cyber Surge is another great way to be paired with state and local election officials to answer questions and provide security services as needed. So anything that you can do on that front would go a really long way. The second point here is perhaps less of a security solution but more just a way to help the overall election run smoothly, and that's serving as a poll worker, if you are healthy and in a position to do so, because, as we mentioned, there are large poll worker shortages. So one of the most impactful things you can do is to serve on a local level as a poll worker, help ensure that elections are running smoothly, and help people vote. So that's a really great way to be directly involved in the election process. And our third point here is to participate in vulnerability disclosure policies, because we recently announced our guidance to state and local election officials, so some vulnerability disclosure policies may be rolling out in the future. So I would keep an eye out for any of these that do pop up, and help election officials when they put these out there and are asking for your help.
Great. And so, you know, as CISA employees we would be remiss to not mention the various services and resources that CISA provides in the space. So
as mentioned before, CISA provides, you know, risk assessments for free, and so availing of those is really useful. Additionally, we have this Protect 2020 plan that CISA has released outlining our strategy to sort of protect this election. There are a lot of great resources on there, including how to stand up vote by mail systems safely in the coronavirus age and how to conduct in-person polling safely, and this is in conjunction with the Election Assistance Commission. There are a lot of great resources on that page.
And then in terms of some more specific areas that we think might be useful, the first is a vulnerability reporting guide, which I mentioned, that CISA just recently released, and this is a really great resource that discusses in depth, if you are an election official, how you can stand up a vulnerability disclosure policy and start receiving this volunteer help from security professionals. So it's a really great way to engage the outside community in order to help secure your systems. So we encourage anyone who's interested to follow this guidance, and please do reach out to us if you have any additional questions on how to smoothly allow people to report vulnerabilities to you.
Great. And with that, that's the conclusion of our talk. We've listed here our Protect 2020 page again, which has some really great resources on some of the core details on conducting elections. Our emails are listed here if you are interested, if you have any questions or just want to learn more. I believe there will also be Q&A on Discord, so we'll be watching that. But overall, thank you to everyone for attending this talk. We're hopeful that together, as, say, election officials, as federal government, as the hacker community, we can all work collectively to help ensure that we have a safe and secure 2020 election. So thank you, and please do reach out if you have any questions.