Cybersecurity & the Elections Panel Discussion, Oct 2018

Cybersecurity & the Elections Panel Discussion, Oct 2018


WENDY FREITAG: I want to
welcome all of you that are turning in today,
both here in the room and I know that we have
several folks online to hear a group of
very talented speakers. I think we’ve assembled some
fantastic speakers on the topic of “Election Systems Security– Are We Ready for Midterms?” My name is Wendy
Freitag, and I’m the director of the Masters
of Infrastructure Planning and Management graduate
degree program, which is in coordination
with the College of the Built Environments in the Department
of Urban Design and Planning here, at the University
of Washington. We offer a cybersecurity and
communications systems course in our degree program that
allows students to understand how they can reduce the threats
and risk from cyberattacks to infrastructure systems. We annually welcome multiple
cybersecurity scholarship students to our
program, as there is an increasing
demand, as you all know, for cybersecurity professionals. As I’m sure most
of you are aware, prior to the 2016
federal election, a series of
cyberattacks occurred on information systems of
state and local jurisdictions. Subsequently, in
January of 2017, the Department of
Homeland Security– and we have a great
speaker today, Pat Massey, from the Department
of Homeland Security– designated the
election infrastructure used in federal
elections as a component of US critical infrastructure. Under federal law,
critical infrastructure refers to systems
and assets for which, in capacity for destruction,
would have a debilitating impact on security,
national economic security, national public health or
safety, or any combination of. Most critical
infrastructure entities are not government-owned
or operated. There are 16 critical
infrastructure sectors with election
infrastructure designated as a subsector of the
government facilities sector. We chose this topic
today because it marks the 15-year
anniversary of being October designated as National
Cybersecurity Awareness Month. And with election
ballots due to drop– at least in the state of
Washington– in about a week, this seemed like a
very timely topic. We have lined up an
outstanding panel of experts to discuss what
efforts are being made to secure our
election systems and also talk about what still
needs to get done to improve elections in the future,
as cybersecurity is a fast-evolving threat profile. Now I have the great
pleasure of introducing Barbara Endicott-Popovsky,
director for the Center of Information
Assurance and Cybersecurity here at UW Bothell, who,
with her talented team, has done the lion’s share of
coordinating this event today. I want to thank Tom Muehleisen
for really organizing all the fantastic speakers. Zach is our social
media gentleman. And I’m sure Barbara will
have a few other folks to– oh, and also Morgan Zantua,
who did a huge amount of work to organize this event today. One final note before
I bring up Barbara– for those of you attending
the event using our Facebook Livestream, please
let us know if you are having any sound
or visual difficulties. This is a first time try
using Facebook Live today. And we want to make
sure that, for those of you outside the room today,
you have a great experience. And with that, I’m
to bring up Barbara. Thanks. [APPLAUSE] [SIDE CONVERSATION] BARBARA ENDICOTT-POPOVSKY:
Can you hear me back there? I hope this doesn’t
echo too much. I want to thank Wendy for
that kind introduction. I’m very fond of the Master
of Infrastructure Planning and Management program
on the Seattle campus, because it has been nursed
through a long period of time when people were
wondering, why do we have to care about our
infrastructure being protected? We have to worry about floods. We’re looking at what’s
happening in Florida. But what is this
new vulnerability of our infrastructure that
we’re having to cope with? The MIPM program is
offered entirely online. As such, it has had
great appeal to military. And in fact, that degree
was a joint effort between the Washington
National Guard many years ago, 2005, and
the University of Washington. And we’ve been
offering it ever since. And a large number of the
students that attend that program– and I say attend in
quotes, because they’re logging online– are dialing in from many
different parts of the world. We’ve had students
dialing in from Estonia. We’ve had students– that’s
a tough time zone in Europe– students dialing
in from Germany. We’ve had people logging
in from Afghanistan. So I can’t say
where all the people are that are involved
with the online delivery of this program. We have 200 alums that
have been informed. And we have a class of around 30
students, I believe, this year. So we’re dealing with a virtual
audience that you can’t see. This is new for academia. And this is where
academia is going. You see lots of different ads. I won’t talk about
the competition. But the University of
Washington is there, too, reaching out to students in
an interactive, online manner, because, as I said, this is
where education is going. So you’re seated here with– could be as many as a couple
of hundred students that are participating virtually. Not only that, we are
capturing this event so that we can offer it for
download off our website. We have a Center for Information
Assurance and Cybersecurity website. Our headquarters
is here at Bothell. And we’re very grateful for
all of the Bothell support that we’ve had for the
Center, many of whom are here in the audience. Really appreciate
the Gray Hat Group. They were mentioned earlier. But this is a
student group of kids that are willing to spend
their own extra time to learn about cybersecurity. Since this is October,
Cybersecurity Awareness Month, they will repeat the event
from last year, which is called I Hack You,
which will be taking place towards the end of the month. And it will draw on kids
across this campus– and Zach, I think you invite them from
all over the university. We have three campuses here at
the University of Washington. They actually have a student
group called Batman’s Kitchen that practices competition
on the Seattle campus. And our Bothell students
are an active part of that. Zach is the president of
Bothell’s Gray Hat Group. And he offers leadership in
getting students involved in these other activities. So what we’re doing here
is addressing the need for a pipeline– we’ll
talk about this later– of people who know and
understand cybersecurity. I would imagine you’ve
been reading in the news that we have a dearth of
talent in cybersecurity. We don’t have a pipeline. And just think about it. If you’re a K-12 and
you’re a counselor in K-12, did you care about
cybersecurity when you were preparing
for your career field advising high school students? No. This is relatively new. And so students
will come to campus, not really sure
about how they can pursue a cybersecurity career. We have emerging academic
programs in cybersecurity. Bothell has a master’s
degree in cybersecurity. We have a professor from that
program here, Marc Dupuis. You can wave your hand, Marc. And we’ll have some
others here that are going to come in and out,
because classes are going on. And we have classes that
start about 9:45 our time. So we have a growing cadre of
cybersecurity professors here and professors that
have become interested in cybersecurity that
are offering courses and pathways for students. We have active
partnerships with companies in the local area like
T-Mobile, on the leading edge of preparing people for
cybersecurity careers at their company. You’re probably
aware that of all the critical infrastructures,
the ones that you probably worry about most
are communications and the electric grid,
because it’s in everything. Well, T-Mobile you read about. They’ve had some issues,
as have the other telecoms. They are a target of
nation-state and criminal activity. And so they have to
be up on their toes and very ready to
respond to what’s coming at them in this
world that we’re in. The Department of
Homeland Security has stepped up to this, as
has the Department of Defense. I can remember growing up. I hate to date myself. But we thought of
war as over there. In fact, there was a
famous song, “Over There.” That’s not the world we live
in now, because over there is now right here, because
we’re no longer protected by two oceans on either side
or soft, friendly countries north or south. We are accessible. And as we go further and further
into the internet of things, we’re going to see more
and more devices hooking onto the internet,
demanding that they be addressed and managed. So our world is putting us
right next door to adversaries that we used to only read
about in the newspapers 10, 15, 20 years ago. They’re right next door. I have to say that– and I hope you take
this in the right way– that I was a little pleased
to see the attention on our electoral
systems, because it got so much attention
that it woke people up to the realities of
what I’m describing, that we really do live in
an interconnected world where we have to be concerned
about nation-state and criminal activities that can intrude
on our personal lives, our local governments,
our local industry, our local organizations. And so to the extent that this
effort with securing elections has brought people’s
attention to our cybersecurity challenges,
I’m really glad for it. And I think I see
the interest growing. I see that in the
professional community. I see that among folks
that perhaps, in the past, have thought, oh,
that’s an exaggeration. Oh, it can’t be that bad. It is that bad. And so today we’re
going to be talking about the extraordinary lengths
that our federal government has been going to protect
infrastructure. We’re going to talk about
the incredible lengths that our very own National
Guard has been doing to protect infrastructure. I’m very proud to be
part of Washington state. Everywhere I go in the country,
I hear about our Guard. Our Guard has been
at the vanguard of dealing with cybersecurity
issues in the homeland. They have really wrestled with
the very difficult problems that we have now that we’ve
knitted the sectors together. And what do I mean by that? Well, the industrial
age was very good at dividing things up. We had assembly lines. We had organizational
structures that put the engineers
in one place, HR in another, the legal
departments over here. The whole structure
of infrastructure for organizations with
the industrial age was organized in specialties. And we put boxes around them. And so for any of
you that have ever done a program at
your organization that deals with bringing
interdisciplinary folks together or bringing
organizations together that really have
different missions, you know that that’s
not easy to do. Over time, our organizations
have been hardened as far as their
boundaries are concerned by the very technical
infrastructures that have made our lives easy. And I saw that working for a
very large airplane company in the Pacific Northwest
that was attempting to bring all of their
technical systems together so they could
talk to one another so we’d have efficiencies. But over time, since the ’50s,
since the early IBM computers, these different
organizations were talking to different
IT systems that had developed their own
definitions, their own ways of doing things. And, oh, my goodness,
you would have thought we were skinning people alive. I’ve never seen people
get so emotional as going through that process
of trying to decide how these systems would
talk to one another. People had to change
their definitions. They had to change the
way they did their jobs. We had some interesting
challenges, which I won’t go in– well, I will say one. We had two managers,
very well-educated, get into an actual fistfight
over data definitions to the point where
they were on the floor. One had someone else’s tie. And it was one of these things. I mean, it’s really
hard to explain. And you wouldn’t think
that that would happen. But there was such an attachment
to the way we do things here. And the change is we’re going to
make a difference in how people were measured for bonuses. Now you’re talking about
real stuff here, folks. So I don’t want to
trivialize what I’ve seen and what I’ve
experienced and what we’re going through
right now as a country as we knit things together. So let me talk about
even bigger sectors– military, industry,
academia, and government. We have them in separate
places, do we not? And we’ve given them
separate purposes. And we have a constitution
that divides them up. And they say the
military does this. And industry does that. And academia does this. And the government does that. Guess what? Our systems are now putting
these folks together. And the bad guys
don’t worry about whether they’re hacking into
dot edu, dot gov, dot com. It’s all the same. You disrupt the United States. So here we are, like the British
in the Revolutionary War, playing with a Marquess
to Queensberry Rules. Do you remember that? The Redcoats lined up. And the settlers
hid behind trees. And guess who wins. So here we are,
playing by the rules. Hey, wait a minute. You can’t hack into dot edu. You can’t hack into dot com. I mean, that’s
private sector stuff. You need to only hack dot mil. Well, do you think that
that goes over with hackers? No. So we’re all interconnected in
ways we haven’t been before. And what I applaud the
Washington National Guard for is they’re wrestling with
this new problem that we have. They’ve come up with ways
to collaborate across sector with private industry, with
utilities, so that they work out ahead of time the
rules of engagement, how they’re going to pen test,
or penetration test, their systems so they know
whether they’re safe or not. And it’s that same Guard that
has been working actively for the governor of this
state to protect our election systems. And my hat goes off to them. Because as I started this
little diatribe, everywhere I go in the United
States, conferences, I have people who want to know,
who is that Tom Muehleisen? Who is that Billy Rios? Who are these people in
the Washington National Guard that are doing all
this interesting things? I’m serious. Your reputation and your
legend precedes you. Someone actually came out here
from a think tank from Maryland to try to figure out
how we do that here. We kind of cooperate. I don’t know if you’ve
noticed, but there’s a whole lot of places in this
country where cooperation doesn’t happen. And somehow there’s something
out here in the Northwest that allows us to cooperate
across these cross-sector lines. And so my hat’s off to you. I’m very proud to
be in a place where we can develop models
that describe how we do it and that we can
disseminate to others. So without further
ado, I would like to introduce our
chancellor, who is not able to be with us today. There are important
things that chancellors do towards the end
of every weekend. One of them is, dare
I say, Marie, we have Husky events
on the weekends that are extremely important
to the university and its survivability
in terms of financing. And so he is doing
his duty this weekend. It is not with us. He regrets that, because I
should tell you that Wolf was– Wolf Yeigh, our
chancellor, Dr. Yeigh– was an intel person. He was from the military. He was in the Navy. And I don’t think he’s
ever recovered from it. His heart belongs
to the military. And he really
appreciates the mission of the Center and cybersecurity
and what it means. And he’s been very
supportive here, at Bothell, for the programs
that we put in place. So we have a few
words from Wolf. WOLF YEIGH: Hello. My name is Wolf Yeigh. I’m the chancellor
here at University of Washington Bothell. On behalf of our campus, I want
to extend our welcome to all of you for today’s event. Thanks for coming. Today’s event is co-hosted
by University of Washington Bothell, our Center for
Information Assurance and Cybersecurity, and the
Master of Infrastructure Planning and Management
from the Urban Planning Department in the School of
Architecture at UW Seattle. I also want to thank our
Congresswoman, Suzan DelBene, for joining us and contributing
her insights to today’s discussions. In recent years, we’ve
become painfully aware that critical infrastructure is
subject to online cyberattacks. To respond, our Center
for Information Assurance and Cybersecurity
has been focusing to address this challenge. They include a creda
with National Security Agency to explore online critical
infrastructure protection as well as MOUs with Washington
National Guard and T-Mobile Corporation to
collaborate in this space. But more recently, protection
of our election systems has been front and center. We are fortunate to be in a
state where our leaders are stepping up to this challenge
in meaningful ways recognized across the country for their
proactive and effective approaches. UW Bothell is proud to
be co-host to this event with our partner, the Master
of Infrastructure Planning and Management, presenting the
work and plans within our state and to make election
infrastructure in Washington as safe as possible. I hope you will benefit,
enjoy, and learn from today’s presentations. I regret being out of
town for this event but expect to hear all
about it when I return. Thank you, and have a great day. TOM MUEHLEISEN: Hi,
I’m Tom Muehleisen. And I was asked about
a month and a half ago to put together a talk
on election system security, because I’ve been
working in cybersecurity for a number of years as a
member of the National Guard and, now, in private practice. And I do know some folks. And one thing I was
keying in on was that the most important
people I wanted to have speak at this event were
not technologists like myself. I didn’t want to talk
about bits and bytes and blinky green lights
and whether or not we can keep them all green. That’s really not
what this is about. I wanted people who were
responsible for things, the people that had
authorities over things. And I was so fortunate. I was at an event. I believe it was
about a month ago. And I ran into the
elections director for King County, which is a
tiny little county wedged up by the Puget Sound. It’s got 1.3 million voters. A third of Washington
state’s eligible voters are in King County. And she agreed to
come up and talk about the challenges she faces. So as you listen to this, if you
happen to work in technology, look at this from a
context perspective. What does my boss care about? What are the things driving her? What is she trying to get done? What is she responsible for? So without further
ado, I’d like to invite Julie Wise, the elections
director for King County. [APPLAUSE] [SIDE CONVERSATION] JULIE WISE: Good morning. I’m really excited to
be here this morning. I appreciate the opportunity. Of course, I’ve got
to take just a minute to talk a little
bit about myself, especially as an
elected official. So I am your elected King
County director of elections. I was elected in 2015 to
serve a four-year term of 2016 through 2019. Prior to my election, I
was the deputy director at King County Elections. And believe it or
not, I’ve actually been with the
department for 18 years. I’m both certified
at the state level and then the national level
as an election administrator. And then also just briefly,
I’ll talk a little bit about King County,
the scope, so you have a little bit of
context about the size and complexity of King County. And then I’m going
to go into about the security of elections, both
the physical and cybersecurity. So as Tom mentioned, King County
has 1.3 million registered voters. And we conduct the elections
for all of the jurisdictions in King County. So what I mean by that is that
we run all of the elections. We have four elections a year. And we run elections for
all of the cities, schools, cemetery districts, water
districts, fire districts. And that is 191
jurisdictions in King County. We continue to be,
although we probably won’t be able to say this for
much longer with California going to vote by mail as
well, that we are the largest county that conducts
our elections completely vote by mail. But again, as we see
Colorado, Utah, and California also moving to vote
by mail, we probably won’t be able to say
that much longer. And we do have one third
of Washington voters. And we’re the 13th largest
county in the country. So our vision is to be the
leader in inclusive elections. I truly believe that my role
as the director of elections is to remove any barriers
to voting and increase access for voters. So things like drop
boxes, pre-paid postage, multiple languages that we
produce our materials in– those are all ways in which
we have, in the last 3 and 1/2 years, removed some of those
barriers for our voters here in King County. But then, at the end of
the day, really our mission is to conduct fair, accurate,
secure, open elections. So securing the vote– really the importance of
the election security, it’s paramount to retaining the
public’s trust in our voting systems. As a person who was at
King County Elections in 2004, when you
may have remembered a very tight gubernatorial
race that made national news, I’ve been around
elections industry where you lose that integrity
and that trust from the voters. And still, even
14 years later, we are still rebuilding that trust. So I know and respect
how paramount accuracy and retaining the
public’s trust is. It also helps to protect our
democracy and our institutions. Really our democracy is at its
best when everyone is engaged and everyone is voting. It ensures the privacy
of your ballot. No one should know who you
voted for or how you voted for or be able to tamper with
your vote in any way. So I’ll go for a minute, kind
of this national context. It’s been mentioned
multiple times already. But in January of
2017, secretary of Department of Homeland
Security designated election systems as a critical influence
structure, which I think is really important
and really vital. I know several are going
to speak more about that. So I will pass on that slide. And you’ll hear a lot more
of that later this morning. So in 2016, I’m sure
none of you in 2016 heard anything with
elections and security in the same phrase at all. As you can imagine, as
an election administrator in the last 18
years, I have never experienced so much
interest at a national level and a local level. I probably did nothing
shy of about 40 interviews around election security
for the 2016 general presidential election. As we know from our
secretary of state is that Washington was
one of 21 states targeted by hackers in 2016. Those are in the months leading
up to that general election. And the targets really
included and really were focused on the voter
registration database. So when I talk about elections–
we’ll go into this a little bit further in just a minute– is you really think about
security of your voter registration rolls– all of our names
and our information and then actually the tabulation
side of elections where you’re actually having the votes. And those are really two
separate systems, if you will. So the targets were really
focused on voter registration systems. And the attempted attacks on
our state were unsuccessful. We, of course, in King County
are looking at attacks daily. The most common type of
attacks seen recently involve phishing emails. These emails seek to gain
access to the accounts of senior leadership
at King County. I’m happy this morning that the
elections IT director, Margaret Brownell, will be
here on a panel to speak in more detail about
what King County Elections is doing. Also not national context,
any of these pictures of what we saw on our
computer, do we remember them? I know it was two years ago. So we had a lot of different
contexts that we were actually looking at and a lot of things
coming our way in regards to elections,
which, in my world, I would love to have 100%
of our voters registered and 100% of them turning out. That’s my goal in life. And so whenever I see anything
that’s going to undermine that, it’s very concerning to me. Any time I see anything
that would preclude voters from wanting to participate
is very concerning. So what are we doing here
at King County Elections? And what have we done? Really to fulfill
our mission, we’re really looking at security
in two different ways– physical security and
our system security. After 2016, I recognized that
me doing 40 interviews telling our voters that our system
is secure, it’s accurate, it hasn’t been
hacked is one thing. But it’s a lot more
meaningful when it comes from other people. And so we have had nothing shy
of four audits in our office– a cybersecurity audit,
a physical audit by the Department of
Homeland Security, an audit on our
processes and procedures, and an audit on following
all the hundreds and hundreds of
laws that we have to follow in Washington
state in regards to conducting elections. So we’re working across
King County departments and with national
and state agencies, because this is a group effort
to ensure that our election systems are secure and safe
across all of our platforms. When we talk about the
physical security first, I think the physical security
is always incredibly important. It’s been almost a decade since
we’ve had polling places here in King County. So imagine having
physical security over 500 or 600 polling place
locations across the county. I feel rather fortunate that
we have a state-of-the-art facility for King County
Elections where we have over 50 security cameras monitoring
the building 24/7. And our building was
actually designed, all 90,000 plus
square feet of it, was specifically
designed for elections. You don’t see that
across the country. You often see election offices
in courthouses or annexes as part of the
government buildings. So this building was
specifically designed. And our consultant
was an individual who worked on casinos. We have badge only access to
the ballot processing areas. And where we actually
store our paper ballots, you have to have both the
badge access and biometric. We also have six web
cameras in our facility. So in case you just are really
interested in watching people work, you can watch us work. So what that means
is that we have web cameras across our
facility so that you can see us opening ballots,
scanning ballots, doing signature verification. So that’s available
right on our website. Another really
cool thing that we have at King County Elections is
we have a fifth of a mile loop that is literally transparent. It’s plexiglass. And it’s welcome and open to the
public Monday through Friday, 8:30 to 4:30. So whenever we’re working,
people are welcome to come in, can give them self a
self-guided tour, again, to watch all of the
processes that we’re doing. We want to provide that
level of transparency so that you can see that we’re
not doing anything nefarious and that we’ve got
political observers as well. We have lanyards,
colored lanyards, to say where people
should be in the building. So we have a lot of
visual cues and a lot of layers of physical security
in our elections department. So as I said, in regards
to physical security, we asked the Department
of Homeland Security to come and do a physical
audit of our building. I’m really proud that we
are the first elections office in the entire nation to
ask DHS to come in and provide that audit. And they did so
November 30 of 2017. Again, their focus was
really, at that point, physical security
of the building and the security
of the materials. And what do I mean by materials? I mean ballots, because,
again, in a vote by mail world, all of the ballots come
to that one facility. So we needed to make sure that
we had security in the building and of the actual materials. Of course, due to the
confidentiality of and nature of the assessment,
a high level summary of options for
consideration based on potential
vulnerabilities were really kicking up our message
of if you see something, say something not just to our
staff, but also to our voters. And what we really
heard and was really great feedback is that you
have all these plans in place in case of a
situation that arises. But you need to
exercise them regularly. And so that’s the
feedback that we also got from the Department
of Homeland Security, was to not only just have
your business continuity plan and look at them regularly,
but also make sure that you exercise it annually. And so those are
some of the feedbacks that we got from the Department
of Homeland Security. Otherwise, they
really thought that we had an exceptional system. I will say it’s kind of funny
that, being the first elections office, they didn’t have
anything to compare us to. So they actually had
to compare us to– I’m blanking on what they
compared us to, Margaret. Nuclear, nuclear sites. So that was kind of interesting. But we’ve been
provided a dashboard by the Department of
Homeland Security that can– actually, we can put in
metrics of different things that we want to provide
as far as security. And we can see the light going
from red to yellow to green. So we have a great tool
with the Department of Homeland Security. And I know that
Pat Massey is here to talk more about their role. So the second component that we
spoke about is cybersecurity. The cybersecurity is separate
systems for maximum security. One of the things
that I will really want to point out in
the top right corner is the tabulation system. When I say tabulation system,
do you know what I mean by that? That’s the actual machine
that you’re running ballots in that are actually counting
your votes for what candidates or for what issues. That system is completely,
entirely on a closed network. It’s air gapped network. It’s not connected to anything. And I think that that’s
really important. One thing I don’t
have on this slide but that we really see a
lot in the national news and we kind of
get lumped into it is these electronic
voting machines. King County does not have
electronic voting machines, where you put in your votes and
then we upload memory cards. We don’t do that in King County. Every single ballot is on paper. And that seems a little
bit old school, I know. But you are able to go
back to that paper record to do recounts by
hand, to do audits. And for a federal
election like this, we’ll have that information
for a couple of years. We have to keep all
of that paper form. So I think that that’s
really important in the vote by mail world. And then again, the system is
on a completely closed network. It’s in a secure location. I don’t even have access
to the actual room where the tabulation
computers are. And again, you’ll
see this common theme is in the physical
security and also in the cybersecurity, layers
and layers of security, where you have to have
two people with two different credentials to
enter the actual tabulation computer– so a lot of
different layers of security. So again, what
else are we doing? The tabulation system, again,
is on a closed network. We’re regularly monitoring for
threats and phishing attempts. And we’re scanning all
of our email attachments. We have regular cybersecurity
training for our staff. And voter registration database
is constantly monitored. In Washington state,
we have 39 counties. And those 39 counties each
have their own iteration of their own voter
registration database. So we have our own 1.3
million registered voters. And we have a backup that
of every single night. And we have our team
monitoring to make sure that we don’t see anything suspicious. But we also have
another point where we have the secretary
of state’s office that keeps the voter files
for all 39 counties that is scrubbing that to see if
there’s any voters that are not eligible and remove
them from the system. So again, we have multiple
layers of security and data. So quality control–
we do regular testing before every single election
on all of the machines that we’re going to run
any ballots through. We do what we call a
logic and accuracy test. And we would do that to ensure
that the machines are actually counting ballots and voter’s
intent as it should be. That is a public test,
or audit, if you will. We have observers that come in. As you can see from
these pictures, there’s media that is there
as well, filming that. And we have what the
results should be. We run in those ballots. And then we compare
together to make sure that those results match. The secretary of state also
comes to certify those election equipment as well. But we also do a batch audit. We go back to the old
school, and we pull out those paper ballots. And we do a paper
manual recount, again, to ensure that the machine
is working and counting votes as it should. So we hand count for
every single election thousands of ballots to
ensure that there’s no issues. We have official observers. This might seem a
little old school, too. But it’s really
an important part of the process in elections. We have observers
from both parties. The Democratic and
Republican Party have observers at our
election facilities that are watching and
observing all of the processes. They’re trained about
what the staff are doing. And they’re there to watch
and to bring up any concerns or issues that
they have with any of the processing of ballots. And again, if you
have an opportunity, I would encourage you
to come down to Renton. We’re on Southwest Grady Way. And come and actually
see our process. It’s really an
impressive process. It’s more complicated
and complex than I think people realize. And it’s a really
awesome thing to see. But if you can’t, though,
you can also go online. And starting next week, we
will be processing ballots. So you can see us hard at
work on those web cameras. Again, it’s all about
partnerships and security. We’ve got King County
as a government agency. And we’ve got their
own IT department. We’ve got the secretary
of state’s office, who is proactively addressing
security threats. Unfortunately, Secretary
Wyman or director [? Lori ?] [? Geno ?] couldn’t
be with us today. But they will be having a
news conference on Tuesday of next week at the
King County Elections facility at 9 o’clock. The governor and the
secretary of state will be talking about
election security. And it’ll be a live
Twitter feed, too. So you can ask questions. So if you get a chance
to tune into that, too, I think that will
be really exciting. It’s specifically about
election security. Of course, we are partnering
with the Department of Homeland Security. And the Washington State auditor
has an actual cybersecurity team that did an
audit in our office as well as a third party– so lots of partners in this. I will, just because I’m
the director of elections and I can’t help myself, I
have to put a plug out there that it’s not too late
to register to vote. If you’re not currently
a registered voter, you have until October 29 to get
registered for this November 6, 2018 election. It’s a really
important election. Every election is important. But if you’re not registered
yet, you still can do so. And ballots go out next
week, on Wednesday. So people, you’ll
start seeing them in your mail on Friday,
Saturday, and Monday. Encourage you to vote. You have pre-paid postage now. And we have 66 ballot drop
boxes across King County. So a lot of options
to return your ballot. But we need your voice. We need to hear your voice. And so I encourage
you all to vote. Again, my name is Julie Wise. I’m the King County
director of elections. You’ve got my phone
number and email there and, of course, my
social media handles. Follow us. Engage. Ask questions. Thank you again for the
opportunity to be here. [APPLAUSE] TOM MUEHLEISEN: All right. If you recall, I didn’t
use these exact words, but Semper Gumby means
always flexible, right? So what we’re going to
do now is we’re going to move ahead of the schedule. And she is ready? OK, cool. So as I said before, I
was going to bring up Pat. But we’re going to wait,
because you guys are really fortunate that the
congresswoman for your district has the bandwidth to come
in and chat about this. What you may not know is
she has the background to chat about this. So let me go ahead and
lay some bio down on you. Congresswoman Suzan DelBene
represents Washington’s 1st district. She was first sworn into
Congress on November 13, 2012. What you may not know is
that prior to that she worked in biotech, got her MBA at UW– and no, I’m not going to say
go dogs, because I’m a coug. But OK, moving on– into a successful career
as a technology leader and innovator. This is unusual if you
know your electeds. She has more than two decades as
an executive and entrepreneur. She helped start drugstore.com. She served as a CEO and
president of Nimble Technology. Most recently, she was nominated
as the co-chair of this year’s Congressional
App Challenge– yes, that kind of app– a national competition for
middle and high school students interested in
application development. Congresswoman DelBene
serves on the House Ways and Means, which,
if you pay attention, that’s not a tiny
committee, and serves as co-chair of the
Internet of Things caucus. I’ll also share a
couple of things that you may not have noticed. She has two bills out right now. One is Information Transparency
and Personal Data Control Act. The second one that
applies to this discussion is the Mental Health
Telemedicine Expansion Act. So not only do you
to hear the person that you elected to fight
for you on these issues, she actually knows what
she’s talking about, which is a pretty rare thing. Without further ado,
this is Suzan DelBene. [APPLAUSE] [SIDE CONVERSATION] SUZAN DELBENE: I was
going to say go Huskies. TOM MUEHLEISEN: Oh, no. SUZAN DELBENE: There we go. There we go. Since I’m a Husky and
you brought that up, I couldn’t resist
the opportunity. Well, it’s great to be
here, in particular talking about an incredibly
important issue when we talk about elections and
the integrity of our elections as we come up to
Election Day here soon. I know a lot of
folks in this room and who are watching
online are cyber experts and, at the most
basic level, operate in a world based
on facts and data to understand what’s
happening and knowing that if we ignore
facts and data, we can really end up
facing a catastrophe where we make the wrong decisions. Or we don’t take actions
where we need to take actions. Unfortunately,
those facts and data are not the basis of how
things have been operating in Washington DC lately. I’ve been extremely troubled,
as a technology and science person, that we’ve strayed away
from a tradition of looking at facts, objective facts, being
grounded in scientific method and to a new universe where
we even have a term called alternative facts,
where you can make up whatever is most convenient
to your cause and use that to justify a decision. It should come as no
surprise that even when we talk about election
security that that somehow seems to be something
that’s partisan, something that absolutely
should not be partisan. Because to even work together
on such a critical issue, it seems that if we can’t agree
on the premise of what we’re working on, we’re going
to struggle to come up with great solutions. And great solutions
would be things like bipartisan
legislation that would require, for
example, backup paper ballots, other basic
election integrity measures that I know experts, like
many of you, are working on and have recommended. Those have stalled. They stalled in the Senate with
the White House being opposed. And policymakers have been
fractured along political lines with respect to a path forward. So we’re getting down
again to a matter of weeks from an election. And we’ve done little
to make sure we continue to do everything possible
to reassure Americans that we have done
everything possible to make sure our ballots
are secure when they cast their votes in November. So what are the basic facts? Well, we know there’s consensus
across the US intelligence apparatus that we’re facing
a tangible, serious risk to our election systems
from cyberattacks. In September 2017, we learned
that the Department of Homeland Security had notified 21
states that they were targets of hacking over the course
of the 2016 election, Washington state
being one of them. And while it wasn’t revealed
exactly who was responsible, many analysts have pointed
to Russia as a likely actor. At this year’s
DEF CON, attendees focused on election security. They found almost 2,000
files completely unrelated to voting on the hardware
of a voting machine. And everyone here
today knows that when it comes to cyber
threats, the only constant is that attacks are
evolving at lightning speed, like much of our technology. And we have to either
evolve faster or accept that we will see
cyberattacks escalate and have greater impact. So that’s where
all of you come in. This topic really goes
beyond technology. It’s about harnessing the
incredible talent and ingenuity that we are so fortunate to
have here, right in our region, and applying it to protect
the fabric of our democracy and perhaps help restore
trust in government. This started out as
a bipartisan issue. And it’s incumbent
upon every policymaker to make sure that
we look at the facts that we can’t possibly ignore. We should make sure that
we are doing everything possible to support legislation
that would provide funding to help support state
officials transitioning out of outdated systems. And I’ll continue working
with my colleagues to advance that measure
and other measures that help make sure we have
strong election systems. I’m very eager to
learn about the work that all of you are
doing and the ideas you have right here at UW Bothell. And I hope that
we in Congress can look at the important
contributions that you and people are
making across the country to make sure we inform those
policies going forward. So thanks for inviting me to be
here with you for a few minutes today. And have a great afternoon. [APPLAUSE] [SIDE CONVERSATION] TOM MUEHLEISEN:
Before I get started with my intro of
the next speaker, I do want to recognize–
because folks don’t necessarily understand how these
things come together. This started as an
idea that Wendy had. And you heard from
her in the first hour. Wendy had this idea. Hey, it’s Cybersecurity Month. And we sure know a lot
about that in this region. Let’s put together a talk. That got the Center for
Information Assurance and Cybersecurity involved. But when it came time
to actually doing this, where to do it
and with whom to do it, we really needed the
student piece of it. And the Gray Hats stepped up. Morgan called. And they stepped up immediately. So Zach, if you would stand
up quickly, turn around. This is you guys. And so Gray Hats showed up. That’s why we’re here. That’s why we’re able to put
this thing on the way we are. Thanks, man. So Zach’s the president. And I just want to make
sure we did a shout out, because that’s super important
that we have all three legs of that stool. Or the darn thing
would just fall over. OK. So next, next up–
remember, I wanted to talk to people that were
in charge of things and people that were responsible
for things. And so I was asked to put
together these speakers. And I know people
because of my old job. And I know a guy named
Dave Holcomb, who’s been a protective
services advisor for DHS for a number of years. And you don’t need to
know what a PSA does. I can give it in a nutshell. He goes out and
does the assessments that Julie was talking about
from the physical side. And they come in– not
necessarily him individually. He doesn’t actually
sneak through things and put on war pain
and crawl up and try to sneak in your building. But he has guys that do that. And I’ve known him
for a number of years. And then, also, they recently
hired a cybersecurity advisor that does a similar kind of
thing, but on the nerd side. But I ran into Dave at one
of these type of events. In fact, it may have
been the same event that I asked Julie to speak. And he actually was
interested in doing it. The cool thing was that his boss
said, no, I’ll take this one. Now we’re getting somewhere. You’re going to have
enough doers on the panel. So when we get done
with this next talk, we’re going to get down a little
bit into the weeds, or at least point down to where
the weeds are. But we still need to
look at the people who have the responsibility
for a thing, have the authorities related
to that responsibility that let them take certain actions
in our homeland security. So think about what
that word means. And then you think
about the people that are responsible for that. So we’re fortunate that
the– this is your cue, Pat– that the regional director for
region 10’s DHS [? NPDB ?] is able to give this talk today
to give us that national view and then [? maybe ?] it down
a little bit onto Washington state and cybersecurity. Thanks so much, Pat. PATRICK MASSEY: All
right, thanks, Tom. Thanks. [APPLAUSE] Good morning, everyone. Thank you for being here. I appreciate the opportunity to
speak with you today and talk about some of the
things that we’re doing in the Department
of Homeland Security to support the election
officials like Julie at the state and local level. So I will get right into it. So I think everyone
knows that, in 2016, the Russian military
intelligence attempted to hack into state election networks. So because of that, early
2017, if you can hear me, the Department of
Homeland Security officially designated the
election infrastructure system in our country as
critical infrastructure under the National
Infrastructure Protection program. So what does that mean? Well, that designation
carries some benefits. So it let’s us share
information a little bit more readily, classified threat
information, with state and local election officials. That lets us establish what’s
called an ISAC, an Information Sharing and Analysis
Center, which I’ll talk about in a second. And it lets us provide some
voluntary cybersecurity assessments to state
and local officials. So what it does
not do, it does not impose any sort of federal
regulation or requirement on state or locals. And it certainly doesn’t
give the federal government any authority over elections. Under our constitution,
the states are responsible
for our elections. And the state and local
governments carry them out. So we talk about
election infrastructure. When we think of
the risk, we got to think of the entire
ecosystem, the big picture. We’re talking about voter
registration, vote capture, vote recording, vote tabulation. So that’s the threat. And there’s a lot of moving
pieces to the election infrastructure in our country. And what’s interesting, and
I think why we’re here today, is that pretty much every aspect
of our election infrastructure system either depends on some
sort of electronic device or it’s connected to a
network or it has software. So that’s the vulnerability. Again, the takeaway from this
slide, the real eye chart, it’s really complicated. So 18 months ago, I
didn’t know anything about elections– just like
you– about how they work. But there’s a lot of
moving pieces to it. So it’s that complexity. And it’s ensconced in all that. Again, it is software, internet
facing websites, and so forth. So again, there’s a lot
of different threat actors that threatened all
of our infrastructure, but certainly what
we’re up here talking about today, election
infrastructure and a lot of motivations. So the threat actors
we always talk about– upper left hand corner
are the nation-states, our nation-state adversaries– in this case, Russia,
which was caught, potentially others that
may get some bad habits. It’s interesting that
nation-state actors were not really in the threat model
when the security for elections were established. Our security for
elections are mostly to foil corrupt candidates. We don’t want people
stealing votes or elections, to make sure it’s
very transparent. One person, one vote. So we have to keep doing that. But now we have to also,
as our society pivot, to face a new threat. And that’s what
people like Julie and others at the state level
and us at DHS are trying to do. And of course, the
possible motivations are many, really, at the
bottom right hand corner. The ultimate goal is
to undermine our trust in our democracy. They want to undermine
the integrity of the vote. And then, by doing
that, you undermine our form of government. So again, the threat
vectors are really two-fold. Why we’re here today is to talk
about that left-hand column. And I know many
of you know this. And the threats are
the basic stuff. [? I said, ?] SQL injection. That was the means
by which the Russians tried to hack into the
state election systems. Spear phishing is still
the most common threat. It’s very common. And there’s a lot
of vulnerabilities across the election
infrastructure, vote capture, vote tabulation machines,
that I think the panel is going to talk about. And there’s two strings
for all that, too. So one is– and I’ll
talk about in a second, the technical controls,
the managerial controls. But there’s also a
public information aspect that people, like
Julie again, and others have to worry
about in case there is any sort of successful attack
or breach of our elections What we’re not talking about
is what you guys have all heard about over the past few years. It’s the influence operations. The Russians and others have
a pretty robust disinformation campaign. There was indictments
that were handed down to 12 individuals, Russian
intelligence officers, for doing this a
couple of years back. They’ll continue to do this. But that threat on
that side of the column is a lot harder to mitigate. And at least the
cybersecurity, it’s a known. We know what to do. We know what the controls are. There’s a range of things. On that disinformation campaign,
people posting false Facebook news stories and bots
that broadcast these out to thousands of people,
it’s a much harder point of attack to fight against. So election officials
that I stated before, I think you all know this, that
pretty much the entire election system involves some sort of
electronic device or software that’s vulnerability
to exploitation. The biggest risk
are with components that have a connectivity to the
internet, for obvious reasons. But you can see
everything that Julie– it’s a little bit less
in Washington and Oregon because it’s to
vote by mail state. So we’re very fortunate
on many fronts that here, in Washington, I
think the risk is a little bit less than most other states. But there’s a lot of
components that go into voting. It all involves software,
internet connectivity. Again, that’s where the big
risk is, for any adversary to get into there. So the good news is, a
little bit of the good news, it would be very
difficult for an adversary to change or manipulate the vote
without us knowing about it, without detecting it. That doesn’t solve the
problem that it happens. But we’ll probably know. So that’s a good thing. But look, at the end of the day
all across our society, for all the critical infrastructure
sectors and for election, what the foundation
is really about is creating that cybersecurity
culture in every organization. And you students are
going to get jobs soon in the private sector. And that’s going to be your
job to do that, because people my age aren’t doing that. So we’re counting on you. So when you get out there,
there are all the policies, the procedures,
the controls, that cybersecurity becomes everything
that you do every day. It’s not something
on the periphery. Every six months, you
got to take some course. But it’s central. If we don’t do that,
we’re not going be able to protect our
infrastructure in this country. It’s as simple as that. So a lot of things here on the
controls and mitigation, update software patches. Do everything you can to keep
your patches current to keep the bad guys out. And again, there’s a lot
of these things that are, of course, are very important. A lot of the technical
controls, hopefully you’re studying and learning
about some of those. And that’s one strain that
a lot of us are focused on is in that sphere. And again, the second
point for all this, too, is that public information. If an attack does
happen or even before, we’ve got to provide
good information to citizens that government,
we’re being transparent. There is a risk. Here’s what’s happening. So there’s two streams– the cybersecurity but also
that public information and awareness. So there is some good news. That’s a lot of bad news,
a lot of slides teeing up some of the risk and the
problems and the threats. But there has been a lot of
great progress over the last 18 months or so. And these are just
some of the examples. So at the federal
government, we’ve stood up a ETF, an
Elections Task Force. So federal interagency, FBI,
and the Department of Justice, Election Assistance Commission,
DHS gathers every week for a big meeting,
talk about the threats to our election system. Are we doing enough
to protect networks? On election
infrastructure, security– Government Coordinating Council. I know it’s a long acronym. But that’s a body
of 27 officials. 24 of them are state and
local election directors. So they meet periodically
to do the same– talk about the risk,
share threat information, talk about what they’re doing
as far as good practices to secure their networks. The corollary of that is the
EIS Sector Coordinating Council. So these are people
in the private sector. So there’s a lot of vendors
that provide systems to state elections. They’re providing a lot of the
equipment that capture votes, vote tabulation, and so forth. They have their own counsel
in the private sector. And they’re meeting now to talk
about the threats and risk, the risk to the supply
chain, and so forth. And then about 18 months ago, a
year ago, another long acronym, the EI-ISAC, Election
Infrastructure Information Sharing and Analysis Center– so for each of the 16
critical infrastructure sectors for energy and
transportation, water and wastewater,
there’s an ISAC– so a group of professionals
that work in that space that meet and share information. What are the threats
that we’re facing? What are our vulnerabilities? What are the way to
mitigate those threats? Can we share information? And that’s what
the EI-ISAC does. So all 50 states
are part of that, the secretaries of state’s
office that runs elections. About 1,500 counties are
members of the EI-ISAC. So they’re getting information
on threats that are network. Here are some bad IP addresses. Here’s this hack of this system. And then my
organization, DHS, we’re providing free and voluntary
cybersecurity assessments. So we do things like phishing
campaign assessments and cyber hygiene scans of networks. Penetration test, we get down
to that level to test networks. And we give reports to the local
and state election officials to say, hey, here’s
your vulnerabilities. You may want to try to
strengthen your systems. So with that, again,
at the end of the day, I think what we all want
is citizens of our country are to have elections
that have integrity, that the integrity
is rock solid. Again, it’s the foundation
of our free way of life. And we can only
get that securing our critical infrastructure,
election infrastructure systems, if we
all work together. Collective defense is
what we all talk about, that the federal
government can’t defend all these networks alone. Local and state
government can’t do it. The private sector, whether
a big corporation or small and medium-sized businesses, to
the military, civil society– academia plays a big role. So if we all work
together, all collaborate, we can defend our
nation’s infrastructure. So with that, I thank you. [APPLAUSE] [SIDE CONVERSATION] TOM MUEHLEISEN:
Cooperate to graduate. OK. So what we’re going to now
is we’re going to transition into the panel. If my panelists would come
up and do mic checks– as they’re coming up, I’m going
to explain how we got here. So Tom gets asked by his friend
Barbara, that’s Dr. Barbara, to pull together some speakers. And we’ve now listened
to people that are responsible for
things, one of whom actually has
authority over things, and what they’re doing about it. And that gives you the context. Go on and come up and sit down
and start checking your mic. It gives you the context. So what’s your boss,
Julie, doing about this? Well, she told you. If you’re doing assessments,
what’s your boss, Pat, doing about this? Well, he told you. Now we’re going to talk
about the everybody part of the equation. So we gathered folks. And the way I wrote it up in the
presentation and in the notes I sent them, we’ve gathered
people from dot com. Raise your hand, Billy. He’s also a dot mil. But for this, he’s a dot com. We gathered people
from dot gov– Margaret. We gathered a
person from dot mil. And then of course, the
gracious and wonderful Barbara from dot edu. And then we looked
at the problem. And so we’re going to
ask some things that are very much focused down
on this security problem. And I’m framing it as
a security problem, not a cybersecurity problem. So we’re going to look at
this as a security problem. All right. Let me go ahead
and bring this up. Panel discussion, pedal faster. All right. So if you haven’t
picked up on it– and again, for the recorded
audience, I’m Tom Muehleisen. I’m a retired Lieutenant Colonel
from the Army National Guard. I started my career
in the infantry, which is breaking things,
blowing things up. And then you get
too old for that. And I ended up in cybersecurity
as an information operations officer. So when Pat was talking
about influence operations, those were the ones that I and
the people that I worked with, for, and who worked
for me were preparing to perform all over the world. And so when I say about
penetration tests, that they all succeed, I
say that with authority. The only thing that
limits a penetration test is the rules of engagement. Keep that in the
back of your brain. The only thing that’s
going to limit you is your rules of
engagement on the pen test. Are those rules of engagement
going to limit your adversary? Maybe, maybe not. So as you think about
it in that context, some of the questions
we’re going to ask are related to things that
each one of these members are able to answer. So we’re going to
introduce things. And I’m going to have to
keep you guys to you maybe even less than five,
if we can do that, so we make up a
little bit of time and talk more about the topics. You’re going to have
questions from me that are focused on you. If we have time, we’re going
to get a presentation that talks about some of the election
systems that are used elsewhere in the country that
Billy Rios has prepared, do some follow-up, get some
things from the audience– and I know you
guys are in class. You may have to leave while
we’re in the middle of talking. That’s totally cool. And then we’re going to
go ahead and close this. All right. So here, as you’re
introducing yourself, Barbara, I want you
to think of answering this question if you can. What is the role of academia
in elections or voting system security? And what areas of research
could address this problem set? Go. BARBARA ENDICOTT-POPOVSKY: OK. I don’t think I have this on. TOM MUEHLEISEN: Yeah,
that was the whole do a mic check when you
come up and sit down part. This is like being in
the studio audience. This is what it’s really
like to be a studio audience, because this is never going
to make the final cut. Technology is hard. It’s kind of scary. You can’t make this stuff up. It’s awesome. BARBARA ENDICOTT-POPOVSKY:
Can you hear me? AUDIENCE: No. TOM MUEHLEISEN: That’s awesome. We’ll get one– BARBARA ENDICOTT-POPOVSKY:
Can you hear me now? OK. Yes, let’s think about
the role of academia and what we can provide in this
problem space, cybersecurity. And I think it’s twofold. I mentioned earlier
that when you folks went through high school,
there most likely was no one in the advisory
office that understood careers in cybersecurity or how
you could prepare yourself for the same. And if you’re anything like
the students that I’ve taught, you’re far more
aware of that world, cybersecurity, than your
instructors and your advisors are, because you grew
up with this stuff. You get it. So I think that academia
has a role to play. And I’m thinking now of
four year schools like this, research institutions. We have a role to play to
help fill that talent gap. And so eventually we’re
going to see a pipeline that goes all the way back to K-12. We’re not there yet. And we have this
huge gap to fill. So what the Center of
Information Assurance and Cybersecurity, which is
headquartered here at Bothell, has been doing is
building programs that can jumpstart students
into cybersecurity career fields and prepare them as
efficiently as possible to be productive in those
cybersecurity careers. Towards that end, we
have done two things. One, we have developed totally
online programs that are not for credit, but are designed
to deliver information to students with an interest
and to returning adults. And those two programs, we
have a certificate program that is 100% online this year. And we have a MOOC. You’ve heard of those
Massively Open Online Courses. You can take it for free. You can take it
for $75 a course. And both of those
programs were designed to prepare you for
thinking about the problems that you face in industry and
government once you graduate. This goes beyond thinking
about textbook problems, which I’m assuming, for
students here at Bothell, you’re getting exposed. I know that one of
your professors, a couple of your professors
that are sitting here, who are teaching cybersecurity
in the classroom. And so that should be
giving you foundation. What we’re doing is filling
that gap between graduation and when you’re ready for work. We’re trying to close
that gap more quickly and make you more
productive from day one, when you go to work for these
companies that are desperately needing expertise. Towards that end, we
have a co-op program where we have a
partnership that we’ve experimented with T-Mobile. And it is selective. We have this year
10, 12 students that are going through that program. They get paid half-time to
work a year at T-Mobile. And then, at the
end of it, there is a decision whether
you want to stay, whether they have
a space for you. But regardless, you
have a resume builder. And believe me, there
are other companies sitting in the wings that
want to be part of this. This is not internships. This is cooperative learning,
very specific cybersecurity assignments designed to
transition you quickly into the workspace. So that’s one thing that I think
universities can do now to take care of that talent gap. We need to be
focusing our efforts. That’s what we’re
doing in the Center, towards accelerating readiness
to fill that talent gap. The second thing I think we
can do in the research area has got to do with
solving problems like the ones that were
presented with– well, they got the right stuff. And now they can leave– solve the problems like
were outlined previously by our prior speakers,
where they were talking about the electoral systems
and the very pragmatic problems that we need to solve for
the purposes of coming up with procedures, checklists– I hate to use that term– TPPs, I guess, is
the military term? TOM MUEHLEISEN: TTP. BARBARA ENDICOTT-POPOVSKY:
Oh, TTP. Sorry. They’re going to give me a
shovel and have me dig ditches. There’s a definite role
for the universities to step in on the
applied research side to define the rules
of engagement, not just the technologies
that we’re going to use. We’ve been inventing
those all along. Our technical researchers,
our professors have been involved in those
kinds of contributions. But we need to be
focused on contribution to the rules of engagement,
how we help organizations operationalize cybersecurity. I had a call, just real quick,
I had a call about last week where we had a vendor
that is selling what amounts to doorstops. They’re selling equipment
that’s expensive, that’s supposed to do
really great things. But the people that
are buying them are treating these things
like they’re magic talismans. You put them on a table,
and they magically solve your cyber problems. No. You have to engage in creating
the context in which this operates. The rules, the training
for the individuals, the policy objectives,
all of those things have to be thought through. And that’s a mental engagement. And that’s defining the
context and the rules. And I think that
our research efforts could contribute in that way. Sorry. TOM MUEHLEISEN: OK, yeah, you
totally blew five minutes. This never happened. You know, I knew better when
I had you come up first. And I said five minutes. And there you went. OK. So Margaret, you’re focusing
question– but please, I think a lot of folks
already knew Barbara. But they may not know you. So go ahead and introduce
yourself, where you come from. But then be thinking
about, what is the role of government in this process? MARGARET BROWNELL: Hello,
I’m Margaret Brownell. And I’m the IT division director
at King County Elections. I have a staff at King County
Elections of IT professionals of six people. But then I’m also very
fortunate that I’m backed up by the entire King County IT
technology department of about another 465 people. So on-site in
elections, we focus on our applications, on our
workstations, on cybersecurity. And then the King
County IT department provides our infrastructure
for us, the network. They have an IT
security department. All the monitoring comes
from King County central. But the question is, what’s
our role in helping on this? And really our role, first, is
to conduct elections that are accessible and beyond reproach. And to do that, we
have to be transparent. And so everything we do
at King County Elections, we invite people to
come in and look at us, observe us, see us,
ask us questions. By not only vote by mail
accessible, but we also have the technology
to come out to voters that need help,
go to our centers if they need help reading
it, seeing it, hearing what’s on the ballot and voting– so providing that technology
for people so that everyone who can vote has
the ability to vote. The other things
that we have to do is, of course, the
security of that. So we have to
secure our ballots, making sure that whenever
there’s a ballot, we always have two people
with every single ballot. So that, again, that’s
a beyond reproach so that we know where
every ballot is. We know every ballot has
that level of security, having things locked up
when people aren’t there or when we’re not needing to
physically touch the ballots. We also have the
physical security of the buildings and
our lanyard system, where we color code
where people should be, what they can be doing. But then you have the
security of our systems, which is what we’re
really here to talk about. And so the cybersecurity,
the security of our systems– and again, we have
two primary systems. We have the voter
registration system. And we have the tabulation–
or think about the system where results are tabulated. And then we post
from that system what are the
results, making sure that those systems don’t touch. So the tabulation system, yes,
it’s on an air gapped network that every access
into that system, physical access
into that system, is blocked by devices that
people cannot pull out without a special coded tool– so just ensuring that we have
those safeguards in place, ensuring that all of our
systems are monitored. And then I think, as King
County, as Julie stated, we are the 13th largest
county in the country. There’s over 3,000
counties in the country. So being 13th, that’s something. And so part of our
responsibilities at the state and national level to
participate in like the [? EI-SAC ?]
that Pat mentioned. We’re also implementing what’s
called an Albert sensor so that we can send from King County
to the [? EI-SAC ?] traffic information from us,
so they can analyze it. The more information they get
from the different counties, we can assess and
see if we’re getting national threats or
regional threats that are focused on elections. So basically I’d say
for our split stance from the government,
it’s to be transparent, to be accessible, but also
to secure everything we do. TOM MUEHLEISEN: You
know what I love about you guys is that when King
County says it’s transparent, you literally mean
it’s transparent. We got a wall. It’s transparent. You can stand and
watch us do our work. So if you get a chance,
go down and check out what they’re doing. They’re not kidding. So next, the perspective we
wanted to go to is dot com. And we’re lucky
enough to have access to Billy Rios, who has been in
all kinds of areas in dot com. He’s going to get to it. But he’s very much
entrepreneurial, which is kind of cool because
he’s also a dot mil guy. So Billy, if you would–
oh, your focusing questions are, what assistance
can industry offer? And how do solution
providers frame the problem? BILLY RIOS: Hey, everyone. I’m Billy. I’m actually a University of
Washington alumni, a lifetime alumni. I graduated in 2000,
many, many years ago. But one of the neat
things is I actually had some experience with dot mil. I’m a drilling guardsman. And I think someone had
touched on this earlier. There’s actually a lot of
really tricky authorities that you’ll have to
go through in order to do these types
of assessments. So for example, Ben,
over here in uniform, can’t just show up
to an election site and do an assessment
against a voting machine. In fact, if all the proper
wickets aren’t checked, he could actually go to jail,
because it could be illegal. And so I think one of
the really neat things that industry can provide
of the voting industry is that, in the
commercial world, we’re not subject to
those restrictions. And so I have a
presentation hopefully I can give a little
later where, if I want to go to eBay and
buy a voting machine and hack it in my
garage, there’s nothing stopping me from doing that. If I want to take independent
research that I’ve done on voting machines
and insecurities that I’ve seen in
voting machines and present that
someplace, there’s nothing that stops
me from doing that. I can brief DHS, which is what
I’ve done a couple of years ago about vulnerabilities that
we’ve seen in voting systems. Nothing stops you
from doing that. So from a flexibility
standpoint, there’s a lot that I think
commercial industry can provide the election systems,
given that we haven’t done the work under
NDA or something like that. So that’s definitely something
I hope folks can understand. And it’s one advantage that I
think the commercial industry can provide the security of
our voting systems that some of the other places can’t. TOM MUEHLEISEN:
Thank you so much. So the last piece
of it, we’re going to talk about dot mil,
which, in this state, actually means something. We have a relationship,
partnerships that we built over
years with military, largely in National
Guarding– quite frankly, namely the Air National Guard. And with us today,
we’ve got Ben, who’s going to talk
about a couple of things. What is the role of the
National Guard in this process? And then what steps
have already been taken? Because he led a team that
did some pretty cool stuff. Go ahead, Ben. BEN KOLAR: Thanks, Tom. So like I said, I’m Ben Kolar. I’m the mission commander
for the assessment that the Washington
Military Department’s doing with the secretary of state. So we actually had a joint
team of several very talented and expert operators that were
able to assess the systems that the secretary of state
uses for the voter registration databases and the tabulation
results and that sort of thing as well. So the unique thing about
the Guard in this context is that we’ve been able
to pull, certainly, from expert talent in
the private industry, because a lot of our personnel
that were on the team serve full-time in
the private industry, but then were under the
orders of the governor to help in a military
capacity to help assist with that assessment. So throughout the course
of this assessment, we’ve been able to take
a methodology that’s a three-pronged approach. And I want to quickly
talk about what we’ve been working on and doing. So the three different
approaches that we take is a sequential approach. Simply put, it’s survey,
secure, and protect. So the survey piece
of it is really just taking a holistic
look at that system to identify risk in that system. Looking at vulnerabilities,
doing code analysis, doing pen testing, looking
at vulnerabilities, looking at policy,
looking at cloud security, all that type of stuff. And they’re able to
capture all those things and provide recommendations
to the secretary of state’s staff, the people that own those
systems, to mitigate that risk. From there, we can
actually take the knowledge that we’ve accumulated over the
past several weeks and couple of months and be able
to actually assist them in providing them
recommendations to actually have them mitigate that risk. So we’ve learned a long time
ago that giving somebody a vulnerability
report is not enough. You need to follow
up with those reports and make sure that the risk
is actually being mitigated. So we’re able to provide
them the assistance they need to make recommendations and
actually go back and validate that the vulnerabilities
that we discovered were actually mitigated
at that point. So we’re able to validate
that those risks no longer are there. The last piece of it, and
arguably the most important, is the secure piece of it. So during a specific time
frame, in this instance, it will be during
the election cycle, we’ll actually have a group of
individuals from the National Guard sitting on station
on those terminals, looking at the traffic
and being able to prepare to respond to any incidents
or anything that we see. So we’re going to be
able to provide expertise to identify [? anomalous ?]
traffic and potentially respond at the request
of any of the system owners in that building. So we’ve been very
fortunate to work with them. And I can, with a high
degree of confidence, say that we’ve been
able to mitigate a lot of different type of
risks that we’ve uncovered. And it’s been great to
see the leaning forward from the different
system owners to be able to want to
work with us and be able to improve their systems. TOM MUEHLEISEN: And
that’s fantastic. You may not have the
context for this, but understand this
is a rare thing. This doesn’t happen
in many other states. This state was the first state
to have its guardsmen activated into state active duty
to perform an assessment on critical infrastructure. The next assessment
they did was actually of the state auditor’s
office, who now have– and that was the purpose– now have a cyber audit team. Well, that’s because
they watched what we did, and they made it better. And that type of partnership
doesn’t happen everywhere. So it’s pretty impressive
that we’re able to have Ben and more impressive that
your government actually is engaging with
its National Guard to make itself more secure. OK. So the next part of this
is questions from Tom. And we’re going to try to
shoot for, Barbara, five minutes per question. OK. So I’ve already
suggested who ought to be lead for a specific
question, which means they speak first, Barbara. All right. I’m just making fun of her. OK. So I’m going to start
with the first question is for Margaret to lead on. Uh oh. Go ahead, Barbara. Do you need to say something? BARBARA ENDICOTT-POPOVSKY: No. TOM MUEHLEISEN: OK. See it works. It really does. You can mentor up. OK. So dot gov leading, but
then people coming in– because this is an
important question, especially when
you start looking at this from the
cybersecurity perspective. Think of the CIA triad. Since this is largely
an integrity issue, perception is very,
very relevant. What steps can we
take as a community and as security practitioners
to mitigate this threat to the process? Now, Margaret, I know you
already talked about it once. But go ahead and say it again. But get a little tighter
down on the security part, if you would– a little, just a little. And don’t worry. You got Billy right next to you. You can jump right in. MARGARET BROWNELL: OK. Well, the first thing
is, one, get involved. And I have to [? be ?] a
little bit about myself. I’ve actually only been involved
in elections for 14 months. So I have gone through
four election cycles with King County. And I am fascinated. When I interviewed for
it, for the position, it’s, I want this job, because
I want to help save democracy. It’s pretty powerful. The first thing is, if
you want to help us, if we lose the public
trust, no one’s going to believe the results
that we post from an election. And so it’s get involved, get
educated about what we do, come and visit us,
come and arrange. We love to give tours,
things like that. Be involved. Become an observer, the
Citizen Oversight Committee. But now getting down more
into the technical area is understand the difference. You hear in the national media
the voter stations or polling stations are getting hacked. In Washington state,
we don’t have those. But truly understand
that, in all states, you have your voter registration
system, which, yes, we have a voter registration system. And you have your
tabulation system. How do we keep those? And people speak to those as
if they’re one and the same. And so the voter
registration is where we have the information
about you, about the voter. We do track how often you vote. We in King County track
where did we get your ballot. Did you drop it in a drop box? Did we get it by mail? But once it goes to
the tabulation system, we don’t know who that is. We only know what
is on the ballot. And so from more of a
technical side, well, I’ve been at Elections
for 14 months. In that time, we did not
have a cybersecurity program. I now have someone working
almost full-time in it. My goal is to move
him full-time. But we have to offload
some of his other work. I’m working in it
about 50% of the time. I also have the support from the
King County security aspects. So there is need for more
cybersecurity professionals. And the key is also
all our vendors have needs for
cybersecurity professionals, because we won’t
purchase anything unless we know that system
is secure, maintained, up-to-date with patches. There is a program to keep it
up-to-date when vulnerabilities come through. I’m not getting around
to technical stuff. I was going to do that
in the next question. TOM MUEHLEISEN: You don’t
have to do technical. You’re doing awesome. MARGARET BROWNELL: So from
the King County perspective, what can you do to help
us maintain public trust? Yes, we’re transparent. But we need people. We have over 33
community partners. If you hear that we’ve
been hacked, call us. Find out for sure. Then get the information
out, because we will let people know if
something has happened, positive or negative. TOM MUEHLEISEN:
That was perfect. Thank you. There was one thread
in there that I’d like to have Barbara follow up on. See that? How’s that work? That’s pretty cool. There was a workforce
development piece. And that’s very much where she
was coming from in her talk. You said we need more
cybersecurity professionals. How do we get them not only
just generated in general, but get them focused towards
things like electoral security? What do you think, Barbara? BARBARA ENDICOTT-POPOVSKY:
Is this one– yeah, this is. TOM MUEHLEISEN: It is. BARBARA ENDICOTT-POPOVSKY:
I do have some thoughts about some wise policy that
could help encourage people to work in infrastructure,
which generally doesn’t pay what the private sector does. We’ve had a lot of success in
the past with a program called CyberCorps, which is
sponsored through NSF. And it has put about 200
to 300 students nationwide, which isn’t enough, but through
their academic programs, paying for their last two years
in exchange for commitment to work for the feds. I think we need a similar
program for infrastructure where students are encouraged
to sign up for a scholarship. We provide them courses
that we’re developing now in infrastructure. And we ask that students commit
to work for local government. TOM MUEHLEISEN: So we’re talking
scholarship for service, SFS– BARBARA ENDICOTT-POPOVSKY: Yes. TOM MUEHLEISEN: –but
more focused granularly. And it could be something
similar to [? Kilmer’s ?] bill. BARBARA ENDICOTT-POPOVSKY:
Yes, yes. TOM MUEHLEISEN: So you
just had DelBene in here. She’s dialed in. And you know [? Derek’s ?] easy. BARBARA ENDICOTT-POPOVSKY: Yes. TOM MUEHLEISEN: So we
could talk the two of them and say, hey, what
about a bill that does this, that creates these
programs at the federal level, the money comes from federal,
but then is applied down at the local level? BARBARA ENDICOTT-POPOVSKY:
I mean, I’m sure that if students
knew that they could get half of their
education paid for and have a job on
the other side, you’re going to see
people very willingly go into infrastructure. And it’s a great place to
learn, because nation-states are focused on these things. And you’re going to see
lots of interesting examples of attacks. TOM MUEHLEISEN:
That’s fantastic. Well, I think we have
our marching orders. Somebody needs to send an
email to Suzan DelBene. BARBARA ENDICOTT-POPOVSKY:
But I also want to add something else, too, Tom. I really think the general
public and our news media needs to educate themselves. That was mentioned earlier. I cringe when I see
these stories that misrepresent cybersecurity
and confuse the public. We have our MOOC. That’s free, if you
want to take it. It’s designed to give
literacy in cybersecurity. We need to have literate,
engaged public that’s not afraid of cybersecurity. It’s not some
spooky techie thing. You’ve got to
recognize that there’s a lot of common sense
in dealing with this. So I have some thoughts about
how we could do that, too. TOM MUEHLEISEN: OK. But we’ll work that in
later, if that’s OK. BARBARA ENDICOTT-POPOVSKY:
That’s OK. TOM MUEHLEISEN: And we’re
going to get into the dot com question, which we
talked generally about some of the threat actors,
some of their motivations. We talked a little about threat
phone risk just a little bit. And I thought actually
Pat did a great job. And I loved hearing about
it from that perspective, which was not technical. But now, actually, I
want to get technical. So Billy, leading off on this,
what are the known threats? And how do those threats relate
to a citizen’s personal life outside the voting process? BILLY RIOS: Yeah,
I think you don’t have to have access to
top secret information to know that there
are threat actors that are trying to disrupt
the election process. And so I think
that’s why we can’t view this as a confidentiality,
integrity, availability issue. That’s the CIA triangle that
everyone’s mentioning here. That’s the core
tenet of IT security. I don’t think it works
for systems like this. This is a much more complicated
thing than just a computer. There are optics and
perception and education and just influence and
information operations missions that are going on at
the highest level, nation-states against
nation-states. And so you may find a
vulnerability where you think, hey, look, not really
that important. Can’t really influence the
integrity of our election. But if it’s spun
in the correct way, it definitely
becomes a big issue. One of the things that
I see time and time again having actually done
assessments against real voting systems, having briefed
DHS against vulnerabilities in actual voting machines’
tabulation, tally collection– and there’s some problems there. And I know that, as far as
managing the election process, it’s pretty solid. As far as stopping
someone from being able to insert malicious
or incorrect votes or getting access to systems
that they probably shouldn’t have access to, pretty good. But that’s not the
end of the line. So we have a lot
of work to do in as far as managing
perceptions, managing the optics around all these
systems, because there are issues with voting
machines, tabulation systems, some of
the software that runs in our voting systems. And to complicate
matters even further, every state does it differently. In some cases, every
county does it differently. And so that makes
this problem hard. Just patching a bug or
having a security team doesn’t solve the
election security problem. TOM MUEHLEISEN:
That was perfect. And you even alluded to question
4, which is the hardest one. And so now people may be
thinking about our models and the way that we apply them. I’m going to go ahead
and shift to question 3. And this is focused on you, Ben. And feel free to jump
in when Ben gets done. What role does detection– so think of framework,
cybersecurity, identify, protect, detect. What role does detection play
in the response process that may seem obvious to some folks? But let’s go through it anyway. And then how can
smaller jurisdictions– and this may be where other
folks need to dive in, like Margaret–
smaller jurisdictions gain access to
external data sources? And I’m not talking
about getting into a secure, compartmented
information facility or skiff and getting top
secret information. That’s very hard to do. But how do I get access to
maybe some open source feeds? So we need to talk about how we
connect smaller jurisdictions. During a earlier break I heard
both Julie and Margaret talk about their concerns about
some of the smaller counties and how they can protect
themselves as well. So we’ll start off
with Ben and probably naturally switch to Margaret. So the question was,
what role does detection play in the response process? BEN KOLAR: Right. So the simple and easy
answer is obviously that you can’t respond
to anything that you haven’t detected first. So there’s a sequential process
there that needs to take place in order for you to be able
to detect that– in this case, a threat actor or a malicious– anomalous traffic or
that sort of thing. So to walk through those
steps, first and foremost, you need some type of
hardware or software and knowledge of the
system, be able to put it in the correct location, to
be able to ingest or capture that information. Second more, you need
to be able to capture the correct information. And then you need
to be able to have an operator of that gray matter
to put the pieces together to analyze that information
that you’ve been collecting to be able to identify
whether it’s a false positive or if it’s actually a
malicious actor trying to hack your system or whatever. TOM MUEHLEISEN: So you have to
have the systems, the process, but then also the people. BEN KOLAR: Correct, yeah. TOM MUEHLEISEN: Right. There we go. BEN KOLAR: Absolutely. And that’s one thing that,
as part of our methodology in the Guard, that
we’ve been able to look at through this
election infrastructure that we’ve been looking at. We started with the bare metal. Why does this process exist? What are the systems that
make up those components? How do they talk together? How do they work? And then from
there, we can start putting in our equipment
and hardware and software in certain places
to be able to make sure we have the correct
visibility to give us the information that we need. TOM MUEHLEISEN: Where
do the eyeballs go? BEN KOLAR: Correct. BARBARA ENDICOTT-POPOVSKY: Yep. I had a question I
wanted to ask you about. I came from IT on industry side. And of course, back then,
it was pretty obvious what the bad guys were going after–
anything they could monetize. TOM MUEHLEISEN: So that
hasn’t changed much. BARBARA ENDICOTT-POPOVSKY:
Yeah, that’s true. TOM MUEHLEISEN: Except for
China’s Hoover vacuum approach to information. But other than that. BARBARA ENDICOTT-POPOVSKY:
They take everything. TOM MUEHLEISEN: Yeah, they do. BARBARA ENDICOTT-POPOVSKY:
But what I’m getting from talking to
the folks on the military side, in this nation-state threat
environment that we’re now in, how challenging is it to
really understand what the bad guys are looking for? Because it’s not
so straightforward. They have a strategy,
an objective in mind. Is it a little more
difficult to get your mind wrapped around it? TOM MUEHLEISEN: I
think Billy started alluding to that when he talked
about information operations, which, of course,
I was trying hard not to break out the
pom poms and megaphone and start cheering. But when you look at it from
an influence perspective in the larger context– and we’ll get into
it in question 4. But you start getting
there in that detection. But just if we can focus down
on detection just a little bit, Ben was doing a great job with
not just talking about the bits and bytes and blinking
green lights, but someone, an operator, you started there. But then you also went
up to the process. The operator, if you want
to go into the target hack, a guy raised his paw. But their internal
process did not allow that message to get to
the correct decision maker. So it’s more than just
I’ve got the eyeballs in the right place. I’ve got somebody watching
what the eyeballs are seeing. It’s also, do I have the
way of getting the detection to the person that says respond? That was really good. So let’s look at how can
smaller jurisdictions get access to some of those
indicators of compromise, if I can throw out a term. Indicators of compromise,
those get spread through certain things
that Pat talked about and Margaret talked about. So Margaret, how would you
help a smaller county be aware? MARGARET BROWNELL: Be aware. Well, sorry. I’m going to answer
a different question. I’ll come back to that. But how would I help
a smaller county if they thought they
had something going on? And I’ll give an
example of actually what we did within King
County and what we volunteer to do for other counties. For example, I don’t
know if people realize, but within the
state of Washington, there’s five days
a year that people can register to be a candidate. We call it candidate
filing week. And so across the
entire state, if you’re going to be a candidate
for any office, you have to apply or sign
up during those five days. This year– and it’s in May– this year in May, we notice,
because of our monitoring, that every day at about
the same time, we were getting six or
seven candidates filing from the same IP address. And so it’s, erm,
what’s going on here? Are these false candidates? So we just put in, one,
if we got two candidates from the same IP address, we
started doing research on it. And we found out that yes,
those candidates– one of the national parties was
having a candidate filing event every day at the same time. And so yes, it was OK that
we were getting six or seven from the same site. So we have offered that out to
the other counties, that, one, King County, we do try to
help the other counties. So if they see things
coming from the same IP or if they see something
that they look is odd, we will go out and aid them. And we don’t have to
physically go there. TOM MUEHLEISEN: Yes, the
indicator of compromise, that IOC, which
turned out to be OK. MARGARET BROWNELL: Yes. TOM MUEHLEISEN: But it,
nonetheless, was an IOC. It was an indicator
of compromise. You went and looked at it. And the way that you helped
a small jurisdiction was you had that analysis
capability they lacked. And so you provided
that for them. MARGARET BROWNELL: Yes. And that’s another thing
that the EI-SAC Will also do for the smaller counties. TOM MUEHLEISEN: I was
hoping you’d bring them up. MARGARET BROWNELL: So if
we can identify a threat or if we see a threat
within King County, we can notify the EI-SAC. And they can aid
the other counties. The other thing
that we are doing to help the other counties
is, yes, King County has had a cyber audit. It’s not public information. We’re protected by the RCW,
the Revised Code of Washington, because we don’t want
everybody to know what were the vulnerabilities
that were found. But from that, Julie
gave me the charge to what are some
of the key things from that that we can do to
help the smaller counties? Let’s face it. Within Washington state,
we have 39 counties. King County, 1.3 million voters. The smallest county
has 1,200 voters. Most of the counties
don’t have– over half the counties
within Washington state do not have an IT
person in their employ. I’m lucky. I have six dedicated
just for elections. So some of the areas that we
found that were vulnerabilities within our audit– printers. It’s something most
people don’t think about. But printers are on the network. That’s a very easy
place to hack in. And so we have
provided information to all of the other counties on
how to shore up their printers so people can’t get in. Passwords– we all
know this even just from personal identity threat. But passwords, how
to make them harder– we know most people don’t like
putting in hard passwords. So you know, come on. We want greater
than 20 characters. We want multi-factor
authentication. We’re helping the other
counties with at least getting to the 20 characters. Also PCs, this is simple. This is basically
our bread and butter. But to keep PCs patched,
that’s a tough deal to do. Within King County Elections,
for a large election, we have over 400 PCs
plugged into the network. We only have 68
full-time employees. But we hire so many extra
people during the elections. We have to ensure
that those are patched and not always
accepting the tools that say it has been patched. So we have
vulnerability scanning. But some of the
things that we’re trying to aid some of
the smaller counties with how to get an automated
patching program up and running. So there’s different
things that we do every day that we are
trying to get standardized– this is not a word,
but processized, where we can easily package
it up and provide it to the smaller counties
that don’t have an IT staff. TOM MUEHLEISEN: It’s a word now. We decided. We voted. So let’s go ahead,
and we’re going to go to the last question
on this particular part. And we’re going to
start with Barbara. But I think, pretty
quickly, this is going to go over to Billy. And he’s already started to
answer this one, Barbara. Do our current models– the triad the
framework, whatever ISO you want to throw at this one– adequately prepare us
for this kind of threat as we’ve described it? If not, and I think we can
say they don’t fully cover it, what are the gaps? And how do we prepare
our defenders? We’re getting back
into the research part where we can dig into,
hey, does this model work? Well, yeah, until
you put it here. So we can dig into that. What do you think about
academia’s role or just in general, looking
at those models? BARBARA ENDICOTT-POPOVSKY: Well,
I think you know I love models. And I think that we
do need a model that applies for infrastructure,
taking into account the nation-state actor. I think CIA plays a role. But I think we need to
think about CIA in context. And while Billy was talking,
I was starting to noodle it. And I do think this is a
contribution that academics can make. TOM MUEHLEISEN: I agree. So there’s something I’ve
said to folks a few times when I’m consulting and other times. I’ll say, you know,
you need a model. You need a framework. But the point at which
you’re starting to argue it, you don’t need it anymore. People get so
wrapped around, well, I don’t know whether I’m going
to do [? ISO, ?] bla, bla, bla, bla, bla, or whether I’m going
to use the framework with this. I’m like, pick one. Go with it. And when you start
to argue it, you don’t need that model anymore. But you at least started
with something pretty good. BARBARA
ENDICOTT-POPOVSKY: I think it helps you think
a problem through. TOM MUEHLEISEN: Sure. BARBARA ENDICOTT-POPOVSKY:
You don’t have to constrain it. TOM MUEHLEISEN: It does
constrain you a bit. And that’s why I
bring up academia. The models do constrain us. They constrain our thought. And that’s why I
brought up academia, because one of academia’s
roles in society is to try to break
outside those constraints and look at out of
context problems. But I’m going to let
Billy start to answer some of the places where– you brought up CIA
and influence, inform and influence. And bless you, brother,
for saying that. Why don’t you expand
on that a little bit? BILLY RIOS: Yeah. I think we’ve heard from a
lot of folks about how awesome our cybersecurity is for
our voting infrastructure and election security. But we have to remember,
this is cybersecurity at the highest level. This is not about hygiene. This is not about patching. This is about protecting
our process, our voting process, our election process,
against other nation-states. And when they’re
going to come and do an operation against
these systems, they’re going to bring it. They’re going to
bring the highest level of technical
sophistication against these systems. They’re going to
bring the highest level of operational
sophistication against this process. They’re going to bring
the most strategic level of planning that
they can provide to attack these systems. And so that is a very,
very, very difficult thing to defend against. And so this cannot be
a, hey, one and done. We’ve done a pen test. It’s not about that. You have to protect
this entire process. That’s hard. That is very, very hard. And the deck is
stacked against us. So we have counties that
are so small that they don’t have an IT person. We have infrastructure like
voting machines and tabulation machines. And to be honest,
the software is just really bad from a
cybersecurity standpoint. And so we have to mitigate
this stuff in order to protect the integrity
of this process. It’s not an easy thing. I’m not saying it’s impossible. But it’s not an easy thing. So I think we have to
focus less on, as you said, the blinking lights,
and focus more on treating this
as, hey, we have to defend against an
active, ongoing operation against this process. BARBARA ENDICOTT-POPOVSKY:
This should be continuous. BILLY RIOS: Yeah, definitely. Definitely. So it always worries
me when I hear folks say, hey, we just stood up
a cybersecurity thing for this. And we just did an
audit last month. I’m like, oh, man. BARBARA ENDICOTT-POPOVSKY:
So did Target. BILLY RIOS: Right. If someone were to
come to me and say, hey, we want to disrupt
an election process for another country,
man, I would get started years in advance. And the rules of engagement
there, like I said, are at the highest level. That could include supply
chain, vendors, personnel. It could include a lot
of different things. And so I hope we can expand
the scope a bit.. TOM MUEHLEISEN: But we
use our powers for good. [LAUGHTER] BARBARA ENDICOTT-POPOVSKY:
I would like to, even though this sounds dismal,
while I have all of you folks here, I’d like to pass on
a huge compliment from one of our colleagues
down in California. Some of you here in the
audience know Matt Bishop. We brought him out last spring. I don’t know if
you know the name. But Dr. Bishop is the leading
expert in cybersecurity and election systems,
particularly voting machines, in the country. And we blew him
away, because he’s been called in to consult with
states all around the country. And he said he couldn’t believe
that people were actually taking this problem
seriously and wrapping their minds around it. Maybe we don’t have
it entirely solved. But we recognize there
is a problem, number one. And there is an intent
to get something fixed. So I felt really good. He said usually he’s not
looked upon very favorably. People aren’t happy
to see him coming. And in this case, he was
welcomed with open arms, because he was always
finding audiences that were engaged with this problem. So I think there’s hope. TOM MUEHLEISEN: I
think you’re right. And we’re going to
go, and we’re going to break out of the context of
Washington state for a second. I think, frankly, we’re
doing pretty well. BARBARA ENDICOTT-POPOVSKY: Yes. TOM MUEHLEISEN: And
I’m not just saying that because I want people to
calm down and not hack things. Yeah, I’d like for you
not to hack things. Don’t be a crappy person. But they’re going to anyway. But the way that,
certainly, King County and the secretary of state– she has acknowledged that,
hey, I probably have– BARBARA ENDICOTT-POPOVSKY:
And she’s awesome. TOM MUEHLEISEN: This right. And I probably have an issue. And I’m not afraid
to look at it. And so she brought in the Guard. And one of my next questions– oops– was I have
some prepared talks. And one of them was going
to be the threat landscape. But we alluded to that. The other one was going to be
the known threats and things that we found. But we’re not going to allude
to that, because while the Air Guard has, largely
Air Guard, has helped mitigate those threats with
the secretary of state, those are ongoing operations. We don’t talk about those. But we are going to cut into
something that breaks us out of our current context and looks
at the machines, the devices themselves, because we’re lucky
enough to have Billy here. So we switch over to
your [? prezo. ?] Give me just a second. Well, what do you know? Hackers vote, too. And if I can get it– there you go. You’re in charge. BILLY RIOS: Perfect. Yeah. I just want to walk
through some things that I’ve had a
chance to see when it comes to voting systems. Because we did this as
independent research, it wasn’t paid for by anyone. We could actually just talk
about it whenever we want to. And this is a subset
of slides that we briefed to DHS many years
ago, I think in 2016. Like I said, I’m a graduate of
the University of Washington. That’s kind of neat. Many years ago, I worked on
a mission as part of the, actually, your Air Guard, where
we looked at a specific weapons system and actually
really shaped the way I view these
systems of systems. This went all the way
up to the president. In fact, this mission
was actually directed, it was a presidential
directed mission. They talk about it in
these two books here. I remember when I read about it
in– actually, the first book I read about it was in duty. I took the book to my wife. And I was like, hey,
remember many years ago I was on this mission I
couldn’t tell you about? This is it. And my wife was like, this is
two sentences in 1,000 page book. It can’t be that important. So it’s always good for the
spouses to keep you grounded. But I remember, at
the end of the day, we found some vulnerabilities. And we were really
interested in that. And at the end of
the day, we were presenting these
vulnerabilities to people. And they essentially
just wiped everything that we had discovered out and
said, we really don’t care, because you haven’t explained
any of this to us in a way that matters, because
all they cared about was, hey, what do these
vulnerabilities mean to a warfighter when it
comes to a weapon system? And so you can actually take
that construct and apply it to other systems as well. Hey, what does this
mean to my brand? Or what does this
mean to operations? That’s how we need to view
these voting machine systems. It’s not just about the
vulnerabilities themselves, but really how they
affect this process. And an overly simple
way to think about this is, hey, how does this
affect the vote tally? I think that’s how some people
try to frame this problem. But it’s much bigger than
that, because it’s not just about the vote tally. If someone can’t
influence the vote tally but they can influence the
court of public opinion, then you have a problem. If there’s one
single voting machine that’s hacked in one of your
counties, the smallest county, and that voting machine is
on some newscast showing some kind of defaced screen,
you’ve got a problem. It doesn’t matter that the
vote tally is totally secure, because now you have
a perception problem. And so this was
what I was trying to talk about when
I was saying, hey, this problem for
voting security is much bigger than just making
sure that a machine is patched. We have the vote tally
that we have to protect. We have to protect the
voting system integrity. Because if the integrity
of the system is busted and someone can
demonstrate that, even if the vote
tally is correct but they’re showing that
the integrity of the system is broken, you have a problem. If there’s issues that
influence voter confidence in particular systems and
particular mechanisms, you’ve got a problem. If there is
something that can be challenged in a court of
law, man, you have a problem. This is more than making
sure you’re running the latest bits on a system. And there’s nothing new to this. People have been doing
this for a long time. And I think that’s what
we need to understand, is that this is not an
IT procedure that we have to go through in order to
protect these voting systems. This is an operational problem. The folks that are going to be
attacking our election systems and voting systems,
they are going to be conducting operation
against the voting systems. So here’s a Lieutenant
Colonel that spoke at the National Defense
University many years ago. And I think he sums
it up very perfectly. But I want to show
you what can be done. This is just
independent research, one of the valuable pieces
the commercial world can give to the strategic voting industry
or the voting election systems. If you want to get these
systems, it’s not hard. You can buy a voting machine. You can buy the
memory cards that go in these voting
machines to do analysis against the software. If you want to, you
can actually even buy the authentication
credentials that are used to manage these systems
at a central administrator level. So I know that over the
last couple of hours here, everyone’s been talking
like, oh, it’s awesome. We have all this stuff in place. These things are really secure. There are some problems
there that we have to manage. We can’t just say,
hey, everything’s good. There are things that
we have to get in front and we have to manage. And then once someone buys
these machines, it’s theirs. They can do whatever they
want with these machines. There’s actually two voting
machines in my office. At the time, my six-year-old
daughter was asking me, hey, can I cast a vote with that
voting machine over there? I’m like, eh, it
doesn’t work that way. But there’s nothing
stopping someone from taking these machines
and tearing them apart in the comfort of
their own home. And if we don’t think
other countries are doing this against the
voting infrastructure that we’re using,
we’re pretty naive. Other people are
definitely doing this. And like I said, there’s issues. The years that these
systems were created, the actual hardware and
software for these systems, no one was thinking
about cybersecurity. And it’s tough to fix
that after the fact. Here’s a JTAG interface
to interface directly with the processor of
this voting machine. So if I want to take
the software off of this voting machine,
this is how I would do it. More importantly,
here’s another one that’s at the very top of
a printed circuit board. And the problem with that
is that that top piece, that JTAG interface, is
right near someplace that someone could
actually access if they had physical access
to this voting machine, for example, casting a vote. And so there’s other
things out there as well. If you lift that lid
of the voting machine, there’s interfaces there that
probably shouldn’t be there. And the problem with
this is that this is what we’re going to have
to deal with from an election security standpoint. These machines are
created many years ago. No one thought
about cybersecurity. These issues are there in the
machines that are in the field. So I know that Washington state
is one of three states that does all mail ballots. That’s great. So you’ll have to deal
with these issues. But there’s other things you’ll
have to deal with as well. And the whole point of
this is saying, hey, look, it’s not all fine. It’s manageable. But we have to put
forth the effort to manage this kind of stuff. So people are going to
take apart these systems. They’re going to be able to
get access to the software. They’re going to be able
to get access to things that they shouldn’t have
access to, for example, keys that are securing
and encrypting the data on these machines. And then at the end of the
day, some of the machines that they’re buying,
this is not some, well, you bought
some esoteric machine that’s not used anywhere. Some of the infrastructure
that we purchase actually are really used in real
elections, like in DC, for example. And we did this research
a long time ago. So a couple years after the
2008 election, one of the voting machines that we
actually purchased was used in the
presidential election. So this is not something
that’s just out there that no one’s ever using. These are real machines
that we have to think about. What’s it cost
for us to do this? Probably about $1,000 worth of
equipment, maybe about $500– or $1,000 of equipment that
we needed to do actually do the analysis, maybe about
$500 of purchasing equipment, and then maybe one
or two weeks of time. So if someone had the
time and inclination and wanted to do
this for three years, imagine what they
could discover. So I just want to
throw that out there. Definitely think about that. It’s food for thought. We’re doing a lot of
really good things. But this is a problem
that we have to manage. It’s not a one and done. This is not something
that we can fix overnight. This is a pretty hard problem. TOM MUEHLEISEN:
That was excellent. Thanks, Billy. I’ve done engagements. I didn’t want to say
operations, because most of them were on the civilian side. And the one and done thing– and so the metaphor I
finally came up with is everybody’s focused
on these pen tests. Pen tests are like
checking the oil. And now, don’t get me wrong. You should check your oil. It’s a great indicator
of engine health. But it doesn’t really talk
about what’s going on. And it’s certainly
a snapshot in time. So people should
look at these things. And then as you think
about, as a manager, if you happen to be Margaret,
how do I mitigate this? I can’t say where this happened,
because it’s still active. And I’ll tell you why. So we’ve got a
large organization– let’s be careful about
how I explain this– a large organization that has
a bunch of cameras that it uses for what it does. And so my hacker, my pen tester,
bought one of those cameras on the open market,
did a little software to find radio action on it,
and discovered a zero-day. OK, well, what were we
supposed to do with that? I have no requirement as a
private citizen or a contractor to say anything to anybody
about the zero-day I just found. That’s not what we did. We actually did go back
to the manufacturer. We went back to the correct
ISAC, believe it or not, and tried to get there. The problem was that
particular manufacturer, that device had been
designed back long before we thought about cybersecurity. And there honestly
was no way to fix it. The engineers that had designed
that thing have moved on. The company that designed it
had been bought three times. That device is no
longer manufactured. And there’s no line of
funding to replace it, because it still works. And so imagine being Margaret. And you’re faced with that
problem, where Billy comes in and says, gee, that’s nice. You think you’re secure. And people say,
well, I’m behind, da da da da da, air gapped. And I go, so were the
Iranian centrifuges. So I’ve got all these
things in place. And they’re good things. But he comes up and says, this
machine– fundamentally flawed. Can’t be fixed. And you’re like,
what do I do when I’m faced with not just
the reality issue of I’ve mitigated this as much as
reasonably you can do– and I actually agree
with her professionally. She explained it. And I went, yeah, yeah, yeah. That’s totally reasonable. But the problem is perception. Because if that gets out in
the wild and somebody says, well, you had that device. You didn’t replace it. Say, well, yeah. You voted down the initiative. We had to up our budget. And so these things relate. And so I want the students
to think about this as they watch this. This stuff all comes
back into context. It all comes in together. And so the last part
of our discussion is a chance for our panelists to
reengage in a couple of issues. And we’re going
to skip this one. We’re going to go to– we don’t really
have any questions from the audience I don’t think. AUDIENCE: We have some from online. TOM MUEHLEISEN: We do? AUDIENCE: Yeah. I think there are about 10. TOM MUEHLEISEN: Oh, do you
have some from the audience I don’t see right now? AUDIENCE: Right. We have about 124 folks online. TOM MUEHLEISEN: OK. Then let me go ahead
and I’m going to put out the rules for the folks online. I don’t even look at you. Sorry, I’ve been
looking– over here is the camera for the feed
I’m going to use for my class and we’re going to
use for other folks. So I’m going to talk to you now. OK. So here are the rules. Be brief, be brilliant, be gone. It should be easy for
you, because you’re going to put it in text form. Sorry. He’s laughing, because he’s
heard that as an officer. When you get up to brief in
front of general officers, it’s usually be brief,
be brilliant, be gone. So I need you to have
a concise question. So who’s going to ask me? Is it Zach? Or is it Morgan? Who’s going to pass
on the questions? AUDIENCE: I think Zach. TOM MUEHLEISEN: OK. So Zach’s going to do it. Zach, as you’re
doing it, I need you to filter to make it
concise and focused on election system security,
unless, for some reason, we get somebody on
the models piece.
2846
02:04:49,610 –>02:04:51,77[? I have on ?]0
And we may want
to noodle on that. So go ahead. ZACH RUBLE: I just see questions
right now in… this list on inside threats. TOM MUEHLEISEN:
Oh, that’s great. So people will bring that up. And I’m going to let– Margaret’s going to– I know
she’s chomping at the bit. So whenever I do
assessments, I always suggest that to the client. I say, look, most
of your, frankly, your threat space is internal. And people don’t want to
look at it, because you’re admitting that somebody is going
to be evil– somebody you know. And it was so cool. I finally was working with
kind of a small hospital. And they were willing to do it. So we actually did
vignettes, if you will. One was the evil nurse. And I’ve worked in health
care for a really long time, long ago, in a
body far, far away. And so trust me. There’s motivations
there, because nurses are very unappreciated in
the health care system. And yet they have
access to so much stuff. And then we had the
evil office worker. Again, same thing. You have the folks
that actually make the paper, if it’s digital or
not, move around the system. They get pissed off. And then we actually
did the evil IT person, which, of course, is the
most evil of all of them. And they let us look at those. Now, unfortunately, I wasn’t
able to do what Ben was talking about and actually go in
and say, look, darn it, and take their CIO
by the tie and say, you need to write
these policies– because that was my role,
was doing the CIO thing– and then have my IT
guy come up and say, you need to enforce
these controls. We weren’t able to do that, man. But what would you do
about the insider threat? MARGARET BROWNELL: OK, first
off, as Julie mentioned, we have our internal policy,
which is see it, say something. So our internal
threat, first off, all of our full time
staff, of course, we all have background checks
and criminal background checks. But like I alluded to, we hire
hundreds of short-term temps for our elections. And so for this upcoming
general election, we’re hiring 201
short-term temps. Or we call them STTs. So what do we do about
the insider threat there? We never have a ballot by
itself or with one person. We always have the two person
rule that if there’s a ballot, there’s always two people. Our folks change who their
buddy is at least daily. Sometimes it’s twice a day. And so yes, we can’t say there
won’t be an internal threat. But we are hedging
the bets by changing– TOM MUEHLEISEN: You
have really reduced it MARGARET BROWNELL: Right. We are reducing that internal
threat by mixing things up. And again, even an example is
ballots that were returned too late– there was two ballots
at the end of the last election were wedged in between
our front doors, well after 8 o’clock at
night, hoping that they’d be– I’m sure the people wanted
their ballots to be counted. We get a lot of ballots
returned too late. And when one of our
staff went out– she was leaving, because
we leave on election night anywhere from 9:30 to
midnight, depending upon what our jobs are. When she was
leaving, she saw it. She had to go and find another
person that was still there– I happened to still be there– to go. Before she could touch
those two and get them out the door so she
could leave, we had to go get those two
ballots, walk them, put them into a secure envelope. So we had the chain of
custody of where did those two ballots go at any time. TOM MUEHLEISEN: You
know what I love most about your talk that
addressed, I thought, the insider problem very
effectively was there was not a single bit, byte, or
blinking green light involved in that conversation,
because that’s where we start to fix things. Did you get any more
questions yet, Zach? ZACH RUBLE: No. All right. BILLY RIOS: I would actually
like to add something. So the thing that I like
about this and the way that Washington is
dealing with this problem is that they are treating it
like it’s an operational issue. If you’re looking
at the panel here, everyone has something to do
with a voting system security here. They’re working together. So you have the
academia piece here. You have the Guard working here. And then you have the folks
that are actually running the election infrastructure. That’s a good thing. That’s a really good thing. And so this is not a,
hey, we did a pen test. And here’s the report. And we’re going to fix
it at some point in time. It does seem like this
problem is being treated as an operational problem. And if at some point the
governor or secretary of state needs to reach down and
get some capability, maybe they can go to the Guard. Maybe they can go to the
University of Washington. Maybe they can reach
out to commercial. So it’s neat to see how
this is playing out. I’ve had an opportunity
to work on some election systems for a couple
of different places. I briefed DHS on
election security. I was in Time Magazine in 2016
about election security stuff. Some states don’t
do it that way. And so I’m happy to see
that Washington is actually taking the lead in
something like this. TOM MUEHLEISEN:
Well, I love that we keep coming back to that. And we talked about it in
the quick model discussion that we have. But cyber is not IT. And early on– and
trust me, being a CIO, it got dumped on me early on. And quite frankly,
to be blunt about it, I got my teeth kicked in
over this issue of security, because they’re like,
you’re the G6, which is CIO in civilian language. Go fix it. No, this is an
operational issue. And that was the first
teeth kicking in, was when I pushed
back on my boss and said no, this
is a you problem. I’m a piece of it. I’m even a big piece. But I’m not the whole thing. And I agree with Billy. I love how we’ve looked at
it as an operational issue. And I will say
that, quite frankly, the reason we’re there,
Barbara, is because of the partnerships over
the last half dozen years that have been very focused
on getting people to see this, especially within government,
as an operational issue. And I think we do,
governor on down. BARBARA ENDICOTT-POPOVSKY:
So I wanted to ask Margaret where
she gets her volunteers. MARGARET BROWNELL:
The STTs are paid. They are paid short-term temps. So if that’s what you’re
talking about for our volunteers to work the elections, no. If you’re working in the
election, you need to be paid. So therefore we do have
that, quote, “control.” TOM MUEHLEISEN: But
your observers are– MARGARET BROWNELL: Our
observers are volunteers. And so the observers
are through the parties. And we have observer
training and then days. And I invite anybody
to come to our accuracy test, which is on October 23. BARBARA ENDICOTT-POPOVSKY:
So I wanted to put some people
at the spot here, like Zach with the Gray Hat. He’s president of
the Gray Hat Group. Is this something that that
group might be interested in? We’re talking paid work. And we’re talking
election security. Can I put the two
of you together to have a conversation,
because Zach really has a finger on– how many
students are in the Gray Hat now? ZACH RUBLE: We actually
have between 20-30 students Who are completing degrees. BARBARA
ENDICOTT-POPOVSKY: I mean, this would be a real front
and center insider threat opportunity for learning, Zach. TOM MUEHLEISEN: So if you
can urge him to be thinking– BARBARA ENDICOTT-POPOVSKY:
Plus you get paid. TOM MUEHLEISEN: –white
hat would be cool. White hat on that
one would be nice. MARGARET BROWNELL: I also
want to add something. Again, I can only
speak of what’s going on in Washington state. But speaking from the
Washington state perspective, even though I’m the
county perspective, what Secretary Wyman put together
for the annual state conference this year, we had
the National Guard. The elections
officials every year have a three-day conference. 1 and 1/2 of those
days this year was totally focused
on cybersecurity. And we had Homeland
Security there. We had the FBI there. We had the National Guard there. We had the EI-SAC. We had all the other acronym
places from Washington DC come. But it was a day and a
half across the state, except in King County. They’re called the auditors,
not the elections director. The auditors, it
was interesting. I sat with the smaller
counties in almost all things. And so you could see
eyes getting very big, because they are
suddenly being charged with you need to do this now. But along with this
came all of the tools. Our National Guard is
there, volunteering to help. We’ve had cyber events,
both at Camp Murray and at Moses Lake for
the elections officials to come and practice
cybersecurity. And some of those
were technical. But most of the
exercises were, again, the how do we communicate? How do we get the perception? What do we do? And so the focus
within Washington state is there at all 39 counties. TOM MUEHLEISEN: It took years
to build that infrastructure. And again, we talk about
teeth getting kicked in. There were many career limiting
events along that pathway. All right. I won’t say anything
more about that. Just understand
that it was fraught with professional peril. Yet we had enough people. We had a core team
that didn’t quit. For instance, Billy and
I, I’d met him before. But when we worked together
on the [? snowpud ?] mission, that was not always a done deal. That was very much
fraught with peril. And I ended up in front
of generals and colonels, explaining what
we’re trying to do, writing a letter
for the governor to sign to put Billy and
nine other people on state active duty to do this thing. And it almost didn’t happen. And what crushed me at the
time– and we got through it– was we were so far out
ahead of the other states, it made me shudder to think
what was happening there, where you talk about just
your view of the problem, you’re a full
election cycle ahead of other states and the
way they view that problem. They’re saying, oh, the
IT guy should handle it. And you’ve already
said the small counties don’t have an IT guy. And so what do we do about that? Did we get any
questions yet, Zach? ZACH RUBLE: No. TOM MUEHLEISEN: No. So Wendy, not so many questions. But that’s OK, because
they’re watching. And it’s cool that they’re here. We have the question from Zach. Now’s your chance, if you
didn’t get it in before panel, these are your last words. And I know I try to put Barbara
into a box as much as I can. Do you want to go first or last? BARBARA ENDICOTT-POPOVSKY:
You decide. TOM MUEHLEISEN: All right. I want you to go first, because
you know I love your brain. If you haven’t
picked up on it, I consider Barbara to
be a mentor, certainly someone I would like
to be when I grow up. But she’s certainly
a dear friend. So Barbara, what was your last
word on this conversation? BARBARA
ENDICOTT-POPOVSKY: I think it’s really great that we’re
suffering through this right now, because I think
lessons learned from this infrastructure
are going to provide models and planning procedures
for handling incidents with other infrastructure. I also think it’s a
vehicle for education actually, which is
desperately needed. I keep telling you. My teeth grind at night over
what I hear on the news. It’s such a disservice. TOM MUEHLEISEN:
Right, alt facts. BARBARA ENDICOTT-POPOVSKY:
And it just confuses people. So I think, in many ways,
this has been a turning point for situational awareness. I had a colleague from Germany
whose father came to visit. And his dad was
a power engineer. And this was back pre-9/11. But his dad couldn’t
get over the fact that you could take a putt putt
and motorboat up the Columbia River, right next to the dam. In Europe, that doesn’t happen. They’ve had some bad
things happen over there that makes them
situationally aware. And they’re forever scarred. Our society is not
situationally aware. And we have to raise awareness
without scaring the heck out of them. If you scare the
heck out of them, they don’t know what to do. But I’m just hoping that we’re
seeing a more literate society come out of this. And I think that elections
are a great vehicle, because people can get that. They might not get how
the light switch operates. They’re kind of spooked
by the telephone. But elections, you
can kind of sort of think your way through, at
least on the operations side. So that’s my thing. TOM MUEHLEISEN: That’s perfect. BARBARA
ENDICOTT-POPOVSKY: I think this has been fortuitous,
even though it’s put you through a lot. TOM MUEHLEISEN: That’s true. It’s good, not to be Julie
or Margaret right now. OK. I love that you’re doing
your job, quite frankly. All right. We’re just going to
work down the way. So Ben, you’re next. So your last
thoughts, if there’s one thing that the person
watching this video walks away with, what is it? BEN KOLAR: Yeah. So one thing I’ll say,
it’s like Billy alluded to. It’s going to take more than
just a standard risk approach to this problem to solve it. And what’s been great about
the last several months, I’ve seen an enormous
amount of collaboration between many different
organizations not just in Washington state, but
even other states as well. I’ve been collaborating with
other National Guard units in their own states
that have been tasked to secure their election
infrastructure as well. So the collaboration
that’s happening between smaller jurisdictions
within a single state who has government agencies,
with state agencies, and then even across state
borders has been great to see. So it’s definitely
opened my eyes to see how serious this
problem is being tackled. And it’s making me
very hopeful for it. TOM MUEHLEISEN:
That’s kind of cool. Margaret, your
turn, last thought. MARGARET BROWNELL: Well, I think
our last thought is it is true. This is a never ending event. King County’s attacked
every single day. But every single day, the
people providing the threats are learning more. And so we’re having
to learn more. I just said yes, I love my job. I’m having to learn every single
day, change every single day, be nimble every single day. But within that, comes– yes, audits are a
snapshot in time. I like audits. As soon as I’m done with
one and have worked my way through the action plan,
I’m calling for another one, because it’s the
way to bring in– now within elections, as
we’re critical infrastructure, we have so much free help. And I’m using that
free help to find out, where do I need to improve? And so like I say,
we’re in a cyber audit. Once we finish that, which
will take a year or so, then it’s time to go and
ask for our next free help audit and then our
next free help audit, because everybody wants
to come and help us. And so that will
help keep us fresh. And so it’s something for the
folks working within elections. We need to educate
folks as far as how it’s run, but also
never stay stagnant, because it’s changing
every single day. TOM MUEHLEISEN: I would
like the free help to become the funded help as
a small business owner who does that sort of thing. I’d like to see–
because I think it’s the way our economy works. But I do like the fact that
we have the capability, the capacity, and
the willingness within this state to apply our
National Guard to this problem. They are not the
full time answer. The full time answer is to
put it out in the market. I used to call it
ringing the dinner bell. We need to ring the dinner bell. Well, to do that, you’ve
got to have a bell. And somebody’s got
to pay for that bell. So Billy, your last word. BILLY RIOS: Yeah. This is a big, hard problem. And I think some people
have alluded to this. I think as Washington
state pioneers how you can solve or get in
front of some of these problems with voting security, election
security, it’s pretty painful. And I think whenever
you’re blazing the trail, it’s always painful. It’s kind of like
being the first person to scale a huge mountain
or rock climbing. And what I hope doesn’t
happen is folks like Ben and the other folks on the
panel here blazed a trail, get to the top of the
mountain, and then climb down. So what we really need to
do is set anchor points for people who follow. And this election
security problem is not just a Washington
state problem. It’s a national problem. And there are other
states out there that are going to be dealing
with the same exact issues that you’re going
through right now. And so hopefully
you can lay down some anchor points for them. All the work that you’ve
done with memorandum of understanding and
getting secretary of state to understand how to
utilize the Guard and academia and commercial, all the
work that you’ve been doing to secure the election systems
at the operational level, it’s all really important stuff. And so now we’ve gone
through the pain. Hopefully we can share
that with some other states and help them build
their programs up without making them climb
the mountain by themselves. We can definitely set some
anchor points for them so that they can
have an easier time. BARBARA
ENDICOTT-POPOVSKY: So Tom, could I just make a few thank
yous before we sign out? TOM MUEHLEISEN: Oh, you can
take us home if you want. OK. Wait. ZACH RUBLE: Are you guys
still taking questions? BARBARA ENDICOTT-POPOVSKY: Yeah. TOM MUEHLEISEN: Sure. Why not? ZACH RUBLE: The question
is, who safeguards the database security
and are they all standardized accross the states? TOM MUEHLEISEN: So no
to the second question. And the database
is tough to answer. Because as both Julie
and Margaret spoke to, you’ve got two at a
minimum, two databases. And I’m being loose with the
terminology at this point. Two databases–
one is, hey, I’ve got to go figure
out who can vote. And then I’ve got to
go take their vote and do something with it. And so that is not standardized. Billy talked about that. And that’s both a good
thing and a bad thing when it comes to democracy. I think is mostly a good thing. But when it comes to
security, that’s a bad thing. It’s only a bad thing, because
we don’t have just a way to say here, plug this in. It’ll patch your system– well, because they don’t
have the same system. So there’s not a
collective way to do it. So that’s the whole states
part of the United States. It’s 54 states, territories. Little fiefdoms do
their own thing. There you go. Did I get close enough to the
right answer there, Margaret? Do you think? MARGARET BROWNELL:
You got it close. Yes. Yes. You got it close. I will add a little more detail. Again, within Washington state
right now, as Julie stated, every county– well, the small counties use
the secretary of state’s. The secretary of state
has the primary database. But I’ll say it’s the
database of record. But the most of us
within King County, we have our own database. I’m talking about
voter registration. We have our own database that
we monitor, that we maintain, and then we feed the
secretary of state daily. They feed us. We are moving. We are currently in
a statewide project that’s called
VoteWA, where we will be moving to one centralized,
statewide database for the entire state so that,
within Washington state, yes, we will have a consistent
database that all counties use that we are using. And it will be maintained
by the secretary of state and WaTech with, of course,
aid from some of the rest of us watching them, because
this is a new world. TOM MUEHLEISEN: Right. Just use the responsibility. MARGARET BROWNELL:
This new scary world for King County for me. I’m giving up some
of my responsibility. And so I will be watching. TOM MUEHLEISEN: Are you
actually giving up– wow, that’s a noodle on
[? RCW ?] and [? WAC ?] stuff. But I don’t know that you’re
giving up the responsibility. You are giving us
some authorities. MARGARET BROWNELL: Some
authorities, right. TOM MUEHLEISEN: But you
keep the responsibility squarely in your county. And that is dicey. MARGARET BROWNELL: Correct. TOM MUEHLEISEN: When you’re
delegating authorities, the responsibility
doesn’t go with it. And I know it’s a
little out of context for some of the students. But just understand,
these are the problems you have to noodle through. They’re important. MARGARET BROWNELL:
But it will be great so that, within
Washington state, again, one of the concerns
by the general public nationwide is somebody
can vote twice. Somebody can vote multiple
places, multiple counties. When we have one database
across the entire state, we will know if a
person is registered in a different county. We will know if they have
received a ballot already. So that will help elude some
of the concerns of, oh, people are voting multiple times. TOM MUEHLEISEN: And then you
get the economies that scale. And there are
economies that scale when it comes to security. You alluded to them earlier. The fact that you have
six people looking at this problem in your
county, other people don’t even have an IT person. So when you get up
to the state level and then you delegate
that even further within WaTech, which has some
very capable people working in security, you get
these economies of scale just like the three of us
when we were in uniform. I used to be a CIO. And I would talk about that. But when I talked
to civilian CIOs, I would say, but remember, dude. I’m behind 14 firewalls. That’s my economy of scale
when it comes to security. Barbara? BARBARA ENDICOTT-POPOVSKY: Yeah. I did want to say thank
you as we wind this up. We have over 120
students that have participated in live streaming. And I want to thank all of
you for joining us today. This is the new world we’re in. I would like to
indicate to you folks that we will have the video
linked to our website, courtesy of Christine, back
there, very shortly. I think within the next
day, day and a half, you’ll be able to see
the video again linked to the CIAC website. We’ll give that link to Wendy,
who heads up the MIPM program. And to Zach, you
can get that out to your colleagues
with Gray Hat. And of course, we’ll give that
to Jorin who can get this distributed
here at UW Bothell. I want to thank everybody
that made this possible. Wendy, I appreciate your
impetus in suggesting this, because we do have talent
and capability and knowledge here on campus. And thank you for
being the spark plug for this and for co-hosting. I appreciate your determination
to make this happen. And it’s been a success. Thank you very much. Tom, I really appreciate
you contributing your time. TOM MUEHLEISEN: Glad to be here. BARBARA ENDICOTT-POPOVSKY:
And I love being able to access all of
your tremendous resources, because I know you have
access to folks that really know what we’re doing. And we can sleep
easily at night. The tech people, Zach and Mark
Studer’s group that captured the chancellor
and did our video, I really thank you. So appreciate all
of you for coming. And we will see another
seminar, won’t we, from MIPM within the next
few months for those of you that are online. So thank you very much. Oh, one more thing– there is a fourth bite
of the apple here. We will be using the
video for some cuts that we’d like to include
with our online courses that we’re building. And Morgan, back there,
is going to figure out how to get permission
slips from all these folks that are captured online. So just a heads up– TOM MUEHLEISEN:
Already got them. BARBARA ENDICOTT-POPOVSKY:
Oh, you have them already? TOM MUEHLEISEN:
Already got them. That’s why we need to
thank Morgan more than just about anyone else for the
fact that this thing happened. BARBARA ENDICOTT-POPOVSKY:
Sorry about that, Morgan. You did it already. TOM MUEHLEISEN: That’s OK. I had your back, sister. BARBARA ENDICOTT-POPOVSKY:
And we also have to thank Morgan for
handling the logistics with Tom of this, too. Thank you for being
there, Morgan, and for getting this
all pulled together. So that’s it folks. And we’ll join MIPM
maybe in another seminar here in a few months. Thank you very much. Thank you all for participating. TOM MUEHLEISEN: Good job. [APPLAUSE]

Leave a Reply

Your email address will not be published. Required fields are marked *