Chris Sienko: Hello and welcome to today’s episode of CyberSpeak with Infosec Institute. Our guest today is John Dixon, who has been researching and following security concerns surrounding the 2018 US midterm elections. John Dixon is an internationally recognized security leader, entrepreneur, and principal at Denim Group Limited. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public and military sectors. As a Denim Group principal, he helps executives and chief security officers of Fortune 500 companies and government organizations launch and expand their critical application security initiatives. His leadership has been instrumental in Denim Group being honored by Inc. magazine as one of the fastest-growing companies in the industry for five years in a row. John, thanks for being here.
John Dixon: Thanks Chris, glad to be here.
Chris: Great, could you give us to start with a little capsule summary of the history of electronic security issues with voting – obviously ballot stuffing and fake votes have been with us since voting started, but when and where specifically have electronic issues begun in the voting process?
John: Wow that’s a broad question but I would say concerns around the integrity of the system really predate 2016 but I would argue that much of the energy has been around what we call vote tabulation or vote counting and the integrity of the vote count you know what’s the precision and whether or not there could be fraud committed at the polling stations via a voting machine, hence this whole movement by political scientists and activists around having a paper receipt. A paper receipt ensures the integrity of the actual tabulation of the one person. So it’s harder for dead people to vote it’s harder for manipulation by people that are trying to manipulate the outcome of an individual election.
What I would argue that has happened since 2016 and continues to happen is an attack by nation-states trying to undermine the credibility and the integrity of the election in general and my strong feeling is this is a very different phenomenon. As a matter of fact actually going after the tabulation and trying to manipulate the outcome is not necessary for trying to undermine the confidence of the system. There’s so many other easy ways to attack it. Again, the one thing I like to point out to folks – one thing that the Russians are better at than cyber is disinformation and deception and they have hundreds of years’ worth of practice. So, the cyber part is just another way to do it.
Chris: So, I guess jumping to that, what are the practical security issues around the midterm election from a cybersecurity perspective? You mentioned obviously that there is an undermining of the confidence of the system, but sort of practically speaking – how big of a margin could security in cyber tampering actually go in altering the election?
John: I would say the things that I focused on reporting are more the fixed assets. These are assets that exist – they’re not ephemeral, they’re not temporary, and the nature of election machines and voting machines and precincts – they’re temporary. If you’re going to go after voting machines you have two options. One is to break into the secure storage facility where they live 300 and so days a year and the other way is to actually go into precincts and try to physically go co-opt an election judge. Those are particularly tricky ways to undermine the system and actually put people in harm’s way. So what I would argue is a bigger risk, if you’re in, again, you have to think like the attacker, you have to think like the Russians, I would point at voter registration systems as a great example or voter registration log, poisoning up those logs is a great example of undermining confidence. The scenario is the people go to polls, they look and they’re not on the list as a registered voter.
The second thing that I have mentioned is election night reporting. The ability to DDoS most of the Secretaries of State and county report infrastructure exists right now and I will just say, I would point you to – I think it’s Lexington County in Tennessee that had a small election early in the year and they experienced a DDoS – it’s just so easy to do. You throw in some social media posts and fake news and bot news, and you can make it seem like the system’s under attack and that would be a fairly straightforward thing to do without putting people in harm’s way and without trying to change the vote count.
That’s what I’m worried about and I would say this, as a general theme, you basically have taken all the Secretaries of State and county voting administrators and put them on the front line of a cyber war – and you couldn’t have a bigger mismatch of talent, technical, and defenses. I think there’s a lot of catching up to do. I read an interesting foreign policy article about the Cold War and how the US essentially did this from 1945 to 1991 in context of the Domino Theory – we actually went and manipulated votes in the developing world. The fact that the Russians haven’t done it until now is to some degree astounding.
Chris: Why do you think they haven’t done it until now and I guess that answers itself why they’re doing it now but why do you think they just sort of quote-unquote hit on the idea?
John: Social media didn’t exist in the ’50s and ’60s so there’s an easier venue to poison the news cycle if that makes sense. You had to go through the news bureau and reporters, it’s just easier – people consume news from less formal sources, less centralized sources. So that’s one thing. I think the stakes are different. We went for tit-for-tat in the Cold War on everything – hence the going country for country. We don’t view this as pernicious of a threat. It’s now coming around from 1991 until recently we are quote unquote at peace with the Russians. Most people in the national security world have known that they have maintained their posture and never fully got over the collapse of the Soviet Union and to some degree feel that they owe us one. Hence they view our use of the Voice of America as manipulating their population. Now we’ve done this for years – trying to manipulate them and trying to point them, their population, into a direction that’s different. How is this different?
The fact that they totally disclaim it is at times incredible. And the other thing is that they have RT and some of the newer venues, they have more credible news sources than Pravda, in some of the Cold War places they look real. I love going online and reading their English versions of events that happened and just seeing our interpretation and reading the British interpretations, the French, German, and then going and reading Pravda or RT news and it’s just incredible – it’s like we live in a different world.
Chris: It is and it’s also interesting too, I mean you also see a lot of those articles about struggling US journalists who get that call and say, “Oh I can pad up my resume by working for RT News” and then realizing sort of what they’ve gotten themselves into and they’ve given this face of credibility to blatant disinformation.
John: I agree with that and I think this is what’s so tragic about this whole thing of fake news is, again, they’ve been at it for at least 60-70 years. So this is sad that we have actually become less distrustful of what comes out of that. You know, we view it as claims, and I’ll give you a great example. Back a few months ago, maybe longer than months ago, we struck the Syrian facilities after they did the chemical attack – I guess it was like a year ago – right afterwards I hopped online and was looking at stuff on YouTube. There were all these videos about cruise missile shoot downs that all came out about the same time. They were all from news bots and different folks. The reality of it is I think we fired 40 or 50 odd cruise missiles.
The combat planners always put way more into the planning to service a target. Even if they did have four or five of them shot down, the reason they sent so many is because they wanted to make sure they had target coverage. I used to be an Air Force guy – they don’t just send one bomb for one target. Immediately it was put up – it was the same video from different sources and their ability to respond and react – it’s less about the cyber and cybersecurity world and cyber war – it’s more about information warfare. It’s the information itself. We’ve got just such a receptive audience now on this side of the pond that it’s, like I said, it’s sad.
Chris: So going back to the county and local issues of election day issues and stuff like that, what tactics should citizens, poll watchers, and polling places use to avoid these sort of social engineering techniques or these muddying of the voter registration list? Like what are some of the practical things that we should be watching out for on the day of?
John: Let me start at the top, it’s really, the majority of the focus should be at the Secretaries of State because those are the aggregation points, those are the ones that set a tone for their individual states. For the record, these elections are purely a state and local function. There’s federal input and federal money, but for the most part, this is a state and local effort. So at the aggregation points I would say that, at the Secretary of State – Texas, where I live, has 254 counties so there’s probably four to eight major urban counties including like Houston, Dallas, San Antonio, Austin, those are different than some of the rural counties in West Texas where they don’t even have an IT guy in their elections group.
The other thing is, our challenge is down here, even within Texas all the election systems, the voting systems, are different. In a weird way we have this protection in that they’re not connected, number one, and number two, they’re all over the place. So that provides protections. So it’s really the Secretaries of State and the voting election heads of each of those counties, and as far as actual election judges in the precincts, I think it’s just simply, you know you do some awareness training, you start to lead in with that but candidly, I don’t believe that’s where the risk is from where we live right now.
Chris: Another story that I hear occasionally getting reported is sort of phishing campaigns that use emails or phone calls to gather voter information or disseminate fake information from phone polling or even attempt to harvest registration information by phone – is that also a credible threat and what should voters in the home do to keep themselves and their information protected as we come into the election season?
John: If you think about how many of the fake phone calls have you gotten yourself about extending the warranty on your car? Those are done through voice over IP and done through call centers that are essentially fake call centers. I’m not aware of that being done but technically it’s very easy to do. Right now, you have robocalls as part of a campaign, push polls as a political thing where you call the polls that seem tilted one way or the other. We have a history of political manipulation of elections in our own end. Hence the Secretary of State, the federal election commissions. Yeah is it easier for somebody to do that from overseas? You better believe it.
That’s the challenge is this distrust of government now has started to extend to the polling places and to individual voting precincts so that’s probably the biggest thing. The starting point for this discussion is distrust in government and that distrust has extended to the voting systems whether we like it or not. As a result, you’ve got this perfect mix of challenges.
One thing I was going to pass on – I actually got to go to a psychological warfare training class when I was in the Air Force. Best training class I’ve ever been to. One thing I remember from the class is: you don’t just outright lie because that’s not well-received, people are not stupid. You take pre-existing perceptions and you tweak it a little bit. I would argue that the Russians are better at disinformation and information warfare. They know their stuff. Those ads where they try to foment distrust around racial things, and I think I heard recently they were doing some paid ads around Texas – you know like Texas seceding from the union and just crazy stuff. Yeah there are few folks in west Texas and compounds that think that way but it’s not remotely a mainstream thought, but they love that. Whatever they can do to fragment and disunify the west and the US, that’s their goal. All of this is through the lens of what their goal is which is to undermine the US and its position in the world and also undermine democracy as we know it.
Chris: Again from a tech standpoint I know we’re not there yet but I’ve heard talk that as soon as the 2020 presidential election we can be moving towards an all-electronic voting process. Do you think there’s increased dangers around that, do you think that’s actually a possibility and is it even possible to make all-electronic voting safer than our current method, or is the sealed box nature just a disaster waiting to happen?
John: I think that in the long-term, underlying technologies like blockchain will make this much more straightforward. I think if you were to fast forward 50 years, a hundred years and talk about paper ballots – I mean paper ballots in 2018 are anachronistic. They are a coping mechanism that harkens back to a previous age where “Oh, if we could just see it in paper”. If you’re a fraudster, you’re going to find another way to attack the system so there’s other ways to do it. My point is, I think the fragmented nature of acquisition makes this a challenge.
Now the Election Assistance Commission and the feds have done a good job about certifying systems. I think that’s how you solve this problem is you pick two or three vendors, you work with them, and have two or three reference models that are able to do this well, and then you do it through that supply chain. The problem is that starting point for that world is not particularly advanced of a security area. So, if you look at Diebold and some of the people that make ATMs they’ve been doing this stuff for 25, 30, 40 years. Obviously, they understand concepts like tamper-proof host security modules, private key encryption, they get all that, they’ve been doing it all for 40-50 years.
Chris: I can’t think of once in 20 years where I’ve got too much or too little money out of an ATM it’s just like right on the mark there.
John: It always is, and the interesting thing there is – obviously they’re worried about the integrity of the transaction and the confidentiality of your PINs as you enter them. But to give you some sense – 20 years ago I did an audit for KPMG of ATM systems and they were super mature back then – they’ve been mature forever. The use case for an ATM is physical, it’s there all the time and it’s got tamper-proof. So now you have these attackers that pull up their pickup trucks and try to pull the whole machine – that’s the only way you can do it. But the voting machine use case is a lot more challenging.
You have this basic temporary infrastructure that’s up and running for just a couple of times a year – and so I told you the Texas challenge which was 254 counties. I live in what’s called Bexar County in San Antonio which is one of the larger urban counties in Texas and I think we have somewhere around 2,500 machines for upwards of 300 voting locations. The numbers are humongous. If you do a, what we call in the IT world, a forklift upgrade those are lots and lots of money. I would argue that right now, the existing machines that are out there do not solve the problems against the nation-state threat. Maybe future machines will but the current machines simply don’t do that – we actually have security through obscurity in Texas. I think most, if not all, of our machines are connected to the internet.
Chris: Do you think we’ll ever get to a point where, this might be total pie-in-the-sky, but I know people have said for years, we get to a point where you could vote like you use an ATM, you can vote like you call in for American Idol or whatever, do you think that polling places are also going to become anachronistic eventually?
John: If you look at it this way – think about what you can do online with your bank. I mean, virtually everything, and the stakes are even higher. So, the question is, they have a profit motive to innovate and to roll these technologies out. The challenge is, the voting administrators don’t have that profit motive, probably don’t have the best and brightest and e-commerce in digital transactions is a nice way to put it. It’ll be slow for adoption because the numbers are just off the charts expensive and again you don’t have the profit motive.
The next time they have a refresh it would be after 2020 and the number I heard in our county is tens of millions to do a refresh. So multiply that over all the different counties and it’s probably a trillion-dollar number or maybe not a trillion but hundreds of billions of dollars across all of the different voting precincts. And again, the technical debt, I mean, go to Cook County in Chicago, how many voting machines exist on the planet or at least in the US? I don’t know that number, but it has to be hundreds of thousands I would suspect.
Chris: Are there any safeguards in place that would even be able to detect that tampering that has taken place? Would we even know the extent?
John: Yeah, the good news about the underlying blockchain stuff is that they’re essentially tamper-proof. You have an encrypted hash that could essentially validate that this person has voted for this person, but that’s potentially years away. The question is how quickly will our municipalities, our counties, our states adopt this and at what pace is the question. Now here’s what I would say knowing what I know about technology we might buy your way out of solving that problem and there will likely be other problems that we can’t even foresee at this point. So the stakes are so high.
The way I put it is that we have a delicate democracy, and this is the delicate part of that delicate democracy. And the fact that the Russians hadn’t done this before is actually kind of flabbergasting. We’re going to have to change our game. The role of a Secretary of State and the role of a county election administrator suddenly changed, I would argue.
Chris: Jumping back from elections to political party security and stuff there’s a story a few weeks ago at a hacker conference in which a teenager said he was basically easily able to hack into a political party’s website. Why is it still the easiest thing in the world to do? Is it just people aren’t taking the notion of security on their site seriously even after 2016?
John: Okay so if you look at the world, look at presidential campaigns, senatorial campaigns, congressional campaigns… okay so there are a hundred senators so that means there are probably 200 people running, but they don’t all run all at the same time – every 6 years right. I mean hundreds and hundreds of campaigns. If you go down to state rep, state senators, local races there’s thousands and thousands and thousands. The vast majority of them don’t even have an IT person – the vast majority of them. So the interesting thing I would say that’s out there is, I saw an FEC filing about Microsoft rolling out a secure version of infrastructure for campaigns. I think when Microsoft and Google do that, that will solve the problem.
The only catch is, the FEC, the Federal Election Commission, is pushing back and wondering if that is too generous a donation. Like the fact that Microsoft and Google would curry favor with every candidate and elective by doing it. But candidly, even if it was provided at a low fee, I’ve argued that you basically have to have a secure campaign in a box. Which means the equivalent of an InstallShield type of thing where you go in and say “okay you have a candidate, okay, hey, give me your phone number, we’re going to set this up by default, you’re going to have two-factor auth, we’re going to text you this, and you have a campaign manager,”
It’s basically so a user can do it, long story short is most campaigns don’t have a dedicated IT staff. They sure as heck don’t have a security smart person. So it’s going to remain a target-rich environment. I look forward to seeing what is out there. I do like what Microsoft did and again I think Google is probably going to respond with their Gmail equivalent. But, they’re running into oversight issues about influence. It’s kind of interesting.
Chris: Yeah absolutely. Now do you think, what sort of education initiatives should be undertaken to bring the voting populace a bit more up to speed about the current dangers? I mean it’s easy to talk about things on an administrative level and stuff, but you know again with the fear of fake news and stuff, is there any kind of messages we can get out about your vote and how to protect it?
John: I think the good old public service announcements might help. I would argue that unfortunately, at least at certain levels, we have mixed messages coming from the top, is a nice way to say it without being too political. That’s the problem if you’ve got, candidly, the guy at the top that’s actively undermining certain aspects of things and saying this is all fake news and whatever, it’s hard. I have friends that still believe that they weren’t involved, and I say they were absolutely involved. Whether or not it tipped the scales the last election, who knows, maybe not, but to say they were not involved at all is crazy land, I would argue. So that’s the problem is how do you educate voters? That’s a tough societal problem. That’s way above my pay grade.
Chris: Well let’s sort of play that out a little bit. I mean going past the 2018 midterms and into the 2020 presidential and other local things, what would your mix be of social engineering education versus software like what are the long-term campaigns that we could get into place because it always seems like every election that comes along and we’re always kind of, no one’s prepared for it, there’s all these new threats and stuff. What would your long-term strategy be for sort of the safety and future of elections?
John: The thing I would remind you is that having worked on campaigns – focus number one, number two, and number three, and number four is to win the campaign. You don’t want to lose and have the most locked down campaign and be number two. So that’s the focus of the campaign exclusively is to win. The challenge is again you’ve got election administrators, candidates, and campaigns and the voting populace – I think it’s difficult to boil the ocean and I think you start with the leadership and they’ll message this out. I’ve actually encouraged local and state to reach out to the press before the midterms, have a rapport with them, and talk to them about what they’re doing and have tabletop exercises so that if there is an event they can say “hey remember back in September when we went through this stuff? That’s what we’re about, that’s exactly what happened.”
That’s pretty cool versus no engagement and then the press puts out something that says “voting election gets hacked by Russians” when in fact it’s a denial-of-service attack from somewhere. I think educating and having the top-level voting administrators, leaders, educate the press is another thing. I’ve been told that’s naive but I still feel very strongly about that. If you wait for it to come to you, good luck on whatever headlines are written.
Chris: Do you think there could be some modifications of the procedure within campaigns or within the local level to make sure that discovering tampering in cybercrime can be properly triaged and reported? It seems like there’s stories of, “well I got phished, but I didn’t tell my IT department because I was embarrassed” and things like that.
John: I would say that at the very national level, I think at the presidential campaign you’re going to have that. You’re going to have a lot more awareness, you’re probably going to have a CISO, you’re probably going to have a CIO, but that’s at that level – maybe not even at the senatorial level or gubernatorial level, you’re going to have that. I think we’re probably going to have to have more hiccups for this to become real. The guys that I know that are running for office and I know a bunch in our backyard are aware of this issue, they’re conscious, and we are working with at least one congressional candidate to help him do the right things. But for the most part this is a nice-to-do activity and of the many competing issues, fundraising, positioning, polling, I mean like having your cybersecurity down is just candidly, is not on the radar screen. Until we have more of these issues I think it’ll remain that way.
Chris: Where do cloud services play into all this? Wasn’t there a huge issue of a huge breach of voter data in California in which the cloud server was backed up without a password? Is that something that, I guess if you’re talking about campaigns in a box that might be –
John: Do I have more faith in Google and Microsoft to roll out a secure version of something? Yes, I do, than every individual campaign rolling their own, absolutely. I think that rings true if you are, you know you can custom do certain things at the federal level but again the local campaigns don’t even have an IT person, so I would worry more about them trying to do their own thing and there’s probably more hope in having the bigger guys provide something that is easily consumed, is a nice way to put it.
Chris: Okay so I’m going to start circling toward a wrap up here but if you were given a magic legislative gavel to put a parcel of laws in place to make voting safer and more accurate, what law or laws would you enact?
John: I would have rigorous testing of the voting infrastructure at the state level. I mean, to replicate a sophisticated threat, what they call, essentially, adversarial threat mimicking. Much of the testing and things that they’re doing to see if they’re vulnerable is kind of garden-variety vulnerability scanning. So I would say it’s that threat emulation and what that means, in English, is like more than technical scanning – actual penetration scanning with social engineering, with a targeted phishing attack. You add all that stuff that replicates what the Russians would do, along with some social engineering outside of the election officials.
The tabletops that I see that exercise this are mostly corporate facing but I do think you’re, like, if you’re going to have a tabletop exercise to prepare a Secretary of State, much of what you’re worried about is external reaction to other events including the press. In spite of the warnings I don’t have a warm fuzzy that most of the states are ready for that particular sophisticated threat.
Chris: And that’s too bad – my last question was a warm and fuzzy one. Do you have any rays of hope for the possible safety and accuracy of this next election versus previous ones?
John: I have hope that the heterogeneous nature of our voting machines that’s so widespread, that it’s kind of the cathode ray tube defense that the Russians had during the Cold War. They weren’t susceptible to EMP because they had an outdated technology. In a weird way, our attack surface is pretty low. I’m more worried about the aggregation points. I’m more worried about the fact that our Secretaries of State haven’t realized that this is more of an information warfare activity than it is a cyber one, so the responses are more technical in nature.
Like anything that happens in this realm you have to have a series of near-death experiences before you realize it because otherwise it’s an abstract risk that I just kind of accept. If it becomes less abstract, then people pay attention.
Chris: Well and on that note, I think we’re going to wrap up today. Thank you, John Dixon, very much for your insights.
John: Yes, it was my pleasure! Fun stuff and let’s keep in touch.
Chris: Absolutely, thank you, and thank you all for listening and watching. If you enjoyed today’s video you can find many more on our YouTube page, just go to YouTube and type in Infosec Institute. Check out our collection of tutorials, interviews, and past webinars. If you’d rather have us in your ears during the workday, all of our videos are available as audio podcasts. Please visit infosecinstitute.com/cyberspeak for the full list of episodes. If you’d like to qualify for a free pair of headphones with a class sign-up, podcast listeners can go to infosecinstitute.com/podcast to learn more. And if you’d like to try our free security IQ package which includes phishing simulators which you can fake phish and educate your colleagues and friends in the ways of security awareness, please visit infosecinstitute.com/securityiq. Thanks once again to John Dixon and thank you all for watching and listening, and we’ll speak with you next week.