2020 election security: Vulnerabilities, lockdowns and disinformation
John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group Principal, he helps executives and Chief Security Officers (CSO’s) of Fortune 500 companies, including major financial institutions, launch and expand their critical application security initiatives.
– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
[00:00] Chris Sienko: We recently hit yet another huge milestone here at the Cyber Work Podcast, 25,000 YouTube subscribers. Thanks to all of you who watch and listen each week, to those of you who watch the YouTube videos go live and chat with each other in the comments, and everyone who is helping us to grow this great community.
To give back, we’re now giving you 30 days of team training for teams of 10 or more. Your Infosec Skills account will help your entire team develop their skills and earn CPEs through hundreds of IT and security courses, cloud hosted cyber ranges, hands-on projects, skills assessments and certification practice exams. Plus, you can easily monitor, assign and track training progress with team admin and reporting features.
If you have 10 or more people who need skills training, head over to infosecinstitute.com/cyberwork or click the link in the description to take advantage of the special offer for Cyber Work listeners. Thank you once again for listening to and watching our podcast. We appreciate each and every one of you coming back each week. On that note, I’ve got someone I’d like you to meet. So let’s begin the episode.
[01:02] CS: Welcome to this week’s episode of the Cyber Work with Infosec podcast. Each week, I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of Infosec professionals, while offering tips for those trying to break in or move up the ladder in the cybersecurity industry.
John Dickson was one of my first and favorite guests. He was our 13th recorded episode, going all the way back to October of 2018. John and I spoke at some length about some of the cyber tampering and general malfeasance around the 2016 elections and fears that were happening around the 2018 midterms. Well, time certainly flies, because now it’s time for yet another election coming up on November 3rd. We’re going to talk about some of the portents currently in the year, what you can do to be watchful in the meantime, as well as some of the ways that the current global pandemic could affect the election should it continue for many more months.
John Dickson is an internationally-recognized security leader, entrepreneur and principal at Denim Group, Ltd. He has nearly 20 years hands-on experience in intrusion detection, network security and application security in the commercial, public, and military sectors. As a Denim Group principal, he helps executives and chief security officers of Fortune 500 companies, including major financial institutions launch and expand their critical application security initiatives.
John, welcome back to the show.
[02:20] John Dickson: Chris! My pleasure, man. Are you doing okay? Hanging in there?
[02:23] CS: Oh yeah. Yeah, we’re doing fine. My wife and I are on different floors of the house. So we don’t get in each other’s way too badly.
[02:32] JD: All right. Look, man. Like I said, what are we? Week 5? Week 6?
[02:36] CS: Something like that. How are you holding up?
[02:39] JD: I would just say we had the biggest week of the year for us, which is RSA. Really the week leading up to the week of, and the week following are this crescendo of activity from the things inside, and what we got as a reward for that heavy effort is we walked right into a pandemic. So it’s like – I looked at the calendar, I said, “We’ve been doing this in one way, shape or form for like 8 weeks.” I would say right now, modestly, certainly compared to other friends and people in the industry right now, we’re doing modestly well. I have friends that own or work at restaurants or that are in the travel industry. I mean, that’s what worries me the most. If this is our new tempo, and I’m not going to say new normal. I’m not going to say that. I’m not going to say unprecedented. That’s out the window. I have this list of words like not to use anymore.
[03:39] CS: Right.
[03:41] JD: I’m not going to send an email to all of my contacts that says, “Yes, we know these are trying times. We’re here for you.” And give a pitch. This is the time for endpoint security and like, “Okay. Sure, boss.”
I think it’s a bit of a humbling time for people that have been doing this for some amount of time, and what I’ve told our team is for me to say that we’ve been here before or make a statement like that is just ludicrous. I would say I couldn’t be more honored to be with a team that has more experience, and that’s the one thing we have, is we have seniority experience. We’ve seen things. We have people that have been through 2008, 2001, people who are in the military, including myself that have been to a war.
The skills you develop are really one of being able to react quickly to the stimulus and adapt whatever strategy you had from yesterday. It’s lots of iterations, lots of – You wake up and you don’t know what to expect. You don’t overreact, but you also don’t take stuff lightly. The way that I’ve put it is we can’t control the external events. We can’t control science. We can control what’s in front of us and what we’re doing. I’ve said this to the team also, like Denim Group is a little bit of our lifeboat right now and we can at least paddle fast and do what we could do to keep that going and hope and pray that other things don’t happen in the outside. That’s all we can do.
[05:21] CS: Yeah. No. I mean, you’re right that we can’t say unprecedented or we’re living in weird times, but we can definitely say we have the tools at our disposal to sort of make our way through.
[05:32] JD: I was thinking the other thing. I know we have an established set of things to talk about, which is good, but I was thinking the other day like how awful this would have been if this were 10 or 15 years ago, pre-Zoom, pre-WebEx, pre-Internet, where it was very much a desktop world versus a laptop world. I mean, like we had made the shift seamlessly. I give credit to both of my business partners who saw this coming probably like 4 or 5 years ago. We had a nice storm down in San Antonio, Texas, which is Armageddon if you have the threat of an ice storm out there.
[06:13] CS: Yeah. I know. You guys don’t have quite the infrastructure for that kind of thing that we do in Chicago here.
[06:19] JD: We have no infrastructure. I mean, literally, for us – So we’ve experienced panic buying, and then it’s called a snow down here. What we did 5 years ago is somebody in our kind of on the operations side said, “Look, why are we even buying desktops from here on out?” We did get affected by that. So what happens, we said, was buy laptops even for the assistants and the different more administrative folks and the junior folks, let’s get laptops.
When we got back from RSA, Sheridan Chambers, who is one of the partners that handles, who actually runs the business day-in, day-out, said, “Let’s just practice this and do a scenario-based thing,” and we worked from home that Thursday after RSA. The interesting observation is two things broke, and it wasn’t any of our VPN infrastructure or Zoom or anything like that. It was our QuickBooks instance, which is part of the business, and then our ability to collect mail, which ironically in this day and age, we still get physical checks. We had to put up a PO Box. We had to do that. We have a person that goes in that kind of checks and makes sure everything’s there.
The other interesting note, not from an infosec or security standpoint, from a business side, we were surprised by our insurance carrier, an important point here, that our workmen’s comp did not cover pandemics, which meant that, in theory, if somebody came to work in our physical offices and got COVID-19 and then put in the workmen’s comp claim, it would be outside our coverage. That helped us accelerate the decision to work from home.
As a matter of fact, go quite the opposite, like, “Hey look, you should not go to the office.” As a matter of fact, both offices are locked up and we have one person to make sure there’s not a gaping hole in the roof. But for the most part, we’re working from home. So far so good, but I mean the other thing that I think everybody that listens to this will agree, is like we get this weird kind of compressed set of conference calls, like we have more work between 8:30 and 5:30. I feel like I’m getting bedsores on my gluteus maximi, you know… All day long, Zoom. All day long, conference calls.
I wonder, like the next thing I know, this is a little bit of streaming consciousness, but I enjoy talking to other –
[08:50] CS: Yeah, man. We’re all dying for connection right now.
[08:54] JD: What happens to Black Hat and all of those? We looked at our contract. We have an event, a happy hour event, and we’re going to probably lose 10,000 or 15,000 in non-recoverable deposit. We’ve made a decision, or just kind of jokingly. We’ll see if this pans out, that if like Black Hat gets canceled, we get stuck with 15 grand. At least three or four of us in the leadership team are going to fly to Vegas and try to consume 15 grand worth of alcohol that night. Just like, “Okay.”
[09:25] CS: We’re going to need a recording of this. I’m going to –
[09:29] JD: What is it? The 200-year scotch. It’s weird, like this is when we’re planning for that. It’s like a tempo or a cadence of events and things that happen. All that’s out the window, and so who the heck knows. I'm making no predictions. I think we just – If this is the new cadence, the new approach to business, it’s not altogether that bad. The one other strong observation I would have is, as a vendor, we have had some very good and deep discussions with other vendors on partnering stuff that we would never do.
That's very promising, and maybe because we have more time, we've had at least 4 or 5 folks that are in the application security market come to us and say, “Hey, look. We compete kind of, but we admire what y'all are doing. Maybe we can work on this together.”
When we're in the tempo that we had pre-RSA, we would never do this, because we’re just for one deal to the next. I probably traveled every week. We’re able to get like the deeper discussions below the obvious, below the surface level discussions and including with prospects. Now, the last thing I would say – Again, we’re vendors. I caution our team to not send out the same crazy emails that we’re receiving on our end, but really use this opportunity to deepen their relationships with the people you know and really kind of dial back the prospecting, which is just not well-received right now.
We’ll see how long that lasts. I mean, at some point, that’s going to catch up with us, but I think what we’ve observed is that we’ve focused on the most obvious opportunities, business opportunities. That’s probably the same case. For your people within the enterprise, it’s the most day-to-day stuff they’re playing whack-a-mole at. We were having deeper discussions with partners. We’re having deeper discussions with the existing clients, which are going to uncover other business and other ways we can help them. It may be in aggregate not that bad. We’ll see, man. I mean, I’m trying to keep a dialogue and write all this stuff down, because I think when we’re – I would say older, even more older.
[11:50] CS: Right. Yeah. To look back on this.
[11:53] JD: Hey, tell us how it was in the summer of 2020. They do World War II or 1918. You’ll know. I mean, there’s no grand strategy. There’s no grand playbook. We’re just trying to make do with what we’ve got and not stress-out and not freak out and not overreact.
[12:13] CS: Right. Well, speaking of unusual times, which we said we weren’t going to say. We wanted to talk today about election security and 2020 elections and so forth. But one of the things that we weren't doing on the program when you were last time that you gave us some nice context of the present, but we like to talk to our guests and find out about their security journeys. How did you first get involved in security as a vocation and a passion? Is this something always with you? Do you want to talk about that?
[12:42] JD: No! Quite the opposite. I backed into it. I mean, I totally—
[12:47] CS: All right. People like hearing that though, because there’s always that sort of perception that like if you weren't like hacking into local mainframes when you were six years old, you’re too late or whatever. Tell us how you started.
[12:57] JD: There’s certainly a lot of people to come from that background, and I always admire folks to do that and have CS major or came up through, like you said, on the attack side and just like new unit as a third-grader. I mean, at Linux. I always admire those. I didn’t come that way. Political science major. I was an intelligence officer and I was a Desert Storm guy. I was actually in – One of the sales that did was call targeting and we were doing picking targets in the Air Force terminology to be serviced by the – What happened is we had a very static database in the system of input that worked in a very kind of static Cold War way, and then as soon as stuff started to fly at the end of January, everything broke within like the first 2 or 3 days, everything, our databases, our inputs. Literally, we kept situational awareness of what was going on in Iraq and with the war via clipboards, whiteboards, Dv3 databases, like old school stuff, and it was really systems, but really the team itself of junior officers and NCOs. The reason I tell this story is because we were very close at any given time of losing that situation where I was very scared.
I have an actual war story to tell. We were doing dominating what are called C3 targets, command-and-control, switching centers, troposcatter dishes, comms facilities. It was like the first week that we would nominate these things. We’re part of a larger group of people in the air operations center, but we always thought there is like some smarter person above us in the chain of command. There was like, “Oh, hey. Let me look at this list. We’ll do A-B.”
[14:53] CS: Yeah. Someone will have answer for me.
[14:56] JD: So what happened is I went in – Within a week, I went into the air operations center and saw the targets that we nominated. The targets, they were up on the big board, just like the movies, right? I looked at my list and I looked at that list and I looked at my list. I was like, “It was the same lists.” Then it hit me, “Like oh my gosh! It's a first lieutenant and a bunch of captains and lieutenants, sergeants doing this.” Nobody is looking. They’re just taking it as – Just like this is a smart guy.
What happened is we recognized that everything broke out there. We’d never lost situational awareness. We get back, and this is the summer of ‘91, and we had to go on this tour, like how we won the war. How we knocked out the ears and eyes of Saddam Hussein? It was like infirmary. We knew like everything broke. We were this close to losing our awareness.
For three years after that, I became – Working with the systems guys to fix everything that broke out there, and this is really in the world of intelligence and air operations and all the thieves and all the parsers and all the – I became a UNIX person. In 1990, I found an old – This is a long story, but I found an old write-up of me. I got nominated for something. It said, “Self-taught UNIX.” That was like one of the things. I was like, “That’s when I did it, in ‘92.”
What happened is I started to look up and the contractors and computer guys were starting to ask me about stuff. Fast-forward a little bit further, I ended up getting out of active duty or leaving the Air Force, staying as a reserve, but then got picked up for what was then called the Air Force CERT, our computer emergency response team, and it became real. That was like ’95, ‘96 by my recollection, and it became a thing. I was on the outside, I started doing commercial consulting around security in ‘98. I think I got my CISSP and it became real. Then I look up and I’m like, “Man! This is actually pretty fun, the cat and mouse, the Black Hat.”
I did go to Black Hat, I’m going to say DEF CON in ’99, ’98, ’99, and here is my rude awakening. I was with these guys from our pen test team and they knew everybody. I didn’t know anybody there. It was like, “Wait a second.” You know everybody. How do you –
[17:16] CS: It’s a secret society.
[17:18] JD: There was the other side, and so I became friends with them. I've been in this space on and off since then. I really – Kind of my focus has been how to get CISOs to get security baked in absent of a breach? That is our – As security folks, that's our existential challenge. How do you define enough? How do you get the non-technical, non-security IT buyer to say, “Yeah, I think we need to do more absent of a near-death experience.” That has been my effort, and I spent a lot of time talking about resource allocation, resource justification. That’s where I’m in. I'm also an MBA type. I got an MBA along the way. I probably have a decent background in business as well. But my first love has been security stuff. I enjoy the heck out of it, and that’s why this is the fun part of fun, yeah.
[18:16] CS: That’s awesome. That’s awesome. I want to sort of catch up. Since we last talked in early 2018, early 2018 in anticipation of the midterm elections, and folks can still hear that in our archives if you go to our YouTube page. The episode is still up, or podcast catchers, whatever, and it was a great talk. We spoke extensively about some of the outside interference and foreign meddling and other trickery that happened around the 2016 election, which at this point is a pretty settled matter. I’d never really heard much. Did any cyber tampering or electronic disruptions happen around the midterm?
[18:52] JD: I mean, the challenge is so much of this lives within the classified world. If you make statements like, “Hey, I think the Russians or Chinese are involved,” it’s really a supposition on my part, and people that are in SCIFs and behind the green doors would probably laugh at that.
But let me make some statements that are very interesting since we talked last. I did look at what Microsoft did last fall. I don’t know if you saw this, but if you Google the Microsoft, they put out a warning I think in October based upon activity in August. What was very interesting? Okay, the background: Microsoft, because of O365, has this weird vantage point of looking at everything, right? I mean, they can see every – I mean, that’s where most email in the SMB world lives now, is not in your Exchange server in the corner. It lives somewhere in Redmond or in San Antonio at our Microsoft data center.
What they noticed is they noticed this attack pattern that was happening, because they look into everything. They just see badness coming across all these email boxes, and then they dove in and said, “Oh, wait a second. Wow! These are campaign-related or political-related.” If you find that, and it’s from their – That was interesting. They determined it by tactics and just tools and practices that it was probably the Iranians. That was interesting for two or three reasons. One is the Iranians have become squarely the number three player behind the Russians and Chinese in this particular matter. Probably, our number two behind the Russians in pure political stuff, they have a very diversified hope portfolio of nation state hacking, I would say. I think that was interesting.
I think the big one that got my attention was really not related to the nation state stuff is what happened in Iowa with the Democratic caucus there where they just completely blew it.
[21:04] CS: Yeah. There was that new software, whatever.
[21:06] JD: Okay. Here’s the thing. I put together jokingly Dickson’s hierarchy of voting needs, and it’s a ripoff of Maslow’s hierarchy. At the bottom was tabulation. If you can’t count the vote, everything else is irrelevant.
[21:21] CS: Right. If that’s not priority one to you, yeah.
[21:25] JD: Priority 1, 2, 3, probably tabulate; above that, timeliness. You can’t get the results out in a timely manner, then it infers – Like you have problems with the – If you accurately can capture the vote, the integrity of the vote is great, but if you get it out three days later, everybody scratches their heads, “What happened?”
In our instantaneous culture now, if we don't have accurate results that evening, everyone's wondering what the heck happened. The third thing at the top of that pyramid is security. If you don't have – If you can't count the vote, you can get it out in a regular manner, then security is –Who cares? Nation state threats are – I don't have nation state threats. I have threats to being able to count, because what they did in Iowa, which was particularly not sophisticated, was they put all their eggs in one basket. They didn't do any modicum of testing capacity or testing. Of course they didn't. None of the testing stuff was realistically done. Then I think I saw the guys from Veracode put out a – Found the source code of the mobile device and have found these vulnerabilities after the fact that, to some degree – Again, who cares? Because it didn't count anything.
[22:43] CS: The problem happened before that even, before vulnerability.
[22:45] JD: Yeah. It’s like, “Oh, the fact that the vote – The voting information is insecure is like issue number 12 at this point.” I think that’s something to remember as we go into this session, this particular one, this election cycle. Here’s the problem that we’re going to have. We didn’t even think about it 18 months ago or five weeks ago. There’s going to be a big push, I think, by three different groups, the Democrats, the Republicans maybe, and maybe voting rights folks to give substantial vote by mail capability for all.
Here’s the reason why. I did a Texas Tribune TribFest panel about a year and a half ago in Austin about voter security, and the whole thing got twisted around to become an issue of voter access, suppressing the vote. Remember, down in Texas, we have the voter ID thing, which was a group thing? That was going to affect certain communities over others. I guarantee that all pales in comparison to if your primary way of voting is to go to a voting place and get in line. I voted in our primary in March, I think, which I started calling BC, 1 BC, before coronavirus.
[24:08] CS: Yeah.
[24:10] JD: I think it was in March. It might've been February. But I’ll sit in line for an hour and a half with a bunch of people. You know what I’m going to do, unless it was a vaccine? I’m going to drive by that polling place and then go, “Ah! I don’t need to vote that bad.”
[24:24] CS: Not worth it. Yeah. Right.
[24:27] JD: The voter count, the voter – This is a presidential election that the count couldn't matter more. I think that’s the bigger that election officials and voting administrators are going to have, is a turnout issue. Again, if you can't count or if you can’t make it accessible, and I think it's reasonable. Meaning like in our county here, San Antonio, the county is called Bexar County, which is actually B-E-X-A-R, which is a Spanish term.
[24:56] CS: I’ve been pronouncing it wrong all these years.
[24:59] JD: Yeah, in Chicago when they call it Bexar— but Bexar County. I think we have around 200, 250 in a presidential year that will vote, registered voters that will vote, doing that by mail. I don’t know. I can’t speak for certain, but I’m willing to bet that their capacity to process a quarter of a million votes by mail is not that great, I suspect.
[25:24] CS: No.
[25:26] JD: I think that’s going to be –
[25:26] CS: It’s a new skill to learn.
[25:27] JD: Regardless of what the president says or whatever governor says, like, “Oh hey! We’re returning to work on Easter, Memorial Day.” I think what’s going to happen is people are going to make decisions. Again, absent of a vaccine. Unless you tested positive and have antibodies and know that you got nothing to worry about. But going in and voting becomes like, is it really worth it? It’s already a pain in the rear to do it, to find your polling place, sit in line. I think that’s going to be the bigger problem. I think that everything that was done in 2016 remains a factor. If I am the agent, the officer in charge of the FSB or GRU or whatever, I’m ready to do that when applicable.
I mean, I think they were already doing it with the troll farms to get Bernie nominated from the Democratic party for obvious reasons. I think because of the continued disavowals by our president. I mean, it still becomes the thing. I mean, it was a consensus opinion within the intelligence community. I like to stress this to all the listeners. That is extraordinary. I mean, like 16 odd agencies. They’re rarely on the same sheet of music. To have them come out and say this is a consensus opinion is pretty unusual, or not unprecedented.
[26:59] CS: Nope. Right off the list. Yeah.
[27:03] JD: I think, I’m most certainly happened. I got to speak at a local event for – I’m chairman of our mayor’s airport commission for San Antonio. We haven’t met in eight weeks. I really don’t know the status of it. I don’t know what we’re going to do when it comes back up and what the airport looks like, our air service looks like. We simply don’t know. But I got to speak at a local Republican club to talk about the airport. I didn’t want to talk about political matters for the airport. This is informational. Here’s what the airport is doing, da-da-da. Then sure enough somebody asked me a voter security question about the Russians. I said it’s always been Russians. It was always the Russians. Absolutely. Period. Next question. It wasn’t a real popular response.
[27:56] CS: No. Some cobweb, I imagine.
[27:57] JD: It’s like, “Look, I’m sorry.” I mean, like sorry.
[28:02] CS: I think you just added the 50 comments to this video.
[28:06] JD: No. It’s good. But the reality of it is, is I think we’ll look back on this time and that'll be one of the weirder moments. I say that, I will confess. I come from that side of the political realm. I’m not a D, but I still think this is the oddest. It's just odd times. I think that oddity adds to the ability to make craziness. Till this is all behind us or until we get somebody that says, “Yeah, I guess it did happen.” At the very top, it’s still going to be an open issue item.
[28:41] CS: Yeah, that could be in a generation before the consensus is everyone is willing to admit. Yeah.
[28:48] JD: I mean, we just need to have an election where that’s not an issue. Not that we don’t have nation state involvement. It’s just that we all agree that like the results themselves, the process should be viewed as precious.
Now, the one thing I will say and I’ve learned and I think I said it when we talked last. The elections are a state activity, and this is also in the context of the comments about total control, total authority that happened two days ago. But the elections are a state function. From a constitutional standpoint, Texas presents the results of an election in the form of a congressman or two senators. They actually present the results of a presidential election, not raw votes, in the form of electoral college votes to represent that. Because there’s no such thing really as a federal election. The feds, through the Federal Election Commission, regulate giving levels and how you give political contributions on federal elections. They can do that and they have done that.
But they could give money left and right to the states and dictate this or that, but it’s still a state matter, and I’ve heard from secretaries of state who’ve just said, “We appreciate your input. We’ll not do anything, or no, we’re not doing that.”
A thing to remember, this is a state thing. So when you listen to the comments of, right now, Gov. Newsom and Gov. Cuomo, transpose those on to voting stuff. Voting activities are a state activity. It’s nonpolitical. It’s an administrative thing. Whatever amount DHS gives in grants is great. They can’t dictate how a state runs its election.
[30:42] CS: Right. Okay. I mean, that jumps forward to a question I had for later in the episode, but if this is – I mean, it seems like what you’re saying about voting is basically what we’re seeing about the pandemic, is that it’s become a state’s issue in the sense that every – that there is no sort of like top-down sweeping federal declaration other than we got to open the economy soon or whatever. But if these are state’s issues for voting and some states are saying, “We’re not going to do anything about it, or we’re doing what we can, or we’re doing something else, or don’t worry, the machines are fine.” Is there anything – Some of our listeners are obviously beginning level, but others are kind of high-level cybersecurity experts. Are there ways you can sort of volunteer your expertise to help at a local level? Can you sort of like volunteer to pen test your own voting machine, make sure there’s no vulnerabilities?
Because I think people just feel really powerless about this. It just looks like a slow-motion avalanche of like, “Well, we don't know if we’re going to be able to even vote. We don't even know if there's going to be collusion. We don't even know if we’re going to be able to leave our homes by then,” and stuff like that. What are some red flags and what are some things that we can – That you would suggest? You’re shaking your head. That doesn’t –
[31:55] JD: I’m dystopian on this particular topic, because absent of some acceptance, there’s still going to be the ambiguity there. Here’s what I’d say. Pen testing your own voting machines – I have said this consistently. I don’t think that’s a great idea. The hackathons that Black Hat has had with the live machines have been the most unrealistic scenarios. Guess what election judges can detect? The kid with the hoodie that is trying to get USB access to the voting machine. They got that one covered.
I’m going to say the bigger thing that they could do – Again, I live in Texas. We have 254 counties here. The elections are administered at the county level. I know there are efforts at the Secretary of State level to do tabletops with the county officials. I would say that county election administrators are where you want to be and help, and at the secretaries of state, and it depends on what state you’re in. If you’re in the smaller states, you may have an opportunity to volunteer actually at the Secretary of State. Just because they’re much smaller, I’ve been in at least one Midwestern state where I’ve met the guy who is the IT person for the Secretary of State. I suspect that if you have a state where there is one guy doing it, that that’s where you could help out, and just particularly on election night.
Being an election judge is probably more of an exercise in the democracy than it is security. You’ve learned a little bit about how things are done and votes are tallied. But I’ve always said, if I'm a GRU guy, why would I spend so much time on the endpoints where I can do things like attacking the registration system which affects, in our state, all 254 counties? Not just one or two. I can go after election night reporting on the Secretary of State’s website. I've asked this question publicly before. How many of the Secretary of State sites have Cloudflare or any modicum of DDoS protection in front of them? Because I mean like the problem is – Again, it’s that weird window started after the evening news till about 11 o'clock, like I better start seeing results. 30% of precincts reporting, 40% of precincts reporting. If there's nothing, like what happened in Iowa, then you’re like, “What on earth happened?”
In this world where I still can order stuff from Amazon and it will be here in some amount of time, I expect to see that little ticker come along – If you DDoS their election reporting site, all it is is DDoSing some web server that has some test results from the perception-wise. That’s the problem with elections, is you have these compressed timeframes where it really matters that night.
[34:50] CS: Yeah. People expected that evening. Yeah.
[34:52] JD: It’s kind of like if you’re able to do certain things in DDoS, the news during the Super Bowl or something, like you’ve got just this fixed window of time, you’ll never get it back. If I’m an attacker, a state actor, I’m worried about sowing discontent – I’m looking to bring into question, “I can do this all via social media at the same time with our trolls in the Baltics,” or wherever the heck they live these days.
I don’t have to attack endpoints. I don’t have to go to voting machines. I can go after the centralized stuff. I recommend reaching out in the smaller states. What I’ve also found is some are more receptive than others. I’ve also gotten the vibe from a couple folks like, “Oh. We got it. We’re good.” Like, “Okay!” I say this publicly and I may have said it the last time we talked. It is a force mismatch between the FSB, GRU and that dude that I met in the Midwest. I mean, like the dude. The one guy against –
Again, if I’m a bad guy, I can leverage the heck out of whatever attack I do. I don’t have to do it in every county in every state. I just do a handful on the East Coast and just trumpet that out – Like, “Look. This is what we did. We redirected all these people at this one polling site in North Carolina. We’re going to do it all over the place,” and everybody would be like, “Woo!”
I would hit one county in one state on the East Coast on the night of the election, early in the morning, and just sow enough questions out in public that they reap the reward. The other one that I’ve said publicly, I’m surprised we haven’t seen, is kind of the last – The social media is one, but the robo texts on election day, “Hey! Precinct 113 has been moved over to so and so elementary school. Just letting you know. Your county election administrator,” that kind of stuff.
Again, you’re going to have some subset of people that fall for that one or do it. I view elections as the most fragile part of a fragile democracy. I just point to Vladimir Putin’s background. I mean, he was in charge of information operations in the KGB in the 80s. That’s his deal. I mean, he wasn’t a thug. He wasn’t an operator in the field. He was a disinformation guy, and that’s his deal. Man! They’re exceedingly good at it and they’ve been good at it.
I mean, they had a country whose entire foundation is based upon lies. Who better to lie about other people, because they not a lot about themselves? Period. Still is.
[38:04] CS: Can we talk a little bit about sort of the disinformation? Because I mean, I want to come back and sort of put together some sort of a plan of what we can do while we’re hunkered down here. But like, in terms of when you see disinformation going amongst your friends or friends of friends or some random dude on your Facebook thread who just jumped in and you’re like, “Who is that guy?” or whatever. What is the protocol? Because I think for a lot of us, the temptation is to either shut the person down or counteract or block or whatever. What’s the best sort of like defense strategy or attack strategy?
[38:42] JD: I would say the most – Personally, is ignore it. I think we’re trying to, in a weird way, change all of society to be a little bit more skeptical of stuff, and that’s hard –
[38:53] CS: That’s going to be a long game too.
[38:55] JD: It’s the long game, if not an impossible game. I would just say I try to not weigh in, because like my time is valuable and like, “Hey, this is John Dickson here,” like that. I’ve seen people that have said, like the voice of reason, like, “No. I actually have some background. That’s not exactly the case.” It is very difficult, and obviously you have the more vulnerable populations, the elderly and such that are quite skeptical, maybe.
I would say I do admire those that oppose to just come out as a voice of reason where they just say, “Hey, look. This appears to be so-and-so.” You can report it to Facebook or whatever platform. That helps them identify stuff too. I think, again, it’s tough. Think of me back at Republican luncheon where I got to these people that it was the Russians. It was real. I think it takes a little bit of courage to say like, “No.” In a non-confrontational way, like, “Look. It's just simply not the case. This appears to be something that's just out in left field.”
Okay. Let me talk about psychological warfare and information operations for a second. I actually went to a – When I was in active duty, I went to a one-week class on psychological warfare. The whole time I was there, I couldn't believe I was getting paid to go to a one week class on psychological warfare.
[40:30] CS: I was just going to ask you where I could sign up. That sounds fascinating.
[40:32] JD: I was just sitting there like a whole week with a big tub of popcorn like, “Tell me more stories. Tell me more.” It was so cool. One of the tenets that came out of that was you take a pre-existing condition and tweak it. That’s where the psychological warfare guys, information operations guys are so good, is they take a pre-existing perception even if it’s bad, even if it’s borderline racist or whatever, and they just tweak it and they had claims to fire.
The one that I remember specifically during Desert Storm is we used a pre-existing perception that the United States Marines always come ashore at the beach, right? For those students of military history, remember this. The Marines didn't come ashore. They actually— Schwarzkopf had them land south of the Bahran and they came around to the airport in Kuwait and totally did an end around.
What we did before is we apparently translated a bunch of Marine Corps videos from World War II into Arabic and showed them all throughout the Gulf, of Marines coming ashore at Tarawa, at Saipan, at Okinawa, or all these different places – at Iwo Jima. So guess what the Iraqis did? They churned up a bunch of divisions facing the Persian Gulf waiting for the Marines to come ashore. We didn’t lie. We didn’t manipulate the truth. We just jumped on a pre-existing condition.
The interesting part of that story, apparently this is hearsay, but I think it’s still – I think it probably is the case. When Norman Schwarzkopf pitched that idea to the Marine Corps component commander, apparently there was a little bit of pushback. Because guess what Marines do? They come ashore, and their culture was so shy…
[42:21] CS: You were asking them to commit heresy. Yeah.
[42:23] JD: Like, “Wait a second. That’s what we do. The Marine Corps culture.” I know a bunch of Marines, not ex-Marines, former Marines. There’s probably some truth to that story, but the point was that’s how psychological warfare and information operations exist, is there’s some pre-existing perception coupled with what they call the willing idiot. Somebody on this side is like, on Facebook, “Yup! That’s it. Yup! That’s exactly it.”
[42:50] CS: Yeah. Yeah, right.
[42:51] JD: I just think it’s probably easier to recruit those folks than it was during the Cold War, where it was a pretty monolithic threat and it was a societal and generational threat. Now, it’s a lot tougher.
[43:04] CS: Yeah. I mean, thinking in terms of, especially Facebook, which has sort of certain switches and settings in terms of like where your posts go and who can respond to them and stuff. Can there be sort of a parallel to the way we’re sort of cutting out extraneous interactions? If you make all your posts friends only and if everyone starts doing that, does that sort of keep some aspect of the contagion at bay? Because I mean, obviously some are going to get infected. I understand.
[43:33] JD: Did you have the social element? That’s the gated community argument. Downsized to that, like suddenly I’m only interacting with the people that are like me, my friends, and maybe the unintended consequence of that is I am getting messages that are already receptive to me reinforced by this. I think, as you know, I’ll just infer from all the books that you have behind you that you probably have a fairly broad set of ideas, including the ones that challenge your underlying assumptions, in your background. Then you get in the weird world where that’s the CNN versus Fox world, where now we’re just playing to the crowd.
I’m not a big fan of that, but at the same time, my parents – I worry about my parents a little bit on stuff like that and just being a little more receptive or less skeptical. I mean, that’s one good thing about being a security person, is by default you’re skeptical. You click on links, you’re just like us, skeptical of everything. You question, and that’s not something that everybody does.
[44:43] CS: Yeah. Okay. I want to sort of – I mean, we’ve sort of crisscrossed across an enormous issue here, but I want to kind of see if we can lash some of this together into, if not like action items. I want to sort of like get your crystal ball, magic gavel, like what sort of combination of things would you like to see? I mean, you said you’re already thinking kind of dystopian about this election, but like that’s different from like throwing your hands up and saying there’s nothing we can do. What sort of combination, especially assuming that we’re sheltering-in-place for the foreseeable future? What would you like to see happen in the next month, in the next three months, in the next six months leading up to the election, in terms of registration things, in terms of primaries, in terms of election campaigning, in terms of election accessibility? What do you see as like a best case scenario, whether or not we can reach it?
[45:41] JD: I think you got everything there. Let me see if I can answer that.
[45:44] CS: Okay.
[45:45] JD: I was trying to make a point and then maybe we can revisit some of the questions. One is I had felt for some amount of time that security, and privacy by extension, are matters of policy. I’ve done a lot of lobbying and a lot of cajoling with elected officials in the State of Texas. As a matter of fact, two sessions ago, a representative named Giovanni Capriglione from the Dallas area sponsored and got something passed and signed into law called H.B. 8, which is just some modest things around security for the agencies. It was a big win because it was absent of a breach. I think most legislation that comes after an event is poorly written. Sarbanes-Oxley, 2008 crisis, Patriot Act, September 11, and maybe the Cares Act with the pandemic. Any legislation shotgunned and passed right after an event typically has lots of problems within it. Over time they find problems.
What I’ve started to do is to become more engaged at a political and policy level, and a lot of this stuff, Josh Corman and crew have done a lot in this area, but what I mean is regardless of your political background, what party, or no party, or whatever, is just letting your city councilmember, letting your state rep, your local people know that your information is important to you. The way you handle elections is important, because what I found is, unless at the neighborhood association meetings, at these luncheon meetings, there’s somebody that is complaining about it or poking these elected officials in the chest, they simply – It’s not that they don’t care. They just listen to squeakier wheels or louder voices.
[47:35] CS: Oh yeah. Absolutely.
[47:36] JD: So I have heard at least from some state reps in Texas – Again, this is kind of a weird political issue, because you’ve got – You got on the left, you got the EFF privacy people. On the right, you got the kind of tea party privacy people, which are bipolar some of the time.
[47:56] CS: Yeah.
[47:57] JD: But their common denominator is they don’t mind if they lose their data on their own accord. They just don’t want you to lose it for the government. I think if you start asking those questions or engage in a little – At least asking the question. What my experience with these state reps and politicians at large is, is they don’t ask the questions. The questions never – IT in general, and security by extension too, is just like background noise. They’re more worried. I’ve mentioned I’m chairman of the San Antonio airport room for the mayor. So I have some background in public policy stuff.
One of the things that council does is they go through each year, or the city manager goes and says, “Here are 21 public policy issues, ranked. Rack and stack them by priority, from public safety, police and fire, garbage collection, parks, library, all the way down to rodent control.”
Number one, airports are never on that list because people just think the airport exists kind of from the ether, and IT and security are not issue items. They’re becoming that. I’m saying like the starting point is people have to care –
[49:09] CS: People need to know that that's something that could be addressed or needs to be addressed.
[49:13] JD: And anger, when there are losses. We had an issue in 2000 – Gosh! Long time ago now, with our comptroller who lost a bunch of – We think had an exposure. That person lost her political career. She was going to run for lieutenant governor and instead had to spend a lot of money to fix that. She lost her focal grid. Two people lost their jobs. But I got to speak at a group of CISOs for state workers right after that and I said, “How many people remember the comptroller’s breach?” It was like, “Oh, yeah. Yeah. Yeah. Yeah. Yeah.” “How many people have been asked by their elected or appointed commissioner whether or not they’re vulnerable to that particular thing?” and nobody kept their hands up.
That hit me that – I mean, we have to continue to educate our elected officials and it’s not one party or the other, right? It is both parties, so that this is part of what we do. I think that’s the starting point. I like the idea of volunteering. In particular, I think the security folks are largely apolitical. They’re not partisan political. I think this is too important to leave this to the partisan hacks, if that makes sense. It’s the engagement at the local level, city council races, block walking.
I mean, part of the reason I was able to bring this up at the state level was the speaker of the house used to be my state rep. He no longer is. I block walked with him, for him. I actually went to campaign events, wrote like a $50 check and block walked on a Saturday. Yet, guess what? He knows my first name, was like – I met with him on this topic. He’s like, “You know what? Let me –” He started talking about it.
[51:01] CS: People don’t really realize how few people need to say something to their rep before that rep makes it into a major issue.
[51:08] JD: If you go to the rep and the first thing you do is ask for something or bitch, get in line. Get in line. If you go to a campaign fundraiser and give him a $50 check or just say, “Hey, it’s a Saturday morning. I’m going to learn what democracy is. I’m going to block walk. This guy seems like a swell guy, or this lady seemed really – I’m going to go find out what block walking is like,” and it’s pretty brutal. But I’m saying the politicians, elected officials love that and then like you’re their person. Then you can go ask them for something. Anyhow, this is just a background. I think there’s a lot to be done there, and I think engagement on public policy issues is – We need to do more.
[51:47] CS: Yeah. Yeah, I think you're absolutely right, and it is definitely a bipartisan issue. Also, I guess I also asked it because it feels like obviously we’re all working like crazy right now and there's the sort of eroding of work versus life, because everyone's work is at home and home is at home and work is at – Whatever. But there's also that feeling that like we’re all sort of here and we want to help, and like you say, so getting involved with your local politician and stuff. But it just seems like there's a lot of people who are like, “We’re trying to save our restaurants by ordering from them and we’re trying to save our artists by going to online concerts and things like that.” What are some things that we can sort of be doing in our day-to-day to sort of be saving our democracy in the same way?
[52:36] JD: I think – I mean, there’s a variety of folks. Being online and being that voice to raising is a helpful thing, contributing. Those are things you do on an individual basis. I mean, with LinkedIn, it's easy to write articles. It is easy to publish, micro-publish. I found that another thing that’s very helpful is we know a lot about just basics of security and being a wellspring, the Johnny Appleseed of cybersecurity, helping your friends and family and saying, “Hey, here's advice tip number three.”
I mean, we have so much. I mean, I get to do it every time we have a holiday party or family reunion. I end up, “Hey, what’s more secure, iOS or Android?” But I think that’s another way you can give back. I did a TED Talk about that about two years ago at Vale about the concept of resilient users, and like I think much of what – if we could be accused of one thing, it’s being cloistered in our little world, because we’re so busy with spy versus spy, cat and mouse game, within the bowels of the enterprise that we just let that stuff happen and we kind of roll our eyes when we see stuff. We let the political and public sector stuff get run by people who have less context and probably have questionable motives. That’s what I’m saying, this stuff is too important to leave it to others. I think what I notice is people kind of go to a particular calling, be it helping nonprofits. There’s always a component of what we know. There’s so much demand for what we know at the personal level. I do that a lot. I have a little thing that I send to people, “Hey, this happened. What do you recommend?” It’s a little – I won’t even say it’s a whitepaper. It’s like a list of things to do to say, “Here you go. I got that generically.” Patch, do the updates. Don’t click on stuff, and then six other things. I just do those all the time.
[54:51] CS: Check resources. Yeah.
[54:52] JD: But I haven’t actually, because I get enough questions where I just like sling that over, “Oh, here you go. It's on my desktop. There you go.” I get that probably once a week or like, “What can I do?”
[55:04] CS: Yeah. A lot of the questions have the same answer.
[55:07] JD: that directly gather and I have a great answer.
[55:08] JD: Exactly. That’s not a great answer, but that’s trying at it.
[55:14] CS: There might not be a great answer right now.
[55:15] JD: That’s what I’m saying, is I think go to whatever your calling is. Mine, I’m a political science guy by background. I happen to know a bit about the public policy side. Again, there are others that are doing this too, but that was an area that I have background and context that many people don’t. I think that’s the one area I can contribute, is on the public policy side.
[55:37] CS: Okay. One last question. If listeners want to know more about John Dickson or Denim Group, where can they go online?
[55:43] JD: www.denimgroup.com is our website. I think I’m on there. I should still be on there, and my Twitter handle is @JohnBDickson. I’ll just add one last thing too. It’s D-I-C-K-S-O-N. I get introduced all the time as like John Dickerson, Dickinson.
[56:01] CS: Dickson, yeah.
[56:02] JD: Dick Johnson.
[56:03] CS: Oh! Interesting.
[56:05] JD: All these.
[56:06] CS: They found all kinds of ways to scramble it around.
[56:08] JD: Usually in a public sector, like in a public setting where I’m speaking. But yeah, John, B as in boy, Dickson.
[56:16] JD: And not D-I-X-O-N. Yeah, right.
[56:18] JD: That might be some other guy.
[56:21] CS: Right. We’re not talking to him today. John, thanks again for joining us today. This was a blast. I hope lots of people get a lot out of this. I really appreciate your time.
[56:29] JD: I don’t know if you got anything out of it, but I enjoyed the heck out of it.
[56:31] CS: Oh, same here. Same here. Thank you and thanks all of you again for listening and watching. If you enjoyed today’s video, you can find many more on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec. Check out our collection of tutorials, interviews and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your podcast catcher of choice, and if you don't mind, leave us a rating and review. It does actually really help.
For a free month of the Infosec Skills platform discussed on today’s show, just go to infosecinstitute.com/skills and sign up for an account. In the coupon code line type cyberwork, all one word, all lowercase, no spaces, for your free month. One thing we mentioned briefly in the episode, if you want to check out our free election security training resources to educate poll workers and volunteers on possible cybersecurity threats they face during election season, visit infosecinstitute.com/iq/election–securities–training or click the link. That’ll probably be in the description.
Thanks once again, John Dickson, D-I-C-K-S-O-N, and thank you all for watching and listening. We’ll speak to you next week.