Barbara Simons, who's the president of Verified Voting. I'll let everybody get seated really quick, and I'll let you guys do just a couple of minutes each on who you are and your organization and so on. Then Dave Forsey with the National Governors Association, and Eric with the Center for Internet Security, which is the group that runs the MS-ISAC as well as the 20 Critical Security Controls. So with that I'll turn it over to you guys to talk a little bit about your organization and yourself.

Okay. All right, so hi everybody, I'm Eric Cameron. I'll start out. I'm from the Center for Internet Security, CIS; I'm going to refer to it as CIS. CIS produces a number of free things for the larger cybersecurity community, among them the Top 20 Security Controls, which are a set of technical controls that any organization can use for free to enhance the cybersecurity stance of their organization, be it private, educational, government, you name it. Everyone is free to use them. So that's one half of CIS: the Secure Benchmarks, the Top 20 Controls, a community that we run for the benefit of everybody. The other half of CIS is the MS-ISAC, which is a DHS-funded program, MS-ISAC standing for Multi-State Information Sharing and Analysis Center. The MS-ISAC has built a relationship with all of the 56 states and territories throughout the U.S. We run a network called Albert, and Albert is closely related to the federal network called EINSTEIN, which is used to monitor .gov space. Albert monitors state, local, tribal and territorial space, and we have sensors throughout the United States, in almost every single state and territory. So you can think of one half of CIS as an intrusion detection system that covers the entire continental U.S. So that's my intro to what I do, and over to you.

Thank you very much.
I help lead our cybersecurity work at the National Governors Association. For those who don't know, the National Governors Association is a special snowflake. Half of it was actually created by statute, so it's not a 501(c)(3), it's not a corporation; it is a statutory entity. It's called an instrumentality of the states. So every state that's a member, which is virtually every state and territory, pays in dues, and that pays for certain services for governors' offices. I work at the other arm, which is called the Center for Best Practices, which is a 501(c)(3). So we get money from foundations, corporate donors and federal grants to help states with policy problems. Specifically, I help states with cybersecurity strategy, cybersecurity governance and cybersecurity disruption response. We like to say that, as everyone in this room knows, we have in many ways figured out the technical methods needed to stop cyber attacks. A lot of the state CIOs and CISOs who run the state systems know this. The hard part is actually getting people to do it, and that's where governance comes in. We have become much more involved in the election issue, and I'm here to talk more about that, but I'll let you ask questions and I'll leave it to Barbara.

I'm Barbara Simons. I'm president of Verified Voting.
I'm a computer scientist by training, and I got into the whole voting issue around 2003, because some of us computer scientists were kind of appalled that Silicon Valley was about to buy paperless voting machines. Despite our best efforts they went ahead and bought them, but we got sucked into this. Like many of my colleagues whom I've observed over the years, the more they learn, the more they have to get involved, because they just can't believe what's going on. And I hope that will happen to all of you here, if it hasn't already, because we need all the help we can get. I'm very concerned, and I know many, many of you are too, about what will happen to our democracy if we don't fix our badly broken voting systems. That's what Verified Voting has worked on for years. We've worked on making voting secure. We focus on the technology. We're basically, mainly, a bunch of geeks. We have some attorneys and election officials also who are involved on our board and advisory board, but our main focus has been on making voting technology more secure. We know how to do it. We know it needs to be done. We just have to get it done.

All right. Thank you everybody. So I guess my first question I'll go to Eric. You mentioned a little bit about the 20 Critical Security Controls, and I know several of the speakers today have talked about the need for state and locals to implement basic cyber hygiene on their networks and their databases. I think that most people in this space would consider basic cyber hygiene to be at least doing the top five Critical Security Controls. Do you mind just telling folks what those are?
Okay, sorry. So, well, let's start by talking about what cyber hygiene is, right? Hygiene meaning trying to raise the bar for some sort of a system, or system of systems, to a level where you know it's generally resistant, or at least more resistant, to epidemiological-type threats. That's the way I think of hygiene, cyber hygiene. And so what are the top five? I mentioned the Top 20 Security Controls that CIS produces, but what are the top five? We often say the top five is the easiest way for any organization to get to that sort of hygienic stance, where you know that you're taking care of the low-hanging fruit. So the top five CIS Controls are: asset inventory over what is known, authorized or unauthorized hardware in your environment; asset inventory over what is known, authorized or unauthorized software in your environment; secure configuration of that software and that hardware; continual and cyclical vulnerability assessment of said hardware and software; and lastly, figuring out who should have administrative control, and what administrative control means in your environment, over that hardware and software.
So those five topics: if all election networks, if all election systems, were to implement those top five pieces of guidance, the overall hygienic stance of the election system would be enhanced vastly. So that's cyber hygiene, or that's the top five for you.

So I guess, Barbara, I'll put this to you. As I think we know, most state and local governments, for various reasons, many of which are out of their control, aren't able today, at least, to implement those top five controls. But a lot of those controls are the actual sensors and so on on the network that can tell you when the bad guys got in, what the bad guys did, and so on. What I think we've seen reported to Congress and in the media by a lot of folks is this term of, oh, we haven't seen any evidence that votes were tampered with, or that the voter registration databases had deletions or changes, and so on. But I guess the question is, if they're not doing even these basic five controls, and the sensors aren't there to really understand what's going on, isn't the more accurate answer: well, we really don't know what happened in the election, and have no way of telling what happened until those sensors and so on are in place? So, Barbara.

Well, actually I have a couple of different thoughts. First of all, obviously these top five requirements need to be in place, but frankly they're not adequate. It certainly will not protect against a nation-state attack. In fact the top 20 won't. It's much more serious than that. I mean, the fact that we are here talking about trying to get the top five in place I think is a very sorry reflection on the state of the security of our voting systems in this country. I don't mean to take away from what you're doing.
It's very important. Yeah, so we need much more. We need a sense of urgency. We need sort of, like, was it the Chicago project with the bomb? What was the project for building the bomb, Chicago? Manhattan. Yes, it was at Chicago, but it was called the Manhattan Project, right? We need a Manhattan Project for our voting systems. That's really what we need.

Now, in terms of the 2016 election, we do know that at least one voter registration database, one vendor for voter registration databases, was hacked, and we know, for example, that that vendor was what was used in Durham, North Carolina, where there were major problems on election day. As far as I know, nobody has gone back to do an analysis of the voter registration database in Durham, North Carolina, to see if there were a lot of changes made to people's names or addresses or various information that would send them off to the wrong place to vote and create chaos. So we don't know, even in that case where we know that the vendor had been hacked. In the case of the voting machines throughout the country, even where there are paper ballots, in most cases we did not do an adequate check to see if any hacking had occurred there, and of course where there is no paper it's almost impossible to check. I mean, we could try impounding the machines and doing a forensic analysis, but it's very hard, as I'm sure you guys know. It's very hard to do a forensic analysis of a computer, and even if you do it and don't find something, that doesn't mean something wasn't there. So the bottom line is, we do not know if the 2016 election, the votes themselves, were hacked or not. We don't know if the voter registration databases were hacked or not. And it's unacceptable to be in that state of ignorance. We need to make our elections such that we know that the correct candidates, the candidates who were declared the winners, were in fact the winners. We do know how to do that, but we're not doing it now.

Although you were right to hand it to
Dave, because my next question is for him. So, you know, some of this is really technical, like the stuff CIS does, and I think some of the auditing and so on that Verified Voting talks about is obviously really important. But oftentimes we hear about what secretaries of state want, or county clerks suggesting to do this, that or the other thing. It seems to me that governors are actually really important to this conversation, and I'd really love to hear how NGA, or you, Dave, specifically, are thinking about this in terms of the role of governors and so on.

Okay, so a few caveats. Nothing I say here today is in any way articulating an official position of the National Governors Association or any governor's office. Okay, period. That being said, my team at NGA, we don't have technical backgrounds. We're engineers at heart, but we do not have degrees in computer science. We're lawyers. We think this is a huge problem. We know that governors have a role, because while under many state constitutions the secretary of state is a constitutionally separate branch from the governor, the fact is that a lot of the deployable assets and a lot of the expertise relevant to cybersecurity reside in state agencies that are under the purview of the governor. In many cases a lot of the back-end systems that are used to run elections, like voter registration databases, are actually part of the services that the CIO's office manages.
So there's no question that when it comes to actually preventing attacks and responding to attacks, governors have a role. I'd also point out that if you want to make any changes to election law, not necessarily policy, but law, you'll need to sign legislation, and governors are the ones that sign legislation. And if you want them to sign it, they need to have buy-in. I'd also say that the bully pulpit that governors have is incredibly valuable in terms of raising the profile of this issue at the county level, state level and federal level. If you want a HAVA 2.0, you're going to need governors on your side. So that's why we definitely deserve to be in the conversation.

So in the same vein, I'm wondering, from the MS-ISAC's perspective, if you're seeing governors or other state executives bringing their CIO or CISO into the conversation on how to better secure our voting systems, both from the back-end database and network perspective as well as the front-end stuff that Verified Voting talks about, which is the machines themselves and the ballots. So, Eric, what is the MS-ISAC seeing on CIO and CISO participation in this?

So that's actually an interesting question for myself and for my organization, because the MS-ISAC interacts daily, I would have to say daily, with CISOs from all of the states in the U.S., right? So what are we seeing?
Well, we've been seeing, since the advent of basically the news cycle with election hacking, an uptick in communication from CISOs, from state cybersecurity departments and so forth. We're seeing a lot of activity coming at us from the DHS side regarding setting up committees and councils and meetings, and a lot of activity coming at us from the National Association of Secretaries of State. So we're interacting with election officials left and right. The MS-ISAC really plays a middleman role in a lot of this, in terms of we're watching the wire, right? We're watching what's happening over the internet that's bound for the states, and so when stuff like this happens with election cyber hacking, our communication volume, I'm not sure if this answers your question, but our communication volume basically skyrocketed regarding this. We have been facilitating some meetings. I can't necessarily tell you between whom, but we've been facilitating meetings. We're seeing a big uptick. So hopefully that answers your question.

So then, on top of that, I guess my question back to Barbara. If governors are showing interest in this, and the CIO and CISO in the state are, are you guys getting more traffic from clerks and secretaries of state asking you about best practices and so on? And if so, what are you hearing? Are you hearing good questions? Are you hearing very technical questions, or people trying to figure out the right answers to this stuff? What is the nature of the conversations?
Well, I don't know about traffic to our website, and I don't know if we keep tabs on that or not. One of the things that we have on our website is a map of the United States which shows what types of machines are used in every state, breaking it down to every county, and we're really the only resource that provides that. So, incidentally, if you want to know what's going on around where you live, just check Verified Voting, click on the Verifier, and you can get that information. As far as technical questions coming from election officials and so on, individuals involved with Verified Voting might be getting those questions, but typically we don't get questions sent to the organization itself.

Okay, good. So that's the end of my questions, but I wanted to get to questions from folks in the audience for the group here. Sure. Yes, and if you can just yell.

So I think it's first of all important to know, oh, so I believe your question is that what I'm saying makes it sound like we're speaking out of both sides of our mouth, and that you're saying that in the past secretaries of state and governors have said that everything's fine. This is not a statement from me; I'm repeating the question. I think it's first of all important to remember that awareness of cybersecurity as a problem is relatively new at the higher rungs of government in many cases. And I think it's important to acknowledge that the National Governors Association rarely makes a policy statement as a single voice of the governors. So I don't speak for governors' offices. I can't speak for them. I do know that many of the cabinet officials who run state agencies think this is a huge problem, and they want resources to deal with it.
That is what I can tell you, and it is up to us going forward. You know, I came here to DEF CON to see for myself just how vulnerable the systems are, and it's clear that they're vulnerable. So it is now up to the Center for Best Practices to do our best job to educate everybody at the state level that this is a serious problem, and then identify key practical recommendations that we can implement before 2018 and 2020. That's my job. But I cannot speak to what governors' offices say.

An ancillary question to that: as I was covering this past election, I experienced, I felt, that the closer we got to the election, the more frequent the response I got from people I was asking about the security of the election was, we can't question it, because if we do, people won't vote. And I'm concerned, as we come to next November and 2018, it feels like when we get into those final couple of months everybody clams up, because there's this fear that somehow the electorate will stay home if they don't trust it. I mean, do you think that's going to happen? How can we get past that?

So I'll actually take a crack at the first part of that answer, if that's okay. In a previous life I did political campaigns for a living, and in fact I was President Obama's national deputy field director in 2008. We spent an enormous amount of time researching why people turn out to vote, why people don't turn out to vote, what makes people stay home, and so on, and we never, ever once saw any research that indicated that lack of cybersecurity or something like that would make people stay home from voting. Ever. In no research, not once. And I will say, though, that it is often Democrats, the party that I'm a part of, who make these asinine claims that, oh, if you say that there's a security issue, people will stay home from voting.
I will say that a group of people that I'm not a part of, which is attorneys, are usually the people making that claim on the Democratic side. It's our voter protection attorneys who make these ridiculous points, and there's just no evidence to back it up. But I'm happy to let somebody else.

I've also heard that claim, and my response is, we should be truthful with people and we should fix the problem. And if we fix the problem, then we can say truthfully that you can vote, because your vote will be counted correctly. What we need are paper ballots and mandatory post-election manual ballot audits. If we put those two things in place throughout the country, there's no way to hack our elections, because you can't hack paper.

It's a great question. Three points, and I wrote them down to make sure I get them right. So the stories, the narrative, is already out there, so I don't know how pretending, I mean, that's done; the cat's out of the bag. A lot of voters are reading news stories on this every day, so we might as well talk about it reasonably and rationally. There's no reason to bury our heads in the sand. The concern: I know that there's a lack of data on that, but I think it's a legitimate concern that people won't vote because of this. I think that is all the more reason to plan ahead now. Right before 2016 there were so many questions that were raised and not enough answers, and I think the best thing that states can do is to plan ahead, have a publicly released plan that shows, this is how we are going to deal with any problems that arise, and then you're not forced to make up answers to questions that you might not have right before an election, right? I do think that's a good question, but I don't see why we would pretend like people are not already listening to the message, right? That's my answer to that. Did that answer your question?
Verified Voting has done that sort of thing in the past at the state level. For example, one of the things we've been very involved with is fighting internet voting at the state level. Maybe that's a negative, but we've also worked on model language for voting. But indeed you're right, we do need model language. Sometimes one of the things that happens is that there's a piece of legislation that comes along and you think you can stick something in it that'll help your cause. I'm sure that happens with the environmental movement too. So that's something else that we do. Hopefully there'll be some cybersecurity legislation coming along and we can say, give some money for voting machines, because that's a cybersecurity threat. Hopefully. Model language? No, we should have it there. That's a very good suggestion. We should have model language on our website for legislation. I'm sorry, I didn't repeat the question. The question was, is there model language?

As I work at a 501(c)(3), we have to be very careful with lobbying, so my particular body doesn't write model legislation. However, we certainly give policy recommendations on a regular basis. There are two things you can check out. You can go to Meet the Threat; you can just Google "Meet the Threat: States Confront the Cyber Challenge," which was Governor Terry McAuliffe's cybersecurity initiative that just ended recently, but we're not going anywhere. And then we recently released a Governor's Guide to Cybersecurity, which is also available online and should be accessible through Google by now. We have a whole one-pager on election security that includes recommendations that someone might decide to include in legislation. But we don't have model legislation, no.

Okay, I have not thought of that. I'm sure somebody has, but it's a very good point, and I'm writing it down, because I'm going to go make sure that we think more about it.
Oh, yeah, can you repeat the question? Oh, the question, I think, so your question was, have we, in the context of this discussion, considered the census? And are you saying that the integrity of the census could be corrupted? I have neither heard nor read anyone talk about that, so I don't know, but I certainly want to look into it.

I'm not answering that question. It's up to states whether they want to. So the question is, does the National Governors Association believe that states who have not come forward publicly after being breached, whatever "breached" even means, let's recall that often people misuse the term; sometimes we're just talking about a port scan, and that's not necessarily a breach, should they come forward? I'm not aware of any law that requires them to do so, and the National Governors Association would never ask states to do something they don't want to do, so that's up to each particular governor. Not about disclosure: states talk about election security with each other, and state officials do, all the time, but not about this particular issue, and I wouldn't know that.

So I can actually speak to that a little bit as well, from the MS-ISAC standpoint, since I said the MS-ISAC acts almost like a cybersecurity proxy in many ways, where we facilitate communication among states and so forth. And so you mentioned a figure that DHS had let out. I can tell you this from the MS-ISAC standpoint, also from the state standpoint: we take the privacy regulations and so forth of each state very, very seriously. In fact our entire constituency, and everybody who's collaborating with us, it's done on trust, and so the MS-ISAC could never release that type of information, because each state trusts us as an organization not to do that, right?
So I don't know if that helps lend some information to your question or not, but at least from the MS-ISAC standpoint, and from the standpoint of how the states collaborate with each other from a cybersecurity standpoint, I wouldn't keep your fingers crossed in terms of that kind of stuff coming out. Not sure if that helps, but yeah. And so the last thing I can say about that is that that avenue you just outlined, where people are writing letters to, let's say, secretaries of state or something, requesting public information, that would be, I think, the suggested path the MS-ISAC would say a regular everyday citizen should take, because an organization like ours couldn't disclose that information, just by the nature of what we do. We can't disclose that publicly, so nor could I.

Real quickly, Texas did just pass a law that is going to require the secretary of state to do a postmortem on the 2016 election, so you might want to look into that. Who's next?

So I don't think that there's anything right now. I think that there are a lot of folks who've been talking about this, about how do we compel states to disclose this, and I think there's going to be a lot more conversation about it in the future. So I'm almost positive that there is legislation that has been introduced for a federal data breach notification law. Almost positive; don't quote me on that.
But if that's the movement, I don't think there's any chance it's going to pass. But, if that answers your question.

Okay, so we have one minute, so I just wanted to give some final wrap-up notes on what's been going on in the village since today, for anybody who wasn't in the room when I announced it earlier. Within an hour and 40 minutes, the group in there were able to remotely gain access to a WINVote machine, and another group, with no prior knowledge of the device at all, was able to hack an ExpressPoll poll book and get in and start messing around with the database in there that would contain a list of voters. Since I made that announcement around noon today, they've gained access to the hardware and firmware of a TSX machine, and they're currently in the process of reverse engineering the infrared communication protocol of an iVotronic. And so our friends in the Voting Village have become a little bit manic about this whole thing, and so they've moved the machines upstairs so that they can start working on them tonight. Actually, I think there'll be some people with a lot of Jolt Cola and no sleep messing around with voting machines tonight, so we're excited about that. I don't know, it just says upstairs. Probably didn't tell me on purpose. Okay, so with that, thank you everybody who came to this today, and we look forward to seeing folks tomorrow.