Speaker 0
0:10 – 0:14
Welcome to Tech Talk. Bye. CT. Tea.
Speaker 1
0:16 – 1:19
Welcome to CDT's Tech Talk, where we dish on tech and Internet policy while also explaining what these policies mean to our daily lives. I'm Brian Wasilowski, and it's time to talk tech. With the recent indictments and the ongoing investigation of Russian interference in the twenty sixteen election, the importance of election security is even more front and center. Russian military intelligence officers, or the GRU, successfully hacked the Democratic Congressional Campaign Committee and the Democratic National Committee, bringing to light vulnerabilities in election infrastructure at the campaign level. Joining us to talk about the key takeaways from the Mueller indictment and share why cybersecurity practices must be a key priority in campaigns and for election officials is CDT's senior technologist, Maurice Turner. Welcome, Maurice. Well, thank you. Welcome. Welcome to you. Right now, Maurice has been asking me for ages to be on the show, and I finally relented. So it's great to have you here. I mean, your your work is pretty hot right now.
Speaker 0
1:20 – 1:26
Yeah. The phone's been ringing off the hook. It seems like, everyone has finally woken up to the fact that, yes, in fact,
Speaker 1
1:27 – 1:54
Vladimir Putin did order his intelligence agents to, hack our elections in 2016. And that order seems like it's still standing. Yeah. It sure does despite, some of the rhetoric that we're hearing. So let's look at the indictment that came out. It was Friday last week. Correct? Yes. So the indictment was about the DNC and D triple c being hacked. And apparently, a lot of people were surprised at the level of detail in there or at least very intrigued by it. What what was revealed in there about how this was done?
Speaker 0
1:55 – 2:13
Well, the surprising part of the indictment, besides actually naming those officers, is actually getting down into the detail of the techniques and tactics that they used and laying out the timeline step by step that convincingly leak linked them to, the attacks, on the campaigns.
Speaker 1
2:14 – 2:27
How did they do this? What was the the methods that they used? Kind of super high-tech y stuff or was it, you know, know, less high-tech y stuff? It was a straightforward game plan, but it was pretty sophisticated in in how those steps were linked together.
Speaker 0
2:27 – 3:41
So the the basic game plan was one, trying to convince the staff or volunteers to give up their credentials so that Consensus being things like passwords? Correct. Usernames, passwords, things like that so they can actually gain access. And that's the second step is actually getting into those computer systems and then looking around for interesting bits of information, whether it be strategy, whether it be, email correspondence, things of that nature. And then lastly, finding a way to actually get that data off of the systems in a way that can be used in other information campaigns. And how successful were they? Just as a reminder, what did they actually end up getting from, the d triple c and the DNC? Oh, they were very successful. There there's no good at what they do. Yeah. Yeah. They we're dealing with professionals here. That's obvious. They went straight for the top. They they got John Podesta to give up his credentials to his Google account. And then they spread throughout the systems. And I believe eventually ended up, getting into about 33 different computers and finding gigabytes of data that they were able to actually pull out, and provide to members of the media and, unfortunately, even to a congressional candidate who's
Speaker 1
3:42 – 4:07
yet to be named. Yeah. That is not gonna, probably end up great for him. So Podesta, I mean, this is a big deal that he was hacked. And from what I well, I was surprised to see that he actually checked whether he should be turning over these credentials, you know, and there so there was some sort of process where something clearly, like, it was a flag for him, but he still did it. So is that just means that people are getting far more sophisticated and, you know, appearing to be legitimate?
Speaker 0
4:08 – 5:13
It is. It's a very clever spear phishing, attempt. So, typically, you have a a phishing email that'll go out to hundreds or even millions of people. Very generic. Everyone's seen them. The typos, the, like, you know, prints somewhere or the yeah. That's where we're we're accustomed to to the point that sometimes we don't even pay attention to what they say. We just automatically know they're spam and delete them. Yeah. Spear phishing, is where more detailed specific information is used. So it might reference a person's place of work or someone they do business with. So something that'll try to convince you to let your guard down so you you click on the email. Sure. And this is where I actually kinda feel bad for Podesta. He went through the right steps. He recognized that there was something off about it. He he checked with, his staff. And, unfortunately, he was given the wrong answer, when he asked whether or not it was legitimate or not. And he clicked on it, and he typed in his credentials into a fake website that was controlled by the GRU and Wow. Game over. Game over. Yeah. No. It's it's funny. Even at CDT, we've, we've had some pretty sophisticated,
Speaker 1
5:14 – 5:47
attacks where folks have tried to, or pretended that they were our presidency. You know? And we're asking our accountant for an immediate wire transfer. And I'm like, oh, that is and it looked very legitimate. It took a little bit more investigation and we did not turn anything over. But it you could see how easy it is, to do that and if you didn't ask a few more questions how how it might happen at even the most secure place. So let's look at this a little bit deeper. What should campaign officials be doing? You know, so we've we know how this happened. What should they be doing to promote better cybersecurity? Or are we just kinda
Speaker 0
5:48 – 7:17
screwed? First and foremost, they need to recognize that they are in fact going to be targets, and that they have a very high responsibility to maintain voter records. And they need to implement, two factor authentication. Make sure that they have IT staff that is available. So that way, if there is any issue, it can immediately be addressed. And more importantly, especially for the campaigns, they need to make sure they close-up shop properly. You know, the day after elections usually a very happy day or a very sad day. But no matter what, the campaign's gonna be closing up. So making sure that those data records are properly removed, from any online servers, make sure that, passwords and accounts are properly closed down or even, canceled would be great steps for campaigns to do, to make sure that none of that data gets out to the people that it should not get out to. That's great advice. And just, you know, I'm guessing our savvy listeners know, but two factor authentication, what is that? So two factor authentication is pretty simple. It is the concept where, you have a password. So that'd be one factor authentication. And then you add a second layer of protection. So whether it's something physical that you have, like a USB flash key or, some other sort of biometric. It could be like a fingerprint or a face scan or maybe even a code that is sent to your phone. Just one more step, that someone would have to take in order to, illegitimately
Speaker 1
7:17 – 7:43
access your account without your knowledge. Okay. That's great. That's a fantastic explanation of that. So, of course, we have the midterms coming up. So elections very top of mind even before the indictments came down. So let's shift a little bit from election or campaign officials to election officials. Do you think that, you know, most election officials are ready for November? Unfortunately, no. They're getting there. Okay. They're definitely improving.
Speaker 0
7:44 – 8:32
But now the the attention and the spotlight is definitely on elections, and the nation state actors have, already known that elections, are vulnerable in various areas. But now other malicious actors are beginning to see that there's an opportunity to take advantage of some of these vulnerabilities. So I think it's great that election officials are now more aware, that they need to take cybersecurity seriously. But it's a process. It's not just something where you can go out and buy a product or do a single training and then say that your election system is secure. It really comes down to having a plan in place to be able to recognize the vulnerabilities and predict where those risks are going to be and adequately make sure that a mitigation plan is in place and can be executed,
Speaker 1
8:32 – 8:48
if there is an attack. So what are some of those vulnerabilities? When we talked about the DNC and the d triple c, that was kind of a straightforward hack. What are other ways that, you know, election equipment, like voting machines and, like, voter rolls, how how do those get attacked?
Speaker 0
8:48 – 9:30
Voter registration databases, are ones that can be accessed by the public in 38 states because as we want, we want voter turnout to be high. And so we wanna encourage people to vote. One of the ways you can encourage people to vote is to allow them to register to vote online. So voter registration databases being publicly available online are a a vulnerability that need to be, addressed properly. And then you also have the other end of the voting process, which is the results. So, again, those websites those websites are publicly available. And it's not so much that the votes would be changed. It's that any disruption in the results coming in on election night might introduce
Speaker 1
9:31 – 10:06
a a little bit of fear and concern and shake the confidence of voters that something happened to the system. Sure. Well, and there's also if someone someone's declared a winner or as people are still voting or something like that, you could easily see how that would influence, you know, people even deciding to go out to vote. So a lot of ways you can manipulate that. You mentioned the voter confidence side. How how confident should voters be in voting right now? Do you think that we're we're making progress there as well? Because certainly, I'm sure a number of voters, their their confidence was shaken a bit by some of this news. I think voters should be confident that when they cast their vote, it's gonna be counted accurately.
Speaker 0
10:07 – 10:24
Unfortunately, we're getting some mixed messages at the federal level. And I I think that's being addressed certainly in the past week. We're getting a little bit more clarity from some of our representatives. But, there needs to be solidarity when it comes to recognizing the threats that we are facing to our election system.
Speaker 1
10:25 – 10:47
So at this stage now, with the state and local election officials, they have about, I guess, what is it, three months left? Is that right? Trying to count here. No. More. Four. So you shared a little bit about what they should be doing. Do they do they have the funding for it? This has been something I've been hearing a bit about, federal funding for, local and state elections.
Speaker 0
10:48 – 11:44
Funding for elections has been a big challenge, especially over the past two decades. Coming off of the hanging Chad incident, the federal government definitely stepped up, with the Help America Vote Act. Mhmm. And there was a large transition over to, machines that wouldn't necessarily have that paper problem. But now we're running into a a digital problem. And so the focus is going back to, okay, we need a paper trail to make sure that all these votes can be counted accurately. Now the problem this year is that the federal government put a little bit more money into those HAVA fund accounts to make sure that election security would be the focus for the states. Now the shortcoming of that is that the states really need to step up and increase their funding and treat election security as something that's serious, that warrants the critical infrastructure designation. So that means planning and continuously funding for an improving election system. And I'm not seeing that in the states.
Speaker 1
11:45 – 12:04
So, well, that's a little concerning. Election security, and this has all been fantastic information. Tell us a little bit about your focus areas beyond what we just talked about. Anything that, you know, we didn't cover that you think people should know about when it comes to election security?
Speaker 0
12:05 – 12:59
Election security begins at the local level. That means making sure that election officials know how to recognize cyber risk, and they know how to mitigate those risks. That's why the election security project at CDT is really focused on making sure that election officials have the resources available to be able to raise the level of security across the board. We've partnered with the Center for Technology and Civic Life to offer local election officials online trainings. Awesome. We're developing and disseminating, field guides so that election officials can understand the basics of cybersecurity, concepts like two factor authentication, that we mentioned before, password managers. So for more for folks who have IT support backgrounds or have security training, these might seem like really simple concepts. But for anyone else who doesn't have that background, background,
Speaker 1
13:00 – 13:13
it's very helpful. Yeah. Absolutely. So if people wanna know more about this project, get in touch with you. I understand you're taking your show on the road a bit. Where are you gonna be? And what's you know, when you're not on the road, what's a good way to get in touch with you if people wanna be engaged in this project, especially election and campaign officials?
Speaker 0
13:14 – 13:26
Certainly. I will be, speaking at the National Conference for State Legislators annual summit in Los Angeles at the end of the month. I'll also be giving a talk at b sides Las Vegas. What is b sides?
Speaker 1
13:28 – 13:29
See, that's good. Right?
Speaker 0
13:30 – 13:44
Oh, that is, the middle of a long and fun week in Las Vegas, full of, pretty much every hacker and security researcher, that wants to find out what's going on with the rest of their peers and have a little fun on the side.
Speaker 1
13:45 – 13:54
So it's definitely gonna be a, a dangerous place for you to bring anything electronic. That that whole conference scares the heck out of me. I am never going to.
Speaker 0
13:55 – 14:27
But that's part of the fun. Hacking is definitely, going to be the vice of choice in the Sin City for that week. I'm looking forward to seeing the Defcon voting village, hacking, machines. And so, we should have some good information coming out of there. I'm looking forward to meeting some folks who, might be interested in helping out their local election officials by offering their support as more technical volunteers. That's awesome. That's great. Maurice, you are doing really important things. I feel better about the elections despite you scaring me a little bit with the the preparedness.
Speaker 1
14:28 – 15:02
But it's good to know that people like you are doing important work to get ready for it. So thank you so much, and check out cdt.org for the election resources that we currently have. Well, thanks, Brian. It's been fun. That's it for this episode of Tech Talk. You'll find a ton of information about CDTs efforts to make elections more secure@cdt.org. And whenever we talk elections, I like to remind you all to register to vote and then of course to exercise your right to vote. I'm Brian Wasilowski. Thanks for listening.