 I'd like to introduce this morning, Jeanette Manfra, with the talk, Securing Our Nation's Election Infrastructure. Enjoy!
 Thank you so much and good morning. I was hoping you all would sleep in and I could do this with maybe just 10 people. Not terrifying at all to stand up here and see you. So first, thank you so much for coming both to DEF CON and to the speech. I wanted to just spend about 15-20 minutes talking to you about how we think of election security and also, you know, sort of extrapolate a little bit about how that relates to our approach to critical infrastructure overall. I also want to point out that this is my son's first DEF CON. He's very excited. He's six. So we'll bring him by the voting village later. So for the little closer. Sorry, I'm a wanderer when I speak. We'll try to stay still. So for those of you who don't know what DHS does and I do apologize up front. I can't help myself. I'm going to say cyber and cybersecurity probably a lot. It's just the way we talk in DC. So just accept it. I have. So in DHS, my organization, we're the Office of Cybersecurity and Communications. And we stood up about 11 years ago to focus on the purely defensive side of cybersecurity. And we have two main roles and maybe about three we can talk about. The first one which we spend a lot of time on is protecting federal civilian networks. So the way the government runs it naturally it's somewhat complicated. We don't do IT governance particularly well and we've made it particularly complicated for ourselves. But I will spend 30 seconds and explain it because it may be useful in a trivia game at some point in your future. So the DOD, they've got their network. They're protecting that. The intelligence community has their networks. They're protecting that. And DHS is left with the 99-ish federal agencies. And yes, there are 99 federal agencies. And what we do is we work with them to deploy technologies and capability to better protect our networks. 
 And what we're evolving towards on the federal side is thinking about instead of individual risk, every agency thinking about themselves is owning one part in their own part, much like many companies think about just themselves as individual risk. We're trying to get to think about enterprise risk and think about the government as a whole. We have a lot of technologies and shared platforms and we have a lot of adversaries that are trying to get our information, whether that's to steal citizen information or whether that's to get information about policies or other capabilities that we're thinking about. So we have to think differently about how we defend those systems within our federal government and we're doing a lot of work. We've been issuing a lot of directives to improve the security and take advantage of different capabilities that the private sector has developed. So that's enough about the federal side. The second part is critical infrastructure. So while I have the authority and the resources to deploy technologies to tell other federal agencies what they should do and importantly to measure them on their progress, with the private sector it's purely voluntary. And I think that's important. I think that's the only way that we can be truly successful. And I'm using the term private sector very broadly and that includes all of you in this room, whether you're in a big company or working for yourself. It also includes academic institutions. It includes state and locals as well. So we have a broad public-private partnership that we refer to it that it has to work together to figure out how we're going to secure and defend our critical infrastructure. So if you think about, you know, one of the most fundamental roles of government is to provide for the security and the defense of its citizens, right? 
But the internet has challenged everything when it comes to how we think about the role of government in defending and securing its citizens and its infrastructure. And for all the amazing benefits and the economic development and the social benefits that has come with the development of the internet and the technologies that leverage it, it does create, of course, a lot of vulnerabilities. But I think most interestingly for policy people, it really challenges how you think about what the role of government is. The role of government, we have typically had the best advantage when it comes to defending our country. We don't have that anymore. We have some capability and it is unique for those of you who maybe took an international trade class once upon a time, the concept of comparative advantage, it applies here but in a different way. So the government, right, we can go places and we can do things and invest in places that either the private sector or other entities are not allowed to or they don't have the incentives to. And that can be useful when we're talking about bringing everything together. But we don't have that unique advantage and we don't have all the information. And so what we've been talking a lot, and I'll get to elections in a second, is the concept of collective defense. And what this means, and there's a lot of different analogies that people talk about, best athlete, comparative advantage, but the concept of that the government is just one player in a community of organizations and individuals that all have some capability that they can bring, some of which are better than what the government can bring. And so for the first time in a national security space, the government is not on the front lines. Our companies on the front lines, our citizens on the front lines, all of you are on the front lines. And that sounds easy to say, but when you start to really think about that, that it just challenges everything you think about. 
Well, what does that mean, the role of DOD? What does that mean about the intelligence community? What does that mean about the role of the private sector? And so what it does mean, though, is that we have to get past our traditional incentives. In the government, our incentive is to collect information and to protect that information in order to be able to execute our security and defense missions. But we can't do that. We have to be able to share that information, and we have to be able to be transparent, and we have to build a level of trust with a wide variety of individuals, organizations, and entities that we've never had to do before. On the flip side, on the company side, the idea is to monetize information and capability, which is fine. I'm a capitalist. I want us to be a strong, economically powerful country. But in this space, if we're going to truly be able to hold the adversaries at the same level of risk that they're holding us, we have to be able to move past that. We have to be able to find other ways to cooperate, and we have to think differently about what are the capabilities that each of us needs to bring to bear to this fight. So that sort of thinking is how we think about the entire fight overall, if you will. Our adversaries have been taking advantage of us for a long time. They've been taking advantage of our traditional principles for a really long time, and we've got to figure out a way to turn it back on them. And again, that means the government's got to think differently, and that means everybody's got to think differently. So I want to talk to you specifically about elections, though I'm happy to talk about anything from medical devices to our electric grid after the event if you're interested. So the slide that we've pulled together, and this is my first talk I've ever done with a slide, so we'll see how it goes. This is how we think about elections. And elections is more than just the voting machines. 
I didn't know a whole lot about how our voting system worked before DHS got involved, and I'll tell you it's tremendously complex. The complexity is actually a benefit. But so what we started to look at is, and going back to 2016, when we first started to understand that the Russians were attempting to undermine and sow chaos and discord and undermine our democracy in general, which by the way they've been trying to do this for decades. It's just the technology has allowed them to do it at a better scale. So we stepped back. We talked with a lot of election experts, and we said, okay, explain how the system actually works. And then we worked with the intelligence communities and others, and we said, okay, well now if an adversary wants to undermine our democratic process, how could they do that? And so this is, and you know, don't think we have some stuff here that's on election day. It doesn't necessarily happen on the day of election. But the concept of you've got everything from voters trying to register, to actually casting the ballots, to counting and tallying, to distributing those unofficial vote results on election night, to the final tally. And what we did through this very comprehensive risk assessment is we found that it's actually really, really difficult to try to manipulate the actual vote count itself. And there's a lot of reasons for that. The voting machines are physically secured. We've got, you know, thousands of jurisdictions across the country that all use different sorts of things. And so while you may be able to get into some voting machines, and I know a lot of you may be working in the voting village, you can't really affect that at scale without detection. And it would be really hard. So we said, okay, well what are they trying to do? They're trying to undermine our democratic process and the confidence that we have in their democratic process. And there's a lot of ways to do that without actually trying to manipulate the vote. 
And that's what we expect that they will continue to do. So what we look at is, and this is how we define election infrastructure. There's a lot of other efforts about thinking about social media companies and the role that they play in campaigns. But what we're very much focused on is the state and local run process that you and I all participate in, I hope, all the time. And so this is what we're focused on securing. And again, to take an example, voter registration. It's not so much the data itself. It's actually fairly easy to get the data. In most states you can buy the data. So it's not that we're worried about losing the data. What we're worried about is maybe manipulation of the data. So somebody comes to vote. Now everybody can get a provisional ballot in every single jurisdiction in their country. But say a bunch of people show up, and you're told, well, you're not supposed to vote here, but we'll give you a provisional ballot. And then the lines start to back up. And then a lot of people say something must be wrong here. There's a lot of people not on this list. They're in the wrong list. And so the data itself has just been either manipulated or lost or something like that. So that's what we're concerned about. So we've talked a lot about how we can secure those voter registration processes. In the actual tallying of the votes, thinking about the systems that run the voting machines, the election management systems, the tallying process, all of those, making sure that those are secure. And many of those all say, state and local communities that run elections, they are not the most resourced organizations in this country. And now it's not a surprise to you. So they're often dealing with old software, old technologies, and they do the best that they can. But how can we help them as a community? Again, this is all of us in this room. 
 How can we help them ensure that those systems are secure, that they understand best practices, that they know how to prioritize what they need to be doing? And then finally, thinking about, say, the submission on election night. This was an interesting concept, right, is that these are not the official election results, but say a bunch of states issued, you know, here's who won the presidential election, our unofficial tally. And then a couple of weeks later, the official tally comes out. It's completely different. So the official tally is correct, but the unofficial one was manipulated. Now you have another situation where the confidence in the process has been undermined. So I want to put this out to you. This is a public document. You can get it online on our website. But I wanted you all to think about bigger than just the voting machines themselves. This is a bigger process. There's more to think about. There's more work to do with the private sector, the vendors of these systems who are working with the state and local secretaries of state, the election directors, helping them understand how we work together on this. So I wanted to close before I bring up one of my folks here who is running a lot of this activity for us with, you know, really thinking about kind of where we started. The election issue has brought the concept of cyber security to the fore in a way that nothing else had. I yearn for the days when we were just worried about the electric grid going down. 
And so as frustrating as it may be for us constantly talking about it, it has had the power of getting people involved in this space and thinking about these questions about the role of government, the role of the private sector, the role of researchers, the role of the international community when we start to think that we have adversaries that are trying to undermine our traditional concepts within our country, our concepts of democracy, our concepts of intellectual property, our concepts of privacy, our concepts of ability to do business and to run our government. And if we don't come together and we, again, we aren't able to get past our traditional cultures, our traditional incentives and figure out how do we come and collectively defend against these adversaries, they're going to turn the internet into the model that best suits their concepts, which is not free expression, which does not protect intellectual property, which does not allow the level of discourse and progress that we have made in our country. So it's not just an American issue, it is definitely a global issue. And while elections are just one part of it, we still have to think about all the rest. I encourage you, as you all are thinking about the technology itself and how do we make the technology better, think about the policy side of it and participate in that debate. We need more people who understand the actual technology to participate in the policy debate because shockers, not everybody knows how the internet works in DC. So with that, I wanted to just close, I would like to, we were in the voting village last year. Not everybody knew, but we've got our team of pen testers and red teamers here that they're the ones that are doing all of these vulnerability assessments across the country. They do it for critical infrastructure. We've gone to Ukraine. We've been everywhere. Rob, come on up. And I just wanted to introduce him to you. 
 They are all proudly wearing, I think they're all proudly wearing DHS shirts. Some of them are pretty obvious that they're government officials. But we want to make sure that you get a chance to talk with them. And like I said, importantly, that you engage in both the technology and the policy side because we can't just be having this debate in DC. So Rob, I'll let you close.
 All right. Yeah, thank you. So, yeah, there's about 20 of them down here and there's some of the brightest and smartest people that I've worked with. So please make sure you find them out. What I'd like to reiterate, though, is we do have a national mission and elections is one part of that. So under the assessments program, we have three different programs. We have cyber hygiene, which is basically vulnerability scanning. We have risk and vulnerability assessment, which is pentesting. And then we have operational assurance, which is more of a blue team kind of style look. Under cyber hygiene, we have 850 customers under there of which 95 are election related. And so what's great about this is we're able to get this data and analyze this data and look at it and say, hey, we see trends here. So we saw trends in the federal government where critical vulnerabilities weren't being closed. And we worked with that. We issued some binding operational directives to take care of that. The statistics that we're seeing on elections are right in line with our other customers. So they're no better. They're no worse than the other customers. They have the same issues. And the main issues are that we're seeing old software out on the internet, unsupported software, PHP that's outdated. It's the same issue. One thing that we are able to see in a little of our analysis is that the election officials are a little slower than the government and other people on fixing and patching those issues. So we're going to work with them and get the word out and let them know how critical it is. 
 And hopefully they'll be able to get the resources to work and fix that. So it's a resource issue game, right? So on the penetration testing side, it's the same issues. When these guys start their campaign, the first thing that they do, they do a little background investigation and they send a phishing email. Bingo, they're in election places and they're in non-election places, financial, water. It's the same. So we're working on educating people and educating people and getting the word out there. And the final thing that I want to say before we wrap this up is we just started a Pied Vulnerability Assessment where we're getting election machines in and other critical infrastructure machines in. We're tearing apart the firmware. We're looking at that and we're working with the vendors. We're going to issue some guidance to them and find issues on those. And hopefully we'll make this more secure. So we're here to help and make sure you see these guys. They're a lot of good guys. Thank you. And ladies, yes.
 Okay. So with that, again, please find us. We'd like, we'd love if you worked for us, but if you're not willing to work for us, we would love you to work with us. Like I said, we're the only part of the government that has a purely defensive mission. And as you can see, it's a big one. And we're just so happy that you're here, that you chose to come to listen to us talk and that you're willing to invest your time and your talents in solving these really critical problems. So thank you.