CYBRARY PODCASTS

401 Access Denied Ep. 10 | Election Security: Can a Hacker Really Pick the Next US President?

401 Access Denied Podcast Icon

Special guest Dan Lohrmann from Security Mentor and former advisor to the White House and Homeland Security joins Thycotic and Cybrary to talk election security. We cover topics from voting registration, mail-in voting, to in-person voting and even the fake news Americans will be bombarded with from now until election day. How do we - and more importantly, should we - feel confident in our election security?

Hosted by: Joseph Carson, Mike Gruen, CISO at Cybrary, Dan Lohrmann
Length: 54 minutes
Released on: September 9th, 2020
401 Access Denied Podcast Icon

Listen to the Audio

Watch the Video

Enjoyed this podcast?
Share it with friends now!

Transcript

Joseph: Hi, everyone. Welcome to another exciting 401 access tonight, podcast. This topic today is going to be very exciting and I'm back again, your host Joseph Carson joining in from Talon, Estonia, where it's quite hot and steamy in the country at the moment so the temperature never lets us down. But I'm really excited. This is going to be a fun conversation. We've got a special guest on today to talk about a very, very hot topic that's on pretty much everyone's minds, not just in the U.S but globally and also with me today, again is, Mike, you want to give us an introduction?

Mike: Yep. Yeah. Mike Gruen, cohost, VP of engineering and CSO here at Cybrary, in lovely D.C, which very tightly coupled to the topic today. And Dan Lorman is also joining us. I'll let him introduce himself.

Dan: It's great to be with you guys. Thanks so much, Mike and Joseph. I'm Dan Lormam. I'm the CSO, and Chief security officer and chief strategist and security mentor. I have over 30 years in the security industry, so I actually started at the national security agency in Washington, in the mid eighties and, worked in England with Lockheed and ManTech, in the nineties and then joined Michigan government for 17 years so I had a lot of different roles in Michigan. Agency CIO and after 9/11, I became the state's first CISO. First CISO in all 50 state governments. And, basically did that job for about seven years then became CTO in Michigan, so all the CXO roles guys CCO like bringing all the, bringing all the data centers together, a lot of consolidations. And then Governor Snyder came in, we actually created a CSO role. So, went from, dropped the 'I' and brought physical and cyber security together and actually a Homeland security when DHS did that in Washington, they actually modeled it after what we did in Michigan so we actually brought together physical and cyber security so all the cameras, all the badges, all the physical security in the buildings under one roof and I ran that for over three years. Before I joined security mentor. So we're involved in security awareness training. I do a lot of, I blog for CSO magazine and also government technology magazine. You can follow me on Lorman on cyber security, @govcso is my Twitter handle, and really talk about really everything related, to really government security but obviously that place in the private sector because you get a lot of private sector companies supporting government. Right. So, but yeah, glad to be with you guys today.

Joseph: Awesome.

Mike: Yeah, awesome.

Joseph: It's great to have you on and definitely, you know, we've had some very interesting conversations over the past and always exciting discussions and today is none other than the kind of interesting and hot topic of the time, which is election hacking. It's really all about, you know, upcoming elections and presidential, and you've got a lot, you know, we've had a lot of experiences in the past and really kind of get into, you know, what have we learned from the past? Has anything changed? Are we getting better? What types of things should be concerned about, you know, especially given the pandemic and COVID-19 also does have you play into the ability for people to vote, not only securely, but also safely from, from that perspective so a lot of interesting things coming and, you know, it's really interesting. I will say that when I, when I think about sometimes we get overemphasized, you know, even, even my go to black hat and DEFCON in the conferences and we also have the, the hacking election village is there and I always kind of interesting that we sometimes tend to focus on just one aspect of elections, voting, is the infrastructure is the actual, the time you push the button on the machine to when it gets counted and that's sometimes what we tend to focus on but in my experience, when I look at election hacking, I think it's the overall process end to end and it's service and sometimes we kind of, you know, we don't look at the end to end service of it entirely and we get overly involved excited into the machines and into the firmware and into, you know, getting physical access but I think we need to step back and look at the bigger picture, look at how it all connects together and also, I think one thing that's also mistaken and not made transparent enough, is the transparency over the security measures of each different method, you know, from whether you're going to vote on paper or they're using a mobile device while using internet voting as we do in Estonia, or whether you use a electronic voting, we may go into voting booth, is important to really reveal what's the security differences between those, make it transparent, make people more aware, which one, you know, they might not care about the security, they just want to get the vote. And others might be more conservative, conservative, more worried about security and therefore might choose a more secure method, but only if they knew which one was the right one that they would choose. So getting into, to Dan, you know, when you hear about you know, election hacking and some of the experiences and the lessons learned, and the reports as revealed in the past, what keeps you up? What, what worries you about, you know, the voting system itself and which things you think should people be really thinking about?

Dan: Well first of all. I totally agree with your point Joseph about, people process technology. It's the end to end. It is the process. It is, you know, I think we learned a ton over the last four years when you think about, I mean, we, I started blogging about election security, literally, like before the actually said, you know, could the election be hacked, nine months before the 2016 election, everyone was laughing at me literally. I mean, I got mocked by a lot of, a lot of hackers and a lot of people saying, you know, you're you're a fringe or an idiot, you're this, you're that, you know, the election could never be hacked and this was January of 16 before the 16th election and then all the way through after we, you know, the, the, you know, what happened afterwards and literally all the different you know, Russian involvement and, all the different stories, really for the last four years so been covering this for five years now and I totally agree with you that, you know, it's much broader than the machine itself or the, you know, counting ballots, especially now and I think the thing keeping me up at night right now is, and we'll talk about it again not taking any talking points one side or the other but the mail and voting and especially, you know, the process, I worry zero about mailing voting for the States that have been doing it for awhile. I worry the number one thing I would say, starting right off, back up and pumped by a number of different things but the States that have made the changes, like literally in a matter of months,

Mike: Right.

Dan: and then they, you know, these, these, they come up with these processes, these secure processes. I think it was a pretty good process,I mean, but the reality is that a lot of States, a number of States, and I'm not talking about the States that have had mail-in voting forever. States have been all mail in voting, which is a number of States that then we could start naming them but upstates that are making the change is kind of like since June or since coo, you know, they decided to redo this you know under COVID. That concerns me probably the most. I also say I'm probably

Mike: Go ahead. I was going to ask what about like the registration system, because I think we focus a lot on voting, but the fact is if you can hack earlier, you know, the other part of the process, you can invalidate an 's' ton of votes

Dan: Yep.

Mike: just with the registration system.

Dan: Absolutely and so that was always the number one thing. I totally agree,

Mike: that was the number one thing with, when we first. You know I'm talking four years ago, you know, hack, hack the voter files. You know,

Mike:Right

Dan: the, you know, I work a lot in Michigan. We work a lot with the secretary of state there I say right now, I'm not formally working for any state government now. So I actually I'd like well I could talk to you guys if I wasn't being able to do it, but I I know a lot of people that are I talk to them literally every week, I know what what's hot and what's not and I, and done a lot of blogging and writing about this and, we'll talk about that maybe at the end, but you know people get detailed comments written on this. But you could almost go state by state. But I agree the voter files, the names, you know, if you can, you know, delete people, if you can get in there and then there's been documented interference in 16, 18, or early 2020. About those, you know, people trying to go after those voter files. There's examples of that we can walk through those, trying to access and change names, delete names, add names, whatever. And then also the other thing we haven't mentioned real quickly Joe, I just mentioned it is really the fake news issue, you know, you can insert information. You can go after, if you can, you know, change, even covert conditions. If somebody makes it fully expect, what would you do if you were trying to disrupt an election, make it so people couldn't vote, didn't vote, lack trust in the vote, you know in the process, any kind of news. Pile on, maybe there is a real story pile on bad news pile on good news. You know, you can influence things, influence behaviors. That's a big part of this as well.

Mike: Yeah

Joseph: Yeah, absolutely and that's some, some things that even, even, yeah, I've seen over, you know, in my entire career, what I've seen as the biggest challenge, that many kind of from a political standpoint and election standpoint is voter suppression

Dan: Yeah

Joseph: is how to redraw. So even, even in the old times, you know, before, you know, electronic and, you know, electronic machines and stuff for voting, what way you could do it is basically redrawing County and border lines was to, to move people, to shift them around and that basically changed a lot of the outcomes of a lot of elections.

Mike: Yeah, Maryland is one of the worst gerrymandered States in the country and that's where I live. It's, it happens to be gerrymandered, you know, in a particular way, you know, but not, you know, very differently than the other States are gerrymandered, but it's one of those worst. And you see that. Yeah. The whole stacking and packing and that aspect of it as well. Although I feel like that's, that's fringe, that's gray area hacking, right? That's where the government has. Th, there's people, there's a process there. Right? It's not, in some outside individual doing it and having that influence, but yeah.

Dan: This is transparent. I mean, whether you agree with that or not, you can argue with it, like, you know, 49, 51 vote in in the house with the Senator on almost any issue, you know, you can besides do an issue, the gerrymandering, we have a lot of that in Michigan, by the way as well. I totally agree with you. But at least in theory, at least I'm going to show there's some backroom deals. It's, it's, it's, it's in the public domain. You can see the votes, you can see

Mike: You can even challenge, you can even challenge the generator during, or at least try to

Joseph: I agree Dan on that side as well. One of the things I think though, is that voter suppression though, is what we look at today in the, in the electronic side of things is basically is preventing people from registering the vote on time. You know the DDoS types of attacks but we think about one of the things that, you know, sometimes what we look at is the, the, let's say cyber criminal hacking techniques, the most common thing is that they don't want to be, they want to be stealthy. They don't want to be detected. They want to be as quiet as possible. So what I think the biggest challenge right now, and it's something we've all touched upon is the confidence in the system itself is that if people have no confidence in the outcome, they won't vote and that's the thing, ultimately that's the biggest thing is, is, is, if your lack of confidence and there's so much disinformation out there. You know someone's ability and so much challenges even to get registered, then people basically will take the other option so, you know, we'll, we'll take whatever it comes to us because we won't have an impact on the outcome.

Mike:Right.

Dan: I mean, I would just add to that, you know, I think it's interesting just to understand, you know, I say more recently and I don't know how many the listeners have, you know, kind of know the history here and know kind of, you know, there's just some people, I do understand there've been so many committees on this there's money being thrown at it. People think there should be more money thrown at it, but there's a lot of money going into Election security. We've been talking about it for four years. There has been a lot more security, Homeland security gotten involved. The FBI has gotten involved, protecting those databases. Aot has been done okay. So on the positive side, we can say a lot of negatives in that believe me, I could shoot holes in this hole, but if you want to kind of live again, this is not Republican democratic. This is not, I'm not trying to, I'm being bipartisan here trying to be or nonpartisan and just say, we want a result that we can trust and we can verify a lot of States, you know, had, you know, at the very basic level, a lot of States had electronic machines where there was no paper backup. You had no way of going back and verifying. All the States had pretty much gone. They have a paper in theory. Again, the theory and process is they on paper, they've, they've got it on paper. They can see, you know, what was your vote? They're, they've, they've made a lot of other changes to protect databases. There's a lot of good that has happened even coming into COVID. Now I think, why my I, why, why I say mail in voting and that, that may sound like a Trump talking point. I'm not trying to, it's not, I really, I, the concern that I have is change any change that people are making in the final, like anything else, you know, it's kind of changing the rules of a football game NFL does this every year, right. You know, changing the rules off season, fine. You hope they don't change the rules of the, of the baseball game or the football game or say, you know, we're going to go with five strikes today, not three strikes. Because somebody had an idea between games getting last night to today, that's not what you want. You want consistency. You want to say these are the rules, we're all gonna play by it and we're going to go with it and, and I think the challenge is I'm seeing a lot of States right now, making a lot of changes that seem kind of ad hoc. I think, you know, we'll see a year from now, we'll come back and listen to this recording and see who was right and who is wrong. I think the concerns I'm hoping it's clear and we don't have days and maybe even weeks before we know who the winner is, I think that would be disconcerting to everybody. I also think, you know, the challenge is going to be what is that process? And the answer is yes, because every state

Mike: That's, what I was going to ask about was so it's different across States and you see some States have had mail and as you said, they've had this for a long time. What's the you've been there. What's the cooperation look like between States so that like me and Maryland, like the fact of the matter is if I was going to hack the U.S election, tell me I'm wrong but my, my impression is I probably only have to target a handful of counties. I don't need to hack across the entire country. There's a handful of counties in swing States that I would focus in on and if I could get those, then I could probably get those States and then it's just a, a whole thing, a domino effect. So how do I in Maryland know that there's confidence? You know, how do I get confidence that States are following best practices and cooperation? Is that, is that actually happening?

Dan: I think there is cooperation, man. I generally tend to be an optimist guys and, and I, you know I do think there's a lot of cooperation. There's a lot of attention being done. It is a political football on both sides right now, but again, taking the democratic, Republican talking points out of this thing, I do think there's a lot of attention. I mean, you know, it's in state government terms I would tell you, I'm seeing this. We were talking about this in 2019 throughout the year before Covid. It's like election security was the pixie dust for everything. Yeah, not getting funding, lecture security. Oh, okay. You know, here's the cash, you know, just y'all go, go, go to room three right. We got money down there. Literally the States, you know, because of what happened in 16 there's been a lot of attention on it. I agree with you a hundred percent, you would just focus on certain counties. I do think there's been a lot of cooperation. I think the big change recently is, you know, mail-in ballots. I mean, I've asked and I'm not going to name States because I'm going to get in trouble if I do that but you know, States that, like, how do you get your mail in ballot in. I think some States are still figuring out, can you drop it off? Can you put it in the mail? Is it by some States? It's, you know, you have to have it in there by the time the polls close. Which they just think about that.

Mike: Well I'm curious though on that, cause I feel like almost every state has had absentee ballot and that's a mail in ballot isn't it?

Dan: Yeah.

Mike: So wouldn't it just be a matter of sort of expanding that program a little bit or making it easier to get that absentee ballot and then they already have the systems in place. It's not a huge, it's not like some huge, significant change.

Dan: So, so in theory, you're right. But

Mike: What, I love, right in theory.

Dan: In theory you're right, but what's that happened is some States have gone, like some States have been all mail inbound States and that's all they've done and that's great. I mean, they've been doing this for years. Other states are now, have changed the rules this year because of COVID and said, well now we're going to mail out ballots to everybody, or we're going to mail out letters to everybody offering them a ballot.

Mike: I see

Dan: And, and again, just because something was done well in Oregon or Washington state or somewhere else, doesn't mean that it's been done in Florida before and again, like or that's been done maybe It's, I don't know, 1% of the vote or 2% of the vote and they're now projecting that it's going to be 50 or 60 or 80% of the vote. So, so it's not just think about that just think about, you know, your local help desk. Think about your local, whatever it is, anything you do in business and technology or not and, and, you know, you're going to have 40 times, 50 times, 20 times. The number

Mike: I mean, that was the whole bending the curve with COVID-19 right? It wasn't that our health, it was just that we didn't want to over, well, not just, but one of the main things that we don't want to overwhelm our healthcare system, it it'll collapse. If everybody gets sick at the same time, everybody shows up at the hospital at the same time that system won't be able to handle it and what you're saying is basically the same is true for voting. If you had a voting, if you had a mail in voting system that was able to handle 20, you know, 2%, 3%, whatever, now it's got a handle 30, 40, 50%. It's going to be overwhelmed. Is that correct.

Dan: Correct. One of the great things that, you're getting here Joseph is that, and you know, and I think every state, you know, has integrity in this sense. They come up with, if we talk about people processing technology in the beginning of this but you say, okay, if Dan Horman votes, okay. How do you know by mailing it in that you didn't just also show up at the poll and vote twice? How do you know you didn't make copy? I mean, they're very simple you come up, we decided we'd come up with 20 different ways you could, you know, fraud you know defraud the system. So the checks need to be in place and the States are putting in those checks so, they're doing a good job to saying, okay, here's how we know if we get up, you know, here's what we're going to do if Dan votes in person and we get a mail in ballot and, and, and which you won't have with me, I'm going to go in person but, I would just say the reality is how do we know that that's being followed? How do we know? So now we're down to auditing we're down to, okay the rules are this three strikes, Well, why did you give Bill five strikes? I mean, you know, what, how do you know that it's being it's back to the process thing? Joseph mentioned that at the beginning is the, even when you have a process, what's the level of confidence that process is being followed across the board. In those key counties that you mentioned, Mike.

Mike: Right and so I am right. That it would be like, that was the scary part is that I'm thinking about that, but I wasn't sure I've never actually like verified with someone who would know that, but that is the case that like, there's just a handful of districts in purple States across the board that would need to be targeted.

Dan: Well in theory, that's right. I mean, I, I think there's going to be, I mean, if you look at what happened again, I have this blog that I wrote for Governor technology magazine you can go out and read. It's a pretty long blog. It's like one of my longer ones, almost three thousand words. So how Election Security has become a top issue and it kind of just, it kind of gives you the history of all the different organizations in the national, you know and other state legislatures that the auditor General's, the Secretary of State Offices, the Governor, all the different things being done, the National Governors' Association has been involved in this. There's so many organizations that have committees around Election security. I mean, there's literally. It's probably well over a hundred committees on Election security, which is a little bit concerning in and of itself.

Mike: Well right exactly. If you want to solve a problem, you definitely want to throw more people at it. The more people definitely the better everything will be, which is

Joseph: Going back, Going back to how things that Dan, that you mentioned as well as it, you know, I'm very familiar with the Estonian system here, of the voting system has been done here and nothing's perfect. It's all about making sure that the goal. The focus of the Estonian government took was actually they see themselves as being a service provider to the citizens so their intention is to get as many people to vote as possible. Right. Going back to one of the points that you made as well is about you could vote multiple times, different methods and this the same as possible, there's so many I can go and vote and on my phone multiple times, but it's only counted once and it's only the last one that counts. So, you know, that should be the case, is that, you know, if somebody changes their mind, because somebody says something that isn't agreeing with them that should be possible. You shouldn't, you know, if people are voting, you know, weeks and events and then they change their mind, that should be, it should be allowed to change people's minds, but it should only the last time that they registered and sign or whatever, the, the vote over should be the one that counts you need to be able to make sure that you have a solid identity system and I think that's one of the core issues is that, and that's why one of the things that, you know, Mike you've been mentioning as well was the different swing States is that that's one of the key areas that, you know, looking back and that's why the registration databases become targets is because if we know which if you can target the voter registration databases and you know what their swing States are going to be you can then make sure that you target the right areas. I think when I step back and I look at it, it is very complex and, you know, different States take their own own methods and own ways of how to do it but I think that's actually also one of the benefits is actually the voting system in the U.S is decentralized, which is a good thing. I see that as a positive because having a decentralized makes a targeted attacker more difficult because they will have the change, the vote in many locations and do it physically in many locations in order to really do it that way but I think to your point, Mike, is that if, you know, if you're able to get information to registration databases and, who's going to vote what way, then you only need to target that very far, a few counties that will spring a state's outcome.

Mike:Yep.

Dan: Yeah the decentralization is nice in that regard. Right? You think about it as like that's the benefit, but in reality, I don't think it's as, but yeah.

Joseph: So Dan then I have a question for you is, and, you know, you mentioned there's a lot of investment in security of the elections welling system itself. Is, is the investment going into specific areas or is it actually getting an equal across? Because one thing that I see is is that in disinformation in, in social media, you know, I think it's the companies and social media who've taken the initiative that are trying to do something about it but I don't see any, you know, initiatives around securing that, or labeling it as from a government perspective and then also we've got the voter registration and then you've got the campaigns. Which then typically have unskilled people who's brought in temporarily in order to, to, to run the campaigns and secure the campaigns. I think it was awesome to see one of your, your colleagues, you know, it wasn't getting hired as a sizzle for, I think it was at the DMC for actually putting people in charge of security and those areas and then also, and then there's the infrastructure itself. Are they being secured equally? Or is there kind of one that's being preferred over the other.

Dan: Yeah, that's a great question. I think you probably get different opinions on that from different people. Clearly the areas that have been getting the most money have been the machines themselves. You know, making sure you have paper backup, you can val, you know, validate things that, that, that was kind of identified pretty quickly, you know, from kind of 2016 and 2018. I think there have been, you know, a number of efforts that are done at the federal level. You know, looking overall that, you know, we started talking about things like hacking and foreign influence and intelligence around, you know, what do they try to do? How are they trying to do it? There's some great testimony. I mean, literally you can listen to hours and hours of testimony, just you know Google or my blog listed a lot of them as well, but you can go and you can listen to congressional testimony from different groups, different secretaries of States around the country, on all the different threats from different countries, not just Russia, China, other places money has gone is gone too. You know so some of it's been kind of an umbrella over overarching kind of a thing across the nation, because nobody wants, you know, foreign governments to be, whether you talk about any kind of traditional, you know, techniques to, to do a cyber attack, whether that be DDos, as you mentioned, Joseph, or whether that be, you know, whatever there's a whole, you know, hacking the database themselves, lot of attention on the databases, a lot of attention, certainly a lot of attempts. They noted attempts. You know, this has been on CNN, Fox News, all of it, you know, examples of where foreign governments have tried to influence and then a big, big push around the whole social media thing. Or you getting your news from Facebook or you're getting it from, you know, whatever sources and trying to influence Twitter trying to influence so I I'd say money is going to all those things, I would say has it been equal? I mean, there's always States I'll tell you that that want more money. So I've never known, I've never known a security officer to say no, I I've got plenty of money. I'm good. You know, just, you know, keep the money in Washington you know state governments by default are going to ask for that they're going to have their hands out and, like I said, you know, the pixie dust has been election security. I think it will be probably well after this election. And this is going to be an ongoing topic guys. I mean, I would not be surprised if we're back here at four years talking about elections. I mean, even because

Mike: I'm curious what the process is. Sorry, go on. I'm sorry, Dan.

Dan: Go ahead

Mike: Oh, no, I was just curious, like, so you were talking about everything leading up to the vote, but what about the security? Like where's the money going and process and stuff post, like I've, I've cast my vote and then there's all the counting and auditing and all of that like, you know, we talked about the registration, we talked about the voting, but what's happening on, on the other side of that, because I feel like that's another area that I just don't have any insight into.

Dan: Yeah. So there there's money being spent and I can, again, I'm not going to name States

Mike: Right

Dan: but I know, I know particularly I've been on calls in the last couple, couple months, a couple of weeks actually where, you know, they're looking at you okay. I, you know, how do you get, so I, since to say you get an absentee ballot, you know, even how can I get that in? Can I email that in? Can I take a picture of it with my cell phone and send it in. I, I kid you not, in some States that's allowed, you know, can I, can I, you know, do I have to, how do I know that's for me? How do I know that stuff from Joseph? How do I know?

Mike:Right.

Dan: Is anybody looking? So that back office process, there is money being applied to that and making sure that's a secure process. And, and I think I said, you said, what, what do I worry the most about right now? There is money being spent on that process. You know, they are looking end to end. They are looking at the back office. They are looking at election night. They are, you know, down to that individual precinct. I think there's a lot of fear around, okay, will they have enough volunteers because of COVID when people literally come in a lot of the people around the country, I mean, it's just really talking non tech. This is about as low tech as you can get. A lot of the people tend to be more elderly. A lot of people they volunteer, they feel like it's their civic duty. So you go in America many parts of the, the United States, certainly in Michigan here, you have a lot of, and God bless them. They're, they're great people. They're, you know, in the sixties, seventies, eighties, they're in, they're kind of running the whole system and it's the same people been doing it for years and a lot, will they even be there on election day because creative cover, you know being there with masks on and all the rest. So at a very basic level, is it going to be, you know, back to the people piece who, you know, who physically is going to be there, but a lot of them, a lot of money being spent on that, I think, but that process by fear is it's, it's changing in a number of States right now and will they get this ironed out prior to, COVID was a big, was a big wrinkle in a lot of elections plans

Mike: Right.

Dan: It was not part of the playbook. It was not part of the exercise. I mean, I was a part of election security tabletops in 2019 and, and, and COVID was not part of the strategy.

Mike: Right, a pandemic happening in an election year was not one of those and it wasn't in the content,

Joseph: It wasn't in the, the resiliency plan. I'm pretty sure. So, so, so Dan, I've got, I've got a question. Cause one thing that we haven't really talked about and at least in this year, and will play a big role in 2016 was Cambridge Analytica. And one thing that I've been very adamant about is that and it's going back to to, to campaigns is one campaigns are, are using, you know, data sources, which could be considered, you know, Cambridge Analytica, data source, and many regarded as, as a, basically an artificial intelligence type of weapon. In order that could be used in order to see about what things you need to do. And getting that. Let's say through, you know, let's say not through consent and not understanding about what that data was being collected and being used for. So, and that hasn't been really kind of discussed this year. I haven't heard much, you know, discussions around. Do you think that campaign should be allowed to use data sources such as that? And if they do, you know, should it be transparent to the citizen to buy? You know, the data that the data sources that they're using it for? I think for me, that concerns me is really kind of is it where they're making the decisions, where they're getting the data sources in order to spend the money on the campaigns but the transparency is never there.

Dan: Great point, Joseph. I do. I think I'm, I'm not going to, I'm going to be transparent with you. I'm not going to answer your question. I will tell you that it's happening.

Mike: I mean, I think it's a good point because of super pacs and other ways that campaigns can, you don't need a, the campaign can be as transparent as you want. They have all these other people that don't fall under those same laws that are able to do all of the same thing, but unofficially. So I think that's, it's sort of a, it almost doesn't even matter what we think with regard to campaigns.

Dan: Correct. Yeah, that's exactly right, Mike I agree. You know, the cat's out of the bag, the train's already left the station. The water's already over the waterfall. I mean, it's happening guys, right? Whether Dan Lormon thinks it's right or not or, you know, we're going to get into campaign finance and all the rest of it. I mean, people are getting the data. They're getting data in lots of ways analytics is huge. It's probably bigger this year than it was in 16 in my experience. Both campaigns are using, you know, any, any way in every way they can possibly get data. They're using the data

Mike: Right.

Dan: and they're targeting it. They're going to target to get the vote out. They're going to use it to, I mean, you name it, slice it, dice it. We know we all know the power of data and the Analytics behind that and I think, you know, just like the same thing with baseball, we've got all these hearings. We could go in as a whole, another spin on another another show, but what's happening with all the big, you know, Facebook and privacy and, and, and all of that, you know, the, all the global Google and what's happening with the big tech companies, will things really change? I mean, will there be more regulations? People say, yeah, some people say, no, I don't think they're going to get broken off.

Mike: Right.

Dan: I don't see it. It could happen. But, we discuss it, we talk about it and then we move on to the next election. It doesn't seem like much has changed.

Mike: I mean, I look forward to when they have enough analytics and data that I don't even need to cast a vote. Right. They've already, they've used the AI to figure out how I'm going to vote so

Joseph: Wasn't, there was a movie called The Circle. Wasn't it? Don: That brain reading technology would just, you know, automatically go in there and grab that. I grabbed your vote out of your brain.

Mike: Right, they don't even have to read my brain.They just read my Facebook yes.

Joseph: Next time you're in trouble and you walk through one of those airport scanners and it will actually, you know, cast your vote for you.

Dan: Well, Hey, I sent their guy to make sure it's not a robot that's voting for you. We got to do that. We got to do the identity theft protection thing at Joseph, I mean, I think your point about what you guys do in Estonia, what people do, I'm a big admirer of what you guys have. You and I have talked about this. I think what you guys do is amazing. I think it's really a global bottle. It's not where we're at in America, you know, the verification, you know, one person, one vote, you know, it's all kinds of jokes around this. You know, vote, vote, you know, early and often and all the rest of it. I mean, you know it's I, I don't think fraud is as bad as the Republicans say it is, but I don't think it's as good as the Democrats think it is. I think it's somewhere in between. And I think that this is going to be a really, really interesting year because the rest that was thrown in the engine is the pandemic.

Mike: Well, I think what's also interesting and again, back to the, sort of what happens after, I think it's an example, a really good example of Security that I deal with on a regular basis, which is where that push and pull of a secure process and a fast process. Right? You said it earlier, you don't want a process where it's going to take us months to figure out who actually won the election. You need to know you have some votes that are coming in immediately so you're going to start seeing those results and then if people start counting votes manually through the mail or through whatever, and it starts to swing the other way, then there's going to be all kinds of questions of like, was there fraud wasn't there? So you need this like efficient process and that's like that push that like such a like push and pull that's so typical between security and sort of the business side of the business, whatever, you know, we need this done and that push and pull and making like, and that's what worries me is that speed and the sort of the business side is going to drive a lot of decisions where maybe Security or, or that, we'll have to make compromises, which is never a good thing.

Joseph: Yeah this is one of the things in Estonia that is funny focused on, you know, the whole thing here is, and actually started off, you know, post-Soviet era back in 1991, the whole reason why something went down this path of digital identity and, and, you know, electronic voting was back in, in, in, during the Soviet Soviet era was that their history was changed so many times. It was the history kept getting changed and going back to the whole purpose, while you have paper balance is integrity and auditability, non repudiation of the board itself and ultimately Estonia realized, and, and, and they went down a paperless society, which turned into a digital study, which turned into the government, being a service provider, and ultimately to the point where that we got to really having a very efficient digital identity online or I can go to get online prescriptions. I can vote. I can go to vending machines, I can park my car. There's many things I can do my tax in two clicks. Literally within less than three minutes, it just depends on how fast your computer is and internet connection.

Mike: But thats also because you trust your government. I mean, there's, there's the problem in the U.S is that digital identity is definitely going to be controversial here.

Joseph: And it goes back to, it's not about the way the government ticket was, is that they didn't take it as a backdoor, that the government can actually see everything you're doing. They actually made it as a front door, meaning that the government has also transplanted to the citizen, but everything that the government has access to and sees. So if you actually make it that it's a reversal situation, because it, then it builds it's a two way trust and that's the only way to build it is that trust is bi-directional. It's not one direction and for the citizens, just the government, the government has to be transparent to the citizen and vice versa. You have to have that ability in order to create that and during, during the pandemic in Estonia, people were able to still do online shopping, online schooling, and also vote online all in the safety of the home. So that was one of the things that, and it got to the point where even the innovations, even in a post-2000, it's not perfect. There is security flaws, but it's about being transparent in the security flaws it's about knowing the risks and doing things to reduce those and some of the, you know, the implementations are only using block chain for them, non repudiation of that digital data. So therefore your government can't manipulate the results themselves directly.

Dan: I think Estonia is going to be the model. I mean, we've got, we've got a head there and we've got to get there. I think not enough, we're going to be doing four years, but we're certainly not there this year and I do agree with you, Joseph, that the challenge is going to be the process this year. You know, how do we, how do we know, you know, again, back to you know, I'm kind of hoping it's not a really close vote. I mean.

Joseph: Right.

Dan: I mean in some States it may not make any difference. I mean, you know, you know, counting late ballots or whatever in California, probably isn't going to make a whole lot of difference but you know, in some States, obviously the swing States, the six or seven, one of them is Michigan here that Ilive in, it's going to be really key and I think. It's going to be really interesting to see, and I just hope we don't have guys that have fear w might, I hope we don't have that kind of that hanging Chad moment of 2000 of, you know, and everyone's leaning at those pictures of the guy looking at the CHADS and what happened in Florida with, you know, Bush beating Gore. You know, I, I. It won't be the hanging CHADS this time. It will be like, was it, you know, Joseph, you mentioned, is it, was it his vote in person? Was it, was it the mail in ballot? Was it counted and how do we know it wasn't counted twice. And again, I think there are processes in place. I don't want to, I don't want to instill fear in the audience. I think there are, there are processes that can, that can do this. The question is. How do we know they're going to be followed? And how do we verify those things, especially where the changes have been made in the last 90 to 120 days during the pandemic?

Mike: And how are they being communicated? Because Joe brought up a great point, which was, you know, if, if I do vote twice, if I vote in person, I vote by mail and whatever I don't actually know in Maryland which of those, I mean, I'm sure I can look it up, I just don't know which of those would actually count and I don't know where I'd even, you know, I'm sure if I Google it hard enough, I'll, I'll probably find it, but I don't know that that's being communicated effectively either.

Dan: When you think about that process too, it's like, what if you voted for a different person?

Mike: Well right. Exactly. What if they don't line up?

Dan: vote out, does your vote not count at all?

Mike: Right

Dan: I mean, in some States, so I can kind of go back to the hanging chad story, it's funny to go back and read those stories, it's like under this condition, we're going to, we're going to count it as a Gore voter and under this condition is the George w vote and then if it's this condition, it's, it's, it's a, it's a, it's a wasted ballots. It's a, it's a spent ballot, so nobody gets to vote. So, I mean, in the case of, or it even be the process again, different States, may have different processes, but, You know, what, if you vote three times for the same person, do you do throw out all three votes? Because you're not, you know, the law says, you know, you can do one or the other and you're not supposed to do both. So, I mean, again, the challenge is I hope we don't get down to that close of a vote. That's about the fear.

Mike: I also hope that the sort of that collision process doesn't invalidate votes, right? If that's, if it's that easy for me to. If, if somebody votes and it's all I have to do is send it another sort of contradictory ballot to invalidate their ballot, their vote that's also problematic. I mean, that's, you know, like, so hopefully there's some really solid rules to make sure that the vote like, I don't know, like how do you verify that I voted for this and that? Which one of those? How do we know what you're about?

Dan: That, right i think the Republican fear, I mean, how do we know that somebody didn't make 10 copies in mail and mail in 10 different things or, or somebody, your guy across the street, got your mail or some, you know, somehow, how do we know it was you?

Joseph: This is the transparency piece. This is going back to the transparency. Is that how does every citizen in the U.S know that their vote counted?

Mike: Right.

Joseph: It actually went to the final vote and if they made a mistake, how do they know? You know, what can they do in the future to rectify it? It's that transparency with the citizens and that's, that's what I'm saying. It's always a two way trust. It's always bi-directional you have to know what you did was correct so you don't repeat the same mistake and maybe people didn't know that they were doing something incorrectly and they just repeat the same mistake and therefore they continually over multiple votes over years are voting incorrectly and never gets counted.

Mike: Right but I think that's such a cultural thing. I mean the U.S is founded on question your government question, you know, like, so the, the, that trust. I think it's actually a really hard problem to solve in the sense that we don't have a lot of trust in our government officials and in our governments in general. There is a lot of skepticism about what they do with their data and how they handle our data. I mean, I, I mean, I know things that I don't know, want to take this conversation in a totally different direction.

Joseph: Yeah.

Mike: But you know what I mean and so I think the idea of a national idea that's very, very controversial national, or even a statewide, like digital ID is going to be just a really sticky, wicket.

Joseph: So I got to, I know they've helped calculation and I think the second model that is Estonia had and I actually applied if it doesn't have to be the same model. It just has to look at how do you stop people from wasting their time, which is ultimately the process of the voting. You have a process that wastes a lot of people's time and in Estonia, it was that they saving up to six to seven days per year of GDP of the country, by having this process in place and if you actually applied that model to the U.S even, even, you know, just getting close to it, the U.S would save 1 trillion US dollars per year in wasted, you know, stopping people from wasting their time,

Mike: What we all use, If we all use public trans, use public transit, instead of clogging up the beltway, the same la, the same logic applies, but yet

Joseph: Correct.

Mike: There's a cultural thing of, I don't that that's just, it doesn't doesn't translate.

Dan: Especially during a pandemic

Mike: Well, there's that too

Dan: You come up with a great process and then, you know, along comes a pandemic. I mean, I, I think I really do think we were on track for a much better result this time, pandemic. I really mean that I was I'm an optimist. I'm actually you I'm a government bureaucrat. Sorry, no, but I actually think we have a real, we had a really good thing going, we were ready to rock and roll, but I, I think people were more aware that people try to influence in them just being aware that, Hey, Russia is trying to influence your vote. China is trying to influence your vote you know your Facebook. I mean, people were more aware people saw what happened last time, they're not going to be. Maybe, as I said, not as trusting that that message is really from my friend or, you know, whatever. I think people, a lot of those things were corrected. I think the challenge is going to be again, how do we know? You know, and by the way, the other piece we didn't mention Mike I just want to, will say real quick, listen In the U.S we have more lawyers than anywhere in the world.

Mike: Oh yeah. No, don't get me right. Exactly. Tort reform is a huge issue.

 

Dan: They don't have their people there, I mean, it was just always so funny again I picture back to 2000.I'm thinking is there Cassidy too. You got a Republican lawyer, a democratic lawyer, the counter, you got six people all looking at this card with the microscope and with the magnifying glass, you know, it's a really funny picture from, from Florida 2000.

Mike: Right.

Dan: So I mean, you're going to have a lot of lawyers you're going to have, there's going to be processes and watching it and again, it's, I think. That's the thing that's keeping me up at night, even more than hacking of voter files or hacking of machines. That's personally for Dan Lorman.

Joseph: I think absolutely Dan there's a lot has been improved over the last four years. Absolutely. You know, from one thing, as I do say, you know, the social media companies, you know, starting to flag political or even prevent political statements and these platforms. I think that was one step forward. So people get a bit more of context because the biggest problem we lose on internet is context is, is where was the original source of things that came into my, you know, did it really come from my friend, you know, those, those, trends. So I think that's one great thing amd I think also the reports that came out from the agencies in the U.S about what happened in 2016 as well and in prior to that, being transparent and I think even starting to see, even I think that even started a trend, even now seeing a lot more reports getting revealed about not just election hacking attempts, but also other types of things like ransomware and malware that's also attempted that has now got the agencies more willing to be more shareful and more, you know, really revealing those public reports amd that's a great step forward as well. We're not getting people having visibility and then also investment in the States and actually improving the election machines themselves and also protecting the databases so out of all of those things that, you know, what, what's your kind of, what's the, what's the, the fear that you have in the upcoming elections? Is it the COVID scenario that, you know, the resource issue, is there any type of hacking thing that would be the one that we should be aware about, which is the kind of the one that you would kind of indicate this problem or the confidence side, it's just the different information of the confidence and the outcome as well, if it does become very close.

Dan: Yeah. I think it's the timing. I think, you know, people in America, people want to hear on election night, they want to hear, you know, the concession speech in the, and they want to see the president by midnight, whoever wins. I, you know, a lot of people are predicting again. I don't know that I wanna make a prediction here but I, it literally, if it's really close, could, could come down to days and it won't be. It may not be by, you know, you wake up in the morning, you go to bed at midnight, you wake up in the morning. You may not know the next president. I mean, I think that that scenario of, of, you know, that's what the stock market doesn't like. The stock market doesn't like like unknowns. It, doesn't like to know indecision. I think if it comes down to a handful of States and it's really close, you're going to see a lot more scrutiny around these processes we're talking about and what changed in the last, you know, since, since April 1st. And I think, and, and, and, and maybe even, hopefully it becomes clear who the winner is and, and, and hopefully, maybe we won't, maybe we'll Dodge this bullet. I really pray that we do, but, you know, I, I just. If we get down to that level of hanging CHADS, that's where I think it's going to get ugly because

Mike: Right.

Dan: It's going to be like, well, how was this decided? And who said that it's, you know, back to your scenarios Mike, who said that if I sent in two you know two ballots in and you know, if you changed the rules, does that change the winner? If we changed the rules, like I could, Oh I changed my mind that I voted the day of and so I, I, I flopped my vote. Do we count that vote or does it, does it wash because I voted for the other candidate three days earlier when I mailed in my ballot. I mean,if, if, if, if somebody then says you change, if you change that decision that was made in April or whatever, and that changes the result. I mean, we get that, that, and that we'll talk really close. Right. That's my biggest fear, Joseph.

Mike: I think we should, maybe wrap it up on something, but maybe something on the positive side, maybe rather than fears and whatever. I mean, I think we already touched on a fair bit of all of the, all of the benefits. We, you know, all the things that have happened recently and all of the strides we've made. I don't know, Dan, if you had any final thoughts on that before we go on.

Dan: I mean, guys, listen, I do think that we have a lot of very good capable, competent people that are looking at this, both in, at a state, by state level. I'm a believer in state government technology. I, I mean.

Mike: I hope so.

Dan: 17 years, I generally, I don't think you can be in cyber security without being an optimist. The good's going to triumph out evil. I really, I really believe that guys and I think you got the FBI, you got all the intelligence agencies helping out, you know, I think, you know, we can, we can do this. We can do it successfully and we can, we can have a really good election result. You know, the harder it gets is the closer it gets and I think what happened in 2000 it doesn't have to be. Yeah, I'm not pretending that it's going to be the same. I actually am optimistic that we won't have that situation. I hope we don't. That was a very, very close election that came down with one date and that's never really happened anything like that in our, in our history but, yeah, I, I feel like a lot of good progress has been made. And, I think that people should become educated if you're really interested in this. If you're nervous about this, read up, you know, contact your, your local people. And you know, whether you say Congressman call your Congressman, I'd say, you know, definitely, you know, there's a lot of really, good projects happening and I think we could be encouraged about that.

Joseph: I completely agree Dan, and I think but my summary, from, from, from the discussion is really, is that a lot of positives have been made a lot of, you know, improvements in transparency. And I think for my key takeaway here for the audiences that I think it's really important, it is is to participate. If you, if you are interested in it vote, don't, don't let it go to waste and if you are concerned about, you know, what is the right way, I think that's the important part as the state should make sure it's transparent into what the options are and what actually becomes a valid vote. How to vote correctly, I think, is the transparency. So you don't get into a situation where you invalidate your own vote by voting incorrectly or multiple times. So I think the key takeaway here is, is definitely participate. Get out and vote and do do it safely as well. You know, the epidemic is at the heights and still, you know, how's the swing again, I'm do it in a way that, you know, focuses your health, you know, to take that as a priority as well, but, you know, Don your insights and it's very educational for me as well cause I do kind of look at it and do the comparison between Estonia and the U.S all the time. But I, I, you know, I understand it's a complex system and I understand it. There is very differences and, you know, sometimes even Estonia may not be able to fit perfectly or anything to that model. But I think that, you know, it's positives have been made but my thing, I think the still what needs to be made more is that transparency. Is the transparency and how it works and to the citizens so they know how to do it correctly.

Mike: Right and i think that goes into my sort of my, my key takeaway is, is more around the get involved. It's it's vote, but also get involved, understand how the electric system in your, in your state works, have it operate. That's where you have the opportunity to potentially influence, you know, it's at the state level, you're voting for the people who are making those rules,deciding those rules, make sure that they have a good sense of how to, how to handle it. I think that's really, my key takeaway is really how, how to get involved in and make sure that you are getting involved. So, yeah,

Joseph: Absolutely. So also many. Thanks, Dan. It's awesome having you on the show and I'm really looking forward to having more. I think it's been way too long since we chatted so.

Dan: Absolutely, interviews with you for my blog as well, talk about how you guys do so well, election so well in Estonia.

Joseph: Yeah. So I think from my, summary, as you know, for the audience, you know, primarily is your safety is the number one thing, your health and safety is the priority. But do participate. You know, the voting does have an impact on your future and your lives and kids and everything out there. So, it's important to participate. Hopefully this has been educational and, you know, it was giving you some insights into what we fear, you know, the worries that we have, but also the positives that's been made. So please do get involved. You'll follow Dan his blogs are awesome. I really enjoy reading them all the time. And he's a great insight, and mentor and educator in awareness and security in general. So it's awesome having Dan on the show, stay safe out there, make sure you know, these podcasts come out every two weeks. So, you know, do come in and subscribe, listen, follow us. You know, we always, you know, Enjoy to help educate, share the knowledge and have a fun time at the same time. So again, Dan, thanks for having you.

Mike:Thank you