electronic voting

Spotlight Podcast: Taking a Risk-Based Approach to Election Security

In this Spotlight Podcast, sponsored by RSA, we take on the question of securing the 2020 Presidential election. Given the magnitude of the problem, could taking a more risk-based approach to security pay off? We’re joined by two information security professionals: Rob Carey is the Vice President and General Manager of Global Public Sector Solutions at RSA. Also joining us: Sam Curry, the CSO of Cybereason.

[Read the full transcript.]


With just over two months until the 2020 presidential election in the United States, campaigns are entering the final stretch as states and local governments prepare for the novel challenge of holding a national election amidst a global pandemic. 

As Election Threats Mount, Voting Machine Hacks are a Distraction

Lurking in the background: the specter of interference and manipulation of the election by targeted, disinformation campaigns like those Russia used during the 2016 campaign – or by outright attacks on election infrastructure. A report by the Senate Intelligence Committee warns that the Russian government is preparing to try to influence the 2020 vote, as well.

A Risk Eye on the Election Guy

Securing an election that takes place over weeks or even months across tens of thousands cities and towns – each using a different mix of technology and process – may be an impossible task. But that’s not necessarily what’s called for either.

Robert Carey RSA Security
Robert J. Carey is the  Vice President and GM of Global Public Sector Solutions at RSA.

Like large organizations who must contend with a myriad of threats, security experts say that elections officials would do well to adopt a risk-based approach to election security: focusing staff and resources in the communities and on the systems that are most critical to the outcome of the election. 

What does such an approach look like? To find out, we invited two, seasoned security professionals with deep experience in cyber threats targeting the public sector. 

Robert J. Carey is the  Vice President and GM of Global Public Sector Solutions at RSA.

Feds, Facebook Join Forces to Prevent Mid-Term Election Fraud

Rob retired from the Department of Defense in 2014 after over 31 years of distinguished public service after serving a 3½ years as DoD Principal Deputy Chief Information Officer.

Sam Curry, CISO Cybereason
Sam Curry is the CISO at Cybereason

Also with us is this week is Sam Curry, Chief Security Officer of the firm Cybereason. Sam has a long career in information security including work as CTO and CISO for Arbor Networks (NetScout)  CSO and SVP R&D at Microstrategy in addition to senior security roles at McAfee and CA. He spent seven years at RSA variously as CSO, CTO and SVP of Product and as Head of RSA Labs. 

Voting Machine Maker Defends Refusal of White-Hat Hacker Testing at DEF-CON

To start off our conversation: with a November election staring us in the face,  I asked Rob and Sam what they imagined the next few weeks would bring us in terms of election security. 

Like Last Time – But Worse

Both Rob and Sam said that the window has closed for major new voting security initiatives ahead of the 2020 vote. “This election…we’re rounding third base. Whatever we’ve done, we have to put the final touches on,” said Carey.

Like any other security program, election security needs baselines, said Curry. Elections officials need to “game out” various threat, hacking scenarios and contingencies. Election officials need to figure out how they would respond and how communications with the public will be handled in the event of a disruption, Curry said.

“The result we need is an election with integrity and the notion that the people have been heard. So let’s make that happen,” Curry said.

Spotlight Podcast: As Attacks Mount, ERP Security Still Lags

Carey said that – despite concerns – little progress had been made on election security. “The elections process has not really moved forward much. We had hanging chads and then we went to digital voting and then cyber came out and now we’re back to paper,” he said.

Going forward into the future, both agree that there is ample room for improvement in election security – whether that is through digital voting or more secure processes and technologies for in person voting. Carey said that the government does a good job securing classified networks and a similar level of seriousness needs to be brought to securing voting sessions.

“Is there something that enables a secure digital vote?” Carey said. “I’m pretty sure our classified networks are tight. I know we’re not in that space here, but I know we need that kind of confidence in that result to make this evidence of democracy stick,” he said.  


(*) Disclosure: This podcast and blog post were sponsored by RSA Security for more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.

As always,  you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloudStitcherRadio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted. 


Spotlight Transcript

[START OF RECORDING]

PAUL: This Spotlight edition of The Security Ledger Podcast is brought to you by RSA Security. RSA offers business-driven security solutions that provide organizations with a unified approach to managing digital risk that hinges on integrated visibility, automated insights, and coordinated actions. RSA solutions are designed to effectively detect and respond to advanced attacks, manage user access control, and reduce business risk, fraud, and cyber-crime. RSA protects millions of users around the world and helps more than 90% of the Fortune 500 companies thrive and continuously adapt to transformational change. For more information, visit rsa.com.

INTRO: [MUSIC] This is The Security Ledger Podcast and I’m Paul Roberts, Editor in Chief at The Security Ledger. In this Spotlight episode of the podcast:

ROB: The introduction of doubt is all you need, right? ëCause now we’re just gonna fight about is the result accurate at all, let alone somebody could be winning by a landslide. But they’ll introduce doubt that alleviates the ability to move forward and make a decision.

PAUL: With just over two months until the 2020 presidential election in the United States, campaigns are entering the final stretch as states and local governments prepare for the novel challenge of holding a national election amidst a global pandemic. Lurking in the background, the spectre of interference and manipulation of the election via targeted disinformation campaigns like those Russia used during the 2016 campaign or through outright attacks on elections’ infrastructure. Securing an election that takes place over weeks or even months across tens of thousands of counties, towns, and cities, each using a slightly different mix of technology and process may be an impossible task, but that’s not necessarily what’s called for either.

Like large organizations who must contend with the myriad of threats, security experts say that elections officials in the US would do well to adopt a risk-based approach to election security, focusing their staff and resources in the communities and on the systems that are most critical to the outcome of the election. What does such an approach look like? To find out, we invited two seasoned security professionals with deep experience in cyber-threats targeting the public sector into The Security Ledger studio. Robert Carey is the vice president and general manager of Global Public Sector Solutions at RSA. He retired from the Department of Defense in 2014 after more than thirty-one years of distinguished service and after serving three-and-a-half years as the Department of Defense’s Principal Deputy Chief Information Officer. Also with us for this podcast is Sam Curry, the Chief Security Officer of the firm Cybereason. To start off our conversation with a November presidential election just weeks away, I asked Rob and Sam what they imagine the next few weeks would bring.

SAM: My name is Sam Curry. I’m the Chief Security Officer for Cybereason and a visiting fellow at the National Security Institute.

ROB: My name is Rob Carey and I run the Global Public Sector Solutions business for RSA Security. In a past life, I was a former federal CIO.

PAUL: Thank you both and welcome to Security Ledger Podcast. I think I’ve had you both on individually but never together, so this is great.

ROB: Always good to come back and have a chat.

SAM: Absolutely.

PAUL: Yeah. It’s mid-August and everybody’s thoughts and attention are turning to the upcoming presidential election. One of the big concerns this year, as in past years, is cyber-tampering with election infrastructure, some kind of effort to influence maybe the outcome of the election. I had asked for each of you to give me your thoughts on the relative risk this year of election hacking and what your gut says about what 2020 is going to bring to us.

ROB: It’s a very good question, and I think we’ve already seen the rumblings of uncertainty surrounding the outcome. A fundamental of that is covid. Our pandemic has caused us to change the platform upon which we implement our vote and cast our ballots whether it’s in person or it’s via mail. The American citizen really demands confidence that their vote is submitted and it is submitted securely so that the electoral process can continue, can produce a winner, whoever that may be, and then the peaceful change of authority or continuation of authority on January 21st.

I think the risks that come about are really — further break that problem down into there are cyber-based risks and there are process-based risks, right? The cyber-based risks, we’ve already seen from our last election and some of the mid-term elections, the information warfare campaigns by some of our adversaries being highly successful. People see things on the internet and they believe them. The common person, the normal person out there wouldn’t know a modified website, the website. The basis of your understanding of what’s going on is being shifted which then introduces uncertainty about the outcome.

PAUL: Sam, I’m sorry, I interrupted you.

SAM: I’ll paraphrase Winston Churchill who quipped that democracy’s the risk from a government except for all those other ones.

ROB: But this is where it gets tested, right? It’s we the people, and this is how something as powerful and amazing as the United States chooses how the policies will be formed for the next four years. It’s how can you resist that as a target? Let’s not forget that back in the Cold War there were — nation states had propaganda campaigns. They sought to influence elections at the polls physically, and that fraud’s been going on even domestically for hundreds of years here in the US and elsewhere. The thing we all expected, of course, with the connected digital world was that democracy would be supported, that our values seemed to say that this is an inevitable thing, that we’ll become more open, more transparent, and democracy will be reinforced and that information ubiquity will make us all more intelligent and more informed. But the truth of the matter; there’s nothing inherently good or bad about the tech.

If you’re a bad guy out there right now, and I use the term terribly, right — I mean, if you’re a political interest, a hacker, a terrorist, a nation state, even a special interest group, the temptation is enormous to use the anonymity of the internet to get affected scale. Every election we’ve seen has seen an increase in — call it cyber-temperature. I love how you called out the fact that covid-19 is an external factor changing the way we do it anyway, because the big concern I have — I’m not actually concerned generally about cyber Pearl Harbors and things. I feel like we respond to those sorts of existential threats well as a society. My big concern is undermining the integrity of the election, affecting the processes of the democracy, that this is really critical for how we work and operate as a thing called the United States, and it will be at risk in 2020, but my big takeaway, and I hate to put something big upfront like this but maybe we can build on it, is we should be making very — as few changes as we can given we have to make some big ones to deal with covid.

It’s not the time for huge social experiments. It’s time to reinforce the way the post office works. It sounds boring but this is critical, and because frankly everyone has budgets — who wants to influence the government for the next four years — has budgets and tools and resources that are mature, and they’re gonna bring them to bear, and they’re gonna bring — we can talk about how infrastructure and application and propaganda, franchisement; we can talk about how that will happen, but I think it’s absolutely critical that we change as little as possible and have as much faith in the outcome of the election, no matter how it turns out, as possible.

PAUL: One of the core problems, one of the root problems, I think with many of these disinformation campaigns, and Robert, I think you’re right; if you look at 2016, it certainly wasn’t the case that there were widespread reports of tampering with vote infrastructure. It was more these social media influence campaigns and bots and fake sites and fake groups and so on. One of the underlying issues there, and I think that’s still a problem, is just information and media literacy that people really don’t — many people don’t understand the difference between a actual reported story by a credible news source and some incendiary thing on chowderheads.com or whatever that is circulating. I made that up. My apologies to the real chowderheads.com site, but you see these links and it’s like, what is that? That’s not a news site. But for many people, there is no difference between The Washington Post, New York Times, The Wall Street Journal, and chowderheads.com that showed up in my news feed, and they just circulate it around like it’s a deeply-reported investigative source of information.

SAM: Oh, yeah. It’s this confirmation bias. It’s echo chambers. The word ëfake news’ I think has hurt us. I like how the British have very formally said there’s this thing called misinformation or disinformation; let’s get specific. These are propaganda tools. The amazing thing is that we have all drifted over the course of the last, I’ll say decade so we even disentangle [00:10:00] it from the 2016 election, we’ve drifted to have different sources of trust. In other words, one person likes Fox News, the other likes MSNBC. Somebody likes to get their running online, and there’s some big implications in that, that people will cultivate resources just like they cultivate a botnet. They’ll cultivate social media resources and news networks with legitimate news and rebroadcast. Even interests; hey, if somebody determines that in a particular city there will be a swing vote and a class of voters — in the middle-class voters, let’s start something like a cooking interest and recipe club.

Then, that can be used on the day of the election to say hey, some reporters — some people were reported as sick at the local polling station and with the new mutant version of covid-19, don’t go in tomorrow. That group has now effectively been tipped just enough to get that extra thousand. It’s weaponized, right? To some extent, we — this is combined now with the fact we have a common [inaudible] around covid-19. The whole ëwho do we trust’; it’s almost we need to have new cyber-civic literacy. We used to have civics courses and cyber is now grossly underappreciated, but this whole plane of what’s happening on social media and it’s really memes, not pictures, but mimetically, what’s happening with idea-sharing and confirmation bias and other biases, there’s real thought and psychology behind it, how people are being abused as groups and taken advantage of.

ROB: Sam, you’re spot on. The use of the internet compared to, let’s say, twenty-five years ago before the internet, we got our election information from the evening news or the late night news or the newspaper; three sources, generally reasonably credible, and now there’s an explosion of electronic means to gather any information that might shift your psyche, the readers’ psyche. That information is able to be modified almost at will. That’s the part that — not saying people don’t understand that, but when people are on social media sites and they are picking up memes and other things as fact, it tends to alter where they go that day, what they do that day, what they might have for lunch. We’re in this — everything over mobile society. We stare at our smart phones almost hours and hours a day, so as you’re standing in the polling line, you may be staring at your smart phone. You could be influenced right before you walk in with information that may or may not be accurate, and that’s a — that is one of the risks.

PAUL: You’re listening to a Spotlight edition of The Security Ledger Podcast. This Spotlight podcast is sponsored by RSA Security. I think as Sam kind of suggested as well, many of these groups that are behind these whether they’re dark money groups or nation state actors or campaigns themselves, are playing a long game. Like Sam said, they might set up a presence online, a network of fake accounts or a group or what have you that seems completely innocuous, and their play is gonna be in the November 1st to 3rd window, and they might be utterly indistinguishable from other accounts until then. It’s this very — I’ve certainly seen many, many, as I’m sure you guys have, sock puppet accounts on Facebook that aren’t — don’t seem to be doing much. They’re kind of churning out either left wing or right wing stories at a pretty regular cadence, but don’t seem to be pushing disinformation per se; they’re just engaging in the conversation and building networks of friends. But my sense is these are gonna become activated at some point with some very specific information or some specific goal. It’s just not clear what that is.

ROB: As we are now, we’re just starting to groom the battlefield, if you will, or groom the population for the messages which are registering and which are not. As you get closer, you change your message.

SAM: Yeah. Look, guys, even before we had the internet, we would see honestly some genocides like in Germany and in Rwanda. People would be mobilized at scale with codes. These codes can exist online as well, and if you want the power of a message, I’ll give you a positive one in retrospect; Rolessa in Poland got half an hour of television and it led to the Solidarity movement, basically overturning the Polish Communist Party in 1989 [00:15:00] from half an hour of television at the right time. When people get this stuff through a source of authority, which arguably, almost anything could be now. If it’s delivering value to you in a way that passes your sniff test, then when you’re standing in the polls, as you said, waiting to go in with your mask on six feet in-between and you’re reading this article, you go into the room, that — if that message was injected at that point, it is, for all intents and purposes, the biggest influence on you right then. Not the evening news, as you put it, and not the newspaper.

PAUL: When we talk about election security, I feel often in the information security field that people’s minds immediately go to DRE, direct-record electronic voting machines and maybe voting infrastructure. We take it as a IT security, IT asset security problem. I don’t think conferences have helped by having the focus be on hacking voting machines for god knows, I don’t know, fifteen years now. I kind of feel like that’s a disservice these days to even be really talking about that as opposed to all these other things we’re talking about, but I’d be interested in your thoughts. What should the information security community be talking about with regard to election security rather than specifically voting security?

SAM: I still think there’s a lot of important work to be done ëcause people still build bad voting machines. They still build things that don’t have an accountability afterwards or as we saw in the Iowa caucuses, there’s — a new app rolls out to do something and it hasn’t been fully tested. Then you get the denial-of-service on the phone [inaudible] that’s the backup service because somebody posted it to 4chan and you’ve got some cyber-swarming going on. But in the end, everything around that machine is as important if not more so. I love when people say hey, I found this great crypto. Nothing can break it. I’m like yeah, you found a way to secure a pipe from A to B, but A isn’t secure and B isn’t secure. The pipe can be abused by the attacker, so let’s assume that the — if we assume the machine is safe and the voting rules are safe, very worthwhile looking into it. Look at the photo negative. What can be done around it?

We’ve spent a lot of time in a non-commercial way doing Operation Blackout where we game this with law enforcement. We pick a red team and a blue team and we create a white team to act as a sort of game master/escalation point for either team. But the point is that until you practice it, and we should use peace-tempered practice, then you’re not — you don’t know how the 911 service could be used or the — could be abused and you don’t know how a social media botnet could be used and abused. If a party had as a goal to get a result or to affect the integrity of the election and create a scandal for the next two years, theoretically they could do it quite simply if they were coordinated and on-target. The rest of the system has to be tested as well. Rob, you were actually a CIO though, so I actually want to hear what you were saying, what you think would…

ROB: It’s interesting, Sam, that you mentioned when I was in government, I got called down the DoD council’s office which I thought oh boy, I’m in trouble. They were meeting with a firm who wanted to ensure that we did not implement electronic voting for the military, for deployed troops, ëcause it’s all mail-in. I sat there and I’m watching the attorneys and I’m the IT guy, quote unquote, I’m the ìIT guyî, and it was a very interesting conversation about why there were so many hiccups in that process from their point of view. When I look at the process from this year, from November 3rd to January 21st, right, and whether the ballots are coming in via mail like Nevada, like Oregon, several — five or six states I think have said hey, we’re doing this all by mail, and now the postal service and then there’s a tally. We go from a manual process. At some point, this result or this draft result hits a network. We’re starting to create a digital representation of the result.

Those process linkages do create uncertainty but at some point, every one of these processes is digitized. That surety of that vote is really where this starts to get important. As Sam, I think, said earlier, the introduction of doubt is all you need, ëcause now we’re just gonna fight about is the result accurate at all, let alone somebody could be winning by a landslide. But they’ll — introduced doubt that alleviates the ability to move forward and make a decision ëcause we’re so patently used to the decision-making itself, and today we have come so far forward that we have to make sure that — and I think Sam said this — the present set of processes need to be exorcised and validated that they are still [00:20:00] able to execute their function with certainty or sufficient certainty to support the democracy and the expectations of the American citizens.

SAM: I can promise you that after the election, somebody will do a cluster bias. They’re gonna draw a circle around a set of results and say see, there’s a conspiracy. It’s gonna happen. Now, the question is how do we undermine the validity of that perspective? How do we make it so that less people are saying not my president, whoever it is, and less people are saying this bias exists instead of more? If we do the integrity right, there will be quiet voices or at least not as loud. If we do it wrong, they’re going to be deafening.

PAUL: You guys are both information security professionals and you know from your conversations with your customers and messaging and so on right now that everybody talks about taking a risk-based approach to security; stop throwing money at problems that are not worth the money you’re throwing at them and start focusing resources and attention where it matters, right, on the assets and data that matter, on the processes and technologies that are actually gonna make a difference in reducing your risk. With election security, it strikes me that everybody runs around with their hair on fire. One minute we’re talking about DRE voting machines and then state infrastructure and then local polling and then — I mean, it’s everything all at once. If we were to take a risk-based approach to this problem, what would that look like in terms of marshaling the resources of federal and state governments to make a difference where it makes — it’s gonna make the most sense?

SAM: I think taking a risk-based approach, we could describe it as dealing with the big rocks first. In other words, let’s do a risk ranking and we’ll try to really burn down the big risks. The problem is, it’s dynamic. There’s no risk registry that’s static. The world isn’t the same. It’s changing constantly. The bad guys are developing and evolving. In fact, it’s an adaptive war. In InfoSec, it’s his or her on a rate of innovational attack versus his or her rate of innovation on defense. How do you make sure you have the fastest rate of innovation? The implication I think, long term of this is there’s a pace of innovation in electoral processes that’s optimal.

By the way, typically the right, in most political spectra, the right is the slower, please, because it says that which we’ve been doing for the longest is better, and the left typically says faster, please, because we want to change the human condition for the better. I’m gonna say that somewhere in the middle, the left can have the electoral system that gives the franchise to minorities and the right can have it be trustworthy, but if we don’t pace the rate of election reform adoption, and this is why it’s so scary to make changes within 100 days of an election, then the risk registry becomes dynamic or unknown. You can’t tell the big rocks new rocks are coming in at a risk you can’t predict and they’re changing size, to mix metaphors a little bit. Rob, does that resonate with you?

ROB: One of the risk mitigation factors that is present is a very simple one; there are fifty states, there are thousands of voting precincts that all do it slightly differently. The myriad of variability of the basic, same process goes in favor of — I can’t — somebody can’t mess with all of them. Or, actually, even a small number of them almost requires armies of people. To me, the — staying inside the general system and balancing the lean forward — and I’ll go back to digitally voting — to the lean back paper voting is really how we move forward here because at this point, change is bad. I would agree with Sam. Change is the worst thing that could happen right now because the last thing you want to do is have a registered voter, American citizen, standing there going now what do I do? That’s not what we want. You’ve gotta be able to walk through that pathway and whether your state requires that you produce whatever documentation that says you’re a registered voter or not, ëcause some do and some don’t, but you walk through the portal, you cast your vote, off you go just like you did the last time.

That’s, I think, very important to ensure the sanctity of the process so that the risk in the voter’s mind is mitigated. Some of the biggest challenges we have are basic nuts and bolts of okay, where are all the volunteers that are gonna show up at the — I think Maryland just came out with we’re doing [00:25:00] polling centers, not polling stations. Governor Hogan has said I don’t have enough — I don’t have the volunteers to man all the myriad of sites that I typically own, all the elementary schools, if you will, so I’m gonna do centers and I’m ask everybody to go to the centers. Well, from a covid perspective, you go, I guess I get that, but now I got a bigger line at a more — and a drive. There’s a balance here. There’s a balance between the digitization of voting and the reality of covid right now.

PAUL: I note that even though we’re a huge country with thousands or tens of thousands of voting precincts, that in fact the number that actually matter in turning an election is much, much smaller than that; maybe a couple hundred that actually are gonna count. I’m in Belmont, Massachusetts. We’re a deep blue town in a deep blue state. There is no question about the outcome of the vote in Belmont, and I don’t expect that the Russians are going to be very interested in our voting precincts, but there are counties that maybe were Obama-to-Trump counties or precincts that would seem to be targets where if you change the outcome slightly, it can tip the result of the election itself. It would seem that the risk for a given community or even a precinct might be very, very different based on what the behavior has been in past elections.

ROB: Well, I think, again, the data that represents those communities and precincts that are in — you’ve heard the term swing states, but there are swing precincts and swing groupings of precincts that…

PAUL: Yeah, within those states. That’s right.

ROB: That they go a certain direction. They are the recipient of a lot of the misinformation campaigns. If we sat back and looked at where are our friends from, let’s say Russia and China and North Korea sending their messages? Well, you can look and you can see that they do have an effect, unfortunately. The thing that I feel best about with this upcoming election is there seems to be enough energy around making a selection of who you think is the right candidate to win the presidency that they will go, that there’s a — period. I gotta be able to cast a vote one way or the other. I’m gonna vote. That’s helpful here. Turnout one way or the other should not be that big of an issue. The downside is will the results hold up to analysis and scrutiny whether digital or not? That’s the challenge. I think if I’m Federal Election Commission or I’m a state — secretary of state ëcause I run the voting process for my state, I’m out wargaming this. I’m out dry-running these various scenarios that Sam was mentioning so that I have a really good understanding of what I think is gonna happen on November 3rd in my state or if I’ve elected to start the mail-in process early, do I have the ability and surety to deliver that outcome either way?

SAM: One of the benefits we’ve had from an otherwise terrible thing around covid is many states have established official news portals. Here’s how the government would get news to you. That can be done ahead of time. By the way, the bad guys can also set up fake news distribution mechanisms in the same way we’d lay as a person in the middle, really, to get that information out. But I do worry a little bit, Rob. I think about people’s concern for safety. There’s a sort of hierarchy of needs where voting probably comes pretty high over — maybe once my physical safety is okay, then voting’s important.

As opposed to, for many people, the way that they’re gonna improve their physical safety is by voting and trying to change the election. But I wouldn’t rule out people trying to target lower in the hierarchy of Maslow speak and say if I can threaten you, I can get you to not vote. On the one hand you’ve got misinformation, disinformation to change your vote, and then you can target those precincts and counties that Rob’s talking about and say — and I’ll try and scare some of you from going or maybe have one block of voters turn up and protest not wearing masks. What does that do to the line of people outside the polling station?

ROB: Sam, I agree, but I think the [00:30:00] pressure on the states to offer alternatives to in-person voting is manifesting itself to — being made now so that everybody’s aware how do I vote in my precinct; do I roll down the street to the elementary school, like I do, or do I request my mail-in ballot? When do I have to do that by? When do I have to cast it by to have it count? Things like that. I think the ROI — if you’re the governor or you’re the secretary of state who’s running that process, you’re a busy person right now making sure that you enable, to your point, a hybrid just like we’re doing with almost everything that’s in the covid world.

There’s a hybrid approach to moving forward. I go back to — as a cyber-security guy, these results all become digital at some point ëcause there’s no pile of — a single pile of ballots, right? They’re — all become digital, they’re forwarded to a central location and then we declare a winner. That’s the part that I think is gonna be the interesting transition, and then monitoring that ìnetworkî, quote unquote, that ecosystem for bad things that are going on. That’s really important. I know Sam’s been around world class actors as I have. Most of the world-class hackers leave no footprints. You just don’t know. That’s the scary part.

SAM: There’s another parallel with covid which is just as we all went home and all our baselines changed. Now whether we’re going from work at the office to work at home, we’re gonna go into work from anywhere. Two, we don’t have — we don’t know what it’s like when a majority of people vote by mail or even a significantly large minority. It’s time to start really paying attention to this election in going forward to build up baselines. We’ve got to build the knowledge because our wisdom in being able to spot — it all looks like — not a needle in a haystack; it’s a needle in a stack of needles.

PAUL: Some of their early trial balloons like in New York state have been very messy, very worrying. There’s a lot of reason to be worried about how it’s gonna work at scale because clearly in the past, vote by mail or absentee votes have been a small percentage of all the votes. Final question to both of you; I’m gonna ask you to put on your ëI’m president of the United States’ pretend hat. If you were to spearhead an effort to remake the voting infrastructure and voting process in the United States to address some of the issues that we’ve raised and also, I guess, preserve what works; obviously increase the integrity and believability of the vote, what types of things would you recommend? What would be top on your list?

SAM: Practice, practice, practice. I would say Postmaster General, you need to fix these problems. That has to be a priority. It should not be an issue of budget. I realize that the post office is in some financial straits, and I would say secretaries of state and going down, game it out now. Make sure you know what you’re gonna do and what your contingencies are and again, practice, practice, practice it. Make sure your news — that you know how you get news to the public, you know the conditions under which you’re going to postpone an election, for instance. That you test this as much as possible and you learn from each other, ëcause it’s frankly — it’s vital to the Republic and it is within a certain group of people’s power to have a massive effect here. Leadership is defined quite simply as the ability to make a large group of people achieve a result. That doesn’t mean how you order or manage or do things, but the result we need is an election that has integrity and we know that the people have been heard. Let’s make sure that happens.

ROB: Yeah. We’re reading off the same notes. I think that Sam’s right; this secure — this election is — we’re rounding third base and whatever we’ve done, we have to put the final touches on because the scale of what we designed, this process change, this accommodation of covid as the main instrument of change to this election, this is not the 2016 election. This is the 2016 election except, as Sam said, somebody may think it’s not safe to roll down to the elementary school just to stand in line. How do we, as he said, how do we practice that? How do we do that in ninety days? We’re ninety days away; actually, inside ninety days away from doing that. Now, as you move into the future, I think there are lots of things that could be examined to be determined to be effective. What’s needed for digitally voting? What actually is needed? The national ID card with some sort of PKI on it? Is there something that enables a sure digital vote?

I’m not saying we have that today ëcause I — six years ago I [00:35:00] lived this discussion and it certainly didn’t exist then. Frankly, the election process has not really moved forward very much. I think Florida went from the hey, we have hanging chads to we went digital, then cyber came in and we backed out and went back to paper. I think whatever we do, as Sam was saying, today we’re rounding third base. You cannot make dramatic changes to the process because you have to educate the voter on what’s going to change and then you’re gonna make sure that the back end piece is really secure because if you’ve got the front end right, now I’ve got to get the back end tight. As if it was a classified network that I used to deal with in DoD, I’m pretty sure that the classified networks are tight and I know that we’re not in that space here, but I know that I have to have that kind of confidence in that result to then make this next evidence of democracy stick.

PAUL: It’s interesting; Intel had a little journalist get-together a week or so ago and they had a bunch of their executives on. I asked them do you think it’s possible that we could, in the United States, go — design a completely secure digital voting system for all citizens to use to vote electronically? They were like — two-in-one were like, absolutely. This is the United States. We’ve got the best technology companies and experts in the world; 100% we could design a secure electronic voting system. I would tend to agree; we’ve got RSA, we’ve got Microsoft.

SAM: I don’t like that. I don’t like that, Paul. I’m like, squirming. I’m squirming because I can’t think of a completely secure anything. I can’t. Good enough? Yes. Good enough? Yes, but…

PAUL: But as with everything, Sam, our system right now is not secure.

SAM: You’re right, you’re right, but it doesn’t have to be perfectly secure. Just take out the ëcompletely’ and change it to a ësecure enough’ where the margin of error is tolerable.

ROB: Yeah, it’s within the — yeah, it’s within the tolerance of the current process. As you allude to, Sam, the current process is, what, 99% accurate? Let’s just throw a number out there. If you’re that accurate or more, what’s not to like? Now, getting people to embrace a new process, that could be where the difference lies.

SAM: Where are the few thousand votes that lead to dozens of Electoral College votes? That is a tiny tolerance. Let’s not forget that.

PAUL: Right, and the question is what societal changes need to happen to enable that system? I think you raised some of them, Rob, around digital identity and so on. Some of the infrastructure you would need to build to support that in a freedom-loving individualistic country like America like a digital national ID are very hard sells. But until you do those — until you do one, you really can’t do the other.

SAM: The potential exists for us to have a better process if we do this right, but it’s not gonna happen fast and we need to take it in small steps to really absorb them ëcause the — we’re certainly not gonna be doing at a Silicon Valley pace. We need to do these things in the right time. Because, by the way, two years after this, there will be the mid-terms. You’ve got a very narrow window to make progress of it. We should be doing this or we should be testing new methods with the freedom of time.

PAUL: Yeah, the waves keep rolling in. The elections keep rolling in, right. Rob?

ROB: Yeah, I would just add that as Sam alluded to, we need a sufficiently secure process that enables the capture of the votes, a process that’s resilient, that enables democracy and its pinnacle process of freedom of expression and vote to occur. I think the information warfare that’s going on right now — I know DoD and DHS are both — US Cyber Command DHS system are both working actively to combat that information warfare campaign. This is probably the first election, I think, and maybe Sam can counter me, but I think this is the first election where the secretaries of state are gonna stare really hard at how would I do this differently?

Where do I bring in innovation? Where do I bring in change that is embraced by the general US population? How do I offer a diversity of voting methodologies that are all secure? This is not the first covid. We may see this kind of thing again, so this is not a one-time — it’s only November 2020 that has this issue. I think it’d be interesting to see how much redesign goes in after the results [00:40:00] are tabulated because that process still has to be absolutely tight enough to support the election. But I think following the election and the result, we have to stare at this and go, how do I take this and move forward?

PAUL: Rob Carey of RSA, Sam Curry, Cybereason, thank you guys both so much for coming on and speaking to us on Security Ledger Podcast.

SAM: Thank you.

ROB: Thank you for having us.

PAUL: Robert Carey is Vice President and general manager of Global Public Sector Solutions at RSA. Sam Curry is the Chief Security Officer at the firm Cybereason. They were here to talk to us about securing the 2020 presidential election in the United States. You’ve been listening to a Spotlight edition of The Security Ledger Podcast, sponsored by RSA Security. RSA offers business-driven security solutions that provide organizations with a unified approach to managing digital risk that hinges on integrated visibility, automated insights, and coordinated actions. RSA solutions are designed to effectively detect and respond to advanced attacks, manage user access control, and reduce business risk, fraud, and cyber-crime. RSA protects millions of users around the world and helps more than 90% of the Fortune 500 companies thrive and continuously adapt to transformational change. For more information, visit rsa.com.

[END OF RECORDING]

Transcription by: www.leahtranscribes.com