Caveat 10.30.25
Ep 284 | 10.30.25

Cybersecurity on the ballot in California.

Transcript

[ Music ]

Dave Bittner: Hello, everyone, and welcome to Caveat, N2K CyberWire's privacy, surveillance, law, and policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin, from the University of Maryland Center for Cyber Health and Hazard Strategies. Hey there, Ben.

 

Ben Yelin: Hello, Dave.

 

Dave Bittner: On today's show, we are joined by our guest, Sanny Liao, co-founder and CTO of Fable Security, on points of cyber exposure for California's election coming up soon. While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. [ Music ] All right. Well, it is my pleasure to welcome to the show, Sanny Liao from Fable Security. Sanny, welcome, and thanks for joining us.

 

Sanny Liao: Thanks for having me.

 

Dave Bittner: So we have this election coming up in California, and there have been concerns about election security. Can we just start off with some broad descriptive things? I mean, where do we find ourselves these days here in the U.S. when it comes to the realities and the perceptions of election security?

 

Sanny Liao: Yeah. You know, the thing with election security is that when most people think about it, you're thinking about politically motivated cyberattacks, but election season is a bit like a Black Friday for cyber criminals. So yes, we do see the type of politically motivated cyberattacks, sometimes conducted by state actors, sometimes individuals. But there's actually a huge range of financially motivated attacks that really make use of the special emotional moment of an election season. So we do expect that in this season, cyberattacks are going to pick up and, you know, actually everyone could be a target.

 

Dave Bittner: What sort of things, specifically, should people be on the alert for?

 

Sanny Liao: Yeah, so, you know, I think in general, I actually tend to see -- we tend to see a couple different types of attacks. So let's actually start with the politically motivated ones. So, you know, if you are, for example, an election worker, if you're a campaign worker, you should expect that you will be targeted both, you know, online, in your emails. Now we're seeing a lot more voice-based attacks and SMS-based attacks. And I remember in the last election season, there was a lot of attacks that actually made use of dating scams to, you know, get close to someone for -- to gather intelligence. But, usually, what we also see on top of it is that because it's such an emotional moment, it becomes a really good trigger point for people where you can -- you know, someone who normally would not fall for a, for example, a text-based scam, it becomes a really good point for attackers to use that emotional moment and send -- use the election season as a way to actually hook people. So if you're the type of person who normally wouldn't fall for a SMS-based attacks, we call them "smishing." If you, all of a sudden, on Election Day, start getting a message around, hey, you know, your voter registration is out of date and to fix this today -- people, they emotionally react, and they are, actually, much more likely to click on something to engage with attackers.

 

Ben Yelin: Just from a legal perspective, some of the attacks might be coming from in-state, but you mentioned nation states, and also, I would guess that a lot of attackers come from other states. So how does the state of California, which really only has the authority to police its own people. I mean, how do you use the legal system to try and punish those who are outside your jurisdiction? Can you talk a little bit about that as an issue?

 

Sanny Liao: Yeah, absolutely. You know, the thing with attackers is that they don't actually respect state boundaries. They also do not respect nation boundaries. So, you know, what we see is that nation states, sometimes they conduct these attacks for political reasons. Sometimes it's actually for financial reasons, right? So it's -- a lot of times, honestly, unfortunately, the legal system doesn't actually reach as far as where the attackers are. So what we often see is that where you actually have to make up the gaps are organizations. Let's say, if you are in charge of a group of people, if you're an employer, you employ a group of people, this is actually a place where you honestly have to come in and make up for a lot of places where the legal system cannot actually help and reach, as well as individuals. I think it's kind of no longer okay for us to say that, like, hey, I won't be targeted because I'm a nobody, because guess what? If you have a social security number, you will be valuable for an attacker. If you have a credit card, you're valuable for an attacker, so it's, you know, unfortunately, legal system, I think a lot of times just do not reach far enough, and it really kind of comes down to organization. Individuals have to figure out actually how to protect themselves more proactively.

 

Dave Bittner: So it seems like there are a couple categories here. I mean, there's the issue of the election itself and the potential for folks trying to influence that, but what you're speaking to, specifically, is just, I guess, broader social engineering scams that are using the election as a point of convenience.

 

Sanny Liao: That's right.

 

Dave Bittner: So can we talk about the election itself? I mean, to what degree are folks in California concerned about influence operations and the integrity of the actual election?

 

Sanny Liao: It's hard for me to speak on the integrity of the actual election itself, but if we look at what has actually happened in the last election season, there is already a lot of evidence of different vectors, different attackers coming in to try to influence the election. So let's even put the financially motivated attacks aside. What we have seen is that in the last election cycle, we had -- there was, actually, a lot of coverage over campaign workers for major political parties being targeted on dating apps. Why? Because attackers are actually trying to get close to them using essentially romance scams to get close to them to steal valuable information. So now if you know where people live, where you know how people trend, it's actually information emulation for opposing parties, attackers, to actually use to try to trick people into doing something they shouldn't. What we have also seen is that, increasingly, I think if you remember both the 2016 election, as well as the 2024 election, what we have seen is that attackers are increasingly using personal accounts to actually infiltrate people who may be in a position with privileged access to data, power, or information. So, you know, 2016 election, everyone knows about it. Hillary's personal email got hacked. That led to this big fiasco, and in the 2024 election, what we saw was Roger Stone's personal email got compromised and they actually used it to compromise more of his colleagues on the Republican National Committee, and they stole a bunch of information. So it's, you know, that information itself is actually highly, highly valuable, and we see that attackers, actually, a lot of times, using personal accounts to get into them. What we will also expect is that this type of attack is going to not just target prominent political figures, but anyone who worked on a campaign. 
So if you're actually -- if your LinkedIn profile is saying that, like, hey, I am now volunteering with campaign, you know, X or Y, just know that attackers are smart people. They're going to find that out, and that means you might actually be in a position where you're holding sensitive information they want, and they will go after you in similar fashions. What, you know, what we I think this year, especially this year, I think what's going to start changing is that because AI technology has gotten so good. We've also, you know, we've already kind of, in the commercial sector, seen AI being used to, you know, to create deepfake attacks that impersonate someone you know, to get people to send -- to wire money to the wrong accounts. And I think it will be a no brainer to expect that attackers will also similarly use deepfakes to impersonate someone you know; to get you, you know, perhaps, like misdirect people on where to vote; get people to respond to them by, you know, calling, actually, a fake number. The technology, unfortunately, has gotten to a place where it's so good that attackers have just found a lot of ways to infiltrate and get to people and get the information they need.

 

Ben Yelin: Do you get the sense that at least among people who are active in election season activists, there's increased awareness of these threats? Do you think we're more prepared than we were in 2016 and 2024?

 

Sanny Liao: Absolutely, absolutely. So, you know, in the 2024 election, we actually worked very closely with a major political party. And I have to say, I am very, very impressed by the type of security they have actually brought in-house to protect their employees. I would say it's on par with some of the best protection we've seen in, actually, you know, in the commercial sector already.

 

Dave Bittner: So are the states themselves upping their game when it comes to protecting the people who help run these elections? Because it would be my understanding is there are a lot of volunteers that are involved with this.

 

Sanny Liao: Yeah, yeah, there's actually a big discrepancy. Unfortunately, what we see is that how good organizations' protection is is very much a function of the person who's actually put in charge of protecting that organization. We see this in the public sector, in states, in our schools, in universities. We also see it in the commercial sector, so it's not a problem unique to two states. But, you know, a couple of things we do know, right, is that one, you know, states are actually one of the most highly targeted organizations just everywhere, even if you're baselining against the political organizations, because often, they don't have, actually, a lot of money to invest in really, really good cyber protection; and two is that attacks have evolved a lot to the point where if you see that these state-organizations are bringing in, you know, people who are very forward thinking about redesigning -- literally ripping out the old system and redesigning a new system -- we see that people tend, actually -- that tends to really work. Both from a technology angle, the controls you put in place to make sure that people are -- even if they click on a phishing email, for example, their account at work gets compromised, and people's devices are all up to date and there's control over everything, as well as from an awareness angle that employees are kept up to date on the latest attacks that target them, that target the organization. We do see that, but for the most part, it's very much driven by the folks who's in charge of protecting this organization. So where we don't see these forward-thinking leaders coming in and bringing that level of protection, the status quo is actually still quite outdated. [ Music ]

 

Dave Bittner: You mentioned that a component of this is going after more of the consumers, I guess the actual voters themselves, who are in a certain mindset and an emotional state on Election Day or the days leading up to the election. Can you provide us some more insights on to that? I mean, what specifically are they targeting there?

 

Sanny Liao: Yeah, no, that's a good question. So this is actually, honestly, one that I am just personally more worried about because I've seen this being used over and over again to trick people, like anyone on the street, your neighbor, your cousin, your parents could get tricked. And if you think about what's happened in the last couple of years, every time when there's an emotional moment, attackers, you can assume that people are pretty crappy. There are people out there who make use of those emotional moments. So just like during COVID-19, people started using COVID-19 as a reason to trick people into clicking on phishing emails, giving away sensitive information. Right now, because election is such a hot and emotional topic, I would absolutely expect that attackers are going to use it to trick people into, again, clicking on emails; picking up the phone and, you know, calling a fraudulent number; wiring money to the wrong accounts, and so on. I'll give you an example. So lately, almost everybody has gotten one of these toll violation SMS messages, right?

 

Dave Bittner: Yep.

 

Sanny Liao: And it looks like, hey, you know, your FasTrak is, you know, you have like some amount of money that you haven't paid on FasTrak. You have to pay it right away. And a lot of people have now begun to realize that, like, hey, that's a scam. I should not reply to that. But imagine this is Election Day and you get a text message on your phone that says, hey, your registration is out of date. Your voter registration is out of date. Your vote might not count. And now, with Prop 50, there is so much emotion going on around whether you're on one side or the other side. When you get something like that, you're not thinking rationally. Your prefrontal cortex is not kicking in. And instead, what's happening is that your amygdala is actually kicking in and saying that, like, oh, my God, you know, I need to do something about this ASAP because I really need my vote to count. This is such a big and personal issue to me. And people are much, much more likely to reply to that SMS phishing email phishing attack or an email attack or a fake phone call. So it's just -- it's kind of this emotional moment. It creates the perfect opportunity for attackers to make use of and get people to respond when they otherwise would not.

 

Ben Yelin: Can we also talk quickly just about the nature of this election? So everybody knows it's 2024. There's a presidential election. There's Senate, House, et cetera. This is an odd year election, and it's one initiative, and I think most people who aren't kind of politically in tune with what's going on might not even realize there's going to be an election. Does that impact your analysis of vulnerabilities, the fact that there's less of an awareness that we're even in an election season?

 

Sanny Liao: That's actually a really big concern. So, yes, for sure. You know, the thing is that this election is very, very top of mind for, actually, not just Californians, but actually around, you know, everybody around the country. California is a huge state. We have a lot of votes. Whether these votes swing one way or another will have a huge impact on the next election, so it is getting a lot of national spotlight. What we know about attackers is that you can assume that attackers are very, very smart people and they don't have to take one, basically a single approach to everybody. So they know that in 2025, in California, this Prop 50 issue is a really, really hot emotional issue. So they don't have to target everybody in the country, they just have to target folks in California because they know it's so important and emotional for folks here. So we should definitely absolutely expect that attackers are going to make use of the fact that, hey, I know exactly when this election is happening. I know exactly who to target and make use of this moment, and this group of people, from a protection side. I will really, really hope that, you know, the state organizations, the campaign workers who are working on this election, realize that they are now -- have been kind of prompted to the national spotlight for -- unfortunately for attackers; that they will see an increased number of attacks, not just on their work phones, their work emails, but on their personal accounts, on their social media. Like, they will for sure be targeted because that's how attackers find them. But at the same time, every single voter in California, you should actually really think about this election is, literally, just as one of the many things attackers will make use of, but you should expect that you also could be targeted by voice phishing, by SMS phishing, email phishing, all that stuff. 
So I, you know, this is something I feel very personally about is that I think in 2025, we should expect that we will be targeted. And therefore, it's we need to actually really educate ourselves what these attacks look like, but at the same time, take measures to secure our accounts. So it's not just our work accounts, but personal is a huge, huge point. Make sure that you're using a password manager. Make sure that you have a strong multi-factor authentication set up on your personal accounts. Make sure you have your social media accounts locked down under MFA as well. And if you're exposing, let's say, your phone number anywhere, take that down. So you need to, actually, really, kind of arm and protect your personal -- basically all your personal identities. And for all the employers out there or anyone who's really responsible for a group of people, know that attackers find you a very, very valuable target. So it's actually absolutely critical for, you know, your business's well-being to think about investing in protecting your employees, both technically, you know, the controls over giving people access to password managers, MFA device, helping them update their devices, email security, all of that. But also, to really, really stay on top of making security, top of mind for folks, and showing people what the target attacks look like, right, so they make it easy for people to look out for them and pattern match when they see something similar.

 

Dave Bittner: You know, it strikes me that there are people out there, certain groups in this environment that we find ourselves in when it comes to elections, who benefit from doubt, that people wonder if our elections are secure. They wonder if the votes are being counted correctly or if people are interfering with them. It seems to me like these issues play into that narrative.

 

Sanny Liao: You know, the thing is that cyberattack comes in a lot of different flavors. I will say that narrative, it is what people make of it. It is, you know, if you are in this -- if you are a story spinner and you want to sow doubt, there are a lot of different ways to sow doubt. Election security is one of them. It's in reality, a lot of times, what these election-based attacks, what they are after is, actually, sensitive information that people have access to and people's personal credentials, really for monetary purposes. It's, you know, in the last election season, we did actually see that there was quite a bit of disinformation going on. It's not actually directly impacting, let's say, you know, whether the vote, the election system was secure or not. But what it is impacting is, actually, people's ability to really vote, people's ability to, you know, show up at their assigned voting station, people's ability to have their vote counted. So it's, I think the integrity of the election system is actually kind of a big issue that there's a lot of things getting lumped in there, but, like, whether we can trust the system or not, I think, to this day, I haven't seen, actually, a lot of very concrete evidence that the actual voting system itself is compromised. But much more often than not, it's really -- it's disinformation that is swaying people to, you know, not vote or getting to a state where the vote is not being counted. But much more often than not, it's really the theft of information and money. Yeah, and I suppose, I mean, we even see efforts to, as you mentioned, dissuade people from voting or to say, you know, the polls are closing early or, you know, don't vote till the day after Election Day, you know, just all sorts of misinformation to try to keep people one way or another from getting to the polls. Absolutely. 
And this year, I think it's, you know, on top of it, right, because of all the, I think there's these basically election monitoring that's going on with all the ICE arrests that's going on. I think, there's even more of an emotional moment that bad actors can make use of. You know, I think I would not be surprised if in order to dissuade people, some people could start getting, you know, fake information around, hey, you know, if you register to vote, you know, your information could be, you know, used to, I don't know, like arrest you or something, something like that's just, like, feels, like, personally unsafe. I think at the end of the day, you know, having worked in cyber for a long time, what, you know, I kind of realized is that there are a small group of people out there. We should assume that they really just -- they will make use of any opportunity for their personal benefits. A lot of times, you know, it's a -- you may be surprised by that. Like, like, why are people talking to me? I'm nobody. But, you know, for a lot of the hackers, you are -- you literally -- you're walking with a dollar sign on your head because you have a credit card, you have a bank account, you have a social security number. So it's, you know, people, unfortunately, there are bad actors out there who, you know, will want to actually benefit, profit off that, and therefore, you know, unfortunately, we're all in a boat where we just have to be very, very proactive about protecting ourselves.

 

Dave Bittner: So what are your recommendations then for folks, organizations and then also individuals, to best protect themselves?

 

Sanny Liao: Absolutely. So organizations, you should, you know, if you haven't already, you should really, really think about cybersecurity as one of the main components of your business success, which means that you should -- you should put someone in charge who knows what they're doing, invest sufficiently in actually protecting your employees from email, from devices to awareness training. Number two is that for individuals, we should absolutely assume that all of us will get targeted. That means we should actually take a lot of -- we should invest a lot in protecting our own personal accounts. So if your personal account, whether you use Gmail, Yahoo, whatnot, if your personal account, if you're not using a password manager, you should start using that tomorrow. It's not that hard to set up. Safari, Chrome all have their password managers. You can use a lot. There's a lot of these password manager apps, OnePass, Dashlane, all that. Get one of those security passwords. Number two, MFA, so which means that -- MFA stands for Multifactor Authentication. What this does is that if someone was able to trick you, steal your password or buy it off the dark web, they still cannot get in without a second mode of authentication. Absolutely set that up for your account. And third is update your devices. You know, in the last 10 years, we've seen a lot of device-based attacks that Apple, Google, are actually getting very on top of patching on people's devices. You should patch them. If you don't, it actually means that there's a vulnerability that attackers can make use of. It's very easy. Just go ahead and patch your devices. And finally, I would say, you know, for, you know, you should think really, really hard about social media. Attackers now, one of the most -- fastest growing attacks we've seen recently are attacks that call up people by on their phone or text them on their phone. What they need is your phone number. 
So if your phone number is out there on social media, if your phone number is out there, even if it's, you know, a LinkedIn -- on your LinkedIn account, you should take it down. Attackers -- just know that attackers will find it. And I think, yeah, it's, you know, it's -- and finally, I will say it's also awareness, actually. Attacks are evolving very quickly, again, because attackers are -- they're just smart people. They know what's the trending topic that's going to get someone to respond. They know places where, you know, technical controls is hard for them to reach, and they will find those. So that means it's actually really good for us to read up about, hey, what's the latest attacks that's happening? Listen to this podcast and hear about how, you know, what are actually -- what are the things that people have been doing successfully to protect themselves? It's, you know, it's going to -- it's much, much better than actually having to go figure out how to recover your account.

 

Dave Bittner: Well, Sanny Liao is co-founder of Fable Security. Sanny, thank you so much for taking the time for us today.

 

Sanny Liao: It's my pleasure. [ Music ]

 

Dave Bittner: And that is Caveat brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to caveat@n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. The show is mixed by Tré Hester. Peter Kilpe is our publisher. I'm Dave Bittner.

 

Ben Yelin: And I'm Ben Yelin.

 

Dave Bittner: Thanks for listening. [ Music ]