1
00:00:00,000 --> 00:00:18,620
35C3 preroll music
2
00:00:18,620 --> 00:00:24,779
Herald Angel: Mr. Halderman, professor of
computer science at the University of
3
00:00:24,779 --> 00:00:32,598
Michigan. Famous for inventing things like
Let's Encrypt, finding the--
4
00:00:32,598 --> 00:00:33,620
applause
5
00:00:33,620 --> 00:00:38,050
Herald Angel: There's more.
applause
6
00:00:38,050 --> 00:00:49,770
Herald Angel: But wait, there's more! Logjam
-- I love buzzword bingo -- and zmap.
7
00:00:49,770 --> 00:00:55,520
And now he's going to talk about
American elections. Thank you.
8
00:00:55,520 --> 00:01:00,760
J. Alex Halderman: All right. Thank you so
much. It's fantastic to be back at
9
00:01:00,760 --> 00:01:07,259
Congress this year. Two years ago I was
here with Matt Bernhard one of my Ph.D.
10
00:01:07,259 --> 00:01:13,000
students and we gave an update about what
happened during the 2016 presidential
11
00:01:13,000 --> 00:01:22,460
election. Today a lot has changed and a
lot remains the same. And I'm here to let
12
00:01:22,460 --> 00:01:27,830
you know what we've learned about what
happened in the 2016 election and what we
13
00:01:27,830 --> 00:01:32,330
still need to do to make sure elections in
the U.S. and around the world are well
14
00:01:32,330 --> 00:01:40,990
protected. So, a quick flashback. On
November 8th, 2016 Donald Trump became
15
00:01:40,990 --> 00:01:46,210
president of the United States by beating
some other person. Now history quickly
16
00:01:46,210 --> 00:01:53,170
forgets the losers in presidential
elections. And it really doesn't matter
17
00:01:53,170 --> 00:02:00,170
who Donald Trump beat, because today, for
better or for worse, he is the president.
18
00:02:00,170 --> 00:02:06,920
But how close was the election? President
Trump likes to talk about how he won by a
19
00:02:06,920 --> 00:02:14,250
landslide, but actually he was the fifth
person in American history to win the
20
00:02:14,250 --> 00:02:20,700
presidency while losing the popular vote.
In fact his opponent received 3 million
21
00:02:20,700 --> 00:02:26,920
more votes in the election than President
Trump did. How can that happen? Well we
22
00:02:26,920 --> 00:02:33,011
have this crazy system called the
Electoral College. And in the Electoral
23
00:02:33,011 --> 00:02:38,349
College each state has a certain number of
points, and Donald Trump ended up getting
24
00:02:38,349 --> 00:02:43,840
more of those points. But if we want to
ask "How close was the election,
25
00:02:43,840 --> 00:02:49,660
really?"... well that depends on the way
each state allocates its electoral votes,
26
00:02:49,660 --> 00:02:58,319
and most are "winner-take-all". So we
might ask how many votes would, say, an
27
00:02:58,319 --> 00:03:03,590
attacker have had to change in the
smallest number of states in order to
28
00:03:03,590 --> 00:03:07,850
change the election result in order to,
say, make it a tie instead of a win for
29
00:03:07,850 --> 00:03:14,310
President Trump. And it turns out that if
you look at the three closest states, they
30
00:03:14,310 --> 00:03:19,580
could be flipped with a very very small
number of votes changing, and changing
31
00:03:19,580 --> 00:03:24,370
just any two of these three states would
have been enough to reverse the outcome of
32
00:03:24,370 --> 00:03:29,750
the presidential election. If we look at
the next few closest states they also have
33
00:03:29,750 --> 00:03:36,220
very small margins, and any three of these
six states would have sufficed to change
34
00:03:36,220 --> 00:03:42,650
the election result. In total just
changing twenty seven thousand, five
35
00:03:42,650 --> 00:03:49,519
hundred votes from Donald Trump to Donald
Trump's opponent would have changed the
36
00:03:49,519 --> 00:03:55,590
outcome of the U.S. presidential election.
There were 137 million votes in total.
37
00:03:55,590 --> 00:04:03,200
That's a change of just 0.02 percent. That
is a very close electoral result by even
38
00:04:03,200 --> 00:04:10,450
contemporary American standards. And
that's why the possibilities of computer
39
00:04:10,450 --> 00:04:17,019
hacking, voting machine manipulation,
information warfare that actually did take
40
00:04:17,019 --> 00:04:24,690
place, some of them in 2016, not only have
the possibility to have affected the 2016
41
00:04:24,690 --> 00:04:29,190
election result but stand to have the
possibility to affect future election
42
00:04:29,190 --> 00:04:37,050
results as well. And that's why election
security is so important right now. But if
43
00:04:37,050 --> 00:04:43,280
we go back to 2016, when I was speaking
here two years ago, the main thing I was
44
00:04:43,280 --> 00:04:48,430
talking about were recounts in three
states: Wisconsin, Michigan, and
45
00:04:48,430 --> 00:04:53,900
Pennsylvania, that I and other election
security advocates had a big role in
46
00:04:53,900 --> 00:04:59,360
orchestrating. Well we realized after 2016
that this was a close and unexpected
47
00:04:59,360 --> 00:05:05,240
election result, but no one was going to
go back and check the physical evidence of
48
00:05:05,240 --> 00:05:11,750
the votes: the actual paper ballots in any
states that really mattered to make sure
49
00:05:11,750 --> 00:05:16,920
that the computer election results we have
been told about were right. Well, when I
50
00:05:16,920 --> 00:05:22,290
and others pointed this out to the public
it resulted in an overwhelming show of
51
00:05:22,290 --> 00:05:27,980
support. And one of the third-party
presidential candidates, Jill Stein, stepped
52
00:05:27,980 --> 00:05:34,040
in and had the legal standing to demand
recounts in states where she stood for
53
00:05:34,040 --> 00:05:38,350
election, even though she had no chance of
winning. And she raised through small
54
00:05:38,350 --> 00:05:43,290
donations from the public more than seven
million dollars to fund efforts to go back
55
00:05:43,290 --> 00:05:49,419
and count and check the votes to make sure
things were right. Unfortunately, a
56
00:05:49,419 --> 00:05:54,840
recount after an American election is a
politically fraught process, and in all
57
00:05:54,840 --> 00:06:02,100
three states we found opposition from the
apparent winner of the election, we found
58
00:06:02,100 --> 00:06:07,229
challenges in the courts, and only one of
those states, Wisconsin, ended up
59
00:06:07,229 --> 00:06:13,039
recounting all of its ballots and found no
evidence of fraud. In Michigan the
60
00:06:13,039 --> 00:06:20,580
recounts were halted after only a few days
with less than half of the votes counted
61
00:06:20,580 --> 00:06:25,830
after a court challenge by the
Republicans. Again, no evidence of fraud
62
00:06:25,830 --> 00:06:31,860
in the votes that were recounted. And in
Pennsylvania, unfortunately, like many
63
00:06:31,860 --> 00:06:36,930
states most of the state had no paper
trail at all. There was nothing to
64
00:06:36,930 --> 00:06:42,389
recount: just digital records and
machines. The courts denied the Stein
65
00:06:42,389 --> 00:06:48,620
campaign the right to have independent
experts examine the machines, and in very
66
00:06:48,620 --> 00:06:52,639
few of the places in the rest of the
state, the small amount that did have
67
00:06:52,639 --> 00:07:00,270
paper actually did complete a recount. But
still there was no evidence of fraud. So
68
00:07:00,270 --> 00:07:05,300
in all there is no evidence that hacking
of voting machines -- hacking of actual
69
00:07:05,300 --> 00:07:11,240
vote counts -- changed the outcome of the
2016 election. But there is abundant
70
00:07:11,240 --> 00:07:17,850
evidence that cyberattacks of other forms
had a major influence on the election,
71
00:07:17,850 --> 00:07:22,639
certainly could have a huge influence on
future elections. And that's what I'm
72
00:07:22,639 --> 00:07:28,940
going to talk about today. So first
looking back at 2016 in the two years
73
00:07:28,940 --> 00:07:33,639
since I was last here we have learned a
lot more about what really took place
74
00:07:33,639 --> 00:07:42,900
during the 2016 election. Starting just
January of 2017 when the U.S. intelligence
75
00:07:42,900 --> 00:07:51,169
community -- the CIA, NSA, and other three
letter agencies -- who often in this
76
00:07:51,169 --> 00:07:57,009
community we don't trust, still came out
and released a joint assessment in which
77
00:07:57,009 --> 00:08:04,490
they rated with very high confidence the
conclusion that attackers linked to Russia
78
00:08:04,490 --> 00:08:10,380
were ordered by Russian President Vladimir
Putin to interfere with the American
79
00:08:10,380 --> 00:08:16,000
election in order to weaken Clinton, boost
Donald Trump, and discredit the electoral
80
00:08:16,000 --> 00:08:21,479
process as a whole. They called it a
significant escalation of longstanding
81
00:08:21,479 --> 00:08:28,860
Russian efforts to undermine the US-led
liberal democratic order. So where's the
82
00:08:28,860 --> 00:08:34,448
evidence that this actually happened? And
what actually happened? According to not
83
00:08:34,448 --> 00:08:39,328
only the intelligence reports but other
information from other sources we can use
84
00:08:39,328 --> 00:08:45,939
to see whether it's credible. Well
what happened in the U.S. actually looks a
85
00:08:45,939 --> 00:08:51,190
lot like something that happened in 2014
in Ukraine, where, according to other
86
00:08:51,190 --> 00:08:58,220
published reports, attackers linked to
Russia engaged in a multipronged attack to
87
00:08:58,220 --> 00:09:04,089
try to undermine the presidential election
there. They released targeted leaks of
88
00:09:04,089 --> 00:09:09,740
e-mails linked to the presidential
campaign. They attacked the Election
89
00:09:09,740 --> 00:09:14,269
Commission's servers in order to cause
them to initially post the wrong
90
00:09:14,269 --> 00:09:19,139
presidential winner. And this was
apparently detected and narrowly averted
91
00:09:19,139 --> 00:09:24,319
only hours before the winner was to be
announced. And they orchestrated DDoS
92
00:09:24,319 --> 00:09:30,790
attacks to try to delay the election
results. In the U.S. in 2016 we saw a
93
00:09:30,790 --> 00:09:36,430
similar multipronged attack of targeted
political leaks, trolling and message
94
00:09:36,430 --> 00:09:42,550
amplification on social media, and attacks
against election infrastructure. So the
95
00:09:42,550 --> 00:09:48,279
targeted political leaks, you've probably
heard about some of this. You have e-mails
96
00:09:48,279 --> 00:09:54,189
stolen from the Democratic National
Committee through a hacking campaign that
97
00:09:54,189 --> 00:10:00,639
involved two different Russian-linked
military groups hacking into the DNC
98
00:10:00,639 --> 00:10:06,779
servers, installing customized malware and
exfiltrating thousands of e-mails that
99
00:10:06,779 --> 00:10:13,149
were then published by WikiLeaks. Later,
John Podesta -- Clinton's campaign
100
00:10:13,149 --> 00:10:20,299
chairman -- also had his personal email
compromised, and Podesta's emails were
101
00:10:20,299 --> 00:10:25,100
similarly published by WikiLeaks. Whatever
you think about WikiLeaks -- and
102
00:10:25,100 --> 00:10:30,230
government transparency, and I myself am a
huge fan of transparency -- there's
103
00:10:30,230 --> 00:10:36,220
clearly something subversive and
manipulative about just one side being
104
00:10:36,220 --> 00:10:41,720
targeted, and being targeted by other
foreign nations, and having its dirty
105
00:10:41,720 --> 00:10:46,630
laundry aired for the world to see. This
is subverting the entire notion of
106
00:10:46,630 --> 00:10:52,730
transparency, turning our need for true
information about politicians against us
107
00:10:52,730 --> 00:10:59,279
and manipulating the entire process. John
Podesta, since his e-mails were all leaked
108
00:10:59,279 --> 00:11:03,540
to the public, well, we can go and see the
phishing attack e-mail that got his
109
00:11:03,540 --> 00:11:09,399
password, and here it is. So this mail
sent to John Podesta claims to be from
110
00:11:09,399 --> 00:11:13,680
Gmail saying that someone has tried to
sign in with his password and he urgently
111
00:11:13,680 --> 00:11:20,939
needs to change it by clicking here. Well
he did click there and Russia got his
112
00:11:20,939 --> 00:11:27,509
password. We also see his staff talking
about this e-mail and one of his staffers
113
00:11:27,509 --> 00:11:32,550
recognized that this was a phishing
attempt and emailed urgently telling John
114
00:11:32,550 --> 00:11:38,810
Podesta to change his password immediately
but he typo'd. In dashing out this e-mail
115
00:11:38,810 --> 00:11:44,019
he wrote that this is a "legitimate
e-mail". He has subsequently claimed every
116
00:11:44,019 --> 00:11:47,759
time he's talked about it that he meant to
write "illegitimate" not "legitimate".
117
00:11:47,759 --> 00:11:55,410
Well, the rest is history. A couple of
extra letters might have changed a lot. So
118
00:11:55,410 --> 00:12:00,199
beyond the e-mail leaks we've seen an
orchestrated campaign on social media
119
00:12:00,199 --> 00:12:06,600
through trolls and false identities to try
to manipulate people's opinions, to try to
120
00:12:06,600 --> 00:12:12,189
create political divisions between people,
to try to amplify certain discordant
121
00:12:12,189 --> 00:12:17,819
messages. That could be a whole talk in
itself, and I'm not going to go deep into
122
00:12:17,819 --> 00:12:23,329
the trolling and message amplification,
but it's a subject that is an ongoing form
123
00:12:23,329 --> 00:12:29,259
of attack that again turns our tools of
communication against us. People need to
124
00:12:29,259 --> 00:12:34,149
know whether the information they're
reading is really what other people they
125
00:12:34,149 --> 00:12:40,079
know and are like them think, or whether
it's being generated by bots, by attacks.
126
00:12:40,079 --> 00:12:44,870
Alright this kind of artificial
amplification and manipulation of
127
00:12:44,870 --> 00:12:51,259
messaging turns us against each other.
Finally, and the category of attacks that
128
00:12:51,259 --> 00:12:55,639
I want to talk about most today because I
think they're the most relevant for our
129
00:12:55,639 --> 00:13:01,509
community, are attacks against election
infrastructure itself: the increasingly
130
00:13:01,509 --> 00:13:06,939
computerized systems that we use to run
elections, not just in the US but in
131
00:13:06,939 --> 00:13:12,459
countries around the world. There were
attacks against voter registration systems
132
00:13:12,459 --> 00:13:18,350
in states across the country, organized by
the same Russian groups. There were
133
00:13:18,350 --> 00:13:24,809
attacks against companies that make
technology used in polling places. In all,
134
00:13:24,809 --> 00:13:29,819
the intelligence assessment is that up to
21 states had their voter registration
135
00:13:29,819 --> 00:13:34,569
systems probed. Now of course how can you
go back in time and know for sure that
136
00:13:34,569 --> 00:13:38,889
others were not probed, were not
compromised. That's very difficult, even
137
00:13:38,889 --> 00:13:44,809
if you are, say, the NSA and are watching
everyone's network traffic. However we
138
00:13:44,809 --> 00:13:49,449
know that in multiple states the attackers
got in through SQL injection, through
139
00:13:49,449 --> 00:13:53,110
other attacks, and were able to steal
hundreds of thousands of voters'
140
00:13:53,110 --> 00:14:06,669
registration records. More information
came out later in 2017 through leaked
141
00:14:06,669 --> 00:14:15,019
information from NSA. So this woman,
Reality Winner, an NSA contractor, leaked
142
00:14:15,019 --> 00:14:20,410
to the Intercept a series of intelligence
assessments that showed the Russian
143
00:14:20,410 --> 00:14:26,129
attacks went even farther, that they
executed attempts to break into the
144
00:14:26,129 --> 00:14:30,929
computer systems of at least one election
computer software vendor, and then after
145
00:14:30,929 --> 00:14:35,660
breaking into their systems started trying
to phish their way into the computers of
146
00:14:35,660 --> 00:14:39,859
local election administrators, the people
who actually run the technology on
147
00:14:39,859 --> 00:14:45,399
Election Day. For sharing this information
with us Reality Winner is currently
148
00:14:45,399 --> 00:14:52,629
serving a five year prison sentence for
violating the Espionage Act. But the
149
00:14:52,629 --> 00:15:01,149
information that she leaked has since been
corroborated. In July of this year
150
00:15:01,149 --> 00:15:06,160
prosecutors in the Special Counsel's
office -- this is the Robert Mueller
151
00:15:06,160 --> 00:15:12,149
investigation of Russian interference and
collusion -- indicted a set of GRU
152
00:15:12,149 --> 00:15:18,329
officers, Russian military officers, in
conjunction with the voter registration
153
00:15:18,329 --> 00:15:23,049
system attacks, the theft of email from
the Democrats, and the attempts to indict
154
00:15:23,049 --> 00:15:28,220
local election officials. If you're
interested in this stuff I highly
155
00:15:28,220 --> 00:15:32,939
recommend you read this indictment. It's
about 20 pages of very detailed
156
00:15:32,939 --> 00:15:40,639
information asserting and apparently
detailing exactly who these people were,
157
00:15:40,639 --> 00:15:46,299
where they worked, what they did. Step by
step. Now it's scary to think that we might
158
00:15:46,299 --> 00:15:51,460
have such detailed information about
crimes that took place in the past. It
159
00:15:51,460 --> 00:15:58,290
doesn't say how we learned, for instance,
that this certain officer, Anatoly
160
00:15:58,290 --> 00:16:09,379
Kovalev, was working for unit 74455 of the
GRU at 22 Kirabo Street Building, the
161
00:16:09,379 --> 00:16:16,800
tower, and quite how he pulled off each
step in the attack that's asserted here.
162
00:16:16,800 --> 00:16:21,930
But as the Mueller indictments advance, as
the special prosecutor's case comes
163
00:16:21,930 --> 00:16:30,019
together, we're likely to learn a lot more.
And what's to come in 2018 as the Mueller
164
00:16:30,019 --> 00:16:33,540
investigation winds down, I think we're
going to learn a lot more about quite who
165
00:16:33,540 --> 00:16:39,050
ordered what, about who in the United
States was involved, and about whether the
166
00:16:39,050 --> 00:16:50,589
attacks went even further than we have so
far discovered. So that's 2016
167
00:16:50,589 --> 00:16:55,790
and what we've learned about 2016,
but I'm here today to give you a
168
00:16:55,790 --> 00:17:04,480
progress report on 2018. So what happened
during the 2018 election? Well we saw
169
00:17:04,480 --> 00:17:08,859
several things during the November
election this year. According to
170
00:17:08,859 --> 00:17:13,569
intelligence, once again, we have
allegations of continued social media
171
00:17:13,569 --> 00:17:19,888
influence operations, this time allegedly
linked to not only Russia, but China and
172
00:17:19,888 --> 00:17:27,648
Iran. Now I think it's very difficult to
independently comment on and establish
173
00:17:27,648 --> 00:17:31,740
whether these allegations are true or even
to understand the full extent of the
174
00:17:31,740 --> 00:17:35,990
social media involvement, because it's
just a small set of large Internet
175
00:17:35,990 --> 00:17:41,440
companies that have the raw data that we
need to analyze. However the best reports
176
00:17:41,440 --> 00:17:45,559
we have are these assessments from the
intelligence community that the social
177
00:17:45,559 --> 00:17:52,890
media influence is ongoing. We also saw
sporadic breakdowns of voting machines.
178
00:17:52,890 --> 00:17:57,320
Now patterns of breakdowns of voting
machines could be the indication of an
179
00:17:57,320 --> 00:18:02,540
attack. But in 2018 all of them seem to
have perfectly natural explanations. In
180
00:18:02,540 --> 00:18:07,450
New York City for instance many optical
scan machines broke down and jammed and
181
00:18:07,450 --> 00:18:12,799
caused long lines but apparently it was
because it was raining and that causes the
182
00:18:12,799 --> 00:18:18,010
paper to swell a little bit, these
machines to mis-feed and so on. So this is
183
00:18:18,010 --> 00:18:26,740
probably just natural failure. We also had
unfortunate human error for not the first
184
00:18:26,740 --> 00:18:32,960
time. An election in Florida potentially
had the result changed because of very bad
185
00:18:32,960 --> 00:18:40,740
usability design in just the layout of the
ballot. So in Broward County, Florida
186
00:18:40,740 --> 00:18:45,759
3.7 percent fewer voters cast a vote at all
in the U.S. Senate race than the race for
187
00:18:45,759 --> 00:18:50,850
governor. This was potentially enough
because of the demographics of Broward to
188
00:18:50,850 --> 00:18:56,639
change the outcome of the Florida Senate
race. Here's why: Here's the ballot. So
189
00:18:56,639 --> 00:19:03,580
this is the race for governor, which most
voters filled out, as you would expect.
190
00:19:03,580 --> 00:19:08,380
Right down there underneath that long
column of instructions is the U.S. senator
191
00:19:08,380 --> 00:19:13,460
race. So you imagine this ballot. It's
much larger than a normal piece of paper.
192
00:19:13,460 --> 00:19:17,809
At the bottom of that is hanging off your
desk as you're filling it in. I can see
193
00:19:17,809 --> 00:19:22,260
how 3.7 percent of voters might have
completely missed that race in the first
194
00:19:22,260 --> 00:19:29,889
column. Finally we had the old-fashioned
political fraud. In North Carolina a race
195
00:19:29,889 --> 00:19:34,540
for the House of Representatives was
decided by only about 900 votes. But it's
196
00:19:34,540 --> 00:19:40,000
come out since then that operatives
working for the Republican candidate
197
00:19:40,000 --> 00:19:45,070
allegedly stole or manipulated a large
number of absentee ballots, and the
198
00:19:45,070 --> 00:19:51,549
candidate there hasn't been certified yet,
and likely won't be seated on time. There are
199
00:19:51,549 --> 00:19:55,909
multiple investigations going on into
exactly what happened, but it goes to show
200
00:19:55,909 --> 00:20:01,809
you that political fraud is a reality. And
even outside the domain of computers it
201
00:20:01,809 --> 00:20:07,049
continues to this day. Now if you can
imagine an election can be changed by just
202
00:20:07,049 --> 00:20:11,850
a few people working on the ground, going
around collecting people's mail in ballots
203
00:20:11,850 --> 00:20:17,519
and promising to return them for them,
well imagine what nation state attackers
204
00:20:17,519 --> 00:20:23,570
could do to a vulnerable and highly
computerized online infrastructure. But on
205
00:20:23,570 --> 00:20:36,000
the whole 2018 was, well, eerily quiet. But
if we go back to 2016... so the U.S. Senate
206
00:20:36,000 --> 00:20:41,900
Intelligence Committee, a bipartisan group
controlled by Republicans in the Senate,
207
00:20:41,900 --> 00:20:47,179
issued its report earlier this year about
2016. They pointed out that they found
208
00:20:47,179 --> 00:20:52,100
that in a number of the states where
Russia attacked the registration systems,
209
00:20:52,100 --> 00:20:57,559
the Russian hackers were in a position to,
at a minimum, alter or destroy the voter
210
00:20:57,559 --> 00:21:02,029
registration data, which, if undetected,
would have caused massive chaos on
211
00:21:02,029 --> 00:21:06,230
election day when people showed up to vote
and were told that they weren't on the
212
00:21:06,230 --> 00:21:13,309
election rolls. But those attackers chose
not to pull the trigger. And I think
213
00:21:13,309 --> 00:21:18,210
that's exactly what happened in 2018. It
was quiet, not because we've adequately
214
00:21:18,210 --> 00:21:22,890
secured our election systems, but because
our adversaries this year chose not to
215
00:21:22,890 --> 00:21:28,210
pull the trigger. They're waiting for the
bigger prize in 2020 when we're likely to
216
00:21:28,210 --> 00:21:39,080
once again have a close and divisive
presidential contest. So what do I worry
217
00:21:39,080 --> 00:21:45,200
about? What I worry about most is not the
last war -- registration systems, all of
218
00:21:45,200 --> 00:21:49,990
that -- but the bigger prize: the 2020
election and the vulnerabilities in the
219
00:21:49,990 --> 00:21:57,880
way that we cast and count votes in the
U.S. Now I testified about this in 2017 to
220
00:21:57,880 --> 00:22:03,110
the Senate Intelligence Committee and --
that's actually not me; that's
221
00:22:03,110 --> 00:22:08,659
former FBI Director Comey-- but two weeks
later I was sitting in the same chair with
222
00:22:08,659 --> 00:22:15,059
far fewer TV cameras and testified that
the real lesson of 2016 is that the
223
00:22:15,059 --> 00:22:20,470
threats are real and that the attackers
will be back. And this is the picture I
224
00:22:20,470 --> 00:22:28,240
painted: so U.S. voting machines have their
own extreme set of vulnerabilities. I was
225
00:22:28,240 --> 00:22:33,080
going to bring one of these machines,
AccuVote TSX with me here today. This
226
00:22:33,080 --> 00:22:40,049
machine is still used in many parts of the
U.S., but my machine has been in Germany
227
00:22:40,049 --> 00:22:46,420
for about a week and FedEx doesn't know
where it is. So if it shows up I'll have
228
00:22:46,420 --> 00:22:51,000
it somewhere for people to play with, but
my advice is if you have to ship something
229
00:22:51,000 --> 00:22:57,720
urgent to Germany don't send it via FedEx.
What I would have shown you though is a
230
00:22:57,720 --> 00:23:01,940
mock election on this machine and the mock
election I always like to do to keep it
231
00:23:01,940 --> 00:23:05,851
from getting too political is between
George Washington, the father of the
232
00:23:05,851 --> 00:23:10,770
country, and Benedict Arnold, the traitor
of the American Revolution. And of course
233
00:23:10,770 --> 00:23:16,620
everyone likes to vote for George
Washington. But these machines are so
234
00:23:16,620 --> 00:23:22,799
vulnerable. So I would have shown you an
attack whereby I can compromise this
235
00:23:22,799 --> 00:23:28,419
machine and cause it to report the wrong
election outcome without having any direct
236
00:23:28,419 --> 00:23:32,929
physical access to the voting machines.
Instead all an attacker needs to do is be
237
00:23:32,929 --> 00:23:37,419
able to infect these memory cards that
election officials use before every
238
00:23:37,419 --> 00:23:42,409
election to program the machine with the
design of the ballot -- that is, the
239
00:23:42,409 --> 00:23:46,220
races, the candidates, the rules for
counting. If an attacker can infect the
240
00:23:46,220 --> 00:23:51,330
memory card there are a whole host of
different ways that the attacker can
241
00:23:51,330 --> 00:23:57,269
compromise the machine and install malware
on the voting machine itself. There is an
242
00:23:57,269 --> 00:24:01,929
unauthenticated software update mechanism
that can replace the election software.
243
00:24:01,929 --> 00:24:06,110
There are buffer overflows in the code
that's used to read the ballot design and
244
00:24:06,110 --> 00:24:10,999
process it. There's even an interpreted
programming language that's used to
245
00:24:10,999 --> 00:24:16,320
generate the reports of who won. So you
can just replace the honest counting
246
00:24:16,320 --> 00:24:21,230
software with dishonest counting software
right on the memory card, and that's what
247
00:24:21,230 --> 00:24:25,590
will get executed and determine the
election results. Any of these ways would
248
00:24:25,590 --> 00:24:31,629
be sufficient. So when the machine counts
the votes at the end of the election it
249
00:24:31,629 --> 00:24:36,030
prints out a little cash register receipt
that becomes the official record of the
250
00:24:36,030 --> 00:24:40,610
result. That's controlled by the
interpreted programming language on the
251
00:24:40,610 --> 00:24:46,000
memory card. And on my machine, no matter
who you vote for, Benedict Arnold is going
252
00:24:46,000 --> 00:24:51,139
to win. And that's because the malware I
install via the memory card is in complete
253
00:24:51,139 --> 00:24:56,899
control of the election results. And there
are more problems than that. So these
254
00:24:56,899 --> 00:25:03,310
voting machines like the AccuVote TSX have
been studied by academic researchers, by
255
00:25:03,310 --> 00:25:08,769
independent researchers, by groups
commissioned by secretaries of state in
256
00:25:08,769 --> 00:25:13,360
various states around the country. And
every time the same machine is studied
257
00:25:13,360 --> 00:25:18,070
again, groups find new vulnerabilities.
This is part of the table of contents from
258
00:25:18,070 --> 00:25:23,340
a report I helped to author ten years ago
about the AccuVote TSX, and you can see
259
00:25:23,340 --> 00:25:28,380
just this one page of several pages of
vulnerabilities in this single machine.
260
00:25:28,380 --> 00:25:33,179
These things are so poorly designed;
they're so complex. Each of the voting
261
00:25:33,179 --> 00:25:38,299
systems has on the order of a million
lines of source code. And that's on top
262
00:25:38,299 --> 00:25:43,920
of, in this case, on top of an old and
unsupported version of Windows CE. There's
263
00:25:43,920 --> 00:25:51,029
no way that these things could possibly be
secure. But the AccuVote TSX is still used
264
00:25:51,029 --> 00:25:57,749
in 18 states. In many of these states it's
still used with software that predates
265
00:25:57,749 --> 00:26:02,130
that 2007 report I just showed you. We've
had known buffer overflows and other
266
00:26:02,130 --> 00:26:06,970
problems in this firmware for more than 10
years and some states still have not
267
00:26:06,970 --> 00:26:14,649
updated the software. That's how bad it
is. But it's not just that one machine. So
268
00:26:14,649 --> 00:26:20,460
in the US every state gets to pick its own
election technology. There are no federal
269
00:26:20,460 --> 00:26:27,140
rules that require states to use any
particular kind of technology or testing,
270
00:26:27,140 --> 00:26:31,370
and you might ask, especially from the
European perspective, why don't we just
271
00:26:31,370 --> 00:26:38,210
count votes by hand like a civilized
country. Well here's part of the answer.
272
00:26:38,210 --> 00:26:44,799
This is one example of a ballot from one
part of the country and it's eight pages
273
00:26:44,799 --> 00:26:50,009
long. We insist on voting for not only the
federal races but the state and local
274
00:26:50,009 --> 00:26:56,870
races and even city races. The joke is
even for dog catcher. And this complexity,
275
00:26:56,870 --> 00:27:01,889
well, counting ballots by hand scales
linearly with the number of questions and
276
00:27:01,889 --> 00:27:07,759
our ballots by tradition are just too
complicated to efficiently count manually.
277
00:27:07,759 --> 00:27:13,491
So we turn to computers, and about half
the country-- well, really there are two
278
00:27:13,491 --> 00:27:20,830
different styles of voting machines that
we use. Some of them are optical scanners
279
00:27:20,830 --> 00:27:25,750
where the voter fills in a piece of paper,
and it gets scanned in by a computer. The
280
00:27:25,750 --> 00:27:31,460
rest are touch screen machines and others
that we call DREs -- direct recording
281
00:27:31,460 --> 00:27:36,490
electronic. On these machines voters cast
a vote on the screen; it gets recorded in
282
00:27:36,490 --> 00:27:41,440
electronic memory; some of them will also
generate a print out of each vote, but
283
00:27:41,440 --> 00:27:46,890
that's relatively rare. In many cases the
only record of the vote is in a computer
284
00:27:46,890 --> 00:27:54,940
memory. So in study after study these
machines have been examined, and in every
285
00:27:54,940 --> 00:27:59,510
case, for both the optical scanners and
the DREs, where a machine has been tested
286
00:27:59,510 --> 00:28:04,669
by qualified people, well, it's been found
to have vulnerabilities that would allow
287
00:28:04,669 --> 00:28:10,510
an attacker to install vote stealing
malware and change the electronic results.
288
00:28:10,510 --> 00:28:19,340
Every single case. So how hard would it be
to go from hacking these individual
289
00:28:19,340 --> 00:28:25,360
machines to say changing the results of a
presidential election? Unfortunately much
290
00:28:25,360 --> 00:28:30,610
easier than we might think. There'd be
three challenges to doing this in a way
291
00:28:30,610 --> 00:28:36,960
that would likely be invisible. The first
challenge is that the machines are, well,
292
00:28:36,960 --> 00:28:40,679
many different types. They're diverse;
they're decentralized. Each state's system
293
00:28:40,679 --> 00:28:44,590
is independent, and thank goodness! Because
that means that we don't have just a
294
00:28:44,590 --> 00:28:51,850
single place you can hack into to change
results nationwide. Unfortunately, because
295
00:28:51,850 --> 00:28:58,529
of our electoral college system, this
diversity of technology can turn into a
296
00:28:58,529 --> 00:29:04,049
weakness in very close elections. So
remember I said that just any three of six
297
00:29:04,049 --> 00:29:09,299
states, for instance in 2016, would have
been sufficient to flip the outcome of the
298
00:29:09,299 --> 00:29:14,980
presidential election. Well before an
election an attacker can scan all the
299
00:29:14,980 --> 00:29:19,730
states, figure out which ones are most
weakly protected, and, if they can find
300
00:29:19,730 --> 00:29:24,899
enough weakly protected ones to strike in,
that could be sufficient to change the
301
00:29:24,899 --> 00:29:29,960
national results. So the attacker gets to
pick and choose, because our diversity of
302
00:29:29,960 --> 00:29:36,009
technology also means a diversity of
strength and weakness. The second
303
00:29:36,009 --> 00:29:40,230
challenge is that, as election officials
often point out, the voting machines
304
00:29:40,230 --> 00:29:43,960
aren't connected to the Internet, or at
least they're not supposed to be. It turns
305
00:29:43,960 --> 00:29:48,950
out that some of them are, because they
upload their results over a 4G cellular
306
00:29:48,950 --> 00:29:56,309
modem right after election results are
complete. But let's just suppose they're
307
00:29:56,309 --> 00:30:00,710
not connected to the Internet. All right.
It turns out that's still not enough to
308
00:30:00,710 --> 00:30:05,799
protect us. So as I said before every
election every single voting machine in
309
00:30:05,799 --> 00:30:10,789
the country has to be programmed with the
ballot design and that ballot programming
310
00:30:10,789 --> 00:30:15,640
is created by election officials on a
computer workstation somewhere, usually an
311
00:30:15,640 --> 00:30:21,650
old Windows PC. Those computer
workstations can sometimes service an
312
00:30:21,650 --> 00:30:26,840
entire county, sometimes an entire state.
Sometimes they're controlled by
313
00:30:26,840 --> 00:30:32,649
independent external contractors that can
perform work across multiple states. And
314
00:30:32,649 --> 00:30:37,369
if an attacker can infiltrate one of those
systems they can spread vote stealing
315
00:30:37,369 --> 00:30:44,039
malware on the memory cards to voting
machines across the whole region. So how
316
00:30:44,039 --> 00:30:48,369
hard would it be to break into one of
these systems? Well in Michigan, my state,
317
00:30:48,369 --> 00:30:54,210
in 2016, about three quarters of counties
outsourced this programming to just three
318
00:30:54,210 --> 00:30:59,279
small businesses. These are 10-20 person
companies operating in strip malls and so
319
00:30:59,279 --> 00:31:03,929
forth -- the same companies that the
jurisdictions buy their ballot boxes and
320
00:31:03,929 --> 00:31:07,989
"I voted" stickers from. Here's the
website of one of them. You can see it
321
00:31:07,989 --> 00:31:13,889
doesn't have HTTPS, has lots of nice high
resolution photos of their warehouse in
322
00:31:13,889 --> 00:31:19,039
case you want to burglarize it, and,
probably most interestingly to an
323
00:31:19,039 --> 00:31:22,759
attacker, they have this nice employee
directory with everyone's name,
324
00:31:22,759 --> 00:31:28,799
photograph, job title, and email address.
So if I wanted to break into elections in
325
00:31:28,799 --> 00:31:33,679
Michigan I might start by, say, forging an
email from Larry the president there to
326
00:31:33,679 --> 00:31:39,491
Sue his administrative assistant and say I
urgently need you to open this file. After
327
00:31:39,491 --> 00:31:44,549
she does, of course, it installs my malware
on their network, I'm in. I'm one step away
328
00:31:44,549 --> 00:31:49,690
from the election programming system and
spreading malware to machines across a
329
00:31:49,690 --> 00:31:56,769
quarter of the state. All right, there's
one more challenge. And that's that today
330
00:31:56,769 --> 00:32:01,669
more than 70 percent of US votes are
recorded on a piece of paper. And this is
331
00:32:01,669 --> 00:32:07,249
great! This is much more than ten years
ago because officials have been listening
332
00:32:07,249 --> 00:32:10,769
to computer scientists and security
experts who have been warning about the
333
00:32:10,769 --> 00:32:16,960
dangers of fully electronic voting. And
paper might seem like a step backwards,
334
00:32:16,960 --> 00:32:22,500
but it's actually a pretty high tech way
of thinking. In any kind of critical
335
00:32:22,500 --> 00:32:26,889
system, if we can afford to have a
physical failsafe in case of technology
336
00:32:26,889 --> 00:32:31,649
problems it's a good idea to do that. This
is why if you fly on a commercial
337
00:32:31,649 --> 00:32:36,470
aircraft... well, it has a very fancy
satellite-guided navigation system, but
338
00:32:36,470 --> 00:32:41,539
also, by law, there's a magnetic compass in
the cockpit. It's also why in your
339
00:32:41,539 --> 00:32:47,220
car...well you probably want to have a
mechanical linkage between the brake pedal
340
00:32:47,220 --> 00:32:54,280
and the brakes just in case... well, you
know. So paper can be a very sophisticated
341
00:32:54,280 --> 00:32:59,460
defense. It's relatively slow and
expensive to tally, but it's something
342
00:32:59,460 --> 00:33:05,399
that's verified by the voter and that
can't be changed later in a cyberattack.
343
00:33:05,399 --> 00:33:10,350
Meanwhile we also get an electronic record
from systems like optical scanners that's
344
00:33:10,350 --> 00:33:16,179
fast and cheap to tally, but unverified.
As long as we make sure that these records
345
00:33:16,179 --> 00:33:19,970
agree well then changing the election
result would require you to change the
346
00:33:19,970 --> 00:33:23,990
electronic record through a high tech
attack. And the paper records through a
347
00:33:23,990 --> 00:33:28,340
low tech attack and in a way that
agrees, and that would require a truly
348
00:33:28,340 --> 00:33:33,919
extraordinary conspiracy. And to check
that the paper is right... Well we have
349
00:33:33,919 --> 00:33:38,989
high tech approaches to that too. You
don't have to count all of it. In fact
350
00:33:38,989 --> 00:33:43,860
over the last ten years computer
scientists and statisticians have
351
00:33:43,860 --> 00:33:48,570
developed very sophisticated ways of just
spot checking the paper record to make
352
00:33:48,570 --> 00:33:53,100
sure that it's right and these are called
risk limiting audits. A risk limiting
353
00:33:53,100 --> 00:33:58,249
audit is a statistical process in which
you can count randomly selected ballots
354
00:33:58,249 --> 00:34:01,960
until you establish with high confidence
that hand counting all of them would
355
00:34:01,960 --> 00:34:07,539
determine the same winner. There are many
ways to do this but they all turn out to
356
00:34:07,539 --> 00:34:12,969
be, or many of them turn out to be
incredibly efficient. In a typical state
357
00:34:12,969 --> 00:34:19,809
with a fairly wide margin of victory just
spot checking a handful of ballots might
358
00:34:19,809 --> 00:34:23,570
be enough to establish with high
confidence that the winner really did win
359
00:34:23,570 --> 00:34:29,359
by a landslide. Of course if the election
result is a tie, logically you do have to
360
00:34:29,359 --> 00:34:34,649
look at all the ballots to establish that
it is indeed a tie. So the amount of work
361
00:34:34,649 --> 00:34:39,320
you have to do depends on how close the
election was. But in all cases you can
362
00:34:39,320 --> 00:34:44,340
find an efficient approach to determining,
without trusting the computer systems,
363
00:34:44,340 --> 00:34:50,569
that the paper really does reflect the
true winner. Unfortunately, well, most
364
00:34:50,569 --> 00:34:55,179
states don't do risk limiting audits. In
fact most states don't look at enough
365
00:34:55,179 --> 00:35:02,620
paper at all to determine that the winner
of a close election was genuine. So
366
00:35:02,620 --> 00:35:08,510
hacking a national election would probably
be easier than most of us thought. You can
367
00:35:08,510 --> 00:35:13,041
use pre-election polls and scanning to
determine which states to target, hack
368
00:35:13,041 --> 00:35:17,531
into the election management systems in
the most weakly protected ones, then
369
00:35:17,531 --> 00:35:22,180
infect voting machines with malware to
change, say, a few percent of the vote.
370
00:35:22,180 --> 00:35:26,859
The paper records might catch the fraud,
but you can rely on the fact that most
371
00:35:26,859 --> 00:35:31,060
states will throw it away without looking
at enough of it to determine who actually
372
00:35:31,060 --> 00:35:41,470
won. And that's the sorry situation that
unfortunately in 2018 we are still in. So
373
00:35:41,470 --> 00:35:47,859
since 2016, however, there has been a
change in mindset. Increasingly election
374
00:35:47,859 --> 00:35:52,640
officials have been listening to the
scientific community when we say you need
375
00:35:52,640 --> 00:35:57,549
a paper trail, and they're starting to
think that that is correct. Almost all
376
00:35:57,549 --> 00:36:03,329
states that don't have paper trails today
at least have people strongly advocating
377
00:36:03,329 --> 00:36:09,599
for replacing the equipment that's there.
And most other states, well, they at least
378
00:36:09,599 --> 00:36:13,920
have people starting to look into the
security and testing the security of other
379
00:36:13,920 --> 00:36:18,359
election related computer systems, like
their voter registration systems, to make
380
00:36:18,359 --> 00:36:24,280
sure that they're shored up. Now you don't
have to take it from me that paper ballots
381
00:36:24,280 --> 00:36:29,650
and post election audits are the way to go
to secure our election systems. Just this
382
00:36:29,650 --> 00:36:36,030
fall the National Academies of Sciences,
Engineering, and Medicine -- the authority
383
00:36:36,030 --> 00:36:40,410
on scientific advice to government --
released a report with their highest level
384
00:36:40,410 --> 00:36:45,740
of advice -- a consensus report -- urging
the adoption of paper and risk limiting
385
00:36:45,740 --> 00:36:51,270
audits, pointing out that this is a
pragmatic, robust, and necessary defense
386
00:36:51,270 --> 00:36:57,420
for elections. This report was written in
conjunction with election officials,
387
00:36:57,420 --> 00:37:01,869
people with experience administering
elections and it just goes to show you
388
00:37:01,869 --> 00:37:06,606
that at least the election officials who
have taken the time to understand the
389
00:37:06,606 --> 00:37:13,766
threat are waking up and starting to pay
attention to the path to a solution. The
390
00:37:13,766 --> 00:37:19,460
problem is that that solution will take
time to implement. And if we look at which
391
00:37:19,460 --> 00:37:24,890
states still don't have a paper trail, it
turns out that there are 14 where some or
392
00:37:24,890 --> 00:37:31,660
all votes still aren't recorded on paper,
and it's going to take between 130 and 420
393
00:37:31,660 --> 00:37:35,559
million dollars according to credible
estimates to replace all the machines
394
00:37:35,559 --> 00:37:41,410
still in those states. Some of them like
Pennsylvania are working to do that now,
395
00:37:41,410 --> 00:37:46,630
but in other states there still are no
plans in effect to get rid of the
396
00:37:46,630 --> 00:37:52,600
vulnerable machines. If we look at the
national map for post-election audits
397
00:37:52,600 --> 00:37:57,870
though the picture is a lot worse. And
this is what concerns me most. Although
398
00:37:57,870 --> 00:38:04,030
many states in 2018 did small pilots of
risk limiting audits, the majority of
399
00:38:04,030 --> 00:38:11,860
states still do not conduct audits that
can rigorously guarantee the electronic
400
00:38:11,860 --> 00:38:18,799
results of an election. And many still
have no plans to do so in time for 2020.
401
00:38:18,799 --> 00:38:22,369
Because risk limiting audits are so
efficient, the cost for auditing
402
00:38:22,369 --> 00:38:28,130
nationwide is ridiculously small. It would
cost according to my estimates less than
403
00:38:28,130 --> 00:38:33,410
25 million dollars a year to audit every
federal race nationally, potentially a lot
404
00:38:33,410 --> 00:38:38,099
less than that. But it requires
organization on the ground. And
405
00:38:38,099 --> 00:38:44,660
unfortunately in our system operations on
the ground are conducted by about 13,000
406
00:38:44,660 --> 00:38:51,359
local jurisdictions on Election Day. We
need national leadership. We need much
407
00:38:51,359 --> 00:38:57,380
more dispersed expertise in order to get
these protections in place, because if you
408
00:38:57,380 --> 00:39:03,450
don't actually look at the paper you might
as well not have it in the first place. So
409
00:39:03,450 --> 00:39:09,460
this year did see some movement in
Congress. In the spring, as part of the
410
00:39:09,460 --> 00:39:14,650
omnibus appropriations process, Congress
gave the states 380 million dollars in
411
00:39:14,650 --> 00:39:20,160
emergency election funding in order to
start working to secure their registration
412
00:39:20,160 --> 00:39:24,720
systems and polling places. This was great
in that it was money available
413
00:39:24,720 --> 00:39:29,089
immediately, and if you've been paying
attention, getting Congress to do much of
414
00:39:29,089 --> 00:39:34,810
anything these days is pretty hard. On the
other hand the money came with very
415
00:39:34,810 --> 00:39:41,069
limited oversight, with no standards about
how that money should be used, and isn't
416
00:39:41,069 --> 00:39:46,079
even enough to eliminate all of the
paperless machines because of the way it's
417
00:39:46,079 --> 00:39:52,490
spread out amongst the states. But it's an
important first step. We can look at a few
418
00:39:52,490 --> 00:39:58,040
of the states to see how they're doing,
and I pick these as a representative
419
00:39:58,040 --> 00:40:06,050
sample of the diversity of progress. In
Maryland, for instance, which until 2016
420
00:40:06,050 --> 00:40:09,620
used AccuVote touch-screen machines,
vulnerable to all of those problems I
421
00:40:09,620 --> 00:40:15,859
talked about, finally replaced the
machines with paper ballots. That's a huge
422
00:40:15,859 --> 00:40:22,630
step forward. Unfortunately Maryland,
instead of auditing them by having people
423
00:40:22,630 --> 00:40:27,000
look at the ballots, decided it would be
more efficient to audit them by having
424
00:40:27,000 --> 00:40:33,220
people look at digital scans of the
ballots from the voting machines. As I
425
00:40:33,220 --> 00:40:38,430
think everyone in this room probably
realizes, but maybe some in a broader
426
00:40:38,430 --> 00:40:45,530
audience would not, it's pretty easy to
manipulate digital photographs. In fact I
427
00:40:45,530 --> 00:40:50,690
have work from students in an
undergraduate security class I taught this
428
00:40:50,690 --> 00:40:56,049
term who implemented a machine learning
algorithm that can take scans of ballots
429
00:40:56,049 --> 00:41:00,970
and just automatically change the marked
results to produce whatever outcome you
430
00:41:00,970 --> 00:41:06,720
want, and we'll have more on that in
a publication this spring. But
431
00:41:06,720 --> 00:41:12,270
unfortunately these audits are security
theater. They might catch human error, but
432
00:41:12,270 --> 00:41:16,859
they're not going to catch a sophisticated
attacker who has the ability to manipulate
433
00:41:16,859 --> 00:41:21,900
how the machines are reading the ballots;
they can be easily fooled by malware. So I give
434
00:41:21,900 --> 00:41:28,700
Maryland on the whole maybe a "C".
Pennsylvania, another state that just two
435
00:41:28,700 --> 00:41:32,161
years ago during the recounts was
practically a laughing stock of the
436
00:41:32,161 --> 00:41:37,820
country for its lack of paper records of
votes and its byzantine rules about
437
00:41:37,820 --> 00:41:42,990
recounting them, well, today is making
really good progress. The state recently
438
00:41:42,990 --> 00:41:47,270
committed to replacing all of its
paperless machines with paper ballots in
439
00:41:47,270 --> 00:41:53,819
time for the 2020 election, and it's
committed to implementing robust post-election
440
00:41:53,819 --> 00:42:00,930
audits by 2022. Unfortunately,
2022 is going to be too late to secure the
441
00:42:00,930 --> 00:42:06,599
2020 presidential election, and this just
emphasizes the need to get moving more
442
00:42:06,599 --> 00:42:12,270
quickly. There were also questions about
whether the auditing regime they implement
443
00:42:12,270 --> 00:42:17,240
will be truly statistically rigorous.
There are a lot of details to get right,
444
00:42:17,240 --> 00:42:22,340
but on the whole, Pennsylvania has made so
much progress. I think out of sympathy I
445
00:42:22,340 --> 00:42:28,261
can give them a "B". All right, now let's
look at a top performer. This is the state
446
00:42:28,261 --> 00:42:34,890
of Colorado. Colorado has become a leader
in election security, because not only
447
00:42:34,890 --> 00:42:40,819
does it have paper ballots statewide,
largely vote by mail which has its own
448
00:42:40,819 --> 00:42:45,260
problems, but that's a subject for later.
But Colorado also was the first state in
449
00:42:45,260 --> 00:42:49,090
the country to implement these
statistically robust risk limiting audits
450
00:42:49,090 --> 00:42:53,809
statewide and has been doing it since
2017. They've got both of these critical
451
00:42:53,809 --> 00:42:58,800
protections in place, and yes, they
actually do choose the random seed for
452
00:42:58,800 --> 00:43:02,839
sampling the ballots during the risk
limiting audit by rolling a set of
453
00:43:02,839 --> 00:43:08,140
10-sided dice. So that's a great way to do
it in a public ceremony. So Colorado gets
454
00:43:08,140 --> 00:43:15,731
an "A". They're very well protected by
these standards. Then there's Georgia. So
455
00:43:15,731 --> 00:43:23,260
Georgia in 2018 voted statewide with the
AccuVote TSX voting machine, the one that
456
00:43:23,260 --> 00:43:29,720
FedEx has that I've hacked. They haven't
updated this software in their AccuVote
457
00:43:29,720 --> 00:43:37,130
TSX machines since 2005, and they claim
that the machines and their election
458
00:43:37,130 --> 00:43:43,510
programming systems are air gapped. But
during a court hearing about this earlier
459
00:43:43,510 --> 00:43:47,990
this fall their head of elections
described that their system was air
460
00:43:47,990 --> 00:43:52,119
gapped. Yes it's perfectly secure. It's
air gapped. The only way you can get into
461
00:43:52,119 --> 00:43:58,080
it is through the bank of modems attached
to it. It's air gapped except the bank of
462
00:43:58,080 --> 00:44:03,569
modems. Also it turns out he programs it
by moving a USB stick back and forth from
463
00:44:03,569 --> 00:44:11,700
his personal laptop.
sigh
Georgia also
of course doesn't have robust audits,
464
00:44:11,700 --> 00:44:15,770
because, well, meaningful post election
audits would require a paper trail, and
465
00:44:15,770 --> 00:44:21,079
none of those machines have paper. This
alone would be enough to give Georgia an
466
00:44:21,079 --> 00:44:26,859
"F". Except there's one more thing: their
voter registration system also was shown
467
00:44:26,859 --> 00:44:33,839
in 2018 to have some problems. So you're
not going to believe this story. One more
468
00:44:33,839 --> 00:44:41,260
story. So in Georgia they do online voter
registrations through a Web site. And in
469
00:44:41,260 --> 00:44:49,380
2018 just a few days before the election
the Georgia Democratic party learned from
470
00:44:49,380 --> 00:44:54,590
one of its-- from someone working for
them, from a volunteer, about a series of
471
00:44:54,590 --> 00:44:59,500
vulnerabilities in this voter registration
system. While it turned out that you could
472
00:44:59,500 --> 00:45:03,990
read and manipulate anyone's voter
registration records just by changing a
473
00:45:03,990 --> 00:45:10,750
sequential ID number in a particular URL.
There was another URL for viewing a sample
474
00:45:10,750 --> 00:45:14,170
ballot, that if you just change the path
of the file it pointed to you could read
475
00:45:14,170 --> 00:45:20,721
any file on the server's filesystem. Well
these are pretty bad problems, right? Even
476
00:45:20,721 --> 00:45:24,589
though Georgia apparently had gone through
the process of having a security
477
00:45:24,589 --> 00:45:29,610
assessment of its registration system
performed and didn't catch these, well...
478
00:45:29,610 --> 00:45:33,760
So the Democrats less than five days
before the election learned of these
479
00:45:33,760 --> 00:45:37,910
problems and disclosed them to the
Secretary of State's office which is
480
00:45:37,910 --> 00:45:43,400
responsible for running the election
system. There is Secretary of State Brian
481
00:45:43,400 --> 00:45:49,569
Kemp, who, also, it turned out, was
candidate for governor in a very close
482
00:45:49,569 --> 00:45:54,799
race. So not only was he running the
election system, but he was the candidate
483
00:45:54,799 --> 00:46:00,339
in the most important race in the state
where the polls were projecting that the
484
00:46:00,339 --> 00:46:06,340
election was going to be a dead heat. So
an hour after receiving the security
485
00:46:06,340 --> 00:46:12,190
disclosure, Secretary Kemp's office put
out a press release with this headline:
486
00:46:12,190 --> 00:46:16,440
That after a failed hacking attempt
they're launching an investigation into the
487
00:46:16,440 --> 00:46:24,790
Georgia Democratic Party and they've
called the FBI on the Democrats. So...
488
00:46:24,790 --> 00:46:32,140
Brian Kemp won the election and is now the
governor elect of Georgia. So this guy who
489
00:46:32,140 --> 00:46:36,660
did so well handling the security of the
voting system while he was secretary of
490
00:46:36,660 --> 00:46:42,710
state is now the head political officer of
the state of Georgia. I think Georgia's
491
00:46:42,710 --> 00:46:47,770
"F" just might stick with them through
2020. So...
492
00:46:47,770 --> 00:46:55,510
applause
Halderman: Thank you. So there is hope though. I
493
00:46:55,510 --> 00:47:01,250
want to end on a message of hope, because
despite this, with all of these different
494
00:47:01,250 --> 00:47:07,010
levels of rigor and of readiness across
the different states I believe we need
495
00:47:07,010 --> 00:47:12,020
more national leadership, national
standards, and national resources thrown
496
00:47:12,020 --> 00:47:18,670
into securing elections. And a bill to do
just these things made a lot of progress
497
00:47:18,670 --> 00:47:24,029
in the Senate during the past term. This
is a bill called the Secure Elections Act
498
00:47:24,029 --> 00:47:29,890
that was introduced by Senators Lankford,
Republican of Oklahoma, and Klobuchar,
499
00:47:29,890 --> 00:47:35,290
Democrat of Minnesota. And it ended up
gathering a large number of bipartisan
500
00:47:35,290 --> 00:47:41,400
sponsors, split evenly between Republicans
and Democrats. It would have required
501
00:47:41,400 --> 00:47:46,410
states to adopt paper, to adopt strong
audits, and to adopt stronger information
502
00:47:46,410 --> 00:47:50,710
sharing practices to let each other and
the federal government know if they saw
503
00:47:50,710 --> 00:47:57,869
signs of people trying to break in. This
bill made it a long way, but unfortunately
504
00:47:57,869 --> 00:48:03,400
got stuck in the committee after some
opposition from the White House just days
505
00:48:03,400 --> 00:48:07,520
before it was going to be marked up and
hopefully then make its way to the
506
00:48:07,520 --> 00:48:12,760
floor. But this shows that bipartisan
cooperation is possible even in this
507
00:48:12,760 --> 00:48:17,069
Congress, and that there are a lot of
serious people who now realize that
508
00:48:17,069 --> 00:48:22,160
election cybersecurity is a matter of
national security and defense. I think in
509
00:48:22,160 --> 00:48:26,460
the next Congress there's a good
possibility that we will see effective
510
00:48:26,460 --> 00:48:31,970
legislation to provide national standards
and leadership for elections. But it's a
511
00:48:31,970 --> 00:48:39,299
question of threading a political needle
and getting Congress to act. So to defend
512
00:48:39,299 --> 00:48:44,599
our elections we don't need rocket
science. We need simple steps like
513
00:48:44,599 --> 00:48:51,420
applying security best practices and
expertise to secure registration servers,
514
00:48:51,420 --> 00:48:56,430
adopting a paper record of every vote, and
applying simple post-election audit
515
00:48:56,430 --> 00:49:01,860
techniques to make sure the paper record
is right. If we do these things well we'll
516
00:49:01,860 --> 00:49:07,569
have a much more robust and evidence-based
election system that can detect and
517
00:49:07,569 --> 00:49:13,010
recover from attack attempts.
Unfortunately today our dialogue about
518
00:49:13,010 --> 00:49:18,170
elections isn't based on evidence. It's
largely based on faith: on faith in the
519
00:49:18,170 --> 00:49:23,641
democratic process, on faith in the people
and the technology that's responsible. But
520
00:49:23,641 --> 00:49:29,410
I think voters deserve better. Voters
deserve, if they're reasonably skeptical,
521
00:49:29,410 --> 00:49:33,550
to have it proven to them that the
election result was right, and that is
522
00:49:33,550 --> 00:49:38,480
possible with simple and practical
technology that we have today. All it's
523
00:49:38,480 --> 00:49:43,170
going to take is national leadership to
make sure that all states, even states like
524
00:49:43,170 --> 00:49:49,880
Georgia, adopt the necessary protections
soon. So what can you do? Well as a hacker
525
00:49:49,880 --> 00:49:55,250
or a computer scientist you can work with
your election officials to help explain
526
00:49:55,250 --> 00:50:00,420
the technology, the threats, and the
defenses. You can work to explain the
527
00:50:00,420 --> 00:50:05,640
threats to the public, because we all need
to understand, just as a matter of modern
528
00:50:05,640 --> 00:50:10,540
civics, how elections can be attacked and
defended. You can work to build better
529
00:50:10,540 --> 00:50:15,720
ways to use technology to make voting on
paper easier and more efficient. While
530
00:50:15,720 --> 00:50:20,450
technology can help voting in a lot of
ways, just... we shouldn't trust it as the
531
00:50:20,450 --> 00:50:26,369
only way in which votes are counted and
results are determined. And as a citizen,
532
00:50:26,369 --> 00:50:30,559
well, you can demand that election
authorities implement paper and risk
533
00:50:30,559 --> 00:50:34,690
limiting audits. Get involved through
activist groups to help campaign for
534
00:50:34,690 --> 00:50:41,040
protections like this, and especially
please urge the U.S. Congress to pass
535
00:50:41,040 --> 00:50:45,730
legislation like the Secure Elections Act
and similar bills to make sure that
536
00:50:45,730 --> 00:50:51,720
election systems across our country
achieve these security properties. You can
537
00:50:51,720 --> 00:50:56,770
learn more from an online course I have
for free on Coursera called Securing
538
00:50:56,770 --> 00:51:02,230
Digital Democracy that provides several
weeks' worth of material about the history
539
00:51:02,230 --> 00:51:07,589
and the technology of election defenses.
But we've got to get going. It's only been
540
00:51:07,589 --> 00:51:12,089
two years, believe it or not, since Donald
Trump became president, and it's only
541
00:51:12,089 --> 00:51:16,289
about 22 months until the next
presidential election. It's time to get
542
00:51:16,289 --> 00:51:18,480
moving. Thank you.
543
00:51:18,480 --> 00:51:30,660
applause
544
00:51:30,660 --> 00:51:39,020
Herald Angel: thank you very much. What I
got from this talk is it takes 27,400
545
00:51:39,020 --> 00:51:46,510
people, so we have to scale up Congress.
We're going to do a Q&A. And I think we'll
546
00:51:46,510 --> 00:51:52,561
just start with Mic number two
because I can see that one.
547
00:51:52,561 --> 00:52:00,410
Question: Thanks for the great talk. What
if someone targets the--
mic problems
548
00:52:00,410 --> 00:52:06,899
Mumbling
Herald: Um, we need mic #2 live.
549
00:52:08,359 --> 00:52:10,869
Question: Does this work? Hello?
silence
550
00:52:15,519 --> 00:52:18,499
Angel: Try again
Question: Hello? Ok great. Thanks for the
551
00:52:18,499 --> 00:52:23,520
great talk. What if someone targets the
randomness in your risk-limiting audit?
552
00:52:23,520 --> 00:52:27,431
Question: Doesn't that pose a vulnerability?
Speaker: Oh yes. Definitely you need to have
553
00:52:27,431 --> 00:52:31,740
a secure randomness in whatever auditing
method you're doing if it's going to be by
554
00:52:31,740 --> 00:52:37,760
a statistical sampling. That's one reason
why the auditing techniques that Colorado
555
00:52:37,760 --> 00:52:43,289
practices, they actually have a public
ceremony in which officials throw dice in
556
00:52:43,289 --> 00:52:48,520
front of TV cameras in order to pick the
random seed. But a lot of thought has to
557
00:52:48,520 --> 00:52:53,260
go into designing that process well, so
that it's not only truly random but also
558
00:52:53,260 --> 00:52:57,230
something that people can know and believe
is truly random. Thank you.
559
00:52:57,230 --> 00:53:06,029
Angel: OK Mic number six
Question: Thank you so much for the talk.
560
00:53:06,029 --> 00:53:10,799
You spoke about how in Georgia the
disclosure of vulnerabilities was
561
00:53:10,799 --> 00:53:18,150
punished, almost. Is there any talk or
movement towards having something like bug
562
00:53:18,150 --> 00:53:23,970
bounties for Election Systems?
Speaker: Yes in fact there is another bill
563
00:53:23,970 --> 00:53:29,390
that was introduced in Congress that would
do just that, and establish a kind of bug
564
00:53:29,390 --> 00:53:36,441
bounty program. I'm not sure that that
idea yet has a lot of legs, but I think it
565
00:53:36,441 --> 00:53:41,819
would help. I think right now though we
don't really need all that much more
566
00:53:41,819 --> 00:53:47,369
incentive for people to want to try to
help secure democracy. A lot of people,
567
00:53:47,369 --> 00:53:51,829
including I'm sure a lot of people in this
room, would gladly volunteer to do so. We
568
00:53:51,829 --> 00:53:55,940
need a way of organizing that effort and
making sure that people can discover and
569
00:53:55,940 --> 00:54:00,980
report problems without fear of having it
turn into some political weapon to be used
570
00:54:00,980 --> 00:54:05,150
against them.
Angel: Mic number one.
571
00:54:05,150 --> 00:54:10,930
Question: Hey thanks for the talk. Like
the case in Georgia doesn't sound that
572
00:54:10,930 --> 00:54:14,529
terrible because like in Lithuania a couple
of years ago we've had this issue where you
573
00:54:14,529 --> 00:54:20,510
just didn't need to change the URL you
just did have to refresh the page and here
574
00:54:20,510 --> 00:54:29,230
you go. You have the information about a
different citizen. My question is, like,
575
00:54:29,230 --> 00:54:35,799
what if the paper trail leads to the
knowledge that the election was rigged in
576
00:54:35,799 --> 00:54:41,200
some particular area like two years after
the election or like one year after the
577
00:54:41,200 --> 00:54:43,609
election? What happens then? Does it
change anything?
578
00:54:43,609 --> 00:54:49,480
Speaker: A year or so after an election
would be a great catastrophe if we only learned
579
00:54:49,480 --> 00:54:53,579
then that the political leaders were not
legitimately elected. We don't really have
580
00:54:53,579 --> 00:55:01,630
any precedent for that. That's why the
recommendation and what some states like
581
00:55:01,630 --> 00:55:05,200
Colorado are starting to do as they're
implementing stronger audits is to make
582
00:55:05,200 --> 00:55:09,640
sure the audits are completed as soon as
possible, ideally before the election
583
00:55:09,640 --> 00:55:16,769
results are certified. I recently came out
with a paper with Phillip Stark and Ron
584
00:55:16,769 --> 00:55:21,640
Rivest that gives an audit system that you
can start doing even the moment polls
585
00:55:21,640 --> 00:55:27,849
close on election night and perhaps have,
in a not so close election, a full complete
586
00:55:27,849 --> 00:55:33,800
audit by the time results are announced on
election night. So it's possible to do it
587
00:55:33,800 --> 00:55:39,900
quickly with sufficient organization.
Angel: OK. Microphone number 8.
588
00:55:40,770 --> 00:55:50,380
Question: Hi I'm curious about the
attribution of attacks. Is there possibly
589
00:55:50,380 --> 00:55:56,730
any instance at which you would be not
sure that it was Russia that performed the
590
00:55:56,730 --> 00:56:03,320
attacks, or maybe it was China. So how do
you know that it was exactly Russia, or
591
00:56:03,320 --> 00:56:10,799
China or India?
Speaker: So all we have to go by really is the
592
00:56:10,799 --> 00:56:16,160
assertions of our intelligence agencies in
the U.S. and in some cases like for the
593
00:56:16,160 --> 00:56:21,000
Democratic National Committee breaches the
assertions of private security firms that
594
00:56:21,000 --> 00:56:26,560
were involved in the investigations. I
agree with you, attribution in general is a
595
00:56:26,560 --> 00:56:32,390
darn hard problem. But if you're willing
to accept the credibility of the
596
00:56:32,390 --> 00:56:37,119
intelligence reports and read between the
lines just a little bit it looks like the
597
00:56:37,119 --> 00:56:43,279
reason, the basis for their attribution, is
largely not technical but based on
598
00:56:43,279 --> 00:56:47,339
intercepted communication of people who
were involved in organizing the attacks in
599
00:56:47,339 --> 00:56:52,590
Russia. And I think more information about
that is likely to come out as the Mueller
600
00:56:52,590 --> 00:56:58,500
investigations proceed. So I mean there's
some necessary grain of salt. You can see
601
00:56:58,500 --> 00:57:04,869
what incentive people might have to try to
trump up, so to speak, the involvement
602
00:57:04,869 --> 00:57:08,900
of Russia. But you can also see in the
current political climate why at least the
603
00:57:08,900 --> 00:57:14,200
executive branch would have a reason to
try to tone down allegations of Russia's
604
00:57:14,200 --> 00:57:20,160
involvement. So you'll have to interpret
the weight of the evidence as you will.
605
00:57:20,160 --> 00:57:24,640
Angel: OK, the last question
from the Internet.
606
00:57:24,640 --> 00:57:28,650
Angel: We're running out of time. Sorry.
Question: Has any organization or group
607
00:57:28,650 --> 00:57:32,079
unveiled a voting machine designed to
address all of the security issues that
608
00:57:32,079 --> 00:57:35,059
you have brought up here? Is there a
solution to the problem?
609
00:57:35,059 --> 00:57:38,730
Speaker: I'm sorry could you repeat the
beginning of that question?
610
00:57:38,730 --> 00:57:43,119
Question: Has any group or organization
unveiled a voting machine that is designed
611
00:57:43,119 --> 00:57:46,470
to address all of those security issues
that have grown up?
612
00:57:46,470 --> 00:57:52,329
Speaker: OK so there are efforts to
develop voting machines that are based on open
613
00:57:52,329 --> 00:58:00,490
source software, that are based on better
validated software. Ben Adida, a researcher
614
00:58:00,490 --> 00:58:07,089
in this area who has done a lot of great
work is one person who's recently launched
615
00:58:07,089 --> 00:58:13,740
an effort to do that, although there are
others. And I think that will help. But at
616
00:58:13,740 --> 00:58:17,809
the end of the day I think however well-
designed the software and our voting
617
00:58:17,809 --> 00:58:22,160
machines is, that can raise the bar for
attacks, but it's never going to be enough
618
00:58:22,160 --> 00:58:27,160
to also be able to convince skeptical
voters that everything is OK, because,
619
00:58:27,160 --> 00:58:31,109
well, among other things, how do you know
that that software is really what's
620
00:58:31,109 --> 00:58:36,530
running in the machines that are counting
your votes? So there's a lot we can do to
621
00:58:36,530 --> 00:58:41,750
make voting machines better. At the end of
the day they're also going to have to have
622
00:58:41,750 --> 00:58:47,709
that paper trail and those statistical audits
so that everyone can believe the results.
623
00:58:47,709 --> 00:58:52,259
Angel: Thank you very much.
That concludes the talk.
624
00:58:52,259 --> 00:59:00,219
Speaker: Thank you.
applause
625
00:59:00,219 --> 00:59:04,940
Angel: I think you'll be around for a few more
answers on the Congress, so everybody who
626
00:59:04,940 --> 00:59:08,750
is here can ask questions in person.
Speaker: I will and hopefully tomorrow
627
00:59:08,750 --> 00:59:11,799
there'll be a Diebold voting machine
somewhere around here for everyone
628
00:59:11,799 --> 00:59:16,220
to hack themselves. Thank you again.
Angel: Let's hack that thing.
629
00:59:16,220 --> 00:59:20,380
postroll music
630
00:59:20,380 --> 00:59:39,000
subtitles created by c3subtitles.de
in the year 2018. Join, and help us!