All right, it felt like after the last session I wanted to get up here and go, "Let's get ready to rumble!" Kind of fun, right? But there you go. It's all good. So, everybody up and awake this afternoon? My name is Dan Weber. I'm the CEO of the Election Integrity Foundation, the not-for-profit that funds the Voting Village. So I appreciate y'all being out here today. Don't forget, if you're on social media, tag it with @VotingVillageDC on Twitter and use the hashtag #VotingVillageDC. So, happy to have you guys. This next session is Bootstrapping Vulnerability Disclosure for Election Systems. We have three distinguished folks up here on the panel. First is Jack Cable, security researcher and student at Stanford University. I think he could probably have his own session going through everything he's seen at such a young age. He's a coder turned white-hat hacker and a rising sophomore at Stanford. But you need to hear a couple of these fun ones, right? So the coolest thing is, through the HackerOne bug bounty program he has identified over 350 vulnerabilities in companies including Google, Facebook, Uber, Yahoo, and the US Department of Defense. And for those of you who had the opportunity to go to the HackerOne party the other night with 1,800 people, we thank them for all the free drinks that we got. It's all about drinking on other people's money. Katie Trimble is Section Chief for Vulnerability Management Coordination at our US Cybersecurity and Infrastructure Security Agency, CISA, Department of Homeland Security. She's going to go through all the different 16 critical infrastructure sectors and levels of US government organizations that she supports. And then Trevor Timmons, CIO for the Colorado Secretary of State's office. He has been there since 2007, after eight years as deputy CIO and director of software development. So we'll welcome all three of them and get to the heart and meat of the matter. All right.
Yeah, thank you to everyone for coming out today. So we're going to be talking about vulnerability disclosure for election systems, and this is in part motivated by some work I've done trying to disclose vulnerabilities to various states and local governments. So I'll go into the stories there, my experiences, and how that could be improved. But first, just to set the stage with vulnerability disclosure and why it's so important. In short, vulnerability disclosure is a process that allows external researchers to easily find a contact and channel to report vulnerabilities. So if I, say, find a vulnerability in a company, I can email it to security@thatcompany.com and they can easily receive the vulnerability report. This works great in industry. As a researcher, I've worked on programs like Facebook, Google, even the US Department of Defense. Yet among states, and especially for election systems, we have zero states or election vendors that allow reporting vulnerabilities. There is one state that has a vulnerability disclosure policy, though it is not actively maintained and they won't even respond to your emails. So we need something that allows people to report vulnerabilities and be assured that they'll get a response and that the vulnerabilities they report will be fixed, especially for election systems. We know that this is something that is under active attack by our nation's adversaries. So if you read the Mueller report or the recent Senate Intelligence Committee report, you'll see that all 50 states have been targeted, especially the by-nature public-facing systems, say voter registration databases, which are common targets. There have been several high-profile breaches due to states being targeted on these. Even the Mueller report mentions a common attack vector, SQL injection, which was the vulnerability I found in these state voting databases.
So, yeah, I'm joined here by Trevor from Colorado and by Katie from CISA, and I'll start off with some of my experiences disclosing vulnerabilities. Again, the point of talking about this is not to shame these cities and states for having vulnerabilities. It is completely normal to have vulnerabilities; what matters much more is what is done once they're reported. Because it's normal in industry, it's normal in government, everyone has these, and we need to have channels for researchers to report them. And that's not something we see anywhere with election systems. So, room for improvement. So it all started with election systems for me when I was registering to vote back in October. I was on my city's voter registration site and noticed that just putting an apostrophe in one form, I received a 500 error. Being a curious researcher, I soon realized that this was a SQL injection vulnerability. It's not like I was actively testing for this, but once I'd found it, it was then my responsibility to get it to the right people so they could fix it. So I began the process of disclosing this vulnerability. I reached out to some contacts; I disclosed it to several people, including the chief information officer of the respective city, and tried many, many times to get to the right people. So that was in October. In December, I noticed a change: they had put a web application firewall in front of the site, which would make it harder to exploit the SQL injection vulnerability, but I could still confirm it was there. So they hadn't patched the original vulnerability even though they had received the report. So I tried again and again; somehow it didn't get to the right people, or they didn't address it. I kept trying to disclose, going through alternate routes, and May comes along, which is then six months later.
So I began trying to think of other ways to disclose. I then came to Katie and her team at CISA, and then in June I decided to just email one of the email addresses on the actual board of elections, just a random public contact email address. Doing that, I was able to get a response, and at least according to them, they hadn't heard anything despite all of my attempts to disclose. There are some issues, say because the city may be siloed from the Board of Elections, but even then you would think that if a city receives a critical vulnerability report for its board of elections, they would try to get the report to them. So I'm not sure quite what happened on the back end there, but once I was able to make contact, they were able to address the report and fix the vulnerability. But that was seven months after I discovered it. So who knows what could have happened in the time between then and the time that they actually fixed it. So that was in one city. Then in another state that I was also looking at, I realized that there was another SQL injection flaw. This was the state that I lived in, so I was also going to check my voter registration status and again noticed this flaw. What was particularly concerning was that this state had been breached three years prior. It's public; if you read up on it, it was through SQL injection. So not only had they been breached through this type of vulnerability, but the vulnerability was still there, or at least there was a page where it was still exploitable, even though they had fixed it in one area. So this was again incredibly concerning. I tried again going to, say, the CIO of the state and some other contacts, and a couple of weeks later,
I hadn't heard anything. Based on what I tried in Chicago, I also reached out to just a public contact email address for the board of elections, and that time got in contact with someone who was technical, and they were able to fix it within the day that they received it. And again, they hadn't heard anything despite my going to all these various people, but they never got the report to the right people. So without a vulnerability disclosure policy, the process for getting a vulnerability to the right people as a public individual is incredibly difficult, and it will remain that way unless we give hackers, security researchers, whatever you prefer, a way to disclose vulnerabilities such that they can be assured, one, that they're protected, and two, that it will get to the right people and it'll be addressed. So yeah, that was my experience disclosing these vulnerabilities. Moving forward, what we want is for states and election vendors to start thinking about establishing vulnerability disclosure policies and giving researchers a way to help out. By allowing a form of public contact, we can really begin to foster these relationships that we want to have, and we can start to be more constructive when it comes to security. So I really do believe that vulnerability disclosure policies are a necessary first step towards being more transparent and better when it comes to security, and that's something that we're going to need to do, and we need to do it before 2020. So with that, I'll give it to Katie, who will talk through some of the work that she does at CISA.

All right, so from Jack's story you can kind of see the complexity here and all the different pieces. And so we at CISA have some vulnerability portfolios. So if you're familiar with MITRE's CVE program, I run that. The NIST NVD program, I run that. The CERT/CC Carnegie Mellon program, I sponsor that. And then the ICS-CERT vulnerability handlers,
I sponsor that. So that work all falls within my office. Even with all of that experience (so CERT/CC has existed for 30 years, we've been coordinating vulnerabilities for 30 years; MITRE has existed for 20 years doing CVE work, we just had the 20th anniversary birthday party at Black Hat this past week), so we have a lot of experience doing vulnerability disclosure, but most of that's in products. And so even with all of that experience, we are still in uncharted territory. When Jack finally did get to us, it still took us probably two months to find the right people for the cases that he brought to us. He had already made all of this contact, he had already done all of these things, and then we tried to back-channel in and find out the people that we needed to talk to. Which just goes to show that when we're talking about vulnerability disclosure, it's not easy, it's not simple, it's not straightforward. It's very complex. There are a lot of people, and when you don't go to the right people... There's this amazing thing that has happened throughout the years, and it's this training we've done for social engineering. Like, who would have thought a security awareness training actually works? So when we call people, you know, big companies, and we're trying to find contacts to get vulnerability information to the right kind of product safety team, we call and we say, "Hey, I'm Katie from Homeland Security," and they go,
"Yeah, I'm sure you are," click. And we're like, "No, but seriously, I promise I am," and they're like, "Uh-huh," and then they hang up the phone. So it works. And so in this case what happened is it's working negatively, because people think, when Jack's contacting them, "Oh, yeah, I'm sure you found some vulnerabilities," or, "I don't know what to do with that. Thank you for bringing it to me, but I don't know what to do with it." And that happens. Election systems are very complex. We categorize election system vulnerabilities in three ways. We look at them and we say there's software, there's hardware, and then there are digital services. So software is the automated software services that allow you to vote online; there are several of them. Hardware, that's the individual machine that happens to be in your polling station. Usually these are air-gapped systems; these are solid machines, industrial control systems. And then there are the digital services sites: that's your voter registrations, your databases, the web services that are available to the public. They're all vulnerable. But here's the thing about it: all of these things are vulnerable in every sector. So while we feel very unique in the election sector, I cover all the sectors. I deal with everything: nuclear power plants, Fitbits, Nest thermostats, Pixar software, you name it, we cover it. So the challenges that are in election systems are in no way different than the challenges in any other system. It's just new and uncomfortable. But there's only one way to get through that, and that's just to get through it. So we are looking at climate, not weather. So each individual disclosure may be painful in the beginning, but once we move through that and get used to doing them and develop processes and get those processes in place, it will be so much easier. It'll be so much more straightforward. So what I have behind me is the ecosystem, and this is DHS's ecosystem.
This is specifically designed for products. It's not designed for digital services. We don't normally accept digital services vulnerabilities, because we're not the internet police. And despite the fact that I work for Homeland Security, I am here to help. I am not a government suit. I'm sorry, I'm wearing a black jacket; I normally don't, but my other jacket got, like, a spine, I don't know. Anyway. We are here to help; we do try to help. We've expanded our scope when it comes to election services because we think it's so pivotal to just daily life for everyone that we really need to take this and run with it as a serious matter. So what we've done is we said, okay, we're going to also take the website vulnerabilities. We always prefer that a researcher contact the asset owner or the vendor directly in the first round, but if something happens and that's a negative sort of relationship, come to us, and we will take that and we will try to do everything we can to get that fixed. We're all about getting stuff fixed. We believe that things should be in the public sphere, to shine the light on it. The light is the best medicine. It's uncomfortable in the beginning, but we promise it'll get better. So all of that said, there's my soapbox, but let's go through the slide. So when we do this, vulnerabilities are reported to us by a researcher. We can't go find vulnerabilities on our own; there are some legal liability issues that happen with that. You don't really want DHS hacking your stuff. It's just not a good idea. So researchers bring us vulnerabilities. We work with the researcher. We do the collection, the analysis, and the coordination. We try to independently verify that the vulnerability exists. That happens at CERT/CC or Idaho National Laboratory, depending on whether it's IT or OT. We then notify the vendor; we work with the vendor to develop a patch. We create a patch mitigation schedule, usually it's 45 days, and we say at 45 days
we are going to disclose this. Once we've originated and worked on that schedule and made sure everybody's in agreement, we all hold. We reserve the CVE; we are a CVE Numbering Authority ourselves, so we can reserve a CVE. Then afterwards, when we've reached our deadline, it's time to publish. We all publish at the same time, usually within minutes of each other. So the researcher publishes their advisory, the vendor publishes their information with a security bulletin and usually a patch, and then we put out our technical alert or vulnerability note at that time. The CVE is populated and made public, then it flows over into the NIST NVD catalog. Quick difference between NIST and MITRE: CVEs are kind of like a dictionary, they're just "this is what it is." NVD is like the encyclopedia; it's the elaborating and enriching information that describes that vulnerability. So, quick difference there. Okay, so we're going to hover on this slide for a bit. So that's kind of the ecosystem as it stands right now for us. We're in a learning curve too. We're trying to figure out how do we as a government agency adapt to the change? How do we as a government agency do better about reaching out to researchers, reaching out to vendors, building positive trust relationships? We tell people we don't hoard any vulnerabilities. The Department of Homeland Security does not hold any vulnerabilities. My job is to close tickets, and I cannot close tickets if there's information that's not been disclosed. My performance plan is directly tied to how many tickets I close. So if I want to keep my job, we publish. There are a couple of other programs that are intelligence programs; we do not submit to those intelligence programs. That one is called the Vulnerabilities Equities Process, if you're familiar with that. Any vulnerability that comes to DHS from a private researcher does not go into the VEP. I know because I run it.
I'm the DHS rep to the Vulnerabilities Equities Process as well. So in the VEP charter there is a section that says that vulnerabilities that were discovered during the course of incident response or security research which are intended for disclosure do not meet the threshold for VEP. That is the exact verbiage, because I say it so often. We do not hoard vulnerabilities; we publish vulnerabilities. We work with vendors to make sure that they have the opportunity to fix things. We work with researchers to make sure that their needs are being advocated for. I always tell people I'm not on the side of the vendor and I'm not on the side of the researcher. I'm on the side of the taxpayer, and I'm on the side of the system administrator who needs to fix that system. So we try to be the honest broker in the situation, and we realize that's a little bit of a shift from the typical "I'm in a black suit" government official. But we genuinely try. So I have nine federal employees and three contractors and fifty consultants in seven states, and we all have that same ethos. We all want to make this a better place. So we have some takeaways here, things that we can do. When we look at this, there are all of these positive things that happen. This is an uncomfortable position to be in, because it's new, it's so new, and we don't know how to handle it. But we've done things like this in the past. So I specifically look at the medical sector, and we say, okay, well, the medical sector about five years ago was very, you know, hands-off: "Don't touch my software. There's nothing to see here." But they actively embraced it. They said, you know what, we're going to change some laws here, we're going to make it easier for researchers to do research, we're going to accept those vulnerabilities and we're going to fix them. And that has made so much difference. It's now a routine thing, so much so that it's not even newsworthy anymore. And that's where we want to go.
We want to make it routine. There are so many positive things that happen when you just get things out in the light. When we try to hold things back, that's where the opportunity for negativity lives. So we say, researchers: positives for researchers, takeaways. Okay.

So yeah, from the researcher's side, just some thoughts. If you've found a vulnerability, or if you want to help, say, your local government be more proactive when it comes to security: one is to offer help. So there are great resources out there, and, say, volunteering with your local or state election board and really helping to improve security, because the truth is that often they're strapped for resources, and some free help can go a long way. And with that, say if there's a vulnerability disclosure policy established, which we can hope to see some of soon, then participate in those and give states the feedback that they need to get better. So really, just continue pushing the organizations to adopt those best practices out there that we've seen in other industries. We've seen how vulnerability disclosure policies can be really effective, so keep pushing organizations to adopt those and foster a type of relationship that really focuses on working together rather than, say, doing work separately. With a vulnerability disclosure policy, it connects the researcher and the organization so that we both can become more, or well, the organization can become more secure. So, Trevor, if you'd like to.

So again, I work for the Secretary of State in Colorado, and neither Colorado nor our office currently has a vulnerability disclosure policy or program. That is something that we're changing. My eyes were really opened to this. We've always had people that reach out to us and report issues that they may see with our website and that sort of thing. That's the type of thing
I think we tend to be fairly responsive to, but we don't have that formality around that. And really, my eyes were opened to this about five, six weeks ago, around the protection of the researcher from, you know, prosecution, liability, anything like that. I mean, it's the type of thing that we engage with all the time when we have external vendors coming in and doing penetration tests and doing that sort of thing. They're concerned about the impact of what they would do and whether you're going to kind of nail them to the wall. And so, you know, in Colorado we're working with our state chief information security officer and within our office to make sure that we've got a solid policy. I'll give a ton of credit to Beau Woods from the Atlantic Council, to Eric Mill from the Senate Rules and Administration Committee, and to the folks at CISA for actually kind of leading the way, providing some good advice in terms of how we can do this with, you know, companies like Bugcrowd and HackerOne and Synack, to actually take this and move it to the next level in terms of a VDP, kind of working together with you and you with us. And I want to touch really quickly on the election vendors, in terms of creating those channels. There is hope. With the designation of elections as critical infrastructure, they established this Government Coordinating Council and the Sector Coordinating Council, where we're bringing public sector, private sector, federal, state, and local resources together to actually talk through some of these issues. The folks on the SCC, so again, those are the folks on the private side who are providing election systems, voting systems, voter registration databases, election night reporting systems, all these kinds of systems and services, when they're providing them to states and to locals. That's their group.
Okay, they've been talking with the folks at the IT-ISAC in terms of how those disclosure policies work within that context, you know, with Fortune 10 companies that do this, do it well, and do it effectively, to actually improve the landscape for all of us. And so there is hope. I mean, they're talking with those people so we can figure out how this is going to work within the election side.

So the last thing before we go to the resources, I just want to say, so I always put this quote up, and those of you who have seen me brief before have seen it before. So I love this quote. It says, "Vulnerability sounds like truth and it feels like courage. Truth and courage aren't always comfortable, but they're never weakness." So the point is that this is uncomfortable. We get it. There are so many moving pieces here. It is hard to admit that there are flaws, there are failures, there are vulnerabilities in every system. Everything has vulnerabilities in it. But the point is that we have to work forward. We have to move past that. The opposite of love is not hate, it's indifference. And so when we can't have a conversation because we're so caught up in the politics or in the negativity or in that bad feedback cycle, that is the worst place to be. We need to be able to have a conversation, and we need to move into that conversation from a place of understanding that it's not weakness just to talk about it. It's truth and it's courage. So that's where we stand on it. We do have some resources that we listed here. If anybody wants to talk to any of us, we're happy to go outside and do it. I think there's another brief that's coming in; we don't want to delay them. But do you guys have any closing thoughts?
Yeah, I would just say, please do come talk to me or Katie or Trevor. I really do want to help out as much as I can in, say, giving advice for starting a vulnerability disclosure policy and making it as easy as possible. So yeah, we have some resources up here. The Department of Justice has published a great vulnerability disclosure framework. There's disclose.io, which has open-source vulnerability disclosure policy terms. You can look at other vulnerability disclosure policies out there. So yes, please do come to us and talk, and see how the process for starting a vulnerability disclosure policy isn't that hard, and by putting it out there you can begin to get external help and begin to know what you can do better and start really improving security. So yeah, I would like to thank you. Thank you.