WEBVTT
00:00:00.000 --> 00:00:18.620
35C3 preroll music
00:00:18.620 --> 00:00:24.779
Herald Angel: Mr. Halderman, professor of
computer science at the University of
00:00:24.779 --> 00:00:32.598
Michigan. Famous for inventing things like
Let's Encrypt, finding the--
00:00:32.598 --> 00:00:33.620
applause
00:00:33.620 --> 00:00:38.050
Herald Angel: There's more.
applause
00:00:38.050 --> 00:00:49.770
Herald Angel: But wait, there's more! Logjam
-- I love buzzword bingo -- and ZMap.
00:00:49.770 --> 00:00:55.520
And now he's going to talk about
American elections. Thank you.
00:00:55.520 --> 00:01:00.760
J. Alex Halderman: All right. Thank you so
much. It's fantastic to be back at
00:01:00.760 --> 00:01:07.259
Congress this year. Two years ago I was
here with Matt Bernhard, one of my Ph.D.
00:01:07.259 --> 00:01:13.000
students and we gave an update about what
happened during the 2016 presidential
00:01:13.000 --> 00:01:22.460
election. Today a lot has changed and a
lot remains the same. And I'm here to let
00:01:22.460 --> 00:01:27.830
you know what we've learned about what
happened in the 2016 election and what we
00:01:27.830 --> 00:01:32.330
still need to do to make sure elections in
the U.S. and around the world are well
00:01:32.330 --> 00:01:40.990
protected. So, a quick flashback. On
November 8th, 2016 Donald Trump became
00:01:40.990 --> 00:01:46.210
president of the United States by beating
some other person. Now history quickly
00:01:46.210 --> 00:01:53.170
forgets the losers in presidential
elections. And it really doesn't matter
00:01:53.170 --> 00:02:00.170
who Donald Trump beat, because today, for
better or for worse, he is the president.
00:02:00.170 --> 00:02:06.920
But how close was the election? President
Trump likes to talk about how he won by a
00:02:06.920 --> 00:02:14.250
landslide, but actually he was the fifth
person in American history to win the
00:02:14.250 --> 00:02:20.700
presidency while losing the popular vote.
In fact his opponent received 3 million
00:02:20.700 --> 00:02:26.920
more votes in the election than President
Trump did. How can that happen? Well we
00:02:26.920 --> 00:02:33.011
have this crazy system called the
Electoral College. And in the Electoral
00:02:33.011 --> 00:02:38.349
College each state has a certain number of
points, and Donald Trump ended up getting
00:02:38.349 --> 00:02:43.840
more of those points. But if we want to
ask "How close was the election,
00:02:43.840 --> 00:02:49.660
really?"... well that depends on the way
each state allocates its electoral votes,
00:02:49.660 --> 00:02:58.319
and most are "winner-take-all". So we
might ask how many votes would, say, an
00:02:58.319 --> 00:03:03.590
attacker have had to change in the
smallest number of states in order to
00:03:03.590 --> 00:03:07.850
change the election result in order to,
say, make it a tie instead of a win for
00:03:07.850 --> 00:03:14.310
President Trump. And it turns out that if
you look at the three closest states, they
00:03:14.310 --> 00:03:19.580
could be flipped with a very very small
number of votes changing, and changing
00:03:19.580 --> 00:03:24.370
just any two of these three states would
have been enough to reverse the outcome of
00:03:24.370 --> 00:03:29.750
the presidential election. If we look at
the next few closest states they also have
00:03:29.750 --> 00:03:36.220
very small margins, and any three of these
six states would have sufficed to change
00:03:36.220 --> 00:03:42.650
the election result. In total just
changing twenty-seven thousand five
00:03:42.650 --> 00:03:49.519
hundred votes from Donald Trump to Donald
Trump's opponent would have changed the
00:03:49.519 --> 00:03:55.590
outcome of the U.S. presidential election.
There were 137 million votes in total.
00:03:55.590 --> 00:04:03.200
That's a change of just 0.02 percent. That
is a very close electoral result by even
00:04:03.200 --> 00:04:10.450
contemporary American standards. And
that's why the possibilities of computer
00:04:10.450 --> 00:04:17.019
hacking, voting machine manipulation,
information warfare that actually did take
place, some of them in 2016, not only have
00:04:17.019 --> 00:04:24.690
the possibility to have affected the 2016
00:04:24.690 --> 00:04:29.190
election result but stand to have the
possibility to affect future election
00:04:29.190 --> 00:04:37.050
results as well. And that's why election
security is so important right now. But if
00:04:37.050 --> 00:04:43.280
we go back to 2016, when I was speaking
here two years ago, the main thing I was
00:04:43.280 --> 00:04:48.430
talking about were recounts in three
states: Wisconsin, Michigan, and
00:04:48.430 --> 00:04:53.900
Pennsylvania, that I and other election
security advocates had a big role in
00:04:53.900 --> 00:04:59.360
orchestrating. Well we realized after 2016
that this was a close and unexpected
00:04:59.360 --> 00:05:05.240
election result, but no one was going to
go back and check the physical evidence of
00:05:05.240 --> 00:05:11.750
the votes: the actual paper ballots in any
states that really mattered to make sure
00:05:11.750 --> 00:05:16.920
that the computer election results we had
been told about were right. Well, when I
00:05:16.920 --> 00:05:22.290
and others pointed this out to the public
it resulted in an overwhelming show of
00:05:22.290 --> 00:05:27.980
support. And one of the third-party
presidential candidates, Jill Stein, stepped
00:05:27.980 --> 00:05:34.040
in and had the legal standing to demand
recounts in states where she stood for
00:05:34.040 --> 00:05:38.350
election, even though she had no chance of
winning. And she raised through small
00:05:38.350 --> 00:05:43.290
donations from the public more than seven
million dollars to fund efforts to go back
00:05:43.290 --> 00:05:49.419
and count and check the votes to make sure
things were right. Unfortunately, a
00:05:49.419 --> 00:05:54.840
recount after an American election is a
politically fraught process, and in all
00:05:54.840 --> 00:06:02.100
three states we found opposition from the
apparent winner of the election, we found
00:06:02.100 --> 00:06:07.229
challenges in the courts, and only one of
those states, Wisconsin, ended up
00:06:07.229 --> 00:06:13.039
recounting all of its ballots and found no
evidence of fraud. In Michigan the
00:06:13.039 --> 00:06:20.580
recounts were halted after only a few days
with less than half of the votes counted
00:06:20.580 --> 00:06:25.830
after a court challenge by the
Republicans. Again, no evidence of fraud
00:06:25.830 --> 00:06:31.860
in the votes that were recounted. And in
Pennsylvania, unfortunately, like many
00:06:31.860 --> 00:06:36.930
states most of the state had no paper
trail at all. There was nothing to
00:06:36.930 --> 00:06:42.389
recount: just digital records and
machines. The courts denied the Stein
00:06:42.389 --> 00:06:48.620
campaign the right to have independent
experts examine the machines, and very
00:06:48.620 --> 00:06:52.639
few of the places in the rest of the
state, the small number that did have
00:06:52.639 --> 00:07:00.270
paper, actually completed a recount. But
still there was no evidence of fraud. So
00:07:00.270 --> 00:07:05.300
in all there is no evidence that hacking
of voting machines -- hacking of actual
00:07:05.300 --> 00:07:11.240
vote counts -- changed the outcome of the
2016 election. But there is abundant
00:07:11.240 --> 00:07:17.850
evidence that cyberattacks of other forms
had a major influence on the election,
00:07:17.850 --> 00:07:22.639
and certainly could have a huge influence on
future elections. And that's what I'm
00:07:22.639 --> 00:07:28.940
going to talk about today. So first
looking back at 2016 in the two years
00:07:28.940 --> 00:07:33.639
since I was last here we have learned a
lot more about what really took place
00:07:33.639 --> 00:07:42.900
during the 2016 election. Starting in
January of 2017, when the U.S. intelligence
00:07:42.900 --> 00:07:51.169
community -- the CIA, NSA, and other
three-letter agencies, whom this community
00:07:51.169 --> 00:07:57.009
often doesn't trust -- still came out
and released a joint assessment in which
00:07:57.009 --> 00:08:04.490
they rated with very high confidence the
conclusion that attackers linked to Russia
00:08:04.490 --> 00:08:10.380
were ordered by Russian President Vladimir
Putin to interfere with the American
00:08:10.380 --> 00:08:16.000
election in order to weaken Clinton, boost
Donald Trump, and discredit the electoral
00:08:16.000 --> 00:08:21.479
process as a whole. They called it a
significant escalation of longstanding
00:08:21.479 --> 00:08:28.860
Russian efforts to undermine the US-led
liberal democratic order. So where's the
00:08:28.860 --> 00:08:34.448
evidence that this actually happened? And
what actually happened? According to not
00:08:34.448 --> 00:08:39.328
only the intelligence reports but other
information from other sources we can use
00:08:39.328 --> 00:08:45.939
to see to see whether it's credible. Well
what happened in the U.S. actually looks a
00:08:45.939 --> 00:08:51.190
lot like something that happened in 2014
in Ukraine, where, according to other
00:08:51.190 --> 00:08:58.220
published reports, attackers linked to
Russia engaged in a multipronged attack to
00:08:58.220 --> 00:09:04.089
try to undermine the presidential election
there. They released targeted leaks of
00:09:04.089 --> 00:09:09.740
e-mails linked to the presidential
campaign. They attacked the Election
00:09:09.740 --> 00:09:14.269
Commission's servers in order to cause
them to initially post the wrong
00:09:14.269 --> 00:09:19.139
presidential winner. And this was
apparently detected and narrowly averted
00:09:19.139 --> 00:09:24.319
only hours before the winner was to be
announced. And they orchestrated DDoS
00:09:24.319 --> 00:09:30.790
attacks to try to delay the election
results. In the U.S. in 2016 we saw a
00:09:30.790 --> 00:09:36.430
similar multipronged attack of targeted
political leaks, trolling and message
00:09:36.430 --> 00:09:42.550
amplification on social media, and attacks
against election infrastructure. So the
00:09:42.550 --> 00:09:48.279
targeted political leaks, you've probably
heard about some of this. You have e-mails
00:09:48.279 --> 00:09:54.189
stolen from the Democratic National
Committee through a hacking campaign that
00:09:54.189 --> 00:10:00.639
involved two different Russian-linked
military groups hacking into the DNC
00:10:00.639 --> 00:10:06.779
servers, installing customized malware and
exfiltrating thousands of e-mails that
00:10:06.779 --> 00:10:13.149
were then published by WikiLeaks. Later,
John Podesta -- Clinton's campaign
00:10:13.149 --> 00:10:20.299
chairman -- also had his personal email
compromised, and Podesta's emails were
00:10:20.299 --> 00:10:25.100
similarly published by WikiLeaks. Whatever
you think about WikiLeaks -- and
00:10:25.100 --> 00:10:30.230
government transparency, and I myself am a
huge fan of transparency -- there's
00:10:30.230 --> 00:10:36.220
clearly something subversive and
manipulative about just one side being
00:10:36.220 --> 00:10:41.720
targeted, and being targeted by other
foreign nations, and having its dirty
00:10:41.720 --> 00:10:46.630
laundry aired for the world to see. This
is subverting the entire notion of
00:10:46.630 --> 00:10:52.730
transparency, turning our need for true
information about politicians against us
00:10:52.730 --> 00:10:59.279
and manipulating the entire process. John
Podesta, since his e-mails were all leaked
00:10:59.279 --> 00:11:03.540
to the public, well, we can go and see the
phishing attack e-mail that got his
00:11:03.540 --> 00:11:09.399
password, and here it is. So this mail
sent to John Podesta claims to be from
00:11:09.399 --> 00:11:13.680
Gmail saying that someone has tried to
sign in with his password and he urgently
00:11:13.680 --> 00:11:20.939
needs to change it by clicking here. Well
he did click there and Russia got his
00:11:20.939 --> 00:11:27.509
password. We also see his staff talking
about this e-mail and one of his staffers
00:11:27.509 --> 00:11:32.550
recognized that this was a phishing
attempt and emailed urgently telling John
00:11:32.550 --> 00:11:38.810
Podesta to change his password immediately
but he typo'd. In dashing out this e-mail
00:11:38.810 --> 00:11:44.019
he wrote that this is a "legitimate
e-mail". He has subsequently claimed every
00:11:44.019 --> 00:11:47.759
time he's talked about it that he meant to
write "illegitimate" not "legitimate".
00:11:47.759 --> 00:11:55.410
Well, the rest is history. A couple of
extra letters might have changed a lot. So
00:11:55.410 --> 00:12:00.199
beyond the e-mail leaks we've seen an
orchestrated campaign on social media
00:12:00.199 --> 00:12:06.600
through trolls and false identities to try
to manipulate people's opinions, to try to
00:12:06.600 --> 00:12:12.189
create political divisions between people,
to try to amplify certain discordant
00:12:12.189 --> 00:12:17.819
messages. That could be a whole talk in
itself, and I'm not going to go deep into
00:12:17.819 --> 00:12:23.329
the trolling and message amplification,
but it's a subject that is an ongoing form
00:12:23.329 --> 00:12:29.259
of attack that again turns our tools of
communication against us. People need to
00:12:29.259 --> 00:12:34.149
know whether the information they're
reading is really what other people they
00:12:34.149 --> 00:12:40.079
know and are like them think, or whether
it's being generated by bots, by attacks.
00:12:40.079 --> 00:12:44.870
All right, this kind of artificial
amplification and manipulation of
00:12:44.870 --> 00:12:51.259
messaging turns us against each other.
Finally, and the category of attacks that
00:12:51.259 --> 00:12:55.639
I want to talk about most today because I
think they're the most relevant for our
00:12:55.639 --> 00:13:01.509
community, are attacks against election
infrastructure itself: the increasingly
00:13:01.509 --> 00:13:06.939
computerized systems that we use to run
elections, not just in the US but in
00:13:06.939 --> 00:13:12.459
countries around the world. There were
attacks against voter registration systems
00:13:12.459 --> 00:13:18.350
in states across the country, organized by
the same Russian groups. There were
00:13:18.350 --> 00:13:24.809
attacks against companies that make
technology used in polling places. In all,
00:13:24.809 --> 00:13:29.819
the intelligence assessment is that up to
21 states had their voter registration
00:13:29.819 --> 00:13:34.569
systems probed. Now of course how can you
go back in time and know for sure that
00:13:34.569 --> 00:13:38.889
others were not probed, were not
compromised? That's very difficult, even
00:13:38.889 --> 00:13:44.809
if you are, say, the NSA and are watching
everyone's network traffic. However we
00:13:44.809 --> 00:13:49.449
know that in multiple states the attackers
got in through SQL injection, through
00:13:49.449 --> 00:13:53.110
other attacks, and were able to steal
hundreds of thousands of voters'
NOTE Paragraph
00:13:53.110 --> 00:14:06.669
registration records. More information
came out later in 2017 through leaked
00:14:06.669 --> 00:14:15.019
information from NSA. So this woman,
Reality Winner, an NSA contractor, leaked
00:14:15.019 --> 00:14:20.410
to the Intercept a series of intelligence
assessments that showed the Russian
00:14:20.410 --> 00:14:26.129
attacks went even farther, that they
executed attempts to break into the
00:14:26.129 --> 00:14:30.929
computer systems of at least one election
computer software vendor, and then after
00:14:30.929 --> 00:14:35.660
breaking into their systems started trying
to phish their way into the computers of
00:14:35.660 --> 00:14:39.859
local election administrators, the people
who actually run the technology on
00:14:39.859 --> 00:14:45.399
Election Day. For sharing this information
with us Reality Winner is currently
00:14:45.399 --> 00:14:52.629
serving a five year prison sentence for
violating the Espionage Act. But the
00:14:52.629 --> 00:15:01.149
information that she leaked has since been
corroborated. In July of this year
00:15:01.149 --> 00:15:06.160
prosecutors in the Special Counsel's
office -- this is the Robert Mueller
00:15:06.160 --> 00:15:12.149
investigation of Russian interference and
collusion -- indicted a set of GRU
00:15:12.149 --> 00:15:18.329
officers, Russian military officers, in
conjunction with the voter registration
00:15:18.329 --> 00:15:23.049
system attacks, the theft of email from
the Democrats, and the attempts to indict
00:15:23.049 --> 00:15:28.220
local election officials. If you're
interested in this stuff I highly
00:15:28.220 --> 00:15:32.939
recommend you read this indictment. It's
about 20 pages of very detailed
00:15:32.939 --> 00:15:40.639
information asserting, and apparently
detailing, exactly who these people were,
00:15:40.639 --> 00:15:46.299
where they worked, what they did. Step by
step. Now it's scary to think that we might
00:15:46.299 --> 00:15:51.460
have such detailed information about
crimes that took place in the past. It
00:15:51.460 --> 00:15:58.290
doesn't say how we learned, for instance,
that this certain officer, Anatoly
00:15:58.290 --> 00:16:09.379
Kovalev, was working for unit 74455 of the
GRU at the 22 Kirova Street building, the
00:16:09.379 --> 00:16:16.800
Tower, and quite how he pulled off each
step in the attack that's asserted here.
00:16:16.800 --> 00:16:21.930
But as the Mueller indictments advance, as
the special prosecutor's case comes
00:16:21.930 --> 00:16:30.019
together, we're likely to learn a lot more.
And what's to come in 2018 as the Mueller
00:16:30.019 --> 00:16:33.540
investigation winds down, I think we're
going to learn a lot more about quite who
00:16:33.540 --> 00:16:39.050
ordered what, about who in the United
States was involved, and about whether the
00:16:39.050 --> 00:16:50.589
attacks went even further than we have so
far discovered. So that's 2016
00:16:50.589 --> 00:16:55.790
and what we've learned about 2016,
but I'm here today to give you a
00:16:55.790 --> 00:17:04.480
progress report on 2018. So what happened
during the 2018 election? Well we saw
00:17:04.480 --> 00:17:08.859
several things during the November
election this year. According to
00:17:08.859 --> 00:17:13.569
intelligence, once again, we have
allegations of continued social media
00:17:13.569 --> 00:17:19.888
influence operations, this time allegedly
linked to not only Russia, but China and
00:17:19.888 --> 00:17:27.648
Iran. Now I think it's very difficult to
independently comment on and establish
00:17:27.648 --> 00:17:31.740
whether these allegations are true or even
to understand the full extent of the
00:17:31.740 --> 00:17:35.990
social media involvement, because it's
just a small set of large Internet
00:17:35.990 --> 00:17:41.440
companies that have the raw data that we
need to analyze. However the best reports
00:17:41.440 --> 00:17:45.559
we have are these assessments from the
intelligence community that the social
00:17:45.559 --> 00:17:52.890
media influence is ongoing. We also saw
sporadic breakdowns of voting machines.
00:17:52.890 --> 00:17:57.320
Now patterns of breakdowns of voting
machines could be the indication of an
00:17:57.320 --> 00:18:02.540
attack. But in 2018 all of them seem to
have perfectly natural explanations. In
00:18:02.540 --> 00:18:07.450
New York City for instance many optical
scan machines broke down and jammed and
00:18:07.450 --> 00:18:12.799
caused long lines but apparently it was
because it was raining and that causes the
00:18:12.799 --> 00:18:18.010
paper to swell a little bit, these
machines to mis-feed and so on. So this is
00:18:18.010 --> 00:18:26.740
probably just natural failure. We also had
unfortunate human error, not for the first
00:18:26.740 --> 00:18:32.960
time. An election in Florida potentially
had the result changed because of very bad
00:18:32.960 --> 00:18:40.740
usability design in just the layout of the
ballot. So in Broward County, Florida
00:18:40.740 --> 00:18:45.759
3.7 percent fewer voters cast a vote at all
in the U.S. Senate race than the race for
00:18:45.759 --> 00:18:50.850
governor. This was potentially enough
because of the demographics of Broward to
00:18:50.850 --> 00:18:56.639
change the outcome of the Florida Senate
race. Here's why: Here's the ballot. So
00:18:56.639 --> 00:19:03.580
this is the race for governor, which most
voters filled out, as you would expect.
00:19:03.580 --> 00:19:08.380
Right down there underneath that long
column of instructions is the U.S. senator
00:19:08.380 --> 00:19:13.460
race. So you imagine this ballot. It's
much larger than a normal piece of paper.
00:19:13.460 --> 00:19:17.809
The bottom of that is hanging off your
desk as you're filling it in. I can see
00:19:17.809 --> 00:19:22.260
how 3.7 percent of voters might have
completely missed that race in the first
00:19:22.260 --> 00:19:29.889
column. Finally we had the old-fashioned
political fraud. In North Carolina a race
00:19:29.889 --> 00:19:34.540
for the House of Representatives was
decided by only about 900 votes. But it's
00:19:34.540 --> 00:19:40.000
come out since then that operatives
working for the Republican candidate
00:19:40.000 --> 00:19:45.070
allegedly stole or manipulated a large
number of absentee ballots, and the
00:19:45.070 --> 00:19:51.549
candidate there hasn't been certified yet
and likely won't be seated on time. There are
00:19:51.549 --> 00:19:55.909
multiple investigations going on into
exactly what happened, but it goes to show
00:19:55.909 --> 00:20:01.809
you that political fraud is a reality. And
even outside the domain of computers it
00:20:01.809 --> 00:20:07.049
continues to this day. Now if you can
imagine an election can be changed by just
00:20:07.049 --> 00:20:11.850
a few people working on the ground, going
around collecting people's mail-in ballots
00:20:11.850 --> 00:20:17.519
and promising to return them for them,
well imagine what nation state attackers
00:20:17.519 --> 00:20:23.570
could do to a vulnerable and highly
computerized online infrastructure. But on
00:20:23.570 --> 00:20:36.000
the whole 2018 was, well, eerily quiet. But
if we go back to 2016... so the U.S. Senate
00:20:36.000 --> 00:20:41.900
Intelligence Committee, a bipartisan group
controlled by Republicans in the Senate,
00:20:41.900 --> 00:20:47.179
issued its report earlier this year about
2016. They pointed out that they found
00:20:47.179 --> 00:20:52.100
that in a number of the states where
Russia attacked the registration systems,
00:20:52.100 --> 00:20:57.559
the Russian hackers were in a position to,
at a minimum, alter or destroy the voter
00:20:57.559 --> 00:21:02.029
registration data, which, if undetected,
would have caused massive chaos on
00:21:02.029 --> 00:21:06.230
election day when people showed up to vote
and were told that they weren't on the
00:21:06.230 --> 00:21:13.309
election rolls. But those attackers chose
not to pull the trigger. And I think
00:21:13.309 --> 00:21:18.210
that's exactly what happened in 2018. It
was quiet, not because we've adequately
00:21:18.210 --> 00:21:22.890
secured our election systems, but because
our adversaries this year chose not to
00:21:22.890 --> 00:21:28.210
pull the trigger. They're waiting for the
bigger prize in 2020 when we're likely to
00:21:28.210 --> 00:21:39.080
once again have a close and divisive
presidential contest. So what do I worry
00:21:39.080 --> 00:21:45.200
about? What I worry about most is not the
last war -- registration systems, all of
00:21:45.200 --> 00:21:49.990
that -- but the bigger prize: the 2020
election and the vulnerabilities in the
00:21:49.990 --> 00:21:57.880
way that we cast and count votes in the
U.S. Now I testified about this in 2017 to
00:21:57.880 --> 00:22:03.110
the Senate Intelligence Committee and --
that's actually not me, that's
00:22:03.110 --> 00:22:08.659
former FBI Director Comey -- but two weeks
later I was sitting in the same chair with
00:22:08.659 --> 00:22:15.059
far fewer TV cameras and testified that
the real lesson of 2016 is that the
00:22:15.059 --> 00:22:20.470
threats are real and that the attackers
will be back. And this is the picture I
00:22:20.470 --> 00:22:28.240
painted: so U.S. voting machines have their
own extreme set of vulnerabilities. I was
00:22:28.240 --> 00:22:33.080
going to bring one of these machines, an
AccuVote TSX, with me here today. This
00:22:33.080 --> 00:22:40.049
machine is still used in many parts of the
U.S., but my machine has been in Germany
00:22:40.049 --> 00:22:46.420
for about a week and FedEx doesn't know
where it is. So if it shows up I'll have
00:22:46.420 --> 00:22:51.000
it somewhere for people to play with, but
my advice is if you have to ship something
00:22:51.000 --> 00:22:57.720
urgent to Germany don't send it via FedEx.
What I would have shown you though is a
00:22:57.720 --> 00:23:01.940
mock election on this machine and the mock
election I always like to do to keep it
00:23:01.940 --> 00:23:05.851
from getting too political is between
George Washington, the father of the
00:23:05.851 --> 00:23:10.770
country, and Benedict Arnold, the traitor
of the American Revolution. And of course
00:23:10.770 --> 00:23:16.620
everyone likes to vote for George
Washington. But these machines are so
00:23:16.620 --> 00:23:22.799
vulnerable. So I would have shown you an
attack whereby I can compromise this
00:23:22.799 --> 00:23:28.419
machine and cause it to report the wrong
election outcome without having any direct
00:23:28.419 --> 00:23:32.929
physical access to the voting machines.
Instead all an attacker needs to do is be
00:23:32.929 --> 00:23:37.419
able to infect these memory cards that
election officials use before every
00:23:37.419 --> 00:23:42.409
election to program the machine with the
design of the ballot -- that is, the
00:23:42.409 --> 00:23:46.220
races, the candidates, the rules for
counting. If an attacker can infect the
00:23:46.220 --> 00:23:51.330
memory card there are a whole host of
different ways that the attacker can
00:23:51.330 --> 00:23:57.269
compromise the machine and install malware
on the voting machine itself. There is an
00:23:57.269 --> 00:24:01.929
unauthenticated software update mechanism
that can replace the election software.
00:24:01.929 --> 00:24:06.110
There are buffer overflows in the code
that's used to read the ballot design and
00:24:06.110 --> 00:24:10.999
process it. There's even an interpreted
programming language that's used to
00:24:10.999 --> 00:24:16.320
generate the reports of who won. So you
can just replace the honest counting
00:24:16.320 --> 00:24:21.230
software with dishonest counting software
right on the memory card, and that's what
00:24:21.230 --> 00:24:25.590
will get executed and determine the
election results. Any of these ways would
00:24:25.590 --> 00:24:31.629
be sufficient. So when the machine counts
the votes at the end of the election it
00:24:31.629 --> 00:24:36.030
prints out a little cash register receipt
that becomes the official record of the
00:24:36.030 --> 00:24:40.610
result. That's controlled by the
interpreted programming language on the
00:24:40.610 --> 00:24:46.000
memory card. And on my machine, no matter
who you vote for, Benedict Arnold is going
00:24:46.000 --> 00:24:51.139
to win. And that's because the malware I
install via the memory card is in complete
00:24:51.139 --> 00:24:56.899
control of the election results. And there
are more problems than that. So these
00:24:56.899 --> 00:25:03.310
voting machines like the AccuVote TSX have
been studied by academic researchers, by
00:25:03.310 --> 00:25:08.769
independent researchers, by groups
commissioned by secretaries of state in
00:25:08.769 --> 00:25:13.360
various states around the country. And
every time the same machine is studied
00:25:13.360 --> 00:25:18.070
again, groups find new vulnerabilities.
This is part of the table of contents from
00:25:18.070 --> 00:25:23.340
a report I helped to author ten years ago
about the AccuVote TSX, and you can see
00:25:23.340 --> 00:25:28.380
just this one page of several pages of
vulnerabilities in this single machine.
00:25:28.380 --> 00:25:33.179
These things are so poorly designed;
they're so complex. Each of the voting
00:25:33.179 --> 00:25:38.299
systems has on the order of a million
lines of source code. And that's on top
00:25:38.299 --> 00:25:43.920
of, in this case, on top of an old and
unsupported version of Windows CE. There's
00:25:43.920 --> 00:25:51.029
no way that these things could possibly be
secure. But the AccuVote TSX is still used
00:25:51.029 --> 00:25:57.749
in 18 states. In many of these states it's
still used with software that predates
00:25:57.749 --> 00:26:02.130
that 2007 report I just showed you. We've
had known buffer overflows and other
00:26:02.130 --> 00:26:06.970
problems in this firmware for more than 10
years and some states still have not
00:26:06.970 --> 00:26:14.649
updated the software. That's how bad it
is. But it's not just that one machine. So
00:26:14.649 --> 00:26:20.460
in the US every state gets to pick its own
election technology. There are no federal
00:26:20.460 --> 00:26:27.140
rules that require states to use any
particular kind of technology or testing,
00:26:27.140 --> 00:26:31.370
and you might ask, especially from the
European perspective, why don't we just
00:26:31.370 --> 00:26:38.210
count votes by hand like a civilized
country? Well here's part of the answer.
00:26:38.210 --> 00:26:44.799
This is one example of a ballot from one
part of the country and it's eight pages
00:26:44.799 --> 00:26:50.009
long. We insist on voting for not only the
federal races but the state and local
00:26:50.009 --> 00:26:56.870
races and even city races. The joke is
even for dog catcher. And this complexity,
00:26:56.870 --> 00:27:01.889
well, counting ballots by hand scales
linearly with the number of questions, and
00:27:01.889 --> 00:27:07.759
our ballots by tradition are just too
complicated to efficiently count manually.
00:27:07.759 --> 00:27:13.491
So we turn to computers, and about half
the country-- well, really there are two
00:27:13.491 --> 00:27:20.830
different styles of voting machines that
we use. Some of them are optical scanners
00:27:20.830 --> 00:27:25.750
where the voter fills in a piece of paper,
and it gets scanned in by a computer. The
00:27:25.750 --> 00:27:31.460
rest are touch-screen machines and others
that we call DREs -- direct recording
00:27:31.460 --> 00:27:36.490
electronic. On these machines voters cast
a vote on the screen; it gets recorded in
00:27:36.490 --> 00:27:41.440
electronic memory; some of them will also
generate a print out of each vote, but
00:27:41.440 --> 00:27:46.890
that's relatively rare. In many cases the
only record of the vote is in a computer
00:27:46.890 --> 00:27:54.940
memory. So in study after study these
machines have been examined, and in every
00:27:54.940 --> 00:27:59.510
case, for both the optical scanners and
the DREs, where a machine has been tested
00:27:59.510 --> 00:28:04.669
by qualified people, well, it's been found
to have vulnerabilities that would allow
00:28:04.669 --> 00:28:10.510
an attacker to install vote stealing
malware and change the electronic results.
00:28:10.510 --> 00:28:19.340
Every single case. So how hard would it be
to go from hacking these individual
00:28:19.340 --> 00:28:25.360
machines to say changing the results of a
presidential election? Unfortunately much
00:28:25.360 --> 00:28:30.610
easier than we might think. There'd be
three challenges to doing this in a way
00:28:30.610 --> 00:28:36.960
that would likely be invisible. The first
challenge is that the machines are, well,
00:28:36.960 --> 00:28:40.679
many different types. They're diverse;
they're decentralized. Each state's system
00:28:40.679 --> 00:28:44.590
is independent, and thank goodness! Because
that means that we don't have just a
00:28:44.590 --> 00:28:51.850
single place you can hack into to change
results nationwide. Unfortunately, because
00:28:51.850 --> 00:28:58.529
of our electoral college system, this
diversity of technology can turn into a
00:28:58.529 --> 00:29:04.049
weakness in very close elections. So
remember I said that just any three of six
00:29:04.049 --> 00:29:09.299
states, for instance in 2016, would have
been sufficient to flip the outcome of the
00:29:09.299 --> 00:29:14.980
presidential election. Well before an
election an attacker can scan all the
00:29:14.980 --> 00:29:19.730
states, figure out which ones are most
weakly protected, and, if they can find
00:29:19.730 --> 00:29:24.899
enough weakly protected ones to strike in,
that could be sufficient to change the
00:29:24.899 --> 00:29:29.960
national results. So the attacker gets to
pick and choose, because our diversity of
00:29:29.960 --> 00:29:36.009
technology also means a diversity of
strength and weakness. The second
00:29:36.009 --> 00:29:40.230
challenge is that, as election officials
often point out, the voting machines
00:29:40.230 --> 00:29:43.960
aren't connected to the Internet, or at
least they're not supposed to be. It turns
00:29:43.960 --> 00:29:48.950
out that some of them are, because they
upload their results over a 4G cellular
00:29:48.950 --> 00:29:56.309
modem right after election results are
complete. But let's just suppose they're
00:29:56.309 --> 00:30:00.710
not connected to the Internet. All right.
It turns out that's still not enough to
00:30:00.710 --> 00:30:05.799
protect us. So as I said before every
election every single voting machine in
00:30:05.799 --> 00:30:10.789
the country has to be programmed with the
ballot design and that ballot programming
00:30:10.789 --> 00:30:15.640
is created by election officials on a
computer workstation somewhere, usually an
00:30:15.640 --> 00:30:21.650
old Windows PC. Those computer
workstations can sometimes service an
00:30:21.650 --> 00:30:26.840
entire county, sometimes an entire state.
Sometimes they're controlled by
00:30:26.840 --> 00:30:32.649
independent external contractors that can
perform work across multiple states. And
00:30:32.649 --> 00:30:37.369
if an attacker can infiltrate one of those
systems they can spread vote stealing
00:30:37.369 --> 00:30:44.039
malware on the memory cards to voting
machines across the whole region. So how
00:30:44.039 --> 00:30:48.369
hard would it be to break into one of
these systems? Well in Michigan, my state,
00:30:48.369 --> 00:30:54.210
in 2016, about three quarters of counties
outsourced this programming to just three
00:30:54.210 --> 00:30:59.279
small businesses. These are 10-20 person
companies operating in strip malls and so
00:30:59.279 --> 00:31:03.929
forth -- the same companies that the
jurisdictions buy their ballot boxes and
00:31:03.929 --> 00:31:07.989
"I voted" stickers from. Here's the
website of one of them. You can see it
00:31:07.989 --> 00:31:13.889
doesn't have HTTPS, has lots of nice high
resolution photos of their warehouse in
00:31:13.889 --> 00:31:19.039
case you want to burglarize it, and,
probably most interestingly to an
00:31:19.039 --> 00:31:22.759
attacker, they have this nice employee
directory with everyone's name,
00:31:22.759 --> 00:31:28.799
photograph, job title, and email address.
So if I wanted to break into elections in
00:31:28.799 --> 00:31:33.679
Michigan I might start by, say, forging an
email from Larry the president there to
00:31:33.679 --> 00:31:39.491
Sue his administrative assistant and say I
urgently need you to open this file. After
00:31:39.491 --> 00:31:44.549
she does, of course, it installs my malware
on their network, I'm in. I'm one step away
00:31:44.549 --> 00:31:49.690
from the election programming system and
spreading malware to machines across a
00:31:49.690 --> 00:31:56.769
quarter of the state. All right, there's
one more challenge. And that's that today
00:31:56.769 --> 00:32:01.669
more than 70 percent of US votes are
recorded on a piece of paper. And this is
00:32:01.669 --> 00:32:07.249
great! This is much more than ten years
ago because officials have been listening
00:32:07.249 --> 00:32:10.769
to computer scientists and security
experts who have been warning about the
00:32:10.769 --> 00:32:16.960
dangers of fully electronic voting. And
paper might seem like a step backwards,
00:32:16.960 --> 00:32:22.500
but it's actually a pretty high tech way
of thinking. In any kind of critical
00:32:22.500 --> 00:32:26.889
system, if we can afford to have a
physical failsafe in case of technology
00:32:26.889 --> 00:32:31.649
problems it's a good idea to do that. This
is why if you fly on a commercial
00:32:31.649 --> 00:32:36.470
aircraft... well, it has a very fancy
satellite-guided navigation system, but
00:32:36.470 --> 00:32:41.539
also, by law, there's a magnetic compass in
the cockpit. It's also why in your
00:32:41.539 --> 00:32:47.220
car...well you probably want to have a
mechanical linkage between the brake pedal
00:32:47.220 --> 00:32:54.280
and the brakes just in case... well, you
know. So paper can be a very sophisticated
00:32:54.280 --> 00:32:59.460
defense. It's relatively slow and
expensive to tally, but it's something
00:32:59.460 --> 00:33:05.399
that's verified by the voter and that
can't be changed later in a cyberattack.
00:33:05.399 --> 00:33:10.350
Meanwhile we also get an electronic record
from systems like optical scanners that's
00:33:10.350 --> 00:33:16.179
fast and cheap to tally, but unverified.
As long as we make sure that these records
00:33:16.179 --> 00:33:19.970
agree well then changing the election
result would require you to change the
00:33:19.970 --> 00:33:23.990
electronic record through a high tech
attack. And the paper records through a
00:33:23.990 --> 00:33:28.340
low tech attack and in a way that
agrees, and that would require a truly
00:33:28.340 --> 00:33:33.919
extraordinary conspiracy. And to check
that the paper is right... Well we have
00:33:33.919 --> 00:33:38.989
high tech approaches to that too. You
don't have to count all of it. In fact
00:33:38.989 --> 00:33:43.860
over the last ten years computer
scientists and statisticians have
00:33:43.860 --> 00:33:48.570
developed very sophisticated ways of just
spot checking the paper record to make
00:33:48.570 --> 00:33:53.100
sure that it's right and these are called
risk limiting audits. A risk limiting
00:33:53.100 --> 00:33:58.249
audit is a statistical process in which
you can count randomly selected ballots
00:33:58.249 --> 00:34:01.960
until you establish with high confidence
that hand counting all of them would
00:34:01.960 --> 00:34:07.539
determine the same winner. There are many
ways to do this but they all turn out to
00:34:07.539 --> 00:34:12.969
be, or many of them turn out to be
incredibly efficient. In a typical state
00:34:12.969 --> 00:34:19.809
with a fairly wide margin of victory just
spot checking a handful of ballots might
00:34:19.809 --> 00:34:23.570
be enough to establish with high
confidence that the winner really did win
00:34:23.570 --> 00:34:29.359
by a landslide. Of course if the election
result is a tie, logically you do have to
00:34:29.359 --> 00:34:34.649
look at all the ballots to establish that
it is indeed a tie. So the amount of work
00:34:34.649 --> 00:34:39.320
you have to do depends on how close the
election was. But in all cases you can
00:34:39.320 --> 00:34:44.340
find an efficient approach to determining,
without trusting the computer systems,
00:34:44.340 --> 00:34:50.569
that the paper really does reflect the
true winner. Unfortunately, well, most
00:34:50.569 --> 00:34:55.179
states don't do risk limiting audits. In
fact most states don't look at enough
00:34:55.179 --> 00:35:02.620
paper at all to determine that the winner
of a close election was genuine. So
00:35:02.620 --> 00:35:08.510
hacking a national election would probably
be easier than most of us thought. You can
00:35:08.510 --> 00:35:13.041
use pre-election polls and scanning to
determine which states to target, hack
00:35:13.041 --> 00:35:17.531
into the election management systems in
the most weakly protected ones, then
00:35:17.531 --> 00:35:22.180
infect voting machines with malware to
change, say, a few percent of the vote.
00:35:22.180 --> 00:35:26.859
The paper records might catch the fraud,
but you can rely on the fact that most
00:35:26.859 --> 00:35:31.060
states will throw it away without looking
at enough of it to determine who actually
00:35:31.060 --> 00:35:41.470
won. And that's the sorry situation that
unfortunately in 2018 we are still in. So
00:35:41.470 --> 00:35:47.859
since 2016, however, there has been a
change in mindset. Increasingly election
00:35:47.859 --> 00:35:52.640
officials have been listening to the
scientific community when we say you need
00:35:52.640 --> 00:35:57.549
a paper trail, and they're starting to
think that that is correct. Almost all
00:35:57.549 --> 00:36:03.329
states that don't have paper trails today
at least have people strongly advocating
00:36:03.329 --> 00:36:09.599
for replacing the equipment that's there.
And most other states, well, they at least
00:36:09.599 --> 00:36:13.920
have people starting to look into the
security and testing the security of other
00:36:13.920 --> 00:36:18.359
election related computer systems, like
their voter registration systems, to make
00:36:18.359 --> 00:36:24.280
sure that they're shored up. Now you don't
have to take it from me that paper ballots
00:36:24.280 --> 00:36:29.650
and post election audits are the way to go
to secure our election systems. Just this
00:36:29.650 --> 00:36:36.030
fall the National Academies of Science
Engineering and Medicine -- the authority
00:36:36.030 --> 00:36:40.410
on scientific advice to government --
released a report with their highest level
00:36:40.410 --> 00:36:45.740
of advice -- a consensus report -- urging
the adoption of paper and risk limiting
00:36:45.740 --> 00:36:51.270
audits, pointing out that this is a
pragmatic, robust, and necessary defense
00:36:51.270 --> 00:36:57.420
for elections. This report was written in
conjunction with election officials.
00:36:57.420 --> 00:37:01.869
People with experience administering
elections and it just goes to show you
00:37:01.869 --> 00:37:06.606
that at least the election officials who
have taken the time to understand the
00:37:06.606 --> 00:37:13.766
threat are waking up and starting to pay
attention to the path to a solution. The
00:37:13.766 --> 00:37:19.460
problem is that that solution will take
time to implement. And if we look at which
00:37:19.460 --> 00:37:24.890
states still don't have a paper trail, it
turns out that there are 14 where some or
00:37:24.890 --> 00:37:31.660
all votes still aren't recorded on paper,
and it's going to take between 130 and 420
00:37:31.660 --> 00:37:35.559
million dollars according to credible
estimates to replace all the machines
00:37:35.559 --> 00:37:41.410
still in those states. Some of them like
Pennsylvania are working to do that now,
00:37:41.410 --> 00:37:46.630
but in other states there still are no
plans in effect to get rid of the
00:37:46.630 --> 00:37:52.600
vulnerable machines. If we look at the
national map for post-election audits
00:37:52.600 --> 00:37:57.870
though the picture is a lot worse. And
this is what concerns me most. Although
00:37:57.870 --> 00:38:04.030
many states in 2018 did small pilots of
risk limiting audits, the majority of
00:38:04.030 --> 00:38:11.860
states still do not conduct audits that
can rigorously guarantee the electronic
00:38:11.860 --> 00:38:18.799
results of an election. And many still
have no plans to do so in time for 2020.
00:38:18.799 --> 00:38:22.369
Because risk limiting audits are so
efficient, the cost for auditing
00:38:22.369 --> 00:38:28.130
nationwide is ridiculously small. It would
cost according to my estimates less than
00:38:28.130 --> 00:38:33.410
25 million dollars a year to audit every
federal race nationally, potentially a lot
00:38:33.410 --> 00:38:38.099
less than that. But it requires
organization on the ground. And
00:38:38.099 --> 00:38:44.660
unfortunately in our system operations on
the ground are conducted by about 13,000
00:38:44.660 --> 00:38:51.359
local jurisdictions on Election Day. We
need national leadership. We need much
00:38:51.359 --> 00:38:57.380
more dispersed expertise in order to get
these protections in place, because if you
00:38:57.380 --> 00:39:03.450
don't actually look at the paper you might
as well not have it in the first place. So
00:39:03.450 --> 00:39:09.460
this year did see some movement in
Congress. In the spring, as part of the
00:39:09.460 --> 00:39:14.650
omnibus appropriations process, Congress
gave the states 380 million dollars in
00:39:14.650 --> 00:39:20.160
emergency election funding in order to
start working to secure their registration
00:39:20.160 --> 00:39:24.720
systems and polling places. This was great
in that it was money available
00:39:24.720 --> 00:39:29.089
immediately, and if you've been paying
attention, getting Congress to do much of
00:39:29.089 --> 00:39:34.810
anything these days is pretty hard. On the
other hand the money came with very
00:39:34.810 --> 00:39:41.069
limited oversight, with no standards about
how that money should be used, and isn't
00:39:41.069 --> 00:39:46.079
even enough to eliminate all of the
paperless machines because of the way it's
00:39:46.079 --> 00:39:52.490
spread out amongst the states. But it's an
important first step. We can look at a few
00:39:52.490 --> 00:39:58.040
of the states to see how they're doing,
and I pick these as a representative
00:39:58.040 --> 00:40:06.050
sample of the diversity of progress. In
Maryland, for instance, which until 2016
00:40:06.050 --> 00:40:09.620
used AccuVote touch-screen machines,
vulnerable to all of those problems I
00:40:09.620 --> 00:40:15.859
talked about, finally replaced the
machines with paper ballots. That's a huge
00:40:15.859 --> 00:40:22.630
step forward. Unfortunately Maryland,
instead of auditing them by having people
00:40:22.630 --> 00:40:27.000
look at the ballots, decided it would be
more efficient to audit them by having
00:40:27.000 --> 00:40:33.220
people look at digital scans of the
ballots from the voting machines. As I
00:40:33.220 --> 00:40:38.430
think everyone in this room probably
realizes, but maybe some in a broader
00:40:38.430 --> 00:40:45.530
audience would not, it's pretty easy to
manipulate digital photographs. In fact I
00:40:45.530 --> 00:40:50.690
have work from students in an
undergraduate security class I taught this
00:40:50.690 --> 00:40:56.049
term who implemented a machine learning
algorithm that can take scans of ballots
00:40:56.049 --> 00:41:00.970
and just automatically change the marked
results to produce whatever outcome you
00:41:00.970 --> 00:41:06.720
want, and we'll have more on that in
a publication this spring. But
00:41:06.720 --> 00:41:12.270
unfortunately these audits are security
theater. They might catch human error, but
00:41:12.270 --> 00:41:16.859
they're not going to catch a sophisticated
attacker who has the ability to manipulate
00:41:16.859 --> 00:41:21.900
how the machines are reading the ballots,
can be easily fooled by malware. So I give
00:41:21.900 --> 00:41:28.700
Maryland on the whole maybe a "C".
Pennsylvania, another state that just two
00:41:28.700 --> 00:41:32.161
years ago during the recounts was
practically a laughing stock of the
00:41:32.161 --> 00:41:37.820
country for its lack of paper records of
votes and its byzantine rules about
00:41:37.820 --> 00:41:42.990
recounting them, well, today is making
really good progress. The state recently
00:41:42.990 --> 00:41:47.270
committed to replacing all of its
paperless machines with paper ballots in
00:41:47.270 --> 00:41:53.819
time for the 2020 election, and it's
committed to implementing robust post
00:41:53.819 --> 00:42:00.930
election audits by 2022. Unfortunately,
2022 is going to be too late to secure the
00:42:00.930 --> 00:42:06.599
2020 presidential election, and this just
emphasizes the need to get moving more
00:42:06.599 --> 00:42:12.270
quickly. There were also questions about
whether the auditing regime they implement
00:42:12.270 --> 00:42:17.240
will be truly statistically rigorous.
There are a lot of details to get right,
00:42:17.240 --> 00:42:22.340
but on the whole, Pennsylvania has made so
much progress. I think out of sympathy I
00:42:22.340 --> 00:42:28.261
can give them a "B". All right, now let's
look at a top performer. This is the state
00:42:28.261 --> 00:42:34.890
of Colorado. Colorado has become a leader
in election security, because not only
00:42:34.890 --> 00:42:40.819
does it have paper ballots statewide,
largely vote by mail which has its own
00:42:40.819 --> 00:42:45.260
problems, but that's a subject for later.
But Colorado also was the first state in
00:42:45.260 --> 00:42:49.090
the country to implement these
statistically robust risk limiting audits
00:42:49.090 --> 00:42:53.809
statewide and has been doing it since
2017. They've got both of these critical
00:42:53.809 --> 00:42:58.800
protections in place, and yes, they
actually do choose the random seed for
00:42:58.800 --> 00:43:02.839
sampling the ballots during the risk
limiting audit by rolling a set of
00:43:02.839 --> 00:43:08.140
10-sided dice. So that's a great way to do
it in a public ceremony. So Colorado gets
00:43:08.140 --> 00:43:15.731
an "A". They're very well protected by
these standards. Then there's Georgia. So
00:43:15.731 --> 00:43:23.260
Georgia in 2018 voted statewide with the
AccuVote TSX voting machine, the one that
00:43:23.260 --> 00:43:29.720
FedEx has that I've hacked. They haven't
updated this software in their AccuVote
00:43:29.720 --> 00:43:37.130
TSX machines since 2005, and they claim
that the machines and their election
00:43:37.130 --> 00:43:43.510
programming systems are air gapped. But
during a court hearing about this earlier
00:43:43.510 --> 00:43:47.990
this fall their head of elections
described that their system was air
00:43:47.990 --> 00:43:52.119
gapped. Yes it's perfectly secure. It's
air gapped. The only way you can get into
00:43:52.119 --> 00:43:58.080
it is through the bank of modems attached
to it. It's air gapped except the bank of
00:43:58.080 --> 00:44:03.569
modems. Also it turns out he programs it
by moving a USB stick back and forth from
00:44:03.569 --> 00:44:11.700
his personal laptop.
Sigh
Georgia also
of course doesn't have robust audits,
00:44:11.700 --> 00:44:15.770
because, well, meaningful post election
audits would require a paper trail, and
00:44:15.770 --> 00:44:21.079
none of those machines have paper. This
alone would be enough to give Georgia an
00:44:21.079 --> 00:44:26.859
"F". Except there's one more thing: their
voter registration system also was shown
00:44:26.859 --> 00:44:33.839
in 2018 to have some problems. So you're
not going to believe this story. One more
00:44:33.839 --> 00:44:41.260
story. So in Georgia they do online voter
registrations through a Web site. And in
00:44:41.260 --> 00:44:49.380
2018 just a few days before the election
the Georgia Democratic party learned from
00:44:49.380 --> 00:44:54.590
one of its-- from someone working for
them, from a volunteer, about a series of
00:44:54.590 --> 00:44:59.500
vulnerabilities in this voter registration
system. Well, it turned out that you could
00:44:59.500 --> 00:45:03.990
read and manipulate anyone's voter
registration records just by changing a
00:45:03.990 --> 00:45:10.750
sequential ID number in a particular URL.
There was another URL for viewing a sample
00:45:10.750 --> 00:45:14.170
ballot, that if you just change the path
of the file it pointed to you could read
00:45:14.170 --> 00:45:20.721
any file on the server's filesystem. Well
these are pretty bad problems, right? Even
00:45:20.721 --> 00:45:24.589
though Georgia apparently had gone through
the process of having a security
00:45:24.589 --> 00:45:29.610
assessment of its registration system
performed and didn't catch these, well...
00:45:29.610 --> 00:45:33.760
So the Democrats less than five days
before the election learned of these
00:45:33.760 --> 00:45:37.910
problems and disclosed them to the
Secretary of State's office which is
00:45:37.910 --> 00:45:43.400
responsible for running the election
system. There is Secretary of State Brian
00:45:43.400 --> 00:45:49.569
Kemp, who, also, it turned out, was
candidate for governor in a very close
00:45:49.569 --> 00:45:54.799
race. So not only was he running the
election system, but he was the candidate
00:45:54.799 --> 00:46:00.339
in the most important race in the state
where the polls were projecting that the
00:46:00.339 --> 00:46:06.340
election was going to be a dead heat. So
an hour after receiving the security
00:46:06.340 --> 00:46:12.190
disclosure, Secretary Kemp's office put
out a press release with this headline:
00:46:12.190 --> 00:46:16.440
That after a failed hacking attempt
they're launching an investigation into the
00:46:16.440 --> 00:46:24.790
Georgia Democratic Party and they've
called the FBI on the Democrats. So...
00:46:24.790 --> 00:46:32.140
Brian Kemp won the election and is now the
governor elect of Georgia. So this guy who
00:46:32.140 --> 00:46:36.660
did so well handling the security of the
voting system while he was secretary of
00:46:36.660 --> 00:46:42.710
state is now the head political officer of
the state of Georgia. I think Georgia's
00:46:42.710 --> 00:46:47.770
"F" just might stick with them through
2020. So...
00:46:47.770 --> 00:46:55.510
applause
Halderman: Thank you. So there is hope though. I
00:46:55.510 --> 00:47:01.250
want to end on a message of hope, because
despite this, with all of these different
00:47:01.250 --> 00:47:07.010
levels of rigor and of readiness across
the different states I believe we need
00:47:07.010 --> 00:47:12.020
more national leadership, national
standards, and national resources thrown
00:47:12.020 --> 00:47:18.670
into securing elections. And a bill to do
just these things made a lot of progress
00:47:18.670 --> 00:47:24.029
in the Senate during the past term. This
is a bill called the Secure Elections Act
00:47:24.029 --> 00:47:29.890
that was introduced by Senators Lankford,
Republican of Oklahoma, and Klobuchar,
00:47:29.890 --> 00:47:35.290
Democrat of Minnesota. And it ended up
gathering a large number of bipartisan
00:47:35.290 --> 00:47:41.400
sponsors, split evenly between Republicans
and Democrats. It would have required
00:47:41.400 --> 00:47:46.410
states to adopt paper, to adopt strong
audits, and to adopt stronger information
00:47:46.410 --> 00:47:50.710
sharing practices to let each other and
the federal government know if they saw
00:47:50.710 --> 00:47:57.869
signs of people trying to break in. This
bill made it a long way, but unfortunately
00:47:57.869 --> 00:48:03.400
got stuck in the committee after some
opposition from the White House just days
00:48:03.400 --> 00:48:07.520
before it was going to be marked up and
hopefully then make its way to the
00:48:07.520 --> 00:48:12.760
floor. But this shows that bipartisan
cooperation is possible even in this
00:48:12.760 --> 00:48:17.069
Congress, and that there are a lot of
serious people who now realize that
00:48:17.069 --> 00:48:22.160
election cybersecurity is a matter of
national security and defense. I think in
00:48:22.160 --> 00:48:26.460
the next Congress there's a good
possibility that we will see effective
00:48:26.460 --> 00:48:31.970
legislation to provide national standards
and leadership for elections. But it's a
00:48:31.970 --> 00:48:39.299
question of threading a political needle
and getting Congress to act. So to defend
00:48:39.299 --> 00:48:44.599
our elections we don't need rocket
science. We need simple steps like
00:48:44.599 --> 00:48:51.420
applying security best practices and
expertise to secure registration servers,
00:48:51.420 --> 00:48:56.430
adopting a paper record of every vote, and
applying simple post-election audit
00:48:56.430 --> 00:49:01.860
techniques to make sure the paper record
is right. If we do these things well we'll
00:49:01.860 --> 00:49:07.569
have a much more robust and evidence-based
election system that can detect and
00:49:07.569 --> 00:49:13.010
recover from attack attempts.
Unfortunately today our dialogue about
00:49:13.010 --> 00:49:18.170
elections isn't based on evidence. It's
largely based on faith: on faith in the
00:49:18.170 --> 00:49:23.641
democratic process, on faith in the people
and the technology that's responsible. But
00:49:23.641 --> 00:49:29.410
I think voters deserve better. Voters
deserve, if they're reasonably skeptical,
00:49:29.410 --> 00:49:33.550
to have it proven to them that the
election result was right, and that is
00:49:33.550 --> 00:49:38.480
possible with simple and practical
technology that we have today. All it's
00:49:38.480 --> 00:49:43.170
going to take is national leadership to
make sure that all states, even states like
00:49:43.170 --> 00:49:49.880
Georgia, adopt the necessary protections
soon. So what can you do? Well as a hacker
00:49:49.880 --> 00:49:55.250
or a computer scientist you can work with
your election officials to help explain
00:49:55.250 --> 00:50:00.420
the technology, the threats, and the
defenses. You can work to explain the
00:50:00.420 --> 00:50:05.640
threats to the public, because we all need
to understand, just as a matter of modern
00:50:05.640 --> 00:50:10.540
civics, how elections can be attacked and
defended. You can work to build better
00:50:10.540 --> 00:50:15.720
ways to use technology to make voting on
paper easier and more efficient. While
00:50:15.720 --> 00:50:20.450
technology can help voting in a lot of
ways, just... we shouldn't trust it as the
00:50:20.450 --> 00:50:26.369
only way in which votes are counted and
results are determined. And as a citizen,
00:50:26.369 --> 00:50:30.559
well, you can demand that election
authorities implement paper and risk
00:50:30.559 --> 00:50:34.690
limiting audits. Get involved through
activist groups to help campaign for
00:50:34.690 --> 00:50:41.040
protections like this, and especially
please urge the U.S. Congress to pass
00:50:41.040 --> 00:50:45.730
legislation like the Secure Elections Act
and similar bills to make sure that
00:50:45.730 --> 00:50:51.720
election systems across our country
achieve these security properties. You can
00:50:51.720 --> 00:50:56.770
learn more from an online course I have
for free on Coursera called Securing
00:50:56.770 --> 00:51:02.230
Digital Democracy that provides several
weeks' worth of material about the history
00:51:02.230 --> 00:51:07.589
and the technology of election defenses.
But we've got to get going. It's only been
00:51:07.589 --> 00:51:12.089
two years, believe it or not, since Donald
Trump became president, and it's only
00:51:12.089 --> 00:51:16.289
about 22 months until the next
presidential election. It's time to get
00:51:16.289 --> 00:51:18.480
moving. Thank you.
00:51:18.480 --> 00:51:30.660
applause
00:51:30.660 --> 00:51:39.020
Herald Angel: thank you very much. What I
got from this talk is it takes 27,400
00:51:39.020 --> 00:51:46.510
people, so we have to scale up Congress.
We're going to do a Q&A. And I think we'll
00:51:46.510 --> 00:51:52.561
just start with Mic number two
because I can see that one.
00:51:52.561 --> 00:52:00.410
Question: Thanks for the great talk. What
if someone targets the-- Mic problems
00:52:00.410 --> 00:52:06.899
Mumbling
Herald: Um, we need mic #2 live.
00:52:08.359 --> 00:52:10.869
Question: Does this work? Hello?
silence
00:52:15.519 --> 00:52:18.499
Angel: Try again
Question: Hello? Ok great. Thanks for the
00:52:18.499 --> 00:52:23.520
great talk. What if someone targets the
randomness in your risk-limiting audit?
00:52:23.520 --> 00:52:27.431
Question: Doesn't that pose a vulnerability?
Speaker: Oh yes. Definitely you need to have
00:52:27.431 --> 00:52:31.740
a secure randomness in whatever auditing
method you're doing if it's going to be by
00:52:31.740 --> 00:52:37.760
a statistical sampling. That's one reason
why the auditing techniques that Colorado
00:52:37.760 --> 00:52:43.289
practices, they actually have a public
ceremony in which officials throw dice in
00:52:43.289 --> 00:52:48.520
front of TV cameras in order to pick the
random seed. But a lot of thought has to
00:52:48.520 --> 00:52:53.260
go into designing that process well, so
that it's not only truly random but also
00:52:53.260 --> 00:52:57.230
something that people can know and believe
is truly random. Thank you
00:52:57.230 --> 00:53:06.029
Angel: OK Mic number six
Question: Thank you so much for the talk.
00:53:06.029 --> 00:53:10.799
You spoke about how in Georgia the
disclosure of vulnerabilities was
00:53:10.799 --> 00:53:18.150
punished, almost. Is there any talk or
movement towards having something like bug
00:53:18.150 --> 00:53:23.970
bounties for Election Systems?
Speaker: Yes in fact there is another bill
00:53:23.970 --> 00:53:29.390
that was introduced in Congress that would
do just that, and establish a kind of bug
00:53:29.390 --> 00:53:36.441
bounty program. I'm not sure that that
idea yet has a lot of legs, but I think it
00:53:36.441 --> 00:53:41.819
would help. I think right now though we
don't really need all that much more
00:53:41.819 --> 00:53:47.369
incentive for people to want to try to
help secure democracy. A lot of people,
00:53:47.369 --> 00:53:51.829
including I'm sure a lot of people in this
room, would gladly volunteer to do so. We
00:53:51.829 --> 00:53:55.940
need a way of organizing that effort and
making sure that people can discover and
00:53:55.940 --> 00:54:00.980
report problems without fear of having it
turn into some political weapon to be used
00:54:00.980 --> 00:54:05.150
against them.
Angel: Mic number one
00:54:05.150 --> 00:54:10.930
Question: Hey thanks for the talk. Like
the case in Georgia doesn't sound that
00:54:10.930 --> 00:54:14.529
terrible because like in Lithuania a couple
of years ago we've had this issue where you
00:54:14.529 --> 00:54:20.510
just didn't need to change the URL you
just had to refresh the page and here
00:54:20.510 --> 00:54:29.230
you go. You have the information about a
different citizen. My question is, like,
00:54:29.230 --> 00:54:35.799
what if the paper trail leads to the
knowledge that the election was rigged in
00:54:35.799 --> 00:54:41.200
some particular area like two years after
the election or like one year after the
00:54:41.200 --> 00:54:43.609
election? What happens then? Does it
change anything?
00:54:43.609 --> 00:54:49.480
Speaker: A year or so after an election
would be a great catastrophe if we only learned
00:54:49.480 --> 00:54:53.579
then that the political leaders were not
legitimately elected. We don't really have
00:54:53.579 --> 00:55:01.630
any precedent for that. That's why the
recommendation and what some states like
00:55:01.630 --> 00:55:05.200
Colorado are starting to do as they're
implementing stronger audits, is to make
00:55:05.200 --> 00:55:09.640
sure the audits are completed as soon as
possible, ideally before the election
00:55:09.640 --> 00:55:16.769
results are certified. I recently came out
with a paper with Philip Stark and Ron
00:55:16.769 --> 00:55:21.640
Rivest that gives an audit system that you
can start doing even the moment polls
00:55:21.640 --> 00:55:27.849
close on election night and perhaps have,
in a not so close election, a full complete
00:55:27.849 --> 00:55:33.800
audit by the time results are announced on
election night. So it's possible to do it
00:55:33.800 --> 00:55:39.900
quickly with sufficient organization.
Angel: OK. Microphone number 8
00:55:40.770 --> 00:55:50.380
Question: Hi I'm curious about the
attribution of attacks. Is there possibly
00:55:50.380 --> 00:55:56.730
any instance at which you would be not
sure that it was Russia that performed the
00:55:56.730 --> 00:56:03.320
attacks, or maybe it was China. So how do
you know that it was exactly Russia, or
00:56:03.320 --> 00:56:10.799
China or India?
Speaker: So all we have to go by really is the
00:56:10.799 --> 00:56:16.160
assertions of our intelligence agencies in
the U.S. and in some cases like for the
00:56:16.160 --> 00:56:21.000
Democratic National Committee breaches the
assertions of private security firms that
00:56:21.000 --> 00:56:26.560
were involved in the investigations. I
agree with you, attribution in general is a
00:56:26.560 --> 00:56:32.390
darn hard problem. But if you're willing
to accept the credibility of the
00:56:32.390 --> 00:56:37.119
intelligence reports and read between the
lines just a little bit it looks like the
00:56:37.119 --> 00:56:43.279
reason, the basis for their attribution, is
largely not technical but based on
00:56:43.279 --> 00:56:47.339
intercepted communication of people who
were involved in organizing the attacks in
00:56:47.339 --> 00:56:52.590
Russia. And I think more information about
that is likely to come out as the Mueller
00:56:52.590 --> 00:56:58.500
investigations proceed. So I mean there's
some necessary grain of salt. You can see
00:56:58.500 --> 00:57:04.869
what incentive people might have to try to
trump up, so to speak, the involvement
00:57:04.869 --> 00:57:08.900
of Russia. But you can also see in the
current political climate why at least the
00:57:08.900 --> 00:57:14.200
executive branch would have a reason to
try to tone down allegations of Russia's
00:57:14.200 --> 00:57:20.160
involvement. So you'll have to interpret
the weight of the evidence as you will.
00:57:20.160 --> 00:57:24.640
Angel: OK, the last question
from the Internet.
00:57:24.640 --> 00:57:28.650
Angel: We're running out of time. Sorry.
Question: Has any organization or group
00:57:28.650 --> 00:57:32.079
unveiled a voting machine designed to
address all of the security issues that
00:57:32.079 --> 00:57:35.059
you have brought up here? Is there a
solution to the problem?
00:57:35.059 --> 00:57:38.730
Speaker: I'm sorry could you repeat the
beginning of that question?
00:57:38.730 --> 00:57:43.119
Question: Has any group or organization
unveiled a voting machine that is designed
00:57:43.119 --> 00:57:46.470
to address all of those security issues
that have grown up?
00:57:46.470 --> 00:57:52.329
Speaker: OK so there are efforts to
develop voting machines that are based on open
00:57:52.329 --> 00:58:00.490
source software, that are based on better
validated software. Ben Adida, a researcher
00:58:00.490 --> 00:58:07.089
in this area who has done a lot of great
work is one person who's recently launched
00:58:07.089 --> 00:58:13.740
an effort to do that, although there are
others. And I think that will help. But at
00:58:13.740 --> 00:58:17.809
the end of the day I think however well-designed
the software in our voting
00:58:17.809 --> 00:58:22.160
machines is, that can raise the bar for
attacks, but it's never going to be enough
00:58:22.160 --> 00:58:27.160
to also be able to convince skeptical
voters that everything is OK, because,
00:58:27.160 --> 00:58:31.109
well, among other things, how do you know
that that software is really what's
00:58:31.109 --> 00:58:36.530
running in the machines that are counting
your votes? So there's a lot we can do to
00:58:36.530 --> 00:58:41.750
make voting machines better. At the end of
the day they're also going to have to have
00:58:41.750 --> 00:58:47.709
that paper trail and those statistical audits
so that everyone can believe the results.
00:58:47.709 --> 00:58:52.259
Angel: Thank you very much.
That concludes the talk.
00:58:52.259 --> 00:59:00.219
Speaker: Thank you.
applause
00:59:00.219 --> 00:59:04.940
Angel: I think you'll be around for a few more
answers on the Congress, so everybody who
00:59:04.940 --> 00:59:08.750
is here can ask questions in person.
Speaker: I will and hopefully tomorrow
00:59:08.750 --> 00:59:11.799
there'll be a Diebold voting machine
somewhere around here for everyone
00:59:11.799 --> 00:59:16.220
to hack themselves. Thank you again.
Angel: Let's hack that thing.
00:59:16.220 --> 00:59:20.380
postroll music
00:59:20.380 --> 00:59:39.000
subtitles created by c3subtitles.de
in the year 2018. Join, and help us!