Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Matt Olney: The research started in 2016 in the aftermath of the DNC hacks.
Dave Bittner: That's Matt Olney from Cisco Talos. The research we're discussing today is titled, "What to Expect When You're Electing."
Matt Olney: So, we started reaching out, and kind of fast-forward through just hours and hours and weeks on-site, and lots of conversations and reading and learning, and honestly some partnerships and friendships built along the way. And we wanted to kind of – we felt that it was important in today's environment to try to put out a kind of state of where we are, and why 2020 looks different to us than 2016 from the election side, from the election kind of infrastructure side, and try to kind of provide a little bit of feedback in the election space outside of kind of the chaos that is there currently.
Dave Bittner: Well, I mean, let's go through it together, and let's start with 2016. I mean, what was the state of things as you were coming into this process? How did you understand how things stood?
Matt Olney: How I understood it was I just knew there was this mysterious thing that elections were and they were really important and that they had some computerized components. I didn't know anything about it. But more importantly, on the election side, you know, there are – one of the strict joys of this project has been meeting just the everyday men and women who make elections work. And it sounds so corny to say, but it's just – they're just your neighbors. And they're people that you pass in the grocery store, and they have for decades been worrying about integrity and planning to have an election and knowing they get one shot at it, knowing it is the very fundamental way that Americans express themselves in a democratic society. And they just – they understand the importance of what they are doing.
Matt Olney: But what they were presented in 2016 was a piece of threat surface and adversary that they hadn't had to worry about before. And it's unfair to ask the average person that you pass in the grocery store to go against the GRU, but that's exactly what was going on in 2016. And there was a complete lack of Federal to state to local communications and support in that time. And so, when push came to shove, we were caught flat-footed and unready to face that threat, and more importantly, unready to work together to face that threat. And I think the big changes that have occurred over 2016 to 2020 is in that cohesiveness of response.
Dave Bittner: One of the things that you point out in the research is the importance that we have faith in the system.
Matt Olney: Yeah, I mean, it is not important that I think that, but it's also important that our adversaries think that America is stronger and the West is stronger when the voters in their democracy believe in what they are doing. And we published a previous paper – my parents are going to be very proud – if you go to Google and type in "Let's Destroy Democracy," I'm actually the first link at the top of the page...
Dave Bittner: (Laughs) Every parent's dream.
Matt Olney: Yeah. And so that paper really goes into how to think about, as a foreign adversary, and kind of what is motivating you. And we talk about, in that piece, a lot more about why our foreign adversaries – not just Russia, but also China – view kind of democracy as a piece of the geopolitical stage. And if you're roughly my age, you will have lived in a time where we talked a lot about spreading democracy and bringing democracy to countries. And that's part of our geopolitical voice. And if they can damage that piece, then we are less able to use that voice on the stage. And if they can damage the faith the electorate has in its government in a democracy, then that government is less able to deal with international issues than they would be with the full support of the population.
Dave Bittner: Now, in the research, you describe the system and the pieces. Can we go through that together, what you're getting at with that description?
Matt Olney: Sure. So, the typical work that we do at Talos, I think, is we deal with pieces. We kind of go, hey, there's this library we know that's popularly used and we dig and pick at that until we find faults in it, and then we kind of talk about what we found. And that's kind of – I would say that's a pretty typical security approach for pure security research. But when you get into trying to think like an adversary and really trying to defend something, you have to deeply understand the pieces – the voting machines, and the ballot assisted marking devices, and the electronic poll books, and the voter registration database – all those kind of pieces, plus the typical things you would see in an enterprise environment with the computers and the networks and everything else.
Matt Olney: And then you have to understand how they're all put together and how they all flow together. How does the state obey the Motor Voter law? How does it get registrations from the DMV into the voter registration database? What are the regulations for a state when it comes to felons voting? And how are you notified at the Secretary of State's level that someone has been disqualified from voting because of their criminal record? And how are those things processed? What are these kind of inputs to the system? How are we authenticating users? Like, there's all these kind of pieces. And so, whereas my typical work kind of is very kind of piecemeal, this in particular was looking at the system across the Secretary of State's office in the counties and going, OK, this is what this looks like to an attacker, and here's the areas we kind of need to concentrate.
Dave Bittner: Hmm. Yeah, I mean, one of the things that impressed me that you lay out here is the spectrum of variety that you see state to state. You know, a small example is, in reading your research, I had no idea that North Dakota has no voter registration, for example.
Matt Olney: Right. I was having another interview – I've had a couple of interviews recently with people who are not in the United States. And they typically are in countries with this strong centralized authority running elections – what we would call, like, "federal" running of elections. And I have to explain to them that when we say we're the United States of America, this is the thing we're talking about. This is a collection of states that have come together to select a president. And each of those states gets to decide how they do that. And to a large extent, it's even more complicated. When I walked into the Ohio Secretary of State's office, for example, they had maps all over the walls of the eighty-eight counties in Ohio, and they're all color-coded and different maps meant different things. But one of the maps that was fascinating was the map of which counties have selected which vendor to go with. So there's not even, within a state, an agreement on which voting vendor to use. There's different options available to counties. Because ultimately, it's the counties that run elections – Secretary of State's offices don't.
Dave Bittner: And so how do you begin to distill all of this? How do you and your team wrap your hands around this broad variation across the nation?
Matt Olney: Well, I mean, part of it is the way that CISA has approached it. That if I want to talk to Mississippi or Ohio or Iowa or whoever about their election systems, I have to go there and learn about them first. It's one of the great challenges of American democracy in terms of security, is that every state is different. And within every state, every county can be different. And so, voting, like, you know, if you vote in Colorado, you're probably going to vote by mail. But if you vote in Georgia, you're probably going to vote in an electronic voting device. And they're just completely different experiences. And you cannot – it is very difficult to provide unified guidance when systems are built like that.
Matt Olney: And so that's why CISA essentially has spent the last four years traveling state to state, building relationships and assuring those states this is the Federal government's role in elections. It's limited, it involves sharing intelligence and capabilities and analysis, and this is how we can help you at your request. And much of what's better in 2020 is for the work of people like Matt Masterson and other folks at CISA that have spent time building those bridges.
Dave Bittner: So, what have the changes been since 2016? What sort of improvements have taken place?
Matt Olney: So, one of the things that I hadn't tracked but I actually learned today, I was on a show in Ohio about election security and Matt Masterson was on that show. And he actually had pointed out that the auditability of elections has gone up since 2016. So, where they had – I think the numbers were something like eighty-five percent of the country's votes cast could be audited in 2016. We're now up to something like ninety-two percent. And so, from a technology perspective, we've improved. We've got better voting machines on average out there than we had in 2016 – improvement where it was needed. And one of the weird things about our research, from a Talos perspective, is it is much more about the people than it is about the technology.
Matt Olney: And so I would say that the designation in 2017 of elections as critical infrastructure was critical. The creation of the ISAC was critical. The distribution of Albert sensors to states was critical. The time spent by DHS and CISA and the National Association of State Election Directors and the National Association of Secretaries of State to kind of bring the election community together to sort of coalesce and exchange information and ideas and data and intelligence about the threat and how different groups are preparing for it, and to build the capacity to respond to those threats and to share that information and to share resources and capability when necessary is probably the most important part. So what I would say is if something were to happen in 2020, the response would be distinctly different and better than it was in 2016.
Dave Bittner: One of the interesting things that caught my eye in your research is you have a – there's a graphic with a pair of pyramids and one is inverted from the other. One is the, you know, the pointy end at the top and the other is the pointy end at the bottom. And it's comparing the resources and the threats and kind of the mismatch there between them. Can you take us through that?
Matt Olney: Yeah, and it kind of goes back to the grocery store thing, where I was saying that these county employees who you pass unremarkably at the grocery store – and are just honestly, just everyday Americans doing this little part that they had chosen to do – are the front lines against foreign interference. And so, you have the GRU, you know, the Russian intelligence services going after the United States, but not at the Federal level, not against the military, not against the NSA, not against the CIA, not against DHS, but going against, like, Jackson County or, you know, small or individual counties. And some of them are dramatically under-resourced. So you have this world-class intelligence service going after poorly resourced counties in the United States. And there's this disparity between capabilities.
Matt Olney: And so what we have to figure out – one of the things that I think we're still figuring out, but we're further along – is how do we pool our resources together? There's this great group in Iowa called the Iowa County IT Group, and there are some counties in Iowa that don't have full-time IT staff. And so the counties have agreed to share that capability between them. And so if – and if a county were to lose its only IT person, other county IT staffers would help interview the person coming in for the new position. So it's – there's a ton of different aspects to this. But ultimately, on average, you have dramatically under-resourced environments, under-invested resources, under-invested environments, and facing heavily resourced adversaries.
Dave Bittner: Yeah, and I – you know, I often hear this question of is the – the way that our elections are spread out, as you describe, you know, the state and county level, you know, is that a feature or is that a bug? Can it be both things at the same time? By having it be so dispersed, diffuse, I suppose, does that mean that it makes it harder for a nation-state to come at us because there's so many different systems they would have to command?
Matt Olney: Sort of. And that was certainly the early response from election officials, were like, well, you can't really hack the election because we're all so different. But if you look back at the 2000 elections, which triggered an enormous kind of change in how we do things – you know, I can't remember the exact numbers, but it was like less than a thousand people stood between Al Gore and him winning, I think, New Mexico and Florida, if I remember correctly. You have to, as an adversary, figure out, look, I'm never going to get Maryland to go for the Republican, or I'm never going to get Mississippi to go for the Democrat, so I don't have to worry about those two. I just have to figure out those swing states and which counties in the swing states I can most easily get in and affect. And that's sort of the thought process that you would go against that. So certainly there is something to be said for that differentiation, but I don't think it is as protective as people like to make it out to be.
Dave Bittner: Now, how has COVID affected things? As we're heading into 2020, and I think a lot of folks perhaps had expected or hoped that we'd be farther along than we are, how do you suspect that's going to affect things?
Matt Olney: Well, I mean, it is almost, I would say, kind of displaced as the central sort of security concern for elections. A lot of it has to do with the politicization of the Postal Service and the vote-by-mail systems. And what we have to understand is we've got five states that have always voted by mail and have worked out just fine for years. So, the real concern is you're somewhere around at this point, at the time that we're recording this, about forty-four to forty-five days away from some states starting early voting. And so the question is, in responding to COVID-19 and changing to more heavily adopt absentee balloting or no-fault absentee balloting or automatic sending of ballots and all those options, are states able to prepare in, you know, the next forty-five to ninety days for that dramatically different look of an election than they had before. And so it's about changes that should be relatively simple, but they're changes at scale. And so, when you do changes at scale, nothing's simple. And so that's kind of where we're really looking.
Dave Bittner: So, what are your thoughts as we head towards the election? I mean, what sort of things do you have your eye out for? Do you have specific concerns? How do you think we're prepared here?
Matt Olney: My hope is that our worst enemies are external to us, but I'm not certain that that's necessarily the case. You know, when I initially started this research, we were definitely focused on kind of external actors and cyber. And then we kind of realized that the cyber piece was part of a disinformation campaign more than it was anything else. And so then we started worrying about, well, how do we protect, how do we help these organizations, the Secretary of States and local county offices, you know, fight a disinformation campaign? And then coming into 2020, where essentially we have actors, both foreign and domestic, engaging in disinformation campaigns, and how do you fight that? And it's exceptionally difficult. And I can tell you the local county and state resources, even now, here on August 20th, you know, months before the election, are already exhausted in terms of fielding phone calls, answering reporter questions, fighting back misinformation, disinformation. And it's just going to get worse as we get towards the election proper.
Matt Olney: And so, I would just, you know, I would hope that politicians and people who are acting on politicians or campaigns or special interest groups would understand that to play into the disinformation campaign, to try to sway voters with false facts is fundamentally un-American. And, you know, our founders had always thought that a properly factually informed electorate was what would get America where it needs to go. And that's not what they're building right now in many cases.
Dave Bittner: Our thanks to Matt Olney from Cisco Talos. The research is titled, "What to Expect When You're Electing." We'll have a link in the show notes.
Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Dave Bittner: Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.