About this time in 2016, it became very clear that Russia was intent on disrupting our election in several ways, including information disruption, election tampering, etc. There was an ad-hoc response pulled together, as it hadn't been clear this was going to happen in advance. The Russians did research and targeted attacks on all 50 states, but did not seem to be able to impact a vote via cyber means.
Why was it an ad-hoc response? There was no dedicated approach on election security. The security research community was aware, but there was nothing dedicated at the federal level. They pulled it together at the last minute and provided a successful defense from a cyber security standpoint. A playbook has now been brought out that others can study.
What are the implications of what happened in 2016? It was a Sputnik-type moment - for the first time, the Soviets had a way to reach out and touch us; geographic isolation was no longer in our favor. Now they could use cyber techniques to destabilize an election. This gave the US a heads-up that we had a lot at stake in 2018 and 2020.
We have 3 distinct advantages now: a vibrant election security community, a better understanding of risks, and better visibility of what is happening with elections. The federal government is here to support state and local governments as they run their elections. Since 2016, we have pulled together an information-sharing infrastructure, sharing threats, strategic and defense tactics. We have been providing services / tech capabilities to partners in local government. We have been working together to analyze trends and issues, helping others to buy down risk with the tools & techniques that have been developed.
We have a much better understanding now than we did in 2016 of how different states and counties are running elections - we are listening to them about what their risks and issues are. One of the best risk management techniques: paper. We are asking states to switch to a system that has a paper record. For 2020, we may hit 92% or higher with a paper trail. The paper trail is needed for auditability.
We now have a much better understanding & visibility of what is happening in the election space and worked hard to develop trust with state & local election authorities. We've been able to provide tools, like intrusion detection, deployed across all 50 states (not necessarily all counties).
Even with all these preparations, still more work to do - there could be more disruptions, we have Covid-19, and we need voters to be informed.
Today, in 2020, the focused mission of NSA, Intelligence, etc. - watching out for Russia, China, and other state actors targeting our infrastructure. Lots of scanning, but not seeing anything at the level we saw in 2016. But we are still seeing too many ransomware attacks on hospitals and financial institutions - we do not want to see this happen to election systems. Helping with tools and techniques to protect these systems.
Looking at the failover mechanisms - analog backups of voter registration databases, etc. We need to make sure that the voters can vote, no matter what. We also have provisional ballots as a backup.
We have Albert Sensors (IDS), but we also need endpoint detection, capabilities on individual hosts. We have to continue to improve security at all levels.
In terms of Covid, that's why he's here talking to us today. Covid will change how we do elections - we realized in February that Covid was going to change the voting process. We are, at the very least, going to need PPE for poll workers, sanitation procedures, etc. But it's not just about in-person voting; many states are adopting absentee & mail-in balloting. This takes time & money. States like New Jersey could not identify budget for doing things like upgrading their machines to have a paper audit, but now they are moving to more of a mail-in system - so they may get the paper trail this year.
It's quite possible that we won't know on November 3 who won the election. Please be patient.
We need informed voters - something will change in the way you vote. May be a new polling location: schools & aged homes may not be available. Have a plan for how you will vote. Take advantage of early voting, absentee or mail-in. Be a part of the solution.
[Q&A - Live Commentary section]
Under the constitution, states will determine the time, place and manner of an election. Congress has a role here as well, but local & state has to carry the bulk of the burden. CISA and the intelligence committee are here to help and support.
A couple of developments since this was recorded: they have set up vulnerability disclosure guidance, saw that the University of Chicago is providing free support to state & local election boards, and are launching an endpoint detection system pilot in 29 states.
We are trying to help with debunking/prebunking of disinformation, in a balanced way.
Last fall they pushed out a state & local disinformation kit, so they can tailor it to their local needs, and also leveraged that for Covid-related disinformation. They launched the War on Pineapple campaign, benign and easy to understand.
Working to help the states adjust and studying the equipment and risk controls, adjusting our approach to do more remote pen testing.
Unfortunately for us, he can't discuss confidential information ;-)
Be prepared, participate - we need 250K poll workers, and be patient!