Securing our Nations Election Infrastructure

Video thumbnail (Frame 0) Video thumbnail (Frame 2296) Video thumbnail (Frame 2713) Video thumbnail (Frame 3964) Video thumbnail (Frame 4381) Video thumbnail (Frame 7301) Video thumbnail (Frame 10378) Video thumbnail (Frame 12723) Video thumbnail (Frame 14330) Video thumbnail (Frame 17311) Video thumbnail (Frame 21481) Video thumbnail (Frame 22316) Video thumbnail (Frame 22733) Video thumbnail (Frame 26903) Video thumbnail (Frame 27321) Video thumbnail (Frame 27738)
Video in TIB AV-Portal: Securing our Nations Election Infrastructure

Formal Metadata

Securing our Nations Election Infrastructure
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Fair elections are at the core of every democracy and are of paramount importance to our national security. The confidence in our electoral process is fundamental to ensuring that every vote- and therefore every voice- matters. In recent years, our Nation has become increasingly uneasy about the potential threats to our election infrastructure. The activities to undermine the confidence in the 2016 presidential election have been well documented and the United States (U.S.) Government has assessed that our adversaries will apply lessons learned from the 2016 election and will continue in their attempts to influence the U.S. and their allies' upcoming elections, including the 2018 mid-term elections. As the lead agency for securing the Nation's cyber infrastructure, the Department of Homeland Security (DHS) has a mission to maintain public trust and protect America's election systems. In January 2017, the DHS Secretary designated election systems as critical infrastructure. This designation means election infrastructure has become a priority in shaping our planning and policy initiatives, as well as how we allocate our resources. DHS is working directly with election officials across 8,000 election jurisdictions and throughout 55 States and territories, to help them safeguard their systems. As the threat environment evolves, DHS will continue to work with state and local partners to enhance our understanding of the threat, share timely and actionable threat information, and provide essential physical and cybersecurity tools and resources available to the public and private sectors to increase security and resiliency. DHS is committed to ensuring that our adversaries never succeed with their campaign to undermine our democracy.
Cybersex Extrapolation User interface Online help Bit Voting Duality (mathematics) Voting Optics Telecommunication Speech synthesis Self-organization Process (computing) Quicksort Office suite Information security
Cybersex Point (geometry) Email Line (geometry) Multiplication sign Image registration Mereology Virtual machine Voting Software Process (computing) Game theory Information security
Email Metropolitan area network Enterprise architecture Information Software developer Direction (geometry) Image registration Mereology Inclusion map Hausdorff space Optics Internetworking Different (Kate Ryan album) Term (mathematics) Authorization Process (computing) Information security Arithmetic progression Multiplication Computing platform Fundamental theorem of algebra Local ring Physical system Vulnerability (computing)
Email Complex (psychology) Slide rule Variety (linguistics) Line (geometry) Multiplication sign Virtual machine Host Identity Protocol Duality (mathematics) Voting Uniformer Raum Different (Kate Ryan album) Analogy Energy level Process (computing) Information security Social class Physical system Pairwise comparison Information Inclusion map Voting Order (biology) Self-organization Right angle Quicksort Spacetime
Voting Process (computing) Scaling (geometry) Expert system Counting Menu (computing) Chaos (cosmogony) Resultant Physical system
State of matter Confidence interval Virtual machine Image registration Power (physics) Pointer (computer programming) Uniformer Raum Hypermedia Different (Kate Ryan album) Physical system Scaling (geometry) Electronic mailing list Menu (computing) Line (geometry) Data management Process (computing) Voting Software Self-organization Website Right angle Quicksort Local ring Resultant Spacetime
Category of being Suite (music) Raw image format Internetworking Expression Energy level Figurate number Endliche Modelltheorie Information privacy Mereology Arithmetic progression Multiplication
Cybersex Statistics Email Direction (geometry) 1 (number) Mathematical analysis Menu (computing) Line (geometry) Mereology Computer programming Twitter Inclusion map Voting Software Internetworking Software testing Game theory Vulnerability (computing)
Word Goodness of fit Uniformer Raum Multiplication sign Virtual machine Water vapor Mereology Vulnerability (computing)
I'd like to introduce this morning Jeanette manfro with the talk securing our nation's election infrastructure enjoy thank you so much and good morning I was I was hoping you all would sleep in and I could do this with maybe just ten people not terrifying at all to stand up here and see you so first thank you so much for coming both to Def Con and to the speech I wanted to just spend about 15 20 minutes talk to you about how we think of election security and also you know sort of extrapolate a little bit about well how that relates to our approach to critical infrastructure overall I also want to point out that this is my son's first Def Con he's very excited he's six so we'll bring him by the voting village later so for the little closer sorry I'm a wanderer when I speak I'll try to stay still so for those of you who don't know what DHS does and I do apologize upfront I can't help myself I'm gonna say cyber and cyber security probably a lot it's just the way we talk in DC so just accept it I have so in DHS my organization were the office of cyber security and communications and we stood up about 11 years ago to focus on the
purely defensive side of cyber security and we have two main roles and we'll talk maybe about three we can talk about the first one which we spend a lot of time on is protecting federal civilian networks so the way the government runs
it naturally it's somewhat complicated we we we don't do IT governance particularly well and we've made it particularly complicated for ourselves but I will spend 30 seconds and explain it because it may be useful in a trivia game at some point in your future so the the DoD all right they've got they've got their network they're protecting that the intelligence community has their networks are protecting that and DHS is left with the 99 ish federal agencies and yes there are 99 federal agencies and what we do is we work with them to deploy technologies and capability to better protect our networks and what we're evolving towards on the federal side is thinking about instead of individual risk every agency thinking about themselves as owning one part and in their own part much like
many companies think about just themselves as individual risk we're trying to get to think about enterprise risk and think about the government as a whole we have a lot of technologies and and shared platforms and we have a lot of adversaries that are trying to get our information whether that's to steal citizen information or whether that's to
get information about policies or other capabilities that we're thinking about so we have to think differently about how we defend those those systems within our federal government and we're doing a lot of work we've been issuing a lot of directives to improve the security and take advantage of different capabilities that the private sector has developed so that's enough about the federal side the second part is critical infrastructure so while I have the authority and the resources to deploy technologies to tell other federal agencies what they should do and importantly to measure them on their progress with the private sector it's purely voluntary and and I think that's important I think that's the only way that we can be truly successful and amusing the term private sector very broadly and that includes all of you in this room whether you're in a big company or working for for yourself it also includes academic institutions it includes seaton locals as well so we have a broad public-private partnership that we as we refer to it that it has to work together to figure out how we're going to secure and defend our critical infrastructure so if you think about you know one of the most fundamental roles of government is to provide for the security in the defense of its citizens right but the Internet has challenged everything when it comes to how we think about the role of government in defending and securing its citizens and its infrastructure and for all the amazing benefits and the economic development and the social benefits that has come with the development of the internet and the technologies that leverage it it does create of course a lot of vulnerabilities but I think most interestingly for for policy people it really challenges how you think about what the role of government is the role of government we have typically had the the best advantage when it comes to defending our country we don't have that
anymore we have some capability and it is unique for those of you who maybe took an international trade class once upon a time the concept of comparative advantage it applies here but in a different way so the government right we can go places and we can do things and invest in places that either the private sector or other entities are not allowed to or there you don't have the incentives to and and that that can be useful when we're talking about bringing everything together but we don't have that unique advantage and we don't have all the information and so what we've been talking about a lot and they'll get to elections in a second is the concept of collective defense and and what this means and there's a lot of different analogies that that people talk about best athlete comparative advantage but but the concept of that the government is just one player in a community of organizations and individuals that all have some capability that they can bring some of which are better than what the government can bring and so for the first time in a national security space the government is not on the frontlines our companies on the frontlines are citizens on the frontlines all of you are on the frontlines and and that sounds easy to say but when you start to really think that about that that that it just challenges everything you think about well what does that mean the role of DoD what does that mean about the intelligence community what does that mean about the role of the private sector and so what it does mean though is that we have to get past our traditional incentives in the government our incentive is to collect information and to protect that information in order to be able to execute our security defense missions but we can't do that we have to be able to share that information and we have to be able to be transparent and we have to build a level of trust with a wide variety of individuals organizations and entities that we've never had to do before on the
flip side on the on the company side the idea is to monetize information and capability which is fine I'm a capitalist I want us to be a strong economically powerful country but in this space if we're going to truly be able to hold the adversaries at the same level of risk that they're holding us we have to be able to move past that we have to be able to find other ways to to cooperate and we have to think differently about what are the capabilities that each of us needs to bring to bear to this fight so that sort of thinking is is how we think about sort of the entire fight overall if you will our adversaries have been taking advantage of us for a long time they've been taking advantage of our traditional principles for a really long time and we've got to figure out a way to turn it back on them and again that means the government's got to think differently and that means everybody's got to think differently so I want to talk to you specifically about elections though I'm happy to talk about anything from medical devices to our electric grid after the after the event if you're interested so the slide that we've pulled together and this is my first talk I've ever done with a slide so we'll see how it goes this is how we think about elections and elections is more than just the voting machines I didn't know a whole lot about how our voting system worked before DHS got involved and I'll tell you it's tremendously complex the complexity is actually a benefit but so what we started to look at is I mean going back
to 2016 when we we first started to understand that that the Russians were attempting to undermine and so chaos and and discord and undermine our democracy in general which by the way they've been trying to do this for decades it's just the technology has allowed them to do it at a better scale so so we step back we talked with a lot of election experts and we said okay explain how the system actually works and then we worked with intelligence communities and others and we said okay well now if an adversary wants to undermine our democratic process how could they do that and so this is in you know don't think we have some stuff here that's an election day it doesn't necessarily happen on the day of election but the concept of you've got everything from voters trying to register to actually casting the ballots to counting and tallying to distributing those unofficial vote results on election night to the final to the final tally and what we did through this very
comprehensive risk assessment is we found that it's actually really really difficult to try to manipulate the actual vote count itself and and there's
a lot of reasons for that the voting machines are physically secured there we've got you know thousands of jurisdictions across the country that all use different sorts of things and so while you may be able to get into some voting machines and I know a lot of you may be working in the voting village you know you can't really affect that at scale without detection and it would be really hard so we said okay well what are they trying to do they're trying to undermine our democratic process and the confidence that we have in their democratic process and there's a lot of ways to do that without actually trying to manipulate the vote and that's what we expect that they will continue to do so what we look at is and this is how we define election infrastructure there's a lot of other efforts about thinking about social media companies and the role that they play in campaigns but what we're very much focused on is the state and local run process that you and I all participate in I hope all the time and and so this is what we're focused on securing and and again to take an example voter registration it's not so much the data itself it's actually fairly easy to get the data in most states you can buy the data so it's not that we're worried about losing the data what we're worried about is maybe manipulation of the data so so somebody comes to vote now everybody can get a provisional ballot in every single every single jurisdiction in their country but say a bunch of people show up and in your you're told well you're not supposed to vote here but we'll give you a provisional ballot and then the lines start to back up and then a lot of people say something must be wrong here there's a lot of people not on this list they're in the wrong list and so the data itself has just been either manipulated or or lost or
something like that so that's what we're concerned about so we've you know talked a lot about how we can secure those voter registration processes in the actual tallying of the votes thinking about the systems that run the voting machines the election management systems the tallying process all of those making sure that those are secure and and many of those all say state and local communities that run elections they are not the most resourced organizations in this country and now it's not a surprise to you so they're often dealing with old software old technologies and they do the best that they can but how can we help them as a community again this is all of us in this room how can we help them ensure that those those systems are secure that they understand best practices that they know how to prioritize what they need to be doing and then finally thinking about say the submission on election night this was an interesting concept right is that these are not the official election results but say a bunch of states issued you know here's who won the the presidential election our unofficial tally and then a couple of weeks later the official tally comes out it's completely different so the official tallies correct but the unofficial one was manipulated now you have another situation where the the confidence in the process has been undermined so so I want to put this out to you this is a public document you can you can get it online on our website but I wanted you all to think about bigger than just the voting machines themselves this is a bigger process there's more to think about there's more work to do with the private sector the vendors of these these systems who are working with the state and local secretaries of state the election director helping them understand how we work together on this so I I just I wanted to close before I bring up one of my folks here who is running a lot of this activity for us with you know really thinking about kind of where where we started the the election issue has brought the concept of cybersecurity to the fore in a way that nothing else had like I yearn for the days when we were just worried about the electric grid going down and in so as frustrating as may be for us constantly talking about it it has had the power of getting people involved in this space and thinking about these questions about the role of government the role of the private sector the role of it researchers the role of the international community when we start to think that we have had we have adversaries that are trying to undermine our traditional concepts within our country our concepts of democracy our
concepts of intellectual property our concepts of privacy our concepts of ability to do business and to run our government and if we don't come together and we again we don't aren't able to get past our traditional cultures are traditional incentives and figure out how do we come and collectively defend against these adversaries they're going to turn the internet into the model that best suits their concepts which is not free expression which does not protect
intellectual property which does not allow the level of discourse and progress that we have made in our country so it's not just an American issue it is definitely a global issue and and while elections are just one part of it we still have to think about all the rest I encourage you as you all
are thinking about the technology itself and and how do we make the technology better think about the policy side of it and participate in that debate we need more people who understand the actual technology to participate in the policy debate because Shockers not everybody knows how the internet works in DC so with that I want - just clothes I would like - we were in the voting village last year not everybody knew but we've got our team of pen testers and and red teamers here that they're the ones that are doing all of these vulnerability assessments across the country they do it for critical infrastructure we've gone to Ukraine we've we've been everywhere rob come on and I just wanted to introduce him to you they are all proudly wearing I think they're all probably wearing DHS shirts some of them are pretty obvious that they're government officials but but we want to make sure that you get a chance to talk with them and like I said importantly that you engage in both the technology and the policy side cuz we can't just be having this debate in DC so Rob elechi close yeah thank you so yeah there's about 20 of them down here and there's some of the brightest and smartest people that I've worked with so please make sure you find them out what I'd like to reiterate though is we do have a national mission and elections is one part of that so under the assessments program we have three different programs we have cyber hygiene which is basically vulnerability scanning we have risk and vulnerability assessment which is pen testing and then we have operational assurance which is more of a blue team kind of style book under cyber hygiene we have 850 customers under there of which 95 are election related and so what's great about this is we're able to get this data and analyze this data and look at it and say hey we see trends here so we saw trends in the federal government where critical vulnerabilities weren't being closed and we we worked with that we issued some binding operational directives to take care of that the statistics that we're seeing on elections are right in line with our other customers so they're they're no better they're no worse than the other customers they have the same issues and the main issues are that we're seeing old software out on the internet unsupported software PHP that's outdated it's it's the same issue one one thing that we are able to see in a little of our analysis is that the election officials are a little slower than the government and other people on fixing and patching those issues so we're gonna work with them and get the word out and let them know how critical it is and hopefully they'll be able to get the resources to work work and fix that so
it's a it's a it's a resource issue game right so on the penetration testing side it's the same issues when these guys start their campaign what the first thing that they do they do a little background investigation and they send a phishing email bingo they're in so
they're in election places in there in non election places financial water it's the same so we're working on educating people and educating people and getting getting the word out there and the final thing that I want to say before we wrap this up is we just started pide
vulnerability assessment where we're getting election machines in and other critical infrastructure machines in we're tearing apart their firmware we're looking at that and we're working with the vendors going to issue some guidance to them and find issues on those and hopefully will make this more secure so we're here to help and make sure you see these guys there are a lot of good guys thank you and ladies yes okay so with that again please find us we'd like we'd love if you worked for us but if you're not willing to work for us we would love you to work with us like I said we're the only part of the government that has a purely defensive mission and as you can see it's a it's a big one and we're just so happy that you're here that you chose to came to to listen to this talk and that you're you're willing to invest your time and your talents in solving these really critical problems so thank you [Applause]