And next up I believe we have CISA director Chris Krebs, yes. So Christopher Krebs is the director of Department of Homeland Security, Cyber Security and Infrastructure. He joined DHS in March 2017, first serving as senior counselor to the secretary, where he advised DHS leadership on a range of cyber security, critical infrastructure and national resilience issues. Prior to DHS he was a member of Microsoft's U.S. government affairs team as the director for cyber security policy, where he led Microsoft's U.S. policy work on cyber security and technology issues. Please welcome director Chris Krebs.
Thank you. So it's going to be a little free association. I don't do prepared remarks or haircuts or ties or things like that, so just bear with me here. But I want to circle back to a few things Matt said. Well, first off, on the introduction: when I came in 2017 into the department I was going to focus on general critical infrastructure cyber security issues. And that was about the time that the previous secretary, or the last secretary in the last administration, Secretary Johnson, had designated election infrastructure critical infrastructure. So when I came into the department the last thing I thought I was going to be doing was election security. It did not cross my mind, and honestly I don't know if I had made the same decision to come in. But at this point, standing here in front of this crowd, I'm glad, because like Matt said there's a whole bunch of opportunity and optimism out there. I have obviously not been as engaged as Matt has been in the election security space, but things are changing. Things are changing for the better. And you're going to hear a lot more for the rest of the day, whether over at the voting village or some of the congressional leadership that comes through, talks about how things have changed and a little bit more. But in the meantime I want to talk about a few things. First I want to start back with that hearing that Matt Blaze mentioned.
I was on in that testimony, or testified alongside Matt as well. The thing that Matt, did he leave? I hate doing this when he's not here to defend himself, but the thing he didn't tell about that hearing was that he had left his prepared remarks in the taxi on the way over or the train coming down from Philly. And so he's furiously scribbling his remarks from memory and, you know, no surprise, anyone that's heard Matt speak before talk about these issues. He nailed it because he's passionate about the issue. He knows it front to back and he knows the things that need to happen.
So from my perspective, where we were in 2016 was trying to figure out what the heck, from a Department of Homeland Security perspective, what the heck this issue is. It literally had no idea within DHS. Talked about this the other night with some former DHS folks that may or may not be in the room. The Election Assistance Commission was not a thing that we actually had an awareness of within the department. So there was a lot of journey of discovery. Maybe that's the best way to talk about 2016, is a journey of discovery to figure out what the attack surface looks like, who the stakeholders are, what are the things that we could bring to bear to support them in executing their mission of delivering safe and secure elections. The more we found out, the more that they know how to deliver elections in a resilient manner. But as both Harry and Matt pointed out, when you put a local jurisdiction in, you know, out in the far-flung reaches of the Upper Peninsula in Michigan that's, you know, facing a Russian GRU threat, that's just not a, that's not a fair fight. There's some clear asymmetry here. So in our run-up to 2018 we had a set of priorities and things we wanted to execute against to make sure that 18 would be safer and more secure than 16 and 14 and all that stuff before it.
And that really revolved around getting everybody pulling the same direction, working together, understanding that this was a kind of like a no-judgment zone. Let's get together, figure out what the problems are, what can the U.S. federal government, from a cybersecurity and physical security perspective, provide to help the state, local and county jurisdictions execute. And that ended up in a handful of things. First and foremost, we established an Election Infrastructure Information Sharing and Analysis Center based out of the same model that the Multi-State Information Sharing and Analysis Center is, and got all 50 states on board and about 1400 local jurisdictions by the time of the 2018. Now that in and of itself is not the proof point. The proof point is that through this mechanism we were able to deliver training, exercises, and send information out about not just active threats, like here's some IOCs of a cybersecurity threat, but it's able to say these are the things that we see the actor doing, and that's important, I'm going to come back to it. But it's continuing, we continue to see a significant focus and use of spear phishing. So you need to invest in spear phishing. Now that alone is hard at the local levels, but it's again, it's raising the understanding of what the bad guys are doing and not putting it in a context of an indicator of compromise.
So beyond that it was pulling everybody together and actually working through incident response plans. So last August, it was in fact about this time or maybe next week or so of last year, we had the first Tabletop the Vote exercise, and that got 44 states and a bunch of jurisdictions, the intelligence community, law enforcement, Department of Defense, National Guard, EAC, everybody together in a room in Arlington and then teleconferencing in, and the political parties and the vendors, everybody, and saying: okay, here's what a scenario looks like, what's a bad day, and how are we all going to work together? Do we understand what to expect from each other? Do I know what the IC is going to give me? Do I know what the state and local officials expect from me? Do I know what a governor wants from me, and a secretary of state? Those are the things that we worked through. First time it ever happened. I actually kind of threw the team under the bus on this, because I was up in Harrisburg in May meeting with the acting secretary of state, and on the ride up I, we kind of talked about it generally but hadn't really planned for anything, and I just kind of threw it out there in front of a press conference, like, yeah, we're going to do a tabletop exercise, everybody together at the moment. And we managed to pull it off.
We had the second annual tabletop earlier this summer and we got forty-eight states involved. Same sort of drill, working through the processes, but from a more mature position. So honestly, state locals came back around, impressed us, said, no, I need to know exactly what you're going to do, how you're going to engage. Can you deliver an incident response capability? Hey, IC, intelligence community, what do you guys actually have? Is it possible to share something with me? So the relationship, again, every year is getting better, but it's also becoming more confident, and that's part of what this optimism to me is about: it's the confidence and the willingness and the ability to take this problem set on together.
So when we're looking out at 2020, I have to continue that engagement. We got all fifty states, but if they're eighty-eight voting jurisdiction, eighty-eight hundred voting jurisdictions out there, close to about two thousand, we got a ways to go. So how are we going to continue that outreach? How are we going to continue building that level of awareness? And then once we get there, what the heck are we going to do? So case in point: ransomware. We've seen what happened down in the seven parishes in Louisiana recently. Didn't touch any election gears or systems as far as we know, but the challenge to me is, all right, let's think about a worst case scenario: three, four week, two weeks before election day 2020, and let's say some nation state or just a criminal actor is like, ah, this one, I bet they'll pay out pretty good for this one. So what are we going to do? We're going to say, do an offline backup, update your stuff, implement MFA? Okay, it's too late by then. Also, when you roll out, we talk about the IT departments that are the election officials, and I go out and say update your stuff, and they're going to go out and they're going to update their Windows machines, but if they don't have mature vulnerability management programs, do they even know the extent of the things they need to manage?
So how do we do this together? How do I work with all 50 states, for instance, to help lock down voter registration databases? What are the tools that I can do from a scalable perspective? And not just me, the major vendors are out there. What can we do to help? Vulnerability management in a box: pop up a system, make sure everybody knows what you need to update in and get on it. Remote penetration testing. More coordinated vulnerability disclosure programs out there, 50 states, nationwide. These are the sorts of things. We're not resting on, okay, we got all 50 states in an ISAC and we were able to deploy an intrusion detection system across all 50 secretary of state offices. We've got to continue to be aggressive about the things that we can do to push out support to the local, state and local levels, and this is about innovating. It's about innovating at the edge. It's also about differentiating the sophistication and maturity of the stakeholders. Some states have got it, they've invested, legislatures have invested in their capabilities. There are others that haven't. So how do we solve for that problem?
And I suspect with some of the congressional leadership up here today you're going to hear about this. I don't have all the answers on this front. I don't. And honestly a lot of these policy questions are not my job to answer. Congress has a role here. So what does that look like? I'll tell you this much: I don't know where, for instance, the state of New Jersey is going to get their money to update their systems. I don't know where some of these other states that have DREs without a paper trail associated with it, I don't know where they're going to get the money, but they need it to step up, their legislatures need to step up, and the federal government has a role here too. That's the conversation that is happening and has to happen with greater speed and greater aggressiveness in DC, and I think it's going to happen. I'm confident that when we get into the fall we are going to continue pushing these conversations.
But ultimately, when I look at 2020, the top priority for me is engaging as far and wide as possible, touching as many of these state stakeholders as possible, and making sure that we have auditability in the system. IT key tenet: if you can't audit the system, if you can't look at the logs, you don't know what happened, you don't have sanctity across the system. So we've got to get auditability, and, yeah, go ahead, I'll say it: you've got to have a paper ballot backup at a minimum. We've got to push auditability and we have to actually push auditing. So those are the things, that's our, those are our top priorities moving into 2020.
The last thing I want to close out on here is, I believe Harry mentioned it, was mentioned, it was announced either earlier this week or last week, and Harry talked about it I believe this morning, and I think Jake talked about it, I wouldn't hear. But when I was out at RSA, sorry, the other conference, that I had a similar keynote with a much lamer crowd, but I had my call to action. And first off, everybody, if you don't have one of these Protect 2020 stickers, please get on board, grab one. It's not just about a sticker that you're throwing on your laptop or whatever. This is just the ethos, this is the ethos of the election security community right now: we can all do something here. Unhack the Ballot is about everybody leaning in. We all have one top-line objective, and it's not about any single election, it's about democracy. It's about protecting democracy. We cannot leave it up to election officials, to the vendors alone. It's everybody's job to engage. Instead of sitting there, and I say anybody here is doing it, but instead of sniping, let's lean in constructively to the conversation. Go help, go volunteer, understand what a process actually looks like in your jurisdiction. Make sure you understand what happens when the lights go out on election day. Do you know what your rights are to request a provisional ballot? There's a ransomware attack. We can't let this, the fear of Russia or Iran or China or anybody else messing with our elections, we can't let that drive us away from the process and stop voting. And we can do that. First, we lean in, we help. Second, know your rights, know what the fallback measures are.
I've used this example before, some people look at me kind of funny. We've got, just like any other piece of infrastructure, resilience is the key. It's not risk elimination, it's not a hundred percent security, it's resilience. So I steal and modify a Mitch Hedberg joke here: the process for voting should be like an escalator. When it works, it's great, it gets you to the top seamlessly. But when it breaks, what happens to an escalator? It turns into stairs, and you just have to put a little bit more effort to get where you're going. With the voting process, it should work seamlessly, but bad things happen. Hurricanes hit the panhandle of Florida. They figured it out, they figured out how to deliver that election. Same thing happens here: if something bad goes down, keep calm and vote on. That's what we're talking about here. Know your rights, provisional ballots. We can get this done. So enjoy the rest of the village. I'm very glad I was able to talk to you folks today. Have had a great time at DEF CON. Thanks again. Get your stickers.