 Thank you all for joining us. Very exciting to be excited to be introducing Sherri Ramsey for her talk on 2020 Ready or Not. I quickly give her introduction. Sherri Ramsey is a consultant engaged in cybersecurity strategy development and planning, cyber assessments, leadership, partnership development, and marketing and development of cybersecurity tools and security operations centers. Ms. Ramsey is the former director of the National Security Agency, NSA's Threat Operations Center. She led discovery and characterization of threats to national security systems, provided situational awareness of those threats, and coordinated actionable information to counter those threats with the Department of Defense, Department of Homeland Security, and the Federal Bureau of Investigations. She also served as a senior leader in NSA's Signal Intelligence Directorate, Technology Directorate, and Information Assurance Directorate. Ms. Ramsey holds a Bachelor of Science Degree from the University of Georgia, a Master of Science Degree from Johns Hopkins University, and a Master's Degree from the Industrial College of Armed Services National Defense University. She is on the board of advisors for Virginia Tech's Hume Research Center, the University of Chicago Cyber Policy Initiative, and TrueStar Technology. Please welcome Sherri Ramsey. Good afternoon. Oh, come on, guys. You can do better than that. Good afternoon. 20. Ready or not? And guess what? It's coming whether we're ready or not. So this is my first time at DEF CON. You guys are an intimidating group out there, feeling my privilege and my honor to be able to stand here in a room kind of full of like scary smart people like all of you guys are. So we'll just see how this talk goes. So here we go. Once upon a time, everybody's looking at me. I bet you didn't think you'd hear that today, huh? Once upon a time there was a world where our personal identifiable information was not at risk, where companies like Google, Morgan Stanley, RSA, Dow Chemical, Sony, Merck, Maersk, and many, many, many others did not have to worry about being hacked. None of us had to worry about our intellectual property or even our personal property like our pictures and things being encrypted and held for ransom. Who would ever think? Where we would not hear stories about threats to the electrical grid or about the electricity actually even being turned off as what happened in the Ukraine on December 23rd, 2017, when most of that country was plunged into darkness in the cold of winter, two days before Christmas. A world where we did not have to be concerned about the availability and integrity of our financial services, where we didn't have to worry about going to the hospital and perhaps being given wrong test results or erroneous test results or maybe even being given the wrong type of blood because perhaps somebody changed our blood type in a database. And last, but certainly not least, once upon a time we lived in a world where democracies could hold elections and the citizens of those democracies could have confidence in the voting process and the results. We used to live in a world like that, but today I would say that's a fairytale. There's no longer that world. It doesn't exist. Many countries and many industries around the globe have had to learn this the hard way and perhaps even some of us have personally had to learn this the hard way. I don't know about you, but over the last year I've probably gotten four or five letters informing me that my credit card information may have been compromised. Read was compromised, was stolen. By the way, don't use that credit card anymore. It's not any good. We'll send you a new one. So it is something that touches all of us. So all of these things are really important, but today because we are at DEF CON after all, and it is getting to be that time of the year where we're talking about elections again. We'll start to twitch when we talk about that. We're going to focus on election security. And although there's a lot of things that could impact our election security, again, because we are at DEF CON, we're going to focus on the cyber side, the cyber security side of election of our critical elections, that part of our critical infrastructure. It's really critically important that every citizen, that every one of us, every citizen of the United States of America is assured, we're sure that when we vote that our vote is counted and reported just as we cast it. That is a cornerstone in the foundation of democracy that is having fair and free elections where we all can vote and we all can be assured of our vote. The American people's confidence in the vote is though it's reliant on the security and the resilience, and I'll put in resilience because that has to do with cyber security, but as well as other things, the security and the resilience of the infrastructure that makes these elections possible. So first I want to talk a little bit about the problem. You guys probably more than anyone know about it, but I will say when I was preparing for this talk, I actually thought I know a little bit about cyber security, but I did learn an awful lot about the election process itself. And then I want to toss out a few things for you guys to think about as parts of the solution. Some of them you may not agree with, that's all fine. Some of them may be a little provocative. I would like to think that maybe a couple of things I'm going to say, a couple of you might debate those over dinner tonight. So I got to thinking, okay, I'm standing up in front of this group of super, super smart people, and it's really hot out here in Las Vegas. It was 105, I think, when I walked down from the Paris a few minutes ago sweltering. And I thought maybe, you know, this is DEF CON after all, and you guys want to be here to learn some things and have fun. So I'm thinking, okay, what could I do to possibly inspire you not only to think about election security, but to do something about it? Because it's not enough to think about it. It's not enough to talk about it. We really have to do something about it. So I was thinking along those lines, and I was trying to think of all the great speeches that I've heard over the years. There was, oh, God, all of you are too young to remember this, but there was President Kennedy's speech. Okay, I see one person nodding. President Kennedy's speech back in the 60s about how we're going to put a man on the moon. You know, there was Martin Luther King's speech, and then there was the Gettysburg Address. And so I got to thinking, okay, what could I learn from those speeches that might possibly resonate with you guys? And so I'm looking at the Gettysburg Address. You know what was good about the Gettysburg Address? It was very short. How many words was the Gettysburg Address? Do you know, remember that from high school? It was 272 words, I think. And so I started thinking about, oh my gosh, can I possibly, possibly in 272 words say all these things to you? Can we talk about election security? Can we talk about some possible solutions? And how can I motivate you guys? Because you're the ones with the answers. Not me. You're the ones with the answers. How can I possibly motivate you to go do something about it? Okay, so after an hour or two I decided no, that's not going to work. So my talk is going to be a little bit longer, a few more words than 272. So when we think back about the elections of 2016, they really put on display something that people like you guys had been talking about and warning about for several years. And that is that we have some glaring deficiencies in our election systems and our voting infrastructure. And quite frankly, I will say, and I know you heard some passionate folks on the last panel, there are some glaring deficiencies in this, but it's not clear that we actually as a nation have the political will today, or that we're willing to spend sufficient money to really strengthen this process. And so I know a couple of them have appealed to you, go talk to your congressman, go do things. And so I absolutely say that, say yes, you should do that. But you know what, this is now 2019. We're three years past 2016. And what have we done? Have we really strengthened our election and our election systems? No. And the answer is not all that much. And I'd like to think if it was a simple solution, we'd have done it already. You guys would already figured it out and we would have done it. So I don't think there's a simple fix. Because most people actually, quite frankly, think of the election simply as hacking a voting machine. And after 2016, that's actually what we talked about. That's actually what got the most press is, can we hack a voting machine? Oh, no, we could never hack voting machines. There's no way anybody could ever hack all the voting machines in the United States. And I would tell you that they're not going to have to accomplish what they need to do. But when I started looking at all the parts of the election infrastructure, it's a lot more than the voting machines. And so I want to talk about that just for a minute or two, in case there's one or two people out there who like me did not really appreciate all of this. So first, there's the people. And actually, you saw some of the people, some of the people were up here on the last panel, the people, state and local governments, because by the way, the state and local governments actually own the election and the election infrastructure. There's election officials, there's polling officials, there's federal partners, there's the vendors that provide all of the voting equipment, there's vendors that provide all of the IT equipment that supports the voting process. And how many subcontractors do you think all of those vendors have? And then last but not least, guess who the other part of the people are? They're us. They're us, we're the voters. We have to be educated, we have to be responsible, we have to be demanding. And so all of those people are involved in the voting process. So therefore, you can see if you have three people in a room, it's pretty darn hard to get them to agree on something, right? So when you have this many people and we're talking about what's at stake with this much money, it's been a very difficult thing to get everybody on the same page. But in addition to the people, there's all the pieces and the processes. And I'm just going to quickly go through this because I tell you what, I guess I maybe knew some of this, but I just never thought about it. There's voter registration, there's party registration, there's candidate nomination, and there's databases and associated IT systems and processes that go with all of that. We actually have something called an election management system. And no, we don't just have one. Every state has their own. None of them are the same. And these election management systems, they count the votes, they audit the votes, they display election results, they certify and validate the results. And no, by the way, guess what? There's all the associated IT systems, technology, processes that go along with supporting that. Then yes, we do have the voting machines themselves. But you know what? Even think about this. Where do you think all the voting equipment, all that is stored when we're not voting? Where do you think it's been since 2016? Where do you think it's been since 2018? So all got to be stored somewhere, software and hardware. And by the way, what about the polling places? What do you think happens when the polling places are all set up and everything is ready? Do you think somebody stands there and guards them for two or three days ahead of time? Or in some counties, in some states, the election process runs over a period of several days, and this year, next time, maybe even up to a week. Do you think anybody's thought about hiring people to guard them, not just physically, but in cyberspace? Probably not. So we actually need to think about that. Even the announcing of the results. Nobody hand carries a piece of paper to all the news networks. It's all done electronically. So you guys, better than anybody, can see all the vulnerabilities in this process. So let's just talk about just a few of those things. And I'm going to start actually first with the voter registration process and the voter registration databases, which quite frankly, many of the cybersecurity folks that I've talked about have said this is really the most significant threat to election security. So the most significant threat to these databases, we can have an intruder, whoever that may be, who could alter, delete, or add voter registration records. Think about what this would do on election day. It could actually wreak havoc on election day and potentially change the results of the election. And how would that happen? Because voters could arrive at the polling place and they could discover that they're not registered or that their address is wrong. It doesn't match their driver's license. It doesn't match their form of identification. And this could lead to chaos if for no other reason than having lines so long that guess what? Do you think people, everyone could wait three hours, four hours, five hours, even an hour? Most of us have to work. Most of us can't go and spend the entire day. Most of us don't take a day of vacation to vote. We shouldn't have to. So that could result in quite frankly, a lot of votes not being cast. And you know what? That could actually change the election. And actually, the way we, the way a lot of the polling places check the voter registration databases, they have this thing called a polling notebook, which quite frankly is nothing these days but a tablet. What if that tablet didn't work? What if it was hacked? What if it was just old? This goes to the issue of resilience. What if it was just old and they couldn't get it and it just failed that day? Again, total chaos, major headaches, ballots not being cast. Or perhaps even the votes being tabulated incorrectly around the country. And there could be lots of variations. By the way, what if none of the data was altered? What if somebody decided they're going to reinsum that voter registration database that day? What if they went in the day before the election and encrypted everything in the database and said, pay me, name your price, or we're not going to unencrypt it? And I will tell you, I'm actually from Maryland, so most of you know or probably have read about what happened in Baltimore back in May. Guess what? The ransom was $100,000. Baltimore decided not to pay it. Now, I don't know that they'll ever have the guts to come out and say what their version of the official cost of this is. But quite frankly, everything is still not fixed. They're still not back online. And in my professional opinion, they're already way north of $100,000. And you don't think about it. This literally affected people's lives. I mean, I heard stories of people who had saved up for years. They were supposed to go to settlement on a house that day. And now all of a sudden, they couldn't buy their house. And by the way, they had nowhere to live because they had already had to move out of where they were. So huge implications for the ransomware piece. So just think of all of that chaos. Now we get to the old voting machines and actually quite frankly, yes, I think there's a problem here. But probably I think, again, the biggest risk may very well be with the voter registration databases. Today, we've actually made it pretty easy for the attackers or intruders or whatever the bad guys, whatever we're going to call them, because there used to be 17 or 18 companies that made voter registration databases. So you could just say, okay, they're very diverse. They're not the same. But just because of one company buying another, the economics of it all, today 80% of our voting machines come from, do you know how many companies? Two to three. Depending on what you read, two to three companies. So we have just automatically reduced the attack surface for the bad guys. And there are a lot of really, really old machines out there older than a decade. How many of you have laptops and things that are older than 10 years old? But do you depend on it as your only way to get online? Probably not. So we are actually depending as our only way to cast our vote technology that's over 10 years old. And in dog years, that's probably like 50 years or something. So we probably should not count on that. Absolutely, absolutely. Yes, they're not running Linux. And the voting machine vendors, by the way, are not regulated. Think about that. They provide a piece of equipment that supports the cornerstone of our democracy and they're not regulated. They're not even required to notify the customers when they have a security issue. What about that? And today we have a lot, we all thought, oh, this is great. We're all going paperless. Everybody wants to go paperless. How many of you, I don't even hardly get any bills anymore, right? I mean, they just email them to you or just take the money right out of your account and or you can actually log on and look at what your bill is. I get very few bills, paper bills in the mail. Everybody thought that was great. And then they had this uh-oh moment when they wondered, what if we have to have an audit? What if there's a challenge to the election? What if we have to recount the votes? What are we going to do? There's no paper copies anymore. So guess what? There are three states which currently have no paper backup. I'll say them, Georgia, Louisiana, and South Carolina. There's at least 10 other states that still have counties that don't have any paper backup. So there's really no way to audit those election results. So think about this and you guys know about this way more than me. So every one of those machines has to be programmed or downloaded with the current ballot for that year, right? So somebody's going to take a USB stick or something or worse. They're going to go online. They're going to download them over the internet and they're going to download the ballot for this year. Guess what? That is an open door during that time frame. Anybody, probably any of you, that's scary because I'm looking, you, because you guys are just so smart, but there's lots of you out there. Probably any of you could figure out a way to piggyback on that download and go in and make a change to that voter, that voting machine. And by the way, contrary to popular belief, this can't can't actually happen because the download comes from the voter management system, the voting, the election management system, and guess what? Those are connected to the internet by definition because they pass results throughout the voting process. So if an election management system can be infected with malware, then guess what? That malware can then be spread from system to system to system to system, every one of the voting machines. And by the way, people say, oh, well that would never happen at scale across the country. Guess what? Now you can, you can debate me, you can argue with me this is not right. I ascertain it doesn't have to happen across the country. How many places does it have to happen? Maybe one. Maybe one, maybe two or three. If it happens two or three, boy, that's really scary because if there's one place where it has been, it can be proved that the integrity of that vote is not right, what's that going to cause every one of us to do? To wonder about the integrity of every other vote. And it's really hard, as you know, it's really hard to prove that it was not tampered with. It's much easier if we're looking for the smoking gun to say it was tampered with because then you're looking at every single avenue. So that, that would be really hard and that potentially could really cause voters to lose confidence in the elections. And by the way, we, you know, had a little instance kind of of the last election, what would happen this time? And then what about influence? This is the hardest one, by the way. And that is influence to persuade voters to vote or to not vote in a certain way or maybe not to vote at all. And you know what, there are counties, I was shocked at this, you guys maybe already knew this, there are counties across our country, you know what, they use to share election results. They use Twitter, they use Facebook, they use Instagram, and these are real, real counties in real states that share that way. They also often will share instructions on how to vote and what your vote means for particular referendums or particular candidates. So what if that information was changed so that when you read it, you didn't read the right instructions? What happens if social media claims that a particular candidate has already, they're already projecting a win for the election? What happens to the people who are already in line to vote and the lines are long? What do you think a lot of them might do? They might just go home and not vote at all. And as I said, to further complicate matters, lots of them, they actually report results over the internet. The counties report to the states who report all the way up online to the internet. So there's lots of opportunities, as you guys know, for results as they continue to be transferred, for results to be changed or potentially tampered with. And you know what? We're really not the only democracy whose elections are of interest to folks. Many others have or probably will come under attack, those countries who actually, and maybe some countries already have and they just don't know it. So those countries who are technically savvy enough and who have cared to look, who've said we believe there was at least an attempt to tamper with our elections, I have a list here and I'm sure it's not all inclusive. It includes Ukraine, Bulgaria, Estonia, and not just those countries, Germany, France, Austria, the UK. And by the way, I actually just read something that the UK intelligence community is putting out that now they believe there potentially was something that happened nefarious during the Brexit vote. So if you think about all the consternation that that vote has caused the UK over the last couple years, including a prime minister losing her job, what if those results were tampered with? What if there really wasn't even a vote to leave to leave? So 2020, ready or not? So let's just kind of reiterate what's at stake here. I'm going to read your sentence to the Mueller report. So if it's not, it's not political though. So if you don't, if you don't agree with that please listen anyway, the Russian government affiliated cyber actors conducted an unprecedented level of activity against state election infrastructure in the run up to the 2016 elections. And politics aside, I think most cybersecurity experts would at least agree with the content of this statement. And guess what? Now there's evidence that this time it may not only be the Russians, it may be the Iranians, the North Koreans, maybe a terrorist organization, because by the way, anybody can get a cyber capability, all they have to do is have money and hire it, right? I mean, there's lots of folks as smart as you guys out there who are willing to do things for money. And actually, if you think about it, because it's all based on this technology, what if the equipment is just old and it breaks? So we need to think about resilience as well. And again, what's at stake here? If the integrity of our elections is undermined, then we really could lose confidence in the process. And particularly in a presidential election, if we think the person that's moving into the White House isn't the right person, what do you think that would do across the country? We already saw some interesting results after the 2016 election. And I think today, as of today, it was never proven that any votes were tampered with, that anything was actually changed. What about if it was reported that things were changed? What about if it was in Georgia when there's no way they can do a paper recount? How many of us would spend four years thinking the wrong guy was in the White House and what would that call or girl is in the White House and what would that cause us to do? It would really probably undermine our democracy and really cause a really tough time for us. So why don't you guys just fix this problem? Why don't we just fix it? We've had time, we've had three years. What have we been doing? Well, it turns out there's a few obstacles. And I'm going to talk about three of them. Initially, I think there was a concern by the states when the federal government started nosing around that the federal government was trying to take over the elections. And that's something I know the states really pay close attention to. They think it's important. They want to own the elections. They do own the elections. They don't want the federal government mucking around in those elections. And so they thought, well, maybe this is going to be an opportunity for the federal government to use this as an excuse to take over the election systems. So I think that we've worked our way since 2016 through some of that, although I actually just heard some stories earlier today that there are still some states that won't even take money from the federal government because they just don't want to. And so I think there's obviously still issues. I know DHS has collaborated with the National Association of Secretaries of State and numerous other state and local groups. They're starting to share best practices. You know what? And this is all good, and it's moving in the right direction. But I'm worried because there is still a long way to go, and we don't have much time between now and 2018. A second obstacle is resources. First, money. We need to have new equipment to replace aging equipment to make some procedural changes, to buy equipment with more robust security enhancements. We need to monitor the software, the hardware, the databases. We just need to buy up-to-date equipment that has better security features in it. And even though independent locally adjudicated elections are a cornerstone of our democracy, and they're run by state and state governments and county governments, it appears that federal funding is still going to absolutely be needed. And by the way, why not? Because we use this election process to elect our president of our country, not just the governors of the states. So I think federal funding is still needed. It's still needed all around the country. And I really wish that the states, when and if there is any federal funding, I really wish the federal states would absolutely take it. So in March of 2018, two over two years after the last elections, Congress appropriated $380 million to the states for upgrades of election infrastructure and security. That's not a lot of money when you think about it. How many counties are in 50 different states and more territories, and everybody is voting, and there's a lot of equipment that needs to be upgraded. Currently, there's another bill that would put an additional $600 million in the hands of the Election Assistance Commission, which is a federal entity which facilitates federal funds being given to the states. But guess what? Like many bills, this one hasn't passed because it's not just about money to the election, to the state and government elections. There's all these other issues attached to it, and therefore it has not passed the Senate. I don't think it will pass the Senate. So federal funding really, it hasn't come fast enough, and it needs to be consistent rather than, you know what, a one-off investment once every 15 years, because that's how long it had been when the $300 million was, it was 15 years. And by the way, resources are not just money. It's also people. Obviously, it takes money to hire people. But even if there was money to hire people, guess what? There's not enough of you guys. There's just not enough. There's not enough cybersecurity savvy people available, because guess what? You all are the people that are being hired by everyone today. And so there's, how are we going to deal with that? How do we, how do we put better cybersecurity expertise to support the elections? So that's a problem I'm going to toss out at you guys. How can we do that? I know before someone talked about perhaps using the national guard, because I know there's, there's actually quite a bit of cybersecurity expertise there, but how would we do that? The third obstacle we've already alluded to it is partisan politics. Maybe enough said on that one, but we do need some sort of policy. There's been a number of proposed bills, none have passed. Maybe now there's a little momentum, maybe not. But you know, even, and it's not just about the federal government, even getting the states to agree on anything has been very, very difficult. So again, put 50 people in a room and have them try to agree on something. But you know what? We really have to get by this. So Congress did put together this task force and they made some recommendations. I think some of them are on the right track. So I want to talk to at least tell you about a few of those. And oh, wow, a few of those. And then I want to give you some things to think about. So the first is what we need is effective communication. There must be effective communication among the state and local governments between the state and local governments, sharing best practice practices and actionable threat intelligence. And it has to be effective. And what does that mean? That means it has to be timely. It has to be actionable. And it has to be convincing. People have to really want to do this. By the way, there also needs to be effective communication between the states and the federal government. But just as importantly, and this may be controversial, but I'm going to throw it out anyway. Just as importantly, I think there needs to be effective communication from the, from our federal government to the rest of the world. And you know what we need to clearly say? By the way, if you consider an attack on our election infrastructure and try to mess up our elections, then we consider that a hostile attack on our country. And we're going to respond accordingly. But guess what? We have to be prepared to respond accordingly if we do that. And that seemed either one of those things as problematic, but I absolutely think that we need to do that. And we have to mean it. We need to make cybersecurity a higher priority. We need to do training. Maybe we perhaps need a national strategy. We need all kinds of other things. But also what we need to do is delineate specific roles and responsibilities, particularly within the federal government. DHS probably has a role. The Department of Defense thinks they have a role. The FBI thinks they have a role. Guess what? When I worked at NSA in 2012, when I retired, we were talking about those roles. Guess what? In 2019, they're still talking about those roles. And we haven't figured it out yet. But I actually think, and I will, okay, I will remind you, I worked for the Department of Defense. So I think that we probably should consider, when we talked about doing something, putting the rest of the world on notice and doing something, the Department of Defense has just put out a new cybersecurity strategy. And it's called Defend Forward. So perhaps it is time to let the Department of Defense defend our nation when it comes under attack. It has significant implications, though, for DoD's role in defending critical infrastructure. And I think from what we've read in the paper, perhaps they already did a little bit of that in the midterm elections. Defending forward suggests a preemptive action or set of actions instead of a reactive response. Defending forward advocates operations that degrade or stop adversary activity, not when it gets to our networks in the United States, but before it ever gets to our networks in the United States. As I've already said, we need to make resources available. I'm getting the little one, I've gotten the little one minute sign back there, so I'm going to just hurry through the rest of this. At a minimum, the vendors of critical technology should be required. They should be required to follow cybersecurity best practices, and they need to be required to notify if there's any sort of cyber incident. As we've said, these funds have to be available. And then one last topic, that little thing that I want to talk about, and I think, yes, more, we need more than the Department of Defense perhaps defending forward. We need more than DHS facilitating communication among the federal government, among the states, between the federal government and states. I think that the county and state elections, they also need to recommend and adopt a strategy, and I'm going to call it secure and defend. And that is they have to, for their IT infrastructure that supports the elections, they have to practice good hygiene. They have to make it as secure as possible. It's not exciting. It's not sexy. But guess what? If they did even just, how many of you are familiar with the 20 critical controls, which are actually part of the, if they did just these steps, which are very logical, estimates are that it would knock out at least 80% of any of the actors who were trying to do something. And actually, if you go back and look at the cyber incidences over the last year, if systems had followed the controls, if they had been patched up, the numbers way higher than 80% of them. In fact, it's very close to 100% of those efforts would not have worked. Now, maybe they have something more sophisticated up their sleeve, but you know what? Let's force them to use it. Let's don't have them use their easy stuff on us. And then after the networks are made as secure as possible, then we can't just think about operating the networks or let them sit there. We can't just hire system administrators to administer the networks, right? That's a passive thing. What we have to do is think about defending the networks. And I'm not talking about the Department of Defense defending the networks. I'm talking about the people who own and operate the networks defending the networks. So in closing, I will say, you know what? These are not revolutionary changes. They're just kind of basic common sense steps. But if we implement them, then I think not only our election systems and infrastructure, but a large part of our critical infrastructure would become more secure. So the good news is we're talking about it. But the bad news is we have to do more than talk. We have to have action. We have to secure our election systems and really secure our democracy. So 2020, are we ready or not? Tom is running out for us to answer this question. So I think my time is up. Do I have time for any one or two questions? No. Okay. There's another talk. So I will be out in the hall if anybody wants to challenge me or have questions about this.