February 14, 2024 23 mins

In this episode of The Security Detail, we explore the complex domain of election cybersecurity with Marci Andino, senior director of the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC). From international interference threats to localized phishing attacks, discover the varied challenges election offices face and the strategies deployed to safeguard the integrity of electoral processes.

 


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:04):
Welcome to The Security Detail, a podcast by Splunk Surge, where we examine
the cyber threat landscape across different industries.
I'm Audra Streetman. And I'm Madeline Tauber. Today we're looking at election
cybersecurity and the role that the Election Infrastructure Information Sharing
and Analysis Center plays in securing elections.
And they have an acronym, it's EI-ISAC, so you might know them better under that acronym.

(00:28):
Our guest today is Marci Andino, the Senior Director of the EI-ISAC.
With nearly two decades of experience as an election official and Executive
Director of the South Carolina State Election Commission, she brings extensive
experience in ensuring the integrity of elections.
In our conversation, Marci will provide insights into the top digital threats

(00:49):
facing elections in the U.S., the inner workings of the EI-ISAC,
its mission and services to strengthen election infrastructure,
and also the role that it plays in both education and prevention of cyber threats. Take a listen.
I started off in IT, and then I stumbled into elections kind of by chance,

(01:13):
and I held various positions at the state election office level,
including 19 years as the state election director.
When I was in IT, I taught at a technical college, I worked as a programmer
analyst, and then I did a stint as a sales rep for a worldwide system integrator.

(01:37):
So all kinds of things there.
And when this opportunity came available,
it was really an opportunity for me to pull from all of my work experience and
continue working with election officials that I had established relationships
with across the country.
And just really a great opportunity to continue to not just work with them,

(02:01):
but to provide benefit and improve their cybersecurity posture.
So I'm really happy to be here and continuing to foster those relationships
and support election officials.
Could you tell us a little bit about some of the services available through
the EI-ISAC and what your members do, what agencies they represent?

(02:23):
EI-ISAC is almost six years old. We were stood up in March, March 1st of 2018,
and this followed foreign intervention or interference in the 2016 general election
and the Department of Homeland Security designating elections as critical infrastructure.

(02:44):
So we focus on state, local, tribal, and territorial election officials,
and we have more than 3,700 unique election offices that are members of the EI-ISAC.
And of course, our mission is to improve their cybersecurity posture and really

(03:05):
make election offices more secure in a connected world.
Some of the services that we provide, really the first service was an intrusion detection system.
And then we also offer malicious domain blocking and reporting.
There's endpoint detection and response.

(03:25):
We provide a vulnerability disclosure program.
So if election offices want to do so, they can open up their public-facing websites
or public-facing systems.
So security researchers can take a look and see if they find any
vulnerabilities, and if so, they would report them to us.

(03:47):
We provide tools like our Essential Guide to Election Security.
It's really written for non-technical election officials, and it's a way for
them to measure their maturity level and kind of gives them a roadmap on where
to go and how to improve going forward.
Now that we're in an election year, what does that mean for the EI-ISAC?

(04:10):
Does that change the way that you're communicating with members or some of the
issues that are coming up?
It's certainly a busier time for us. It's a busier time for election officials
and primaries have already started.
And some states will have as many as five statewide elections this year.
So it's really one election after another.

(04:31):
So we have to be a little bit more strategic in reaching out to them and engaging.
We certainly don't want to call when they're on the eve of an election and they're
heads down trying to make sure that polling places and poll managers and ballots
and voters and everything are ready for election day.

(04:51):
In many times, it's really the county or the state that's providing the network
so they can continue to focus on conducting the election and they can pass us
over to their IT staff so we can get additional coverage in place for them.
Are there any common misconceptions about election cybersecurity?

(05:14):
Sometimes people think that we only conduct elections every four years or maybe every two years.
And it's kind of become a running joke, but elections are run by full-time election professionals.
And somewhere every, just about every Tuesday, there's an election.

(05:35):
It might be a small election, but they're ongoing. They're special elections.
Cities and towns hold their elections at different times.
So a lot of what they do to prepare for an election is the same,
whether it's a small election or a large election.
But presidential general elections create the most interest from voters,

(05:58):
from interest groups, from candidates, from the media.
So it's really like an election on steroids.
Yeah, I can't imagine that. What would you consider to be the top digital threats
facing any elections in the U.S.? Good question.
We've done a threat assessment at the EI-ISAC, and we've identified five cyber threat areas.

(06:22):
The first we've been talking about for a long time, and that is phishing.
And then there's data leaks, distributed denial of service or DDoS attacks,
ransomware. And then the new addition to the list this year is generative AI.
And this just amplifies existing threats that are already out there.

(06:46):
Based on those threats, do you publish recommendations on how to combat them?
Or do you let that list guide your efforts for projects, etc.?
Or how would you use that internally? When we are talking to members,
they are very, very interested in what 2024 might look like from a cyber perspective.

(07:09):
The most concern is in the generative AI area, but that's only because that
is something new to them. We were not talking about generative AI in 2022,
but we talk about phishing all the time.
And, you know, it's the most common tactic reported by our members.

(07:30):
And generative AI is just improving those phishing emails.
At one time, we would say, you know, look for choppy grammar,
incomplete sentences, and that's a hint.
It could be a phishing email. Well, now they're perfect.
And, you know, they're much harder to detect.
We're also seeing impersonation of familiar figures. It could be like managers or co-workers.

(07:57):
And I get those all the time from our, allegedly from our CEO.
So, you know, those are things that everybody has to be, you know, very much aware of.
And we're telling election officials to make sure that they not only train
and remind their staff, but train their seasonal staff.
They bring in a lot of temporary employees to help conduct elections,

(08:21):
and you don't know what kind of cybersecurity messaging they've received.
We're also starting to see QR codes embedded in emails, and a lot of times it's
to do credential harvesting.
They're portraying that sense of urgency, trying to get you to quickly scan

(08:41):
that QR code so that they can capture information about your account and your
password so that they can gain access to your systems.
A follow-up to the phishing point about that being one of the top threats that
you're tracking, that's often an initial access technique.
So I'm curious if there's any information on what adversaries are using phishing

(09:04):
to accomplish, like what their motive is. Is it for data leaks?
Is it for interfering with election capabilities?
Or what do you know in terms of what they're after? It could certainly be email
leaks, and we saw a lot of that in 2016.
Another example that we started seeing about that same time is someone would

(09:27):
be advertising voter registration data for sale on the Internet or for sale on the dark web.
And this could be a voter registration list. It could be poll worker data.
It could be campaign voter files. It could be many different things.
But it's always implied that it's the result of a leak or a hack.

(09:50):
So whenever this happens, and it's going to happen again before the general election,
our analysts in the EI-ISAC, they will investigate and make sure that it's not the result of any leaks.
A lot of states have voter files that are publicly available.

(10:10):
So a lot of the information is already out there.
And all of these things just, you know, make voters uneasy and make them,
you know, wonder how secure is our election.
So, you know, we like to investigate and, you know, be able to determine,
is this a new leak or is this data that has been circulated because it's already publicly available.

(10:36):
With generative AI, I know there was an example of an audio deepfake of President
Joe Biden urging people in New Hampshire to not cast ballots in the Democratic primary.
So that was one instance where we actually saw a deepfake circulating to mislead
voters and to deter them from taking part in our elections.

(11:00):
So I'm curious what your take is on deepfakes, and is that a top generative
AI concern, or are there other examples that you're looking at of how that could be used for elections?
Generative AI is new in elections, and it's amplifying these existing threats.
So robocalls have been used for years to reach out to voters,

(11:23):
sometimes for good purposes, like reminding them there's an election,
sometimes for not so good purposes, like maybe telling them not to go and vote
like the one a couple of weeks ago.
AI just improves the content and makes it easier and faster and more cost effective to stage attacks.

(11:46):
So whether it is a deepfake, an image, whether it's a video or audio like we
had in the robocall, these are all distractions for election officials.
They're trying to conduct the election. It can lead to voter confusion
and ultimately it could lead to voter disenfranchisement.

(12:07):
And that's what we certainly want to prevent. Since election security is,
of course, not just limited to those digital threats, we're wondering about
the risk of physical violence as well.
So how much of a part is that with the EI-ISAC, if that's something you'll focus
on at all? The focus of the EI-ISAC is primarily the cyber threats.

(12:30):
However, we do talk about physical threats, we talk about insider threats,
and we talk about swatting to election officials to raise their awareness.
And sometimes we find that the physical threats start out as a cyber threat
and it morphs over into the physical.

(12:50):
So we don't totally ignore it. We try to raise their awareness.
We encourage election officials to work with their local CISA physical security advisor.
They can come in and their local law enforcement and they can come into their
office and make suggestions about securing the office, securing polling places.

(13:13):
And then we also talk about personal security, both online and at home.
Despite these threats, what are some things that you believe would help Americans
to remain confident in the integrity of the election infrastructure?
I think it's important for everyone to remember that elections are conducted at the local level.

(13:38):
These are your friends, your family members, your neighbors,
and they work tirelessly to make sure that every eligible citizen,
you know, has that opportunity to register and vote and that their vote is counted.
So, you know, it's not the state or it's not the federal government out there,

(14:00):
They're, you know, conducting the election.
These are people that, you know, you go to school with, you go to church with,
you see at the grocery store, they live in your community.
And they're very committed to making sure that everybody has that ability to go and to vote.
A lot of the focus when we hear conversations about election security is focusing

(14:22):
on the actual voting machines.
But there's a lot of other infrastructure involved in the election process,
whether that be the voter registration databases or other software that
helps support elections.
And I think it might be worth pointing out that a lot of these machines,
the actual voting machines, are not internet-facing. They're on their own network.

(14:43):
But some of these other software systems like the voter registration databases
might be internet-facing.
I saw that the EI-ISAC has a program.
I was wondering if you could tell us a little bit about that.
Sure. That's RABET-V, and it stands for Rapid Architecture-Based Election Technology Verification.

(15:05):
And while there is a certification program for voting systems,
this is a system for non-voting systems. So that could be your voter registration
database, like you mentioned.
It could be an electronic poll book that's used at the polls to check voters in.

(15:26):
Could be an election night reporting.
These are all critical systems that election officials depend on to do their jobs.
And RABET-V takes a
look at the whole company and specifically the development environment that
they use and it assesses their ability to make changes or updates and how that

(15:49):
might impact the system as a whole and it kind of streamlines the process of once an update is made,
sending it back through in a fast or a rapid fashion so that it doesn't take
six months or a year to get a new version certified for use.

(16:10):
So it was launched in December, so it's relatively new.
But prior to the launch, a number of non-voting technologies went through that process.
And we're working to recruit other vendors to go through as well.
Recently, there was a cyber incident that Georgia disclosed in Fulton County

(16:31):
where they had to restrict access to their voter registration system just as a precaution.
And from the reporting I've seen, there wasn't any indication that election
systems were targeted or impacted.
But when you see headlines like that, are you encouraged that counties are taking
the appropriate steps to be extra cautious in these events?
Sometimes election offices don't have to be targeted directly to be impacted.

(16:56):
It could be the county government was the target, and because the election office
is part of that network, they could be impacted.
And I believe that's what happened in Fulton County, and the state said,
out of an abundance of caution, we want to restrict access to the statewide
voter registration database until the security professionals can do their due diligence.

(17:18):
I was thinking back to when you said DDoS attacks distributed denial of service
as one of the top five threats from your assessment.
I'm curious, where do you think adversaries might be looking to launch those?
DDoS attacks, they try to disrupt the availability of critical systems,
and that could be an election office website.

(17:40):
It could prevent voters from looking up where their polling place is,
but they tend to happen in the election space on or very close to election day.
And it could also prevent citizens from seeing the results, the actual results
of the election on election night.
It should not interrupt the tabulation process because that's something that

(18:05):
takes place off of the network.
But this would disrupt the availability of their websites.
Ransomware, you also mentioned, is another threat. And I'm curious,
have you seen instances of ransomware groups targeting election offices?
I think we've seen more attempts to impact a city or a county than specifically

(18:29):
the election office itself.
But in many cases, the election office is sharing a network with other city or county departments.
So if the county is hit with ransomware, the entire network could be down and
that could impact the election office.
In a hypothetical scenario where someone is able to compromise a voting machine,

(18:53):
it would be limited to one physical location in the hypothetical.
Realistically, even in that scenario, that wouldn't impact the outcome of a
presidential election, right?
Because of how heterogeneous the election system is in terms of how many different
parts would need to be compromised to actually have an impact on outcomes.
There are many different voting systems in place across the country,

(19:16):
and they are not connected to each other.
And even within a state, you may have multiple voting systems.
And then at every level, from the precinct to the county or city up to the state,
there are lots of checks and balances in place to ensure that the results are accurate.
So, no, it would not impact the outcome of an election.

(19:38):
There's a way most ballots are there are paper records.
So you can always go back to a hand counted paper ballot or some sampling just
to reconcile and to verify that the results are accurate.
Welcome to I'm the CISO and I say so. This is a segment that we have where we
ask interview guests what they would recommend or even mandate if they were

(20:02):
the CISO of an organization in the industry that they're speaking about.
So we asked Marci what she would say if she was a CISO charged with securing
election infrastructure. And here is her answer.
So I would say that the election office must join the EI-ISAC and implement
all of our defense in depth products.

(20:24):
And that's the intrusion detection system, the malicious domain blocking and
reporting, endpoint detection and response.
Those items would stop most attacks.
So as our listeners might be able to hear just based on my accent,
I personally don't vote in the U.S.
And I don't have as much experience with presidential elections either.

(20:48):
So I vote in Germany and I mail my ballot there.
So I'm curious, Audra, as a U.S. voter, what were your takeaways based on the
conversation that we had with Marci?
Yeah, I think it was great to learn about all of the services that the EI-ISAC
provides and also the top digital threats that they're tracking.
And I think when it comes to election security, the area that concerns me the

(21:10):
most is the erosion of public trust in the electoral process due to misinformation,
disinformation, even news headlines about voting vulnerabilities that could
be misinterpreted as more impactful than maybe they actually are.
Because the reality is that there are many decentralized entities involved in
our elections from the local, county, and state levels.

(21:31):
And that heterogeneity provides a level of resilience and checks and balances.
So if you think about what would actually need to happen in order to
change the outcome of a U.S. presidential election.
It would need to be coordinated at a larger scale.
And because of that, federal elections in the U.S. are actually extremely difficult to manipulate.
And I'm curious, Madeline, because of your background as well with voting,

(21:53):
what did you make of that interview?
Yeah, I do think that it is a large threat to our democratic process that certain
disinformation could affect the public's trust in elections.
And with us entering an election year,
I really think that this was a very appropriate conversation to have.
And I also thought it was a good reminder that elections happen,

(22:13):
like Marci said, just about every Tuesday.
And that really highlights the amount of work involved in this process.
But to be honest, a big part of the interview that I enjoyed was discussing
AI usage and phishing, just because it keeps coming up.
And I'm really interested to see how this will develop or be prevented in the future as well.

(22:33):
Yeah, this is actually very timely because the search team just released research
about generative AI and phishing, where we looked at how convincing
generative AI translated email prompts were compared to emails that were translated
by a native speaker in that language.
So it was fascinating to look at that. We'll link to that research in our show notes.

(22:55):
And I know we also have an ongoing blog series for our podcast as well.
And if you'd like to read more about cyber threats to elections,
then check out that ongoing blog series that we have at splunk.com slash surge.
That's spelled S-U-R-G-E.
And that's all the time we have for this episode of The Security Detail.
If you like what we're doing, please share The Security Detail with your friends.

(23:18):
You can look for us on Podbean, Apple, Spotify, or wherever you find your podcasts. Thanks for listening.