CyberWire Daily - Election 2020: What to expect when we are electing. [Research Saturday]

Episode Date: September 19, 2020

After the 2016 General Election, the talk was all around foreign meddling. Rumors swirled that some votes may have been changed or influenced by state-sponsored actors. Sanctions and accusations followed. Four years later, is the U.S. any more prepared to protect the results of its largest elections? More than you may realize. Talos researchers take a deep dive into election security after spending the past four years talking to local, state and national officials, performing their own independent research and even watching one state plan an election in real-time. Joining us in this week's Research Saturday to discuss the report on this timely topic is Cisco Talos' Matt Olney. The research can be found here: What to expect when you’re electing: Talos’ 2020 election security primer.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities,
Starting point is 00:01:39 solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. The research started in 2016 in the aftermath of the DNC hacks. That's Matt Olney from Cisco Talos. The research we're discussing today is titled What to Expect When You're Electing.
Starting point is 00:03:17 So we started reaching out and kind of fast forward through just, you know, hours and hours and, you know, weeks on site and lots of conversations and reading and learning and, and honestly, some partnerships and friendships built along the way. And we wanted to kind of, we felt that it was important in today's environment to try to put out a kind of state of where we are and why 2020 looks different to us than 2016 from the election side, from the election kind of infrastructure side, and try to kind of provide a little bit of feedback into the election space
Starting point is 00:04:07 outside of kind of the chaos that is there currently. Well, I mean, let's go through it together and let's start with 2016. I mean, what was the state of things as you were coming into this process? How did you understand how things stood? The how I understood it was, I just knew there was this mysterious thing that elections were, and, uh, they were really important and that they had some
Starting point is 00:04:32 computerized components. I didn't know anything about it. But more importantly, on the election side, you know, one of the strict joys of this project has been meeting just the everyday men and women who make elections work. And it sounds so corny to say, but they're just your neighbors. And they're people that you pass at the grocery store. And they have for decades been worrying about integrity and planning to have an election and knowing they get one shot at it and knowing it is the very fundamental way that Americans express themselves in a democratic society. And, you know, they just, they understand the importance of what they were doing, but what they were presented in 2016 was a piece of threat surface and adversary that they hadn't had to worry about before. And it's unfair
Starting point is 00:05:28 to ask the average person that you pass in the grocery store to go against the GRU, but that's exactly what was going on in 2016. And there was a complete lack of federal to state to local communications and support in that time. And so when push came to shove, we were caught flat-footed and unready to face that threat and to, more importantly, unready to work together to face that threat. And I think the big changes that have occurred over 2016 to 2020 is in that cohesiveness of response. Yeah, one of the things that you point out in the research is the importance that we have faith in the system. Yeah, I mean, it is not important that I think that, but it's also important that our adversaries think that America is stronger
Starting point is 00:06:21 and the West is stronger when the voters in their democracy believe in what they are doing. And, you know, we had published a previous paper. My parents are going to be very proud. If you go into Google and type in let's destroy democracy, I'm actually the first link at the top of the page. And that paper, yeah. And so that paper really goes into how to think about as a foreign adversary and kind of what is motivating you. And we talk about in that piece a lot more about why our foreign adversaries, not just Russia, but also China, view kind of democracy as a piece of the geopolitical stage. And if you're roughly my age, you will have lived in a time where we talked a lot about spreading democracy and bringing democracy to countries. And that's part of our geopolitical voice.
Starting point is 00:07:30 And if they can damage that piece, then we are less able to use that voice on the stage. And if they can damage the faith the electorate has in its government in a democracy, then that government is less able to deal with international issues than they would be with the full support of the population. Now, in the research, you describe the system and the pieces. Can we go through that together, what you're getting at with that description? So the typical work that we do at Talos, I think, is we deal with pieces. We kind of go, hey, there's this library we know that's popularly used, and we dig and pick at that until we find faults in it, and then we kind of talk about what we found. And that's kind of, I would say that's a pretty typical security approach
Starting point is 00:08:15 for pure research, pure security research. But when you get into trying to think like an adversary and really trying to defend something, you have to deeply understand the pieces, the voting machines and the ballot-assisted marking devices and the electronic poll books and the voter registration database, all those kind of pieces,
Starting point is 00:08:39 plus the typical things you would see in an enterprise environment with the computers and the networks and everything else. And then you have to understand how they're all put together and how they all flow together. How does the state obey the motor voter law? How does it get registrations from the DMV into the voter registration database? What are the regulations for a state when it comes to felons voting? And how are you notified at the Secretary of State's level that someone has been disqualified
Starting point is 00:09:06 from voting because of their criminal record? And how are those things processed? What are these kind of inputs to the system? How are we authenticating users? How are you like, there's all these kind of pieces. And so, whereas my typical work kind of is very,
Starting point is 00:09:20 kind of very kind of piecemeal. This in particular was looking at the system across of the Secretary of State's office in the counties and going, okay, this is what this looks like to an attacker. And here's the areas we kind of need to concentrate. Yeah. I mean, one of the things that impressed me was that you lay out here is the spectrum of variety that you see state to state. You know, like a small example is in reading your research, I had no idea that North Dakota has no voter registration, for example.
Starting point is 00:09:53 Right. I was having another interview. I've had a couple of interviews recently with people who are not in the United States. And they typically are in countries with this strong centralized authority running elections, what we would call like federal running of elections. And I have to explain to them that when we say we're the United States of America, this is the thing we're talking about. This is a collection of states that have come together to select a president. And each of those states gets to decide how they do that. And to a large extent, it's even more complicated.
Starting point is 00:10:25 When I walked into the Ohio Secretary of State's office, for example, they had maps all over the walls of the 88 counties in Ohio. And they were all color-coded and different maps meant different things. But one of the maps that was fascinating was the map of which counties have selected which vendor to go with. So there's not even within a state an agreement on which voting vendor to use. There's different options available to counties because ultimately it's the counties that run elections. Secretary of State's offices don't.
Starting point is 00:10:57 And so how do you begin to distill all of this? How do you and your team wrap your hands around this broad variation across the nation? Well, I mean, part of it is the way that CISA has approached it, that if I want to talk to Mississippi or Ohio or Iowa or whoever about their election systems, I have to go there and learn about them first. It's one of the great challenges of American democracy in terms of security is that every state is different. And within every state, every county can be different. And so voting, like, you know, if you vote in Colorado,
Starting point is 00:11:41 you're probably going to vote by mail. But if you vote in Georgia, you're probably going to vote in an electronic voting device. And they're just completely different experiences. And you cannot, it is very difficult to provide unified guidance when systems are built like that. And so that's why CISA essentially has spent the last four years traveling state to state, building relationships and assuring those states this is the federal government's role in elections. It's limited. It involves sharing intelligence and capabilities and analysis. And this is how we can help you at your request. And much of what's better in 2020 is for the work of people like Matt Masterson and other folks at CISA that have spent time building those bridges.
Starting point is 00:12:30 So what have the changes been since 2016? What sort of improvements have taken place? So one of the things that I hadn't tracked but I actually learned today, I was on a show in Ohio about election security, and Matt Masterson was on that show, and he actually had pointed out that the auditability of elections has gone up since 2016. So where they had, I think the numbers were something like 85% of the country's votes cast could be audited in 2016. We're now up to something like 92%. And so from a technology perspective, we've improved. We've got better voting machines on average out there than we had in 2016. Improvement where it was needed. And one of the weird things about our kind of research from a Talos perspective is it is much more about the people than it is about the technology.
Starting point is 00:13:26 And so I would say that the designation in 2017 of elections as critical infrastructure was critical. The creation of the EI ISAC was critical. The distribution of Albert sensors to states was critical. The time spent by DHS and CISA and the National Association of State Election Directors and the National Association of Secretaries of State to kind of bring the election community together to sort of coalesce and exchange information and ideas and data and intelligence about the threat and how different groups are preparing for it. And to build the capacity to respond to those threats and to share that information and
Starting point is 00:14:10 to share resources and capability when necessary is probably the most important part. So what I would say is, if something were to happen in 2020, the response would be distinctly different and better than it was in 2016. One of the interesting things that caught my eye in your research is you have a, there's a graphic with a pair of pyramids. And one is inverted from the other. One is the, you know, the pointy end of the top and the other is the pointy end of the bottom. I mean, it's comparing the resources and the threats and kind of the mismatch there between them. Can you take us through that?
Starting point is 00:14:48 Yeah, and it kind of goes back to the grocery store thing where I was saying that these county employees who you pass unremarkably at the grocery store and are just honestly just everyday Americans doing this little part that they had chosen to do are the front lines against foreign interference. And so you have the GRU, you know, the Russian intelligence services going after the United States, but not at the federal level, not against the military,
Starting point is 00:15:20 not against the NSA, not against the CIA, not against DHS, but going against Jackson County or small individual counties. Some of them are dramatically under-resourced. So you have this world-class intelligence service going after poorly-resourced counties in the United States. And there's this disparity between capabilities. And so what we have to figure out, and one of the things that I think we're still figuring out, but we're further along,
Starting point is 00:15:50 is how do we pull our resources together? There's this great group in Iowa called the Iowa County IT Group. And there are some counties in Iowa that don't have full-time IT staff. And so the counties have agreed to share that capability between them. And if a county were to lose its only IT person, other county IT staffers would help interview the person coming in for the new position.
Starting point is 00:16:17 So there's a ton of different aspects to this, but ultimately, on average, you have dramatically under-resourced environments, under-invested resources, under-invested environments, and facing heavily resourced adversaries. Yeah, and I, you know, I often hear this question of, is the way that our elections are spread out, as you describe, you know, the state and county level, you know, is that a feature or is that a bug? Can it be both things at the same time? By having it be so dispersed, diffuse, I suppose,
Starting point is 00:16:56 does that mean that it makes it harder for a nation state to come at us because there's so many different systems they would have to come at? Sort of, and that was certainly the, um, the early response from election officials, were like, well, you can't really hack the election because we're all so different. But if you look back at the 2000 elections, which triggered an enormous kind of change in how we do things. You know, I can't remember the exact numbers, but it was like less than a thousand people stood between Al Gore and him winning, I think, New Mexico and Florida, if I remember correctly. You have to, as an adversary, figure out, look, I'm never going to get Maryland to go for the Republican or I'm never going to get Mississippi to go for the Democrats. I don't have to worry about those two. I just have to figure out those swing states and
Starting point is 00:17:59 which counties in the swing states I can most easily get in effect. And that's sort of the thought process that you would go against that. So certainly there is something to be said for that differentiation, but I don't think it is as protective as people like to make it out to be. Now, how has COVID affected things? As we're heading into 2020, and I think a lot of folks perhaps had expected or hoped that we'd be farther along than we are. How do you suspect that's going to affect things? I mean, it is almost, I would say, kind of displaced as the central sort of security concern
Starting point is 00:18:38 for elections. A lot of it has to do with the politicization of the Postal Service and the vote-by-mail systems. And what we have to understand is we've got five states that have always voted by mail and have worked out just fine for years. So the real concern is you're somewhere around at this point, at the time that we're recording this, about 44 to 45 days away from some states starting early voting. And so the question is, in responding to COVID-19 and changing to more heavily adopt absentee balloting or no-fault absentee balloting or automatic sending of ballots and all those options, are states able to prepare in the next 45 to 90 days for that dramatically different look of an election than they had before? And so it's about changes that should be relatively
Starting point is 00:19:45 simple, but they're changes at scale. And so when you do changes at scale, nothing's simple. And so that's kind of where we're really looking. So what are your thoughts as we head towards the election? I mean, what sort of things do you have your eye out for, do you have specific concerns? How do you think we're prepared here? My hope is that our worst enemies are external to us, but I'm not certain that that's necessarily the case. When I initially started this research, we were definitely focused on kind of external actors and cyber, and then we kind of realized that the cyber piece
Starting point is 00:20:24 was part of a disinformation campaign more than it was anything else. And so then we started worrying about, well, how do we protect, how do we help these organizations, the Secretary of State and local county offices, you know, fight a disinformation campaign? And then coming into 2020, where essentially we have actors,
Starting point is 00:20:48 both foreign and domestic, engaging in disinformation campaigns. And how do you fight that? And it's exceptionally difficult. And I can tell you the local county and state resources, even now here on August 20th, you know, months before the election, are already exhausted in terms of fielding phone calls, answering reporter questions, fighting back misinformation, disinformation. And it's just going to get worse as we get towards the election proper. And so I would just, you know, I would hope that politicians and people who are acting on politicians or campaigns or special interest groups would understand that to play into the disinformation campaign, to try to sway voters with false facts is fundamentally un-American. And, you know, our founders had always thought that a properly, factually informed electorate was what would get America where it needs to go. And that's not what they're building right now in many cases.
Starting point is 00:22:12 Our thanks to Matt Olney from Cisco Talos. The research is titled, Thank you. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick,
Starting point is 00:23:13 Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.
