Trust, but Verify: Maintaining Democracy Despite Информационные контрмеры


Posted on in Podcasts

 

In this podcast, we discuss how countries have influenced worldwide elections historically and in modern day using cyberwarfare. We explore how countries and critical infrastructure respond to these attacks and how they should respond in the future. By the end, we brainstorm the ways to disrupt a future election in order to understand how to better protect it.


Podcast Transcript

Introduction:
You're listening to the RSA Conference Podcast, where the world talks security. (music)

Kacy Zurkus:
Hello listeners, and welcome to this installment of our RSAC 365 podcast series. We have a great podcast lined up for you today, looking at how to improve election security with our guests, Allie Mellen, and Geoff Hale. Here at RSAC we host podcasts twice a month, and I encourage you to subscribe on SoundCloud or your preferred podcast app so you can be notified when new tracks are posted. And now I'd like to ask Allie and Geoff to take a moment to introduce themselves before we dive into today's topic. Allie, let's start with you.

Allie Mellen:
Hi everyone. My name is Allie Mellen. I'm an analyst on the security and risk team at Forrester covering security operations. In previous roles, I've worked with the FBI, Secret Service, local and state governments to prepare for Election Day. Happy to be here.

Geoff Hale:
Thanks Kacy, for having us. I'm Geoff Hale, I serve as the director of the Election Security Initiative at the Cybersecurity and Infrastructure Security Agency's National Risk Management Center. So here we work to build security and resilience to cyber, physical, mis- and disinformation threats to ensure that we have continued security of America's elections.

Kacy Zurkus:
Welcome both of you. I'm super excited to have you here. Geoff, I'd like to start with you when we talk about election infrastructure as critical infrastructure, what exactly are we referring to?

Geoff Hale:
Yeah, thank you. That's a great question, and it seems like a lifetime ago that in January of 2017, DHS designated elections infrastructure as critical infrastructure. And that designation was largely in recognition that state and local election officials should not be expected to combat sophisticated state sponsored threat actors, alone.

Geoff Hale:
So in reaction to the activity seen in the 2016 election, DHS wanted to prioritize support to this sector. So election infrastructure was encompassing the technologies, equipment, processes, locations, facilities that helped to prepare for and administer elections. So we're talking about voter registration databases, the business IT systems, the vendor community that supports election administration, election night reporting, canvassing equipment, including some interactions with things like USPS. And now it's by mail. When we rolled that out, there was honestly a lot of confusion about what that designation meant. It wasn't about new regulations or any new authorities for the federal government. For my organization it really allowed us to prioritize being able to provide support to state and local governments in their responsibilities... their authority to administer elections. So it allowed us to understand the risks to their system, prioritize the no-cost services, both cyber and physical services that we provide and to help coordinate the federal effort in support of this community and the threats they face towards elections.

Allie Mellen:
I absolutely agree with Geoff and I would love to add something to this. One of the things I've seen in my research is that election season, it doesn't solely affect government organizations. In fact, in many cases, critical infrastructure providers like financial services, some tech companies and broadcasters are affected as well. This is in part due to globalization and also due to how interconnected we've become in our own country. The line between private and public services can get quite blurry, especially when it comes to attacks that are looking to affect society as a whole.

Allie Mellen:
For attackers election season is an opportune time to target the different planes of our society, whether they be the physical, the information, or even our identity. We've seen throughout history attacks targeting our elections and other important events that affect each of these planes. Now, with the advent of the internet, we have the ability to spread information widely and easily making this even more straightforward. And when we think about election infrastructure, I also consider critical infrastructure providers, whether they are private or public, and the security considerations they should have prior to Election Day.

Kacy Zurkus:
So there's just a lot encompassed in that election infrastructure, critical infrastructure. Geoff, I want to follow up with you on that and how the federal government works with state and local election officials, and to Allie's point the private sector to protect and build resilience to election infrastructure against adversaries.

Geoff Hale:
So understand that states and especially locals own, operate, administer, run elections. They have primary responsibility. The federal government can only do so much to assist, but we have recognized them as a wonderful and receptive audience to a lot of the benefits, the value that the federal government can provide. So in our efforts to help protect election infrastructure, we work closely with the Federal Bureau of Investigation, the Department of Justice, the Intelligence Community, to help understand the active threat environment targeting elections and communicate that back to election officials so that they can make risk management decisions on how to best protect their systems. What choices they make to implement, how they choose to apply security controls, the procurement decisions they make are all key and should be threat-informed in addition to all the other operational risks they have to consider.

Geoff Hale:
Here, at CISA, again, we offer no cost, voluntary, and confidential services. We provide phishing campaign assessments, cyber hygiene scans, penetration tests, physical security services, expertise from our field staff, cybersecurity advisors, protective security advisors, to really understand the local environment. All elections are local. So understand the needs of that community and be able to help them advise on managing their risks. We also fund things like the establishment of the Election Infrastructure Information Sharing and Analysis Center, which is just kind of a best practice for critical infrastructure and its ability to tailor threat and cyber-threat indicators for a particular critical infrastructure community and get that incisive to a broad stakeholder group. We're happy to have done things like host nationwide exercises. We actually, in the middle of July, just wrapped up our fourth iteration of a national exercise with more than 45 states and a thousand election participants across the country. And so we're really trying to advance the security and resilience of this community as much as possible.

Geoff Hale:
A lot of those traditional, kind of, physical vectors in cybersecurity vectors are easier to address given that we have a greater body of knowledge on how to assist critical infrastructure community against those risk disciplines. The emergence of mis- and disinformation is a bit of a new one, especially for the federal government. Our election officials are telling us, our partners are telling us, that this is one of the top threats across the election community. And they're looking for ways to promote trusted authoritative information in order to help make a more resilient public, to foreign influence operations, to disinformation campaigns, that really serve to undermine the democratic process. So here at CISA we've done things like free graphic novels that show the impact, anecdotally, that MDM, that mis-, dis- and mal-information can have in a particular environment. We've applied things like CISA's Rumor Control, which was a website where we pointed to active counter-messaging of trusted sources of information on narratives that we'd seen across the information environment.

Geoff Hale:
And really we look to put information in the hands of election officials so that they're better positioned to debunk information. All of this happens in an environment where we've seen multiple advanced, persistent threat actors targeting this community. Often people think of Russia, but in the 2020 cycle, Iranian cyber actors were very active. One of the areas that was really a success story was in their influence activities. Within hours of Iranian cyber actors, pretending to be the Proud Boys, sending emails directly to the voting public in a threatening manner. Like "you shall vote this way. We know how you are going to vote. We can see everything behind the scenes. Do this or else." The public reported those to election officials. Election officials reported those to the FBI. And within 27 hours, the intelligence community had attributed those emails to Iranian cyber actors. We were able to brief back out to the election community and then brief out to the public that there were influence activities going on. And I hope that's precedent-setting for how we're able to garner federal resources to provide as much transparency to election security as possible.

Kacy Zurkus:
Yeah. I mean, that's all really impressive stuff. And I actually loved hearing that, the exercise that you completed in July had 45 states and a thousand election participants. That's really impressive at a national level. Allie, perhaps you can help us widen the scope because Geoff really laid out a barrage of efforts that are being put forth to combat these adversaries. And I'm hoping maybe you can maybe widen the scope a little bit and give a more global perspective on how countries around the world have influenced worldwide elections historically. And then maybe perhaps give our listeners a deeper understanding of what's changed with modern day cyber warfare.

Allie Mellen:
Absolutely. What's really critical to note here is that election security and election attacks have been around for a lot longer than the internet has been around. The Cold War is a great example of a time when these types of attacks were quite rampant. Governments, especially superpowers, used a variety of means whether it be physical or through the spread of disinformation to change elections without the internet at all.

Allie Mellen:
One example of this is an attack that took place in Italy in 1948. This one is particularly funny to me because my grandfather was actually growing up there at the time. And he's always told me that he knows everything about Italy, but even he didn't know about this when I told him about it, so. (laughs) The United States and the Soviet Union were intent on interfering with the Italian elections of 1948 through psychological warfare. They actually launched a massive propaganda campaign that was meant to change the perception of the election into a fight between democracy and totalitarianism, which the US likened to Christianity versus Atheism and abundance versus starvation. And, it worked, the US was able to secure victory for the Christian Democrats away from the Communist Party of Italy.

Allie Mellen:
And it ultimately worked so well that they actually kept using this tactic in Guatemala, in South Vietnam and Afghanistan, in Indonesia, and in many, many more countries. This is just one example, but there are many, many more throughout history from a variety of different countries. What has changed with modern day cyber-warfare is the ability to target these countries from anywhere over the internet. It's made attacks like these so much easier than they were before, and has also opened up new opportunities to target physical systems connected to the internet that they wouldn't have had access to a hundred years ago without being physically present there.

Kacy Zurkus:
It's so interesting to think about the evolution of the way that technology just helps and... unfortunately helps and assists these attacks on elections. But I love framing it from that historical perspective that this isn't anything new. It's just that technology has influenced changes in the way that adversaries are attacking. Geoff, can you talk a little bit about what election-specific infrastructure is vulnerable to attack and what countries are doing, or specifically what the US is doing to respond to these attacks when they happen?

Geoff Hale:
Thank you. And I completely agree with what Allie said. Technology has increased the scale to which election infrastructure is accessible by the internet, and really that's where it reaches thresholds of concern for national security. Right now we have physical access to systems, cyber access to systems, physical threats to election officials and mis- and disinformation as primary concerns for election systems. Oftentimes people talk about... actually in 2020 election night reporting. So those unofficial results on election night, all before the election has been certified were a main target for perceived accuracy and integrity of the election. Now, remembering that those are unofficial, that represents an easy opportunity for an influence campaign where you can easily have fat fingered the wrong number, or it's a delayed reporting processes. It's obviously a reporting system in the moment. So it's prone to human error often, and this has been seized upon, particularly as it gets picked up in different media in the moment that it's an indication of vulnerable systems across election infrastructure.

Geoff Hale:
Oftentimes we do want to apply security controls to help make that a best practice. But, the fact that that is an unofficial system means that we need to dedicate far more attention towards the actual integrity of the process. So we put a lot of security controls around voter registration databases, because all information seems to flow from that system. And the ability to protect that has a vast impact on access to vote on the ability to cast and tabulate and all the downstream processes. Other than that, we've seen, as I mentioned, a lot of threats to election officials recently. So there's an environment where you're kind of leaning on the judge in this way. So making it... the environment feel unsafe for election officials. We have not seen what an operational risk environment that creates for election officials, but the federal government has taken that seriously and looking for ways to help ensure that they have the physical security assessments, the capabilities, and the knowledge to better protect themselves and their offices and staff at the same time.

Allie Mellen:
I'm so glad that you brought up the actual physical threats that are being placed on election officials. That's just, when that was happening during the 2020 election, that was one of the most horrifying parts to me because they're entirely innocent people just trying to do their jobs and they're being targeted by any number of sources. I think what I'm really curious about in that context is, and this is a bit of a tangent but, in those situations, are those mostly foreign actors or are those actors with their own country? That type of thing I think is so interesting and also horrifying. And I wish that there was a way to stop those types of threats from being issued. In addition to what you were mentioning, a variety of different critical infrastructure is inevitably involved in modern day cyber-warfare. And we've seen this with the ransomware attacks on Colonial Pipeline and JBS just as some examples. However, these have not been targeting Election Day specifically.

Allie Mellen:
When it comes to elections, as I talked about a bit earlier, election season is such an opportune time to target the different planes of our society, whether it's the physical, the information or the identity of the country. We see the focus on critical infrastructure providers really being around things like broadcasters, social media networks, of course, which at this point have become a form of critical infrastructure on their own. We've also seen financial service providers targeted as well as email services. These targets and the attacks that are perpetrated against them are ultimately meant to cause confusion on Election Day and raise doubts about the validity of elections, which it sounds like Geoff was hearkening back to as well.

Kacy Zurkus:
And so Allie, I'm going to follow up there and maybe get your comments on how countries should be responding in these situations. And also maybe you can share with our listeners a little bit more about how other countries can actually disrupt an election.

Allie Mellen:
Absolutely. And I want to give you two recent examples. The first is the 2014 Ukrainian elections. So on May 21st, 2014, several days before the Ukrainian elections, attackers compromised the Central Election Committee of Ukraine's network and disabled vote counting. Now this is the official Election Committee Network, and so this is the type of attack that automatically makes citizens lose faith in the government's ability to protect the election. (laughter).

Allie Mellen:
Just a few days later, it got a lot worse. On Election Day, which again was just a few days after the vote counting was disabled, attackers targeted the CEC website with a denial of service attack. Just 12 minutes before the polls closed, attackers posted a photo of the former leader of the Right Sector on the CEC website claiming he'd won the election, even though he had not. Right at that moment, Russian media shared that widely. This can cause significant confusion and also caused citizens to lose faith in the validity of their elections. And further, it could have stopped people from going to vote at all because the polls were still open, people could have still gone to vote, but they were getting messages saying that this individual had won the election, even though they hadn't.

Allie Mellen:
So the second example is actually not on Election Day, but I want to bring it up because it's a great representation of what could happen when you mix cyber attacks and physical attacks, which is the Bronze Night in Estonia in 2007. Taking things way back to just after World War II, the Soviet Union placed a statue of a Red Army soldier in the center of the capital of Estonia. They claimed this was meant to symbolize liberation from the Nazis. However, for the people of Estonia, this statue signified something different, ultimately continued Red Army oppression. Fast forward to 2007, the Estonian government decided to move the statue to a nearby Soviet cemetery instead given its history. However, the night of the move protests began to break out among Russian speaking individuals in Estonia. Fake news began to spread from Russian news reports, claiming the statue and Soviet war graves were being destroyed, even though they weren't.

Allie Mellen:
And at the exact same time banks, media outlets, and the government were hit with another denial of service attack, which took out ATMs and online banking, took down the email of government employees, and prevented newspapers and broadcasters from delivering the news of what was actually happening on the ground, leaving the Russian media spreading disinformation and not being the only source of information about what was happening in the country. This resulted in two nights of riots and looting with 156 people injured, one person died and a thousand people were detained. This is the type of damage and chaos you can cause when you combine physical violence with cyber attacks and is a good example of how attackers can use this type of combination to cause a lot of chaos and to also prevent even basic communication from happening between government officials. That's the type of thing that could be very, very impactful on Election Day. And we should be preparing for in the private sector in order to prevent this ahead of time.

Kacy Zurkus:
What's really interesting to me is that, in listening to both of you and in so many other conversations that I've had with folks about election security, it seems like the greatest risk or threat to elections is that ability to compromise trust in the integrity of an election. And it's concerning just from a personal point of view because you can use technology and tools to protect against a cyber attack, but manipulating people's minds is so much harder to protect against, and it seems like a real uphill battle. So I don't quite know what the solution to that is, but we rely on you for that (laughter). So I'm going to pose a question to both of you, but let's start with Geoff and take a more narrow view of how the United States can better protect against these disruptions, including disruptions of trust. And then Allie, maybe if you could offer a more global perspective that builds on Geoff's guidance. That would be great.

Geoff Hale:
I mean, thank you, Kacy. And Allie just gave two excellent examples of how trust is easier to target than some of the infrastructure itself. And in many cases, the elections especially are an exercise in trust. So how do election officials... how can election officials implement the secure practices that enable them to rebuild trust in the process? From a CISA perspective, we believe strongly in software independence. That effectively means that an undetected error in the system can't result in an unobservable error. So ultimately this becomes an exercise in how can you audit elections to make sure that the systems behave the way they are supposed to. Right now that means paper audit-ability. There's some promising technologies in end-to-end encryption that may eventually provide some innovation across the sector. But for the moment, the ability to go back and recount and verify and audit that these systems are behaving the way they are supposed to is essential to rebuilding trust.

Geoff Hale:
We also see exercises like moving to a managed top-level domain. We advocate for the .gov, being that these are government systems. So it makes it more difficult for election websites to be spoofed. Exercises that we've seen that are really easy to make an authentic looking website when you're just operating off your county name.com. So moving to a managed top-level domain has a significant impact in the ability for the public to know that they are receiving emails from a trusted source, that they're on a website that is a trusted source, particularly as government election officials.

Geoff Hale:
We also think that there's a lot of just basic cyber practices that can support this. Better patching systems, embracing the information sharing environments. I know that in InfoSec, the pendulum swings whether information sharing is in vogue or not, but as a federal agency, if I have strong information to get to you that my partners at the intelligence community have provided, have specifically declassified for the protection of elections, I'm going to use those channels of information channels that already exist. So this is where it's key for all of our partners to sign up for things like the Election Infrastructure Information Sharing and Analysis Center to engage with us on exercises to know our... cybersecurity advisors and protective security advisors so that we can get them that tailored information that they need so that they have awareness of the threats going on and have taken actions to protect their systems.

Allie Mellen:
When it comes to a global perspective on protecting against election disruptions, it ultimately needs to be a joint effort between nations and the private sector. The biggest threat, Kacy, as you mentioned, that we face today is disinformation, degrading faith in our elections, in our democracy and in our values as a country. The private sector, especially social media companies, must do a better job of fighting disinformation. There is no other option.

Allie Mellen:
And on the flip side countries must work together and work with the private sector to condemn and prevent the spread of disinformation, to build transparency in the processes of our election, much like Geoff was saying, and hopefully in some ways to create trusted resources that the public can access to promote what is actually true and accurate. A worst case scenario is when an individual sees disinformation and has no other way to confirm its validity. We need to build personal connections in our community to make sure that there is some other way that they can confirm or deny potential misinformation.

Kacy Zurkus:
And so, you know, looking forward, Geoff, we obviously have upcoming elections in the United States that are ongoing, right? And to Allie's point, election season is when these threat actors see as most opportune. So how is the United States preparing for coming elections?

Geoff Hale:
I think there's a lot of progress and implementing priorities already. I recently just butchered the term of software independence and being that Ron Rivest was one of the people to coin it, I feel like I've got to clarify that. (Laughter) Some of the progress is around audit-ability in elections. Recently, the Voluntary Voting System Guidelines 2.0 was adopted. Part of that is the concept of software independence, where it's really about a voting system operating. It is software independent if an undetected change cannot cause an undetectable error in the end result.

Geoff Hale:
So again, how do you know that you can trust that system? We're really promoting auditable systems. I think we'll start to see VVSG 2.0 compliant systems roll out just before 2024, but really that has a longer horizon for the systems to be deployed. Working with election officials across the community to increase confidence in the integrity of the electoral system and combat mis-, dis- and mal-information. Giving them the tools and the awareness to not just develop general resilience and improve media literacy, but also the insights into what aspects of their infrastructure, where their process, their trust environment, are most likely to be attacked.

Geoff Hale:
A lot of the narratives that we saw in 2020 aren't new to 2020, they were rehashes and kind of old conspiracy theories that took slightly new forms. It's a bit of a game of Mad Libs. You insert a new dictator. You describe a new state or a new country's involvement. But these same conspiracy theories have been around for many, many years. I'm sure that Allie's probably seen them across the globe in similar respects. But here we're trying to help our stakeholders understand how they can be effective advocates for the truth in the processes that they administer. We're really focusing on reaching out to small and mid-sized election jurisdictions to bring them into the fold, the information sharing community, to make sure that they have the tools and resources necessary. Taking cyber hygiene, taking cybersecurity seriously on their systems, making sure they have the proper incident response planning and partnerships established before the election and that they know how they're going to respond when a community asks them to verify the integrity of their election.

Kacy Zurkus:
I think that should be, this is hashtag effective advocates for the truth. I love it. (laughter) That's a good goal. And what is fascinating me about this conversation is that to Allie's point, no one is alone, right? And this need for collaboration and countries working together is so important because this isn't a singular target or a singular country that is being targeted. It is a global issue that really working together and being global effective advocates for the truth can hopefully advance and work towards solving. Thank you so much for being here. Before we wrap up, do either of you, Allie and Geoff, have any closing words for our listeners? Allie, we'll start with you.

Allie Mellen:
Yeah, absolutely. Thank you. Yeah. I love that "effective advocates for the truth." That's fantastic. (laughter) There are three things I want to leave you with that we can start doing today to make a change here.

Allie Mellen:
The first is, it sounds obvious, but it's secure your system. Whether you're an individual, an employee at a business or a member of government consider the election security implications of your work and how you can help protect your country, including things that we didn't even mention here today. What did we miss today?

Allie Mellen:
The second thing is to work with the government whenever possible. I'm personally part of a group called InfraGard, which is a public-private partnership focused on information sharing. And it's such a great group to be involved in if you work in critical infrastructure and lets you share information about attacks with the government and have a direct line of communication to them. But it doesn't always have to be at the federal level. It can just be your local government or whatever makes the most sense for your role and your community.

Allie Mellen:
Lastly, and most importantly, is to work to fight disinformation. Consider whether something is just hitting an emotional chord with you or whether it's actually logical and truthful before you click on it, before you read it, before you share it. This is really important, no matter where on the political spectrum you are. Disinformation can affect all of us and being mindful on the internet is critical. Think before you click. And also just as Geoff said, be a trusted resource to your friends and family and be an advocate for the truth.

Geoff Hale:
That was fantastic, Allie. I don't have a lot to add there. I imagine that, like ourselves, listeners of this podcast have a particular bent towards cybersecurity. Be a cybersecurity advocate for election officials. All elections are local. You can easily engage your local election officials, your county clerks, your state election officials and state election directors, in many states the Secretary of State, to understand what the needs are. Each election seems simple, but in reality, we've learned at CISA how complex the policy environment across all 50 states, all 8,000 election jurisdictions, can be. So many times it is the unique needs of an election jurisdiction that has to be met. So I encourage the proactive, positive engagement with election officials to understand how you can help. And then with that engagement, I assume that the education of how elections are administered will be improved and everyone will be in a better position to understand the intricacies of how elections are administered and how we can trust them.

Kacy Zurkus:
Geoff, Allie, thank you so much for being here today. I really appreciate the perspective that each of you brings and that we're able to look at this through the lens of not only our own United States government, but also the global perspective because we are where the world does come together to talk security. So I love being able to look through the lens at the wider spectrum. So thank you both so much for what you bring to the conversation. Listeners, thank you for tuning in. A reminder that here at RSAC we host podcasts twice a month and I encourage you to subscribe on SoundCloud or your preferred podcast app so you can be notified when new tracks are posted. Interested in being a guest on our podcast? Visit RSA conference.com forward slash become a contributor to learn more. Thank you.


Participants
Geoff Hale

Senior Cybersecurity Advisor, Cybersecurity and Infrastructure Security Agency

Allie Mellen

Analyst, Security and Risk, Forrester Research
