tv Public Affairs Events CSPAN October 26, 2016 4:41pm-6:41pm EDT
1:41 pm
equivalent to other comments. but there may be -- that's what i wanted to know, a prophylactic, i have to deal with the problem of racial confidence in the work of the jury. and that's a reason stemming from the language of the amendment to treat race specially. and we have 20 states that have done so without the reasons for limitation swamping the process. now, that's what i understand is a textual argument and purpose it that would in fact, allow constitutional protection of the kind they're asking for. >> so i think, your honor, when considering a prophylactic approach for the 6th amendments, considering the costs for this rule and other mechanisms are available, those are things the
1:42 pm
court traditionally had under the 6th amendment. we think they are likely to be particularly available in many cases with regard to race and to the talk about first voir dire and the in-trial mechanisms that your honor mentioned. in voir dire that is a well settled principle, the law in colorado, that you will have the opportunity to ask these questions about race. and there's also been a lot of study and thinking that's gone into how to effectively detect bias with respect to race in particular. and mid trial reporting. things can be done to strengthen that safeguard. but in general, jurors are instructed the bias in general is impermissible. they can be instructed that racial bias is impermissible and even to contact the judge. on the cost side of the ledger, there is a high danger and fair trial danger if you are trying to reconstruct after the fact
1:43 pm
jury deliberations with a he said, she said about what was said, that can undermine confidence in the jury system we think that risk may be particularly acute when you talk about a very sensitive allegation like the racial balance occurred. i think we know as time goes on, racial bias can be expressed in subtle ways. when somebody goes back into the community where a sensitive issue has been debated, trying to recall what was said, there is real risks there will be -- >> the more insidious the evil, the more caution in the jury? >> no. we think this is a serious issue and it ought to be addressed in the safeguards the court has always applied. dangers are present here. to take, for instance, the danger of impeding full and fair jury room deliberation, we think that is a particular race in
1:44 pm
talk building this kind of very -- allegation that contains a high degree of program attached to it. so your honor, there may be cases in which race is discussed in a jury room because it is appropriate. because the claim involves racial bias. there's allegations surrounding misconduct. that is different from coin flipping or intoxication where there will never be any reason why those things should go on. this is the allegation that most likely opening the door to is most likely to impede full and fair debate in the jury room. >> it does strike me that given one of the rules that a jury can, during deliberations say something inappropriate is happening here. to the extent there is this chilling effect, why doesn't that produce the exact same chilling effect? it seems it is such on the margins of what you're saying. >> i think for hundreds of years the courts have treated the mid
1:45 pm
trial context on the different. the reason why is you're really talking about something that sets off jurors and alarm bells at the time. once the trial is over, not only do you have other interests kick in in finality but there is the risk that jurors would have their decision in a case. they start to second-guess what they did. as a result, they start to misremember or they're subject when the trial suspect occurring. your honor, we're not suggesting this is not a serious issue even one that jurisdictions in this court can study and consider. it is a difficult balance. but what this court generally said with respect to rules of evidence, states have a lot of flexibility to adopt different approaches. we think this is a case in which the interests that the rule serves are fully present and the safeguards we have relied on historically are fully present. >> like the government or the state of colorado, the government of the united states would make this same argument in the capital case?
1:46 pm
>> we think they have eighth amendment considerations that are not here. the court suggested different sets of rules apply. there may be different considerations in that context. but, your honor, we think to the extent the rule is attic, the appropriate way to do that is a rule making body, which is another way in which the court exercises oversight as to the role of evidence. it shouldn't impose a new constitutional rule. >> in the states that allow these kind of evidence, is it all done by legislation, by a rule of court, or has it come about by judicial decision? >> i think it's a mix. some employ basically the iowa rule. so they let in a lot of evidence about what we said in jury deliberations. they have a broader rule. some have said under state law we think this is an exception that has to exist to the rule.
1:47 pm
and some which the petitioner relies are constitutional decisions. >> the issue of capital case could involve all sorts of misconduct in the jury room. suppose it came out later that the jurors said we don't really care what the law is. we want to oppose capital punishment. or they flip a coin. if there were a special rule for capital case, would you draw the distinction based on race? >> i don't think so, your honor. if there were a capital rule, we think it would go to whether it is permissible to fly to the 606b in this context. >>, counsel. five minutes, mr. fisher. >> thank you. i would like to make four points, please. first, just to pick up where that conversation left off, my friends are saying the eighth amendment would become relevant. in a the common sense structural
1:48 pm
argument making and the other side is saying it is improper. you consider other elements like the fourteenth amendment. secondly, with respect to the prophylactic measures and specifically voir dire, two points. the studies they point to is where race is infused from the outset. hamm against south carolina where the defense is all about the person's race. in those settings, questioning of voir dire is almost incumbent on defense lawyers and sometimes has a good effect. that's not the question before the court today. if they are saying it is a cure all for this situation. they are saying in every single criminal case, whether it's shoplifting, white collar crime, dui, any case a defense lawyer is required to interject race from the case from the outset. interjecting race from the outset, potentially offending
1:49 pm
jurors, suggesting race is relevant where it doesn't exist. and our solution, which is simply having a fail safe for the once in a blue moon where you have this gray problem. we think ours does less upheaval than the opinion from this court that says voir dire is the answer here. next, let me say something where we agree with the other side. i think i heard both counsel for the other side say this is a balance. we agree. that's what 606b strikes as a balance between the interest of justice and the principle to jury secrecy. i would suggest to the court when you conduct the balance and where we disagree with the other side, the court's duty is to exclude the lesser of two evils. racial bias is never the lesser evil. the court never said racial bias is a lesser evil than something like the public policy considerations here. and i know the court is concerned about line drawing. it is obviously in a
1:50 pm
situation like this where you have announced a new rule as a constitutional matter you wonder what cases are coming next. the court never refused to remedy discrimination for fear of having to address other questions down the line. if you look at the court's cases, whether it is the hamm or batson or anything else, the court will have ample tools and ample time to decide down the road whether other situations are the same or whether they're different. our submission here, though, is race is unique. race is a particular poison. and that the experience of the 20 jurisdictions that have this rule shows that implementing the rule we're asking will not create any significant problems with respect to state interests or administrators -- >> mr. fisher, it is not a fear of confronting issues down the road. it is a question of understanding the scope of the rule that you are asking us to adopt. and i'll give you one last
1:51 pm
chance. you will not tell us today whether your rule applies to discrimination on the basis of religion or gender or sexual orientation or to add another one, political affiliation. so if the jurors, if it came out the jurors said this person is a democratic, send them to jail, that would be a different result. you will not tell us whether the same -- whether the rule would apply in those situations. >> i think it is easy to say, justice alito categories by rational basis analysis but not require the rule we're seeking today. i'm trying to be forthright with the court by saying i acknowledge there will be other hard questions as identity, i'm not representing somebody that has that case. i think the court would want full briefing on it. >> maybe the question a little differently, i understand why you don't want to say it wouldn't apply to this or that. but in what ways is race unique? >> race is unique in terms of
1:52 pm
our history and constitutional structure, and in terms of the more practical considerations of rooting it out with the prophylactic measures we've discussed. the briefing is filled with examples of why race is particularly hard to get at through the tanner factors as compared to something like other kinds of discrimination. the scrutiny analysis is a good place for the court to look. it is not that we're saying other forms of discrimination are okay, whereas race is unconstitutional. we're saying different tools need to be available. more searching inquiries need to be done when it comes to race. that's why we think the rule of evidence gives way where it might not in other cases. >> thank you, counsel. the case is submitted. republican vice-presidential nominee, mike pence, is holding a rally in salt lake city, utah, as polls show the normally republican state is coming into play for hillary clinton. you can see that event live on c-span 2 at 5:30 eastern.
1:53 pm
the obama administration announced this week that average prices in health insurance exchanges are going up about 25%. health and human services secretary, sylvia burwell will discuss live, 6:30 eastern on c-span. congress is on break until after the elections, american history primetime continues tonight with a look at the civil war and reconstruction. it begins at 8:00 eastern, with a war in gettysburg, and reconstruction in the north. american history tv primetime, all week, at 8:00 eastern. this weekend on american history tv on c-span 3, saturday morning from 9:00 eastern until just after noon. >> the british empire and its commonwealth last for 1,000
1:54 pm
years, men will still say this was their finest hour. >> we're live for the 33rd international churchill conference in washington, d.c. focusing on the former british prime minister friends and contemporaries. british historian, roberts, how four titans won the war in the west. 1941-1945. later on saturday, at 7:00, texas general, george p bush, state senator, jose menendez, and musician, phil collins, talk about the alamo. >> the members i have at that time were that this group of people were going and they knew they were going to die, but they went. or they were there. crockett went, but there was something very noble and very, you know, romantic. i love that it wasn't quite as
1:55 pm
black and white as -- that's one of the next i think would be good in this day and age, you know, that we put it into context. >> then sunday evening at 6:00, on american artifacts. >> you notice he is not wearing a weapon. he would often lead attacks, carrying nothing but the riding crop that you see in his left hand. and the men looked at this and realized, hey, if the colonel, and later the brigadier, i can take it too. >> we visit norfolk, virginia, who commanded allied forces in the pacific during world war two. and at 8:00. >> the great leaders service as conscience in chief, their moral compass locked on true north, so we can always count on them do the right thing when times get tough or no one is looking.
1:56 pm
>> author talmage boston, what they are and provides examples of presidents who excelled at each one. for our complete american history tv schedule, go to c-span.org. what are the vulnerabilities of the u.s. election system? the institute for critical infrastructure technology hosted a series of discussions on cyber security threats. over the next 50 minutes, voting machines and data can be compromised. good, everyone. thank you for joining us for today's briefing. i'm a senior fellow for critical infrastructure technology. i welcome you to today's briefing on a recent series entitled hacking elections is
1:57 pm
easy. we're holding today's briefing because of the factual conversations on the cybersecurity of our election systems have been replaced these days with two extremes. on one hand, we have conspiracy theories filled with doom and gloom, and banter that has widespread distrust of the democratic process. on the other hand, we have statements from ill informed commentators, who believe hacking an election is impossible and could never happen, because of our election system. and because of the belief that state officials are adequately prepared to defend against the adversary. the reality is, neither of these schools of thought is accurate. as america cybersecurity think tank, thought it was necessary to introduce a hacker mind set to this conversation, to discuss the reality of the vulnerabilities that exist at the state and local, and manufacturing level. we'll hear from experts on how hackers can social engineer
1:58 pm
their way into manufacturer, map networks and destroy the endless injection points that exist on these systems and machines to deliver malicious payload to achieve their desired outcome. during the second panel, we'll talk more about cyber hygiene best practices, which would be implemented. our motivations are simple. educate the public and the election officials on what is possible, so they can then shore up the vulnerabilities. i'm excited to kick off the first panel, analysis, hacking elections is easy. i'm going to introduce them today. to my immediate right is james scott, senior fellow. to his right is jim walter, contributor and senior researcher from the silent speer team. and to his right, tony cole, a
1:59 pm
fellow and global government. thank you for taking time to be here today. i'll be identifying three major problems in the voting system and asking you and the panel to keep these in mind as we go through the next several minutes. problem one is the black box proprietary systems. voters and officials don't know what code is running and what vulnerabilities exist in the system. reliance on vendors is extremely worrying because it is an enormous security system. air gap defenses. state election boards believe election systems are secure because the vulnerable systems in air gap. this demonstrates how little they understand about cybersecurity. finally, decentralization is not
2:00 pm
a defense. to point to this common belief, i'm going to go to a quote from director comey, who said the beauty of the american voting system means it is dispersed among the 50 states and clunky as heck the beauty is it is not part of the swift internet of thing and hard to reach the voting process. so with that in mind, we're going to breeze through a couple of questions before we get into the meat of the conversation. now, obviously all this stems from the digitization from the 2000 election process, where gore and bush's election came down to 200 votes. allocated about $4 billion to fund all 50 states to move to electronic voting machines. so fast forward to today, there is a dozen manufacturers out there and two primary types of
2:01 pm
machines that are used. either digital optical systems or dre systems. since moving to e-voting, have we as a nation done enough? >> i would say absolutely not. you know, throughout the history of their use, there has been numerous vulnerabilities in these systems across all the manufacturers. they're not at all designed with security in mind from the ground up and they seem to exist in a bubble outside of the normal hardware/software security life cycle in that when vulnerabilities or issues are publicized or disclosed in these systems, nothing seems to occur. there is no follow-up from vendors. there is definitely, you know, not -- little if nothing being
2:02 pm
done to address the issues, and it has been that way since these things were implemented. >> yeah, and nist put out 160, which takes the security aspect and starts it at the manufacturing level and takes it through the entire life cycle of the technology. it would be great to see something like that. >> great. now, can we touch on what security requirements and mandates have been put in place for the states and if they've been effective and is there adequate funding for states actually to deliver on these? >> i think that the funding is equipped but the people in charge, they're no longer qualified to fulfill these tasks in the digital age. so we need to start bringing in people that are familiar with the cyber kinetic state landscape that is playing our systems. >> i would add i think there
2:03 pm
needs to be a minimum set of standards. i mean, this is what our democracy is based on, trust in this system, that you vote and your vote is counted for the candidate that you want. if we can't trust those systems, if we don't know if they've been compromised, we actually chip away foundations of democracy. >> those standards have to be, you know, mandatory. right now, most of these certified systems are certified against a standard that was drafted in 2005, the voluntary voting systems guidelines. voluntary being the active word there. there have been revisions since, and i believe there is a 2015 standard, but still is the voluntary word. so there is no requirement for these things to even follow whatever standards do exist today. >> talking about machines for a moment. do you think that manufacturers have done an adequate job building security into the life cycle, either development or the maintenance of the machines? >> yeah, dre and optical scanner
2:04 pm
just dilapidated bare bones pcs with no end point security. when you have a black box technology with minimal transparency, it's pretty difficult to get in there and forensically analyze. >> this is a six megabyte flash card, and this was taken out of an avc edge voting machine, a machine still in use today. and i believe 13 states across 170 some odd different cities, counties, however you divide it up, but this is the system these things are based on. this is a very ancient variation of dos running the thing, and you know, it is very easy to open up the box and yank it out. the point is, in terms of designing things with security
2:05 pm
in mind, from the manufacturing process onward, when you're talking about operating systems that run on something like this and running code from between 1999 and 2001 and in use today, i would absolutely argue that that's, you know, there is no security being paid mind there. >> i would add to that. we need to take a completely different path on that where security is baked into these solutions. the people running these systems generally have no training as part of the -- site a paper that was done, people are getting paid $15 an hour, so you can see they're not highly skilled individuals that understand cybersecurity, that understand chain of custody, have any sufficient training to actually monitor, maintain and ensure these manufacturers are doing what they're supposed to do. >> i'm going to summarize some of the things we just said. easy to read networks, employees
2:06 pm
inadequately trained or volunteers, and we have an election system run off of black box proprietary code. what do you think is the most likely adversary given the environment we just described. >> could be anybody. you could look at the sophistication of state actors or worm projects on apt 28. you can look at poseidon, but what we're going to go over right now are tools that are readily available on forums that can make -- things that used to be sophisticated, just point and click at this point, so. >> we'll start. well, that's the big thing right there.
2:07 pm
you know, we hear about illinois and arizona, but the reality is, for a while now, voter registration databases have been able, you know, with recently exfiltrated data on dark web forums. if you look at the minimal sophistication of the state governments, i think nasa, cdc, usps, these are sophisticated, they defend in layers. fdpxs is readily available for a fee. i would estimate by the next election cycle, they'll be selling access as a service to state tabulators. >> this is just downloadable guide for information, internet information servers. another example of data access
2:08 pm
as a service, this one was interesting, because they -- you pretty much give the url, and then your money come out of escrow. this is interesting, because this is a hacker for hire service, but it's -- this is an ad by a handler. so you describe the project, what database you want to access, to what type of malware you want customized, and this individual will have maybe 10, 15 hackers he can pull from. shodan is a portable port sniffer. we'll talk more about that, injecting malicious code. same type of thing, just a different -- it is more of a purchasing the software as opposed to a service.
2:09 pm
sql injection tool, so easy, anybody can do it in about ten minutes. brute force, we're going to talk about that as well. you can brute force your way to pretty much anything, especially with the web x. this is interesting, because it is an all inclusive, almost encyclopedia of software to step in and be able to do some pretty interesting layered attacks with minimal technical capability. zero day for microsoft office, it is a steal, just under 50 bitcoin. the excel will be important, because state tabulators oftentimes will use excel as their spreadsheets, so finding an exploit that will work with
2:10 pm
exploit. voter machine or scanner, black box technology, which nobody can get into it. there is a lot of things that can go bad there. another zero day. you can build your own exploits for this. this is just another nifty tool for people to figure out you can start doing your own exploits. >> perfect. thank you. that gives you an example of what's out there and many of these and other images can be found in the hacking elections as part one and two, which can be downloaded from the website. so we're now going to get into the part of the conversation that will be fascinating. that is how a local election system can be compromised. i want to start out by making a statement that there is no consistency across particular
2:11 pm
states or precincts on how machines are tallied. high level, the process is simple. they're tallied at a local level and then aggregated and sent to the state level. this is constantly a changing process, and there may be processes that are being used that we're not aware of. keeping that in mind, what characteristic would malware to be most effective in impacting an election? >> depending on where your starting point is, i mean, you mentioned right off the bat, you know, the transfer base stuff of voting data or ballot data. if you're talking about ftp the data outward, you know, anything that can monitor that traffic or anything that can monitor the initiation of that traffic. so that's any number of off the shelf tools, like has been shown, or you know, it doesn't take much to write something
2:12 pm
that effectively sniffs and monitors or redirecting it elsewhere. you can get deeper into stuff that can actually run or be injected into code on the voting machines themselves. you know, those that run windows, it would be very, very simple to, you know, craft you know, a piece of malware to run on the machines, or use something that exists. because you know, they typically are not running any sort of end point protection. anything you drop on there, regardless of how old or ancient the malware is will do the job. we've seen people test out the machines and drop things like poison ivy or dart, which is well-known, typically very easy to detect in the security world, but definitely run on these machines and will actually exfiltrate the data as needed. >> many times the data may be
2:13 pm
taken back to the state level to be tabulated or regional, county level, localities. if you've got people sitting in the room who are working on their own systems, maybe more modern systems. even if you have those other systems for the election that are air gapped, all it takes is one piece of removable media, moved over to one of those and you can do a compromise. a lot of people think that if you're air gapped, air safe. there are a number of reports out there that have shown how air gap systems get compromised quite frequently today. >> yeah, air gaps, i would say you would have to know how to leverage exploits specifically, microsoft operating system, except, access. but with bypassing the air gap, it is actually since 2005, it is pretty common. we had usb stealer in 2005, air hopper, bit whisperer this
2:14 pm
year, all easily achieved bypassing the air gap. so the air gap is no longer a defense, and it is interesting to hear state officials say that it is. kind of shows how unqualified they are for their positions in the digital age. >> so gentlemen, there is three viable injections. >> oh, i had one other thing. >> sure. >> the payload should always target the tabulator. that's where we're headed. so we'll talk more about that, but yeah. and then it should also activate on election day and self-delete, after tabulation. >> so there is three viable injections at the manufacture level and state level. i want to start with you, james, by talking about the local and manufacture level. how are you able to compromise machines at the manufacture level?
2:15 pm
so at the manufacturer level, that's the easiest place to inject a malicious payload that will carry through to the tabulator at the state level. so you could use a port sniffer, certain type of credential stealer, gain access, sniff for vulnerable ports for something as simple as shodan. the easiest way to exploit an overall campaign is to poison the update at the manufacturer level. what will happen then in because it is a black box technology, because the code is considered proprietary, no transparency, you can poison that update that poisoned update will carry through the contractors and manufacture reps in the field. also, the election consultants and the local and state level
2:16 pm
officials that are updating and certifying. >> any additions? >> yeah, typically no real strong check summing between, you know, like you said, the update process for the machines and the code that it is updating on the machine. so you know, there has been a lot of academic and published research on poisoning firmware updates, for example, sequoia, some other dominion systems where you can simply take a poison firmware update, and that -- because there is no signing in place or very weak crypto, that will run on the box and generate, you know, cause the box to be running malicious code from that point forward. and most of these manufacturers have very open ftp sites to
2:17 pm
receive data or distribute updates. if you can pop the server and stick up your malicious update, then that takes care of it. >> we're going to move onto the local level, and we have a graphic here which can help facilitate the conversation. let's talk a bit what you would do at the local level. >> sure. i mean, we could look here or i could walk you through it. so what jim had showed, one of the first things is to exploit open ports, injectable media, memory cards. if anyone is familiar with the hursti hack, this is one of the first places where they took a memory card that could manipulate the actual tabulation
2:18 pm
process of an election. and then self-delete. >> yeah, i was just going to say, there are so many ways to go about it with these varying machines, and i'm sure everyone in the room has voted in the past. so you know a good percentage of the time when you vote especially toward the end of the day, those people making $15 an hour, $16 an hour, are really not paying attention, not only that, do they even know what you're doing when you're back there on the machine. it is not difficult to go in, and one of them had a switch on the back, you could flip, pop the panel off, hit that, so reset it. so another one had a panel, you could pop off and stuff the ballot box directly. so there are a number of things could you do to. want people to think about this. the fact that it was 400 votes in 2000, 400 votes, so for people to say you can't hack an
2:19 pm
election, that's crazy. it was 400 votes, with, noy, a large effort, you could certainly have a much larger impact than 400 votes very easily, especially in a swing state or swing county. >> the focus would be swing state -- swing regions for a local attack. poisoning, you could add targeting feature to the code so you're only focusing on particular proximities in swing states. >> back at the local level, you've got the technical side of it and you've got the human side of it, right. going back to the sequoia, it takes 15 minutes to replace it or just leave it out, causing a, you know, denial service effectively and then the machine is rendered useless for the rest of the day. or you can replace it with your own compact flash card. there are two media ports behind the activate button that allow
2:20 pm
you to vote multiple times. you pop open a little latch and yank it out. then off you walk with all the results from that machine. so there is that, you know, sort of technical side but then the human side of it, you touched on the employee side of it. you know, it wouldn't be uncommon for malicious actors to either insert themselves as employees slash volunteers or pay off others. it works in a way like the according university, where you might have paid individuals to look the other way while you walk in and start tampering with things and make sure there is no attention being called to it. all kinds of way to go about it. >> most of these election volunteers have no social engineering training at all. they couldn't identify a physical attack if they saw one any way, you know. >> so we're going to move onto
2:21 pm
the state level, and there is obviously at the state level, several layers that can be compromised. the report discusses seven factors. they are exploiting website vulnerabilities, breaching state servers, insider threats, infecting state pcs, poison updates at the manufacturing level. spreading malware and compromising state tabulators. we're going to go through these one by one and we have another graphic to help facilitate the conversation. we'll start with website vulnerabilities. >> dominion systems, who also owns sequoia and they also own premiere i believe, which used to be diebold, you know, they have a portal for all their customers, something to guess like dominion voting/portal, you know. it can be popped and you go as a
2:22 pm
customer to view orman plate data from the portal side which includes tabulated results. you know, all the different ftp sites can be popped as well, which is different than the website of it. so it doesn't take a nation state actor and the sophistication that they have to run civil tools to manipulate these sites or try to brute force their way to maintain access. >> i think that's a really important point you just made as well. it doesn't take a nation state to be successful doing this. so think about the resources and nation state that wanted to manipulate to bring to bear. it is not a high level of sophistication to compromise any of these situations. >> it gets down to getting into the website, brute force, sql injection, getting into the network, stealing credentials, gaining intelligence.
2:23 pm
arizona was breached this way. this has already happened. they'll mimic this breach. next one, breaching state servers. >> yeah, same way. steal credentials, elevate privileges. move laterally throughout the network. try to find those treasure troves of data, voter registration databases that you can exfiltrate. then it comes down to exfiltrating that don't go undetected. again, these websites, these servers, don't have properly layered security, so you know, if you get admin credentials for example, chances are they don't have analytics to detect the abnormality with what is happening with that behavior.
2:24 pm
>> they'll get those credentials they have been for years now. the first stage of access has been spear phishing attacks. they'll use what works. so identify key individuals in the state that are associated with running of elections within that state. which is very easy to do through, you know, available osint and you know, some spear phishing e-mails to them and see what you get in return. generally, you will get one hit. you can start to collect credentials and laterally move from there. >> job offers seem to work in that one, so crafted pdf, hey, great job, take a look at this, and we would love to talk to you about this. take a look at the job announcement. they always open that announcement. >> linkedin is a good starting point.
2:25 pm
>> moving on to insider threat, we know there are insiders. talk about this vulnerability. >> it is a huge vulnerability. the unintentional, so one that we could fix, you know. most security people today will state that users are the problem. users are why we have a job. it is important to remember that. but what we need is a large campaign that's part of an enterprise somewhere to be involved in and start to understand the dos and don'ts of cyber security. there is a lot of challenges in that space, because people don't know when that weaponized attachment comes in. instead, they just open it and it leads to compromise, and suddenly you've got the set of credentials that you can go out and utilize them. so those are a huge problem, and one that's fixable for some reason we don't seem to focus
2:26 pm
on, on getting them trained on a regular basis. understanding what they should and shouldn't do. all the way to our kids. we simply don't do it, and we should. the insider threat, the malicious insider, very difficult to identify at this level, because it is so inexpensive to hire somebody. in my county, it is $145 a day for loudoun county, virginia. most counties do little background checks. most of the requirements were a high school diploma or ged. no background checks, that's it. they want to know if you can take simple steps in the it room and simple interpersonal skills to interact with others there. so very, very easy probably for
2:27 pm
some nation state to come in and implant somebody so inside the environment, getting a lot more than $145 a day, to compromise our elections. >> james you and i were talking about infected state pcs. do you want to kick off that? >> yeah, so state pcs can be infected any number of ways. it could be the contractor that comes in for janitorial services, totally exposed tower backs so you can inject any malicious payload, something as simple as a usb drive. works with spear phishing, especially at the state level. cyber hygiene training, they lack. so they will click on dancing
2:28 pm
kittens playing with baby puppy and that's cute, you have to click. they will click. from there, there could be -- actually, it's funny. we were asked to put a sample exploit. so i think the sample exploit, if we were targeting a pc at the state level, pretty solid functionality across the board. the malicious payload would have a rat, additional droppers, key loggers, screen grabber, camera and microphone capture tool. network mapper. code injection mechanisms. social media spread and activation tool. and usb infection capability. also with self-deleting capability as well. >> all that stuff already exists. if you don't -- you know, the
2:29 pm
malicious actor in the scenario, you don't have to write or code that. you can grab your cracked version, you know, you name it, all those tools are out there for you to slightly customize, like a think file and do all of those things that you just screened. >> it is an easy step, you know. much like if you run a big enterprise, you get support, you can go into the underground, rent expertise, buy tools and get maintenance and support for those tools to go in and compromise somebody's system, or do distributed denial of service attack against somebody's service. if somebody went after one of the states and just did a di y distributed service and knocks
2:30 pm
it off. >> the next things we want to talk about is poison updates at the manufacturer level. >> i think we already covered that. okay, spreading malware to state election systems. >> sure. a lot of these methods are interchangeable. can you use them for local pc. but it comes down to for me, like if i were the adversary coming in, i would poison the update. start at the manufacturer level, also gain access to the state server. i would get access to the database exfiltrate in the right package side and malicious payload that can bridge the air gap and have full functionality. i would also add a ransomware feature. that's something
2:31 pm
nobody is talking about to, you know, whether it is the voter registration data or the final tabulate -- tabulation. total tally of the vote for that night. it would be interesting to ransomware that. all it is is a weaponization of encryption, injected through normal channels. >> with all these different malware discussions, there is a whole lot of overlap, but you know, at that level, you probably see a lot of the same behavior, identifying a target, do your recon on them, you know, infect them either spear phish or, you know, if you have physical access, that much more easy in terms of, you know, just plugging in the usb drive or dropping your payload, you know, any other way that's available to you. but you know, outside of that, it will be mostly the same and utilizing the same sort of
2:32 pm
tools. >> i think that most of these systems are so easily compromised that number one, they should have never been released. so there should have been some standard, you know, that they're held to, and it is not security through obscurity as we like to say, because quite frankly, it has been proven time and time again not to work. it is better to have a set of standards that they're actually measured against with people doing the measuring that have a large component of cyber security expertise to ensure the systems can't be compromised. today we can stand up here and you know, talk about, you know, the methods. >> the issues are no longer obscure. you can't argue, because everything is well documented and everything is out there. you can even get technical maintenance manuals for these things. things that should be internal are all available on these machines. it has been around since the early 2000s, all those machines
2:33 pm
are still in use. there aren't a lot of brand new machines that are undocumented or where the documentation hasn't been leaked out there. you can go to black box voting, or any other number of sites that tend to collect this information and pull down whatever you want in terms of field service guides, or firmware updates, coding on the machines. things you would assume would be internal and closely guarded secrets, but they're not. there is no obscurity to the security argument on these things. >> yeah, and i think you actually emphasized my point further, better than i did. all the manuals are out there, and have been there for quite. it shows security through obscurity never works. >> great, i think the last one, if you have any other additional comments we talked a bit about compromising through ransom
2:34 pm
ware. any other comments on that? >> a lot of the modern systems are using a derivative of windows and they would have behaved as any other host as how you could infect them with. you know, a lot of states or officials will argue because of these are air gapped, you can't compromise them in that way. but you know, oftentimes you have to move data from those systems to, you know, connected systems in order to get the full results external. so that may be i have to use this usb drive or, you know, in some cases a zip drive over the connected system to get the results out and that could be a point of compromise. same thing if you have to, which is the case in two of the manufacturer, if you have to use the data and ftp the results.
2:35 pm
you as the user of these tabulators and systems will end up breaking the air gap at one point or another during the process. >> perfect. so now we're going to close out the conversation by talking a bit about the current climate we're living in, especially given the time frame around this upcoming election. so media coverage has obviously talked about dnc hack, rnc hack, certain individuals talking about the possible integrity of the results. what is your take on the theories regarding who is behind some of these incidents? >> i think it is, you know, it is very clear that most of us in the community today feel it is the russians. they've been behind some of these compromises. so whether you look at reports of my company from crowdstrike and many others, it is clearly been linked back to the russians manipulating these systems. >> it is important, like with a lot of these incidents, we're
2:36 pm
not necessarily talking about breaches or compromises about the voting systems or voting machines. maybe officials tied to the processes, but in terms of leaked data, you know, what the outcome is a sway of opinion as a result of that leaked data. it isn't necessarily compromise of the machine, but no reason to assume that wouldn't be part of the incident. a lot of these things are still going on and they should be treated as ongoing or open investigations. so you know, time will still continue to reveal a lot about what's going on with some of these leaks and some of these incidents, but it would also be safe to assume that they haven't just left the building, so to speak. that would urge people to understand that, you know, once these actors are in, they tend to hang around for a while and you know, continue to pull what they want to pull. >> there are some fascinating
2:37 pm
reports, cozy bear, fancy bear, whatever you want to call them, good reads on the capabilities. >> i think we have to be careful with attribution with this sort of thing. when we say it is the russians, where? what russians? the apt nation state? a a aptm? could it be china their five year strategy, smash and grab aspect for technology. to dwindle our democratic process. that certainly coincides with the psychological warfare of what they do. also, taking into consideration the access as a service, hacker for hire, that levels the playing field for cyber caliphate. self-radicalized insider threats. cyber jihad, that sort of thing.
2:38 pm
cyber self-radicalized, lone wolfs is i think the classification. so yeah. >> i think the media does tend to paint an oversimplified picture of these incidents, so when you talk about a specific group in russia, you know, they paint the -- the image in your -- or they try to infer the image in your mind of a roomful of specific individuals that are part of this super hacker team that is known as cozy bear, fancy bear, whatever mammal it happens to be. it isn't always that simple and cut and dry. oftentimes you see people traversing different teams, because there is a huge for hire aspect. whoever is behind some of these things, or controlling the resources behind some of these groups or incidents, they will find people to carry out what they need to have carried out, and you know, one day, they may
2:39 pm
be part of team fancy bear, but if another money comes along for the incomes job, then maybe team cozy bear or on and on and on. you see the same dynamic with all these different chinese groups as well. it is important to know that, you know, the picture of just one specific group of state affiliated actors, you know, all working together as a team, it is not always that simple. >> certainly allows for a nation state to have separation as well. >> chinese pla are known for discovering vulnerabilities, they'll freelance at night, go through english language handlers. i had something else on the russian aspect. oh, yeah, when you forensically define what's occurred with a breach, nation state actor or high level gang with stealth and
2:40 pm
sophistication like we see out of russia, once you've defined the value of that breach, you see a lot of copycat breaches, copycat hacks. you know, and so i think that's another thing that nobody is really talking about. the copy aspect. it is not enough to say we think it is cozy bear or apt 29. or 28. so fireeye, so they know. but once you -- once you have defined from a forensic perspective the tool kits, the exploits, time stamps on the code, all of these factors you can easily duplicate with some technical sophistication and capability. so you're going to see a lot of mimicking of nation state and high level mercenary activity.
2:41 pm
>> you also see deliberate, you know, masquerading in terms of a group utilizing tool kits that may be known to socialize with another group or infrastructure that's known specific to another group in order to throw off analysts, throw off the security industry in terms of -- so it is attributed in the wrong way. that's a really big problem with chinese stuff in particular. you see a lot of, you know, back in the comment crew slash apt-1 days, all these other groups were using the same tools, same infrastructure, so attack incidents won't get wrongly attributed to comment crew when it may have been someone else. so that same sort of thing, you know, extends to other regions as well, russia included. >> a lot more common in fact, where they want you to attribute it to somebody else. so a lot of methods to do that. >> you look at the stealth and
2:42 pm
sophistication of the russian apt, or the willingness to throw as much funding at it as possible to still support their smash and grab hacking aspect is like the pla. you look at these sophisticated attack vectors, these sophisticated exploits, capitalizing on 0-days. these guys are used to going into systems that are highly guarded. you know, if you look at energetic bear, and you know, and keranger, perfect example of poisoning the update. these are highly sophisticated people, and what they're able to do is go into highly protected areas. this isn't a place where no layers of cybersecurity, no encryption in transit and stationary. the election system is completely fair game. think about that.
2:43 pm
fair game. one thing. the people that should be protecting this, the people that should be the gatekeepers, protecting the election process, the manufacturers with cybersecurity through the life cycle, and the secretaries of state, and state election officials. they're doing nothing. they're not technically sophisticated enough to do anything. so it is time to have a changing of the guard. i think. >> i wanted to add to that. it is interesting. your point there, it was just in the press yesterday or the day before yesterday. i think it came from the deputy director at nsa. it is something all of us know, attackers only bring out the tool set needed to require their objectives. they're not going to go out and bring out into a bunch of zero days that they've got vulnerabilities with and release that code if they don't need to to accomplish what they want to do. so here we are talking about this with very sophisticated
2:44 pm
attacks taking place around the world. south korea, korean nuclear plants, went after the systems, took out atms a number of years ago and media companies with sophisticated attacks. that's a point that we're trying to make today is there is no sophistication required to hit these election systems today. >> script kiddies. >> it is very simple to do. so for us to say these systems can't be hacked, it is being very naive on our parts. we don't want the election to happen and this get tucked away for four more years. it needs action, funding, resources and a focus. >> on that note, we are less than 20 days away from a major election. is there anything that can be realistically done between now and then, even if it won't address all the problems, what can we do now and what can we talk about doing for the 2018 and 2020 local and federal elections? >> i think first and foremost,
2:45 pm
protect theab at the state and local level. anything that comes in remote contact with that tabulation, algorithm process, protect it. and you know, and then, you know, forensically analyze before elections, forensically analyze, bring forensic people in to hammer the swing region specifically of the swing states from a forensic perspective. the black box aspect gems tabulation software, the election system as a whole. >> physical security has got to be way better. you know, realistic or not, you know, the ideal situation would be, you know, people sort of in the know, you know, or people that are familiar with the
2:46 pm
different ways of physically compromising the systems, should be available in observing things at the polling places. that or properly educate the people that are actually working there on what these physical compromises are. you know, in some ways, you know, that's been done in the past, but it is simply not, you know, across the board and not done at the volume it needs to be done. there are so many ways to screw with these things physically, and just the correct pair of eyes watching for those attacks, it would stop quite a bit. >> i would add to further what you said, just a pinch of paranoia on everybody they hire or that's already hired in part of this process, and give them, you know, just a five-minute spiel on it, along with a sheet of paper. these are election systems we have in the polling place, here are the ways it can be manipulated. so you should be watching everybody that comes in here to make sure they're not touching these things and you should be
2:47 pm
watching your counterparts that are also here that are also watching you. just a pinch of paranoia so people actually understand what shouldn't be touched. they don't have to understand how it is manipulated. those are things that shouldn't be it upped on the systems. >> wonderful. well, gentlemen, that was fascinating. thank you very much. [ applause ] with that, i'll ask the second panel to come to the front of the room, please. the obama administration announced this week that average prices in health insurance exchanges are going up about 25%. health and human services secretary, sylvia burwell will discuss why this afternoon at 6:00 eastern, live on c-span. while congress is on break until after the november elections, american history tv primetime continues tonight with a look at the civil war and reconstruction. it begins at 8:00 eastern, with the war in gettysburg and euless
2:48 pm
sees grant, primetime, at 8:00 eastern. after i came up with the idea of reproductive rights, with recent events i heard in the news, i knew i could find information on that and also help me figure out what points i wanted to say about it, and how to form my outline for my piece. >> i don't think i took it a very methodical approach to the process, which i mean you could if you wanted, but i think that really with the piece as dense as this, i would say, it is really just the process of reworking and reworking. so as i was trying to come up with what my actual theme was, i was doing research at the same time. i was coming up with more ideas for what i could film. and you know, i would come up with an idea, okay, that would
2:49 pm
be a great shot i think about that be and that gives me a new idea to focus on and i do research about that. the process is about building on other things and then scratching what doesn't work and you just keep going until you finally get what is the finished product. >> this year's theme, your message to washington, d.c. tell us, what is the most urgent issue for the new president and congress to address in 2017. our competition is open to all middle or high school students, grades 6 through 12, with $100,000 awarded in cash prizes. students can work alone or with a group of three. include c-span programming, and also explore opposing opinions. the $100,000 in cash prizes will be awarded and shared between 150 students and 53 teachers, the grand prize of $5,000 will go to the student or team with the best overall entry. this year's deadline is january 20, 2017. so mark your calendars and help
2:50 pm
us spread the word to student filmmakers. for more information go to our website, studentcam.org. we just heard issues. now, solutions. technology experts discuss best practices to improve cyber security in the federal government and the private sector. this is about a half hour. >> fantastic. as i mentioned earlier our second panel we'll talk about things that fall under the umbrella of cyber hygiene. this is not specific exclusively to the election process at the state and local level. it's best practices any public/private organization should be prioritizing. we understand and we have
2:51 pm
discussed the issues time and time again, they are a challenge. we'll talk about the opportunities as well. so, let me first start by introducing the panelists. to my right is michael seguinot. to his right is greg cranley. to his right, trish cagiostro. and to the far right, stacey winn. panelists thank you for joining us. the first question is talking about the growing iot microcosm that is increasing the surface. despite many cios, they continue to struggle with understanding what their network topography looks like. this is obviously only going to get worse, not get better. we are going talk about why this continues to be a struggle and
2:52 pm
what leverage they can make or understand what their network actually looks like and the device that is on it. i open it up to anybody. >> i'll start. the idea of the internet of things is a nifty idea. the problem lies, if i can access a system for my job, an hvac system, a pharmacy within a store, then i can certainly traverse the network to get to where i need to go to get credit cards or any information i want to get because it's costly to have separate networks for each one. they are all networked at the physical layer. there are technologies out there
2:53 pm
that can allow you to, through policy and software, isolate the machine so they only speak to certain machines, using pki credentialing. outbound only and use a cloud broker of sorts that will only allow and provide realtime identification of who the person is. also, by using something like that, they can isolate the resources. >> i think there's two sides, the personal side with the smart watches, the fitbit track activity. those elements are things your users want to bring in. how do you plan for that? the second side is iot and you have business applications, too. you have different devices you bring online. it makes us smarter, better, faster. from a business perspective, especially when you're talking about manufacturing. so, i completely agree in the
2:54 pm
sense that this problem is only going to get more complicated. if you think about this, how enterprise can figure out the topology where the devices might never touch the network. think about the instance with a fitbit device where i plug in my piece that goes into my laptop. i'm syncing my fitbit with my laptop but not actually connecting it on your network. how can you find it on your network? right? when you talk supply chain management, what if that device is then preloaded with something that could cause damage to my network, things like that. it's a topology in the network is expanded not by what is connecting to it but the devices on the network. the connections between we are talking on the business sense where if i have smart devices or different industrial systems i'm using, i might think they are only talking to each other. i have to understand not just the connections between them, but my other network as well. >> exactly.
2:55 pm
i will echo that more to say that as cyber security developers and practitioners and vendors as a lot of us in the room are and the panel, it's our responsibility to make sure those solutions we are providing have security built in from the beginning. it's easy to use. it's easy for our customers using the solutions who aren't necessarily cyber security practitioners to start with as our main job. they can actually utilize these in a secure way. >> a lot of you mentioned end points and devices. when we think about protection, we think about those physical entities. as more and more users are added and more credentials are going to get access to the network and systems and different data information, many are saying the user is the new one. my first question is, what technologies exist to help mitigate unauthorized access as
2:56 pm
we know the numbers go as high as 98%, 99% of all breaches and involve a compromised credential? >> i guess i'll start. i wanted to make a comment. the iot, what started it. i think the iot was started when you think star trek. if you watch the movies, there was always a computer in the room. ask it anything, he solves it for you. i think that's where we are going with iot. it's that convenience of doing anything, whether it's my iphone or ipad. i tell my young sons in my hand, i have answers to all of humanity questions here. that's a profound statement and pretty powerful. we want and we desire that. i think if you dovetail that with that power comes responsibilities and it comes back to the user. every user is capable of good and bad. every user has a bad day at work. they might become an insider for a minute. man, i'm going to get my boss or whatever. we have to look at the user and how we manage that. going into the question and technologies, technologies are
2:57 pm
there. there are a lot of leading edge technologies uva is a term. my company works through uva space. i look at "star trek." there's artificial intelligence that is going to make decisions for us. are we going to empower that to make the right decisions? another quick example. baseball, everybody is watching the world series. 10% of the pitches are called inaccurately. we have the technology to solve that but we don't. same with cyber security, we have the technology, but are we going to implement it? >> i agree. there's lots of evidence from previous breaches that indicate that, you know, it is the new perimeter. the ability to do things now from afar, unlock your door, check your icebox, see if you need milk, start your drier, those type of things. it's cool. the tough thing is, if i can do it so can somebody.
2:58 pm
so, somebody unlocking my car, there was a case of the jeeps being stolen. guys were running scripts, syncing up and getting the code for the key fob. and starting the car and driving away without really breaking into it. it's a legitimate way to get to it. there are technologies that allow you to prevent that. another panel, the previous panel identified the issue of where they were even with the weakness of technology. it's all identity. if you can remove user id passwords and something you know technology, it's hard to penetrate. i might be able to steal what you have. to have what you know, that's difficult. that combination is very hard. if you limit people's access, it controls what the damage can be. >> yeah. what's interesting, too, compromise credentials show up online for sale all the time. one of our capabilities, we will
2:59 pm
scrape the information, pull it in. there's a tendency to think, okay, well, i had identification, i'm good. it doesn't matter these credentials are showing up out there. that's sort of true, in the sense that, even if they won't be able to extract the password, we had an incident six months ago where we discovered a $30,000 dub in a dark forum. the poster said i found these 30,000 credentials. here are 800 passwords. go try and track those and by the way, go target those users with social engineering tactics. you miss an opportunity. users do their annual security training. they don't think about it after that. they click the simple questions at the end, answer the security certificate.
3:00 pm
what if you could reach out and say, you should expect to be targeted with social engineering tactics. by the way, here is a link to training on social engineering tactics. now, you are creating additional touch points to help them get engaged in the security process. >> to add on to that would be fairly simple policy change, a process where you could institute two-person human review for critical changes so if you have a critical user that can make changes to your administrative system. two people have to be able to okay that before it goes out companywide. you are lowering your risk quite considerably. >> terrific. >> greg, you and i spoke the other day about this. i wanted to give you a chance to talk about it. there are federal agencies integrating as part of this larger conversation. several mentioned leveraging existing technology and there is a lot of technology, how do we use it more effectively. you want to share what's going on with the government in that perspective?
3:01 pm
>> everybody has kind of read about it. their initial focus on privileges. the unfortunate thing is, as this gentleman said earlier, everybody is a privileged user. you have a smartphone in your hand. you have access to your company's data. you are a privileged user. with that, they want everybody to use a digital representation of themselves because that can't show up on a password dump, anywhere, because there is no password. getting rid of user i.d. password is the key to this problem. the issue the government has is getting internet wide use is the heterogeneity of the network. it can homogenize everything on the network to make it look like one type of operating system that can be leveraged out of one identity store that will
3:02 pm
authenticate to and provide the rights to the people they are allowed to have. you get to a point where you give a rights privilege as opposed to access to a bunch of applications. the other thing is to give people these granular roles so they can only do what they want to do. nobody calls the help desk and says, can you take away this access i have? i have too much privilege. please take some away from me. right? you have to right size the roles to make sure they only have what they have. it keeps them out of trouble. it's like, you know, having the authority, but also having the responsibility, right? you know, if you give them guidelines like we are as we are being raised, we are given guidelines and boundaries. give them boundaries. it is something they have or know. you throw a third authentication
3:03 pm
on top, it is hard to end up on a dark website. >> it's funny you mentioned that. talking about the voting, in 2000, i remember working on a project around the election. the voting conspiracy on who won the election. there was immediate funding before 2002 around a project called serve. it was letting the military do it electronically using the pip card. it was a great application. i mention this because the pip card has been around for 16 years. it's a great solution. it would have given great authentication. there are no issues with privacy, which is a major concern in voting. giving the user a password, i know who he voted for. all these solutions are there in technology. just 2000, didn't do it. still not being used today. there's a lot of reasons for that. again, i mention you talk about a great application. it's something i wish citizens had.
3:04 pm
you want a tax, give me a u.s. postal e-mail address with a certificate. i don't need 15 e-mail addresses from yahoo! and g-mail. we need to implement these technologies. >> when you are talking about two factors, the other thing that does, how often does someone have a password for a really secure system. it means it has complex requirements. they reach in their desk and pull out a password that's written in a drawer or lift the keyboard where it's written down somewhere. that's the nice thing about two-factor that reduces the risk that your user will write it down where anyone can find it. >> several of you mentioned insider threats. with the previous panel we talked about flavors, malicious and unintentional. regardless of the type, they could have catastrophic outcomes on an organization. the federal government, despite mandates and requirements to have these programs, it is still
3:05 pm
not being done across the board. i was curious as to some of your thoughts as to why this is the case and what can be done to change it? >> i think it is a three-pronged approach. it is people, process and technology. you have to train the people. i think it was isc squared. they did a study where they interviewed various departments across different agencies. outside the i.t. department, less than 12% of the people thought cybersecurity was important. so people in operations, hr and procurement thought it was okay. the i.t. folks, the highest they got in cybersecurity care factor was 48%. there has to be better emphasis on training people on what they should do.
3:06 pm
the second thing is the process. i get back to, you know, providing that least privilege, providing the least access. one of the issues we have at the federal government and the insider threat is people get a chance to go other places. this person is rarely the person that has the wide-open access or needs the wide-open access. it is the person that doesn't have wide-open access but they are able to hack themselves across the network to get to the place where the goods are. if you can provide them least access, as much as they hit the button, they can't go there. you are going to keep them processed. that gives you a good process. use technology that basically enforces it. >> we had lots of mandates from the presidential executive order back in 2011 that came out and actually said, we all need to be doing protections against insider threats and programs. the trouble is, all these mandates and requirements
3:07 pm
haven't come with funding. how do you do that? you have to buy systems and technologies to have funding to put behind people to run that program. one of the biggest challenges we all face and have to raise up and make it louder is we need funding behind this to actually implement these processes to protect all of our critical data. >> if i can add, too, you mentioned insider threat, everybody has heard the term. it is familiar. it is almost like a bad word. one of the challenges agencies have, there is a privacy concern. i don't want to be an insider threat organization looking in on my family. i don't want to find a bad guy. account lockouts, everybody has locked out their account. to the cybersecurity side, that's a headache. they have to determine what happened in the lockout. did michael fat fingers do it
3:08 pm
and i have to reset it or is michael an insider? is he being compromised? is he coming in from the wrong place? if you can give the user, contextual information, hey, michael fat fingered on a monday morning from the same i.p. address. that's easy to reset. versus michael was locked out at 3:00 a.m. on saturday trying to use services he's never touched before. if you take that approach as i can make your business easier and be more efficient in your job. to answer your question, they bring a lot of visibility. there's a recent case a few weeks ago, another guy. it is never going to end. how do we make our users use better technology to be faster in how they make those decisions. >> insider threat is not a new problem. it took us 22 years to find robert hanssen.
3:09 pm
we've had espionage, corporate espionage that's not new. we have an unprecedented amount of data that is ultimately going to make us more effective. it makes a much more solvable problem. you have h.r. data. knowing if someone is on a performance improvement plan or they are at risk of being fired. you also need audit log data. i think organizations get really scared of the edge cases where how would you stop a scenario where i have an employee, his manager is torturing him. there are no hr records of it. he hits the point, that's it, i'm done, i'm going after this guy. he goes and opens up some files and takes pictures on his cell phones. our users are pretty smart. they see cnn and realize you are watching. they tell you, we are watching you. our users know. now, i can go and let's say he takes his phone out and uploads it to wikileaks, how would you detect that?
3:10 pm
that would be really hard to detect and any ramifications could be big. we can't get hung up in the edge cases. before we can worry about the really, really scary bad stuff, let's solve the 90% of the problems and then we can start to look at the edge cases. like computer network defense, with insider threat, it is not if, it is when. you need to have a recovery and response in place that people are trained on. when it happens, learn from it. were there additional technologies that i could have had that would have prevented it? all of that needs to be thought of. not just the program, but how to present it and what do we do when it actually happens? >> you also mentioned areas to track, h.r. data, travel data. a lot of disparate and technology data don't touch each other. having solutions in place that help our analysts track all of that from one central location are solutions that work together to have a holistic picture of what our users are doing fro
3:11 pm
protect them and the company as well. >> that's great. shifting gears to cdm we've been working on phases one, two, and three the last number of years. dhs has recently started talking about phase four, which is really focused on some of the issues that you have mentioned, that is protecting data that resides on federal networks. what technology and best practices do you recommend to dhs to include in phase four of cdm as we start to put this together? >> the natural thing for phase four or protecting data is data loss prevention products and redactions products that can redact sensitive information based on use. easily filing things so that the wrong eyes don't get access to them. this technology is out there to do that.
3:12 pm
they are just difficult to implement. they are extremely policy based and to get them fully working, it will take a lot of time and money. >> cdm phase 4 is going to focus on that. implementing the network is going to become very, very important there. it sounds clunky on the back end but if you have crossed a main technology that can help you access and transfer those multiple networks from one single location, it becomes easier for your users and you are very, the keys to the kingdom, if you will. all that data is in a very secure place. the access controls are there as several panelists mentioned. only certain people can get to that. it is very, very protected. >> there are technologies out there where you can by policy separate things, layer three, four, and five. as opposed to building separate networks. >> it's funny. when you mentioned this to me, i started laughing. i remember working on phase one years ago.
3:13 pm
the agency was rash to deploying it. i am glad the dhs is doing it. it is a great program. one of the biggest comments and it is a challenge especially for small vendors, and that's still a major challenge. yeah, i'm buying x. why are you buying x? oh, it is cdm. not because it is the best product, because it is there. unfortunately, that's a bad thing with cybersecurity. we still need better initiatives to get better faster technology to get in quicker. i'm looking at getting my company into it which is why i laugh when i look at phase 3 and 4 right now. don't just make a decision because it is on the contract all the time. >> the problem with that is that price is right. >> i understand that. but it isn't just price. >> price and aware. >> i agree. >> again this was mentioned
3:14 pm
earlier on some of the panels. cyber security and personnel training. what specific programs and methods have been proven most effective to change behaviors and is there a way to leverage technology and also influence people's behaviors. trish? >> sure. training something that there is really a couple things you have to do. first it needs to be engaging and people need to feel they are learning something and getting something out of it. if you're at the point where users are going through annual security training and you had these rooms and you go through the rooms and it is like someone calls you up on the phone, now what do you do? and so, you know, i would try and get through as quickly as possible and answer questions and i'm done. it needs to be engaging and they need to feel like they are getting something out of it. it has to be something they have thought about through the year. send them phishing e-mails, see what they do. someone earlier took my cat video joke but when i was working, it was the steve irwin video.
3:15 pm
everyone wanted to see the steve irwin video. i think the most important part of training with actually improving the part of your users where there is a punitive action if you violate what actually happens. and i think it doesn't necessarily have to be punitive. it can also be incentivizing someone where let's say you send five e-mails throughout the year that test whether or not they click on it or something like that. but maybe they get two hours per time where they are successful of extra vacation or something like that. that would cost a little bit of money but when we look at how expensive it is when we have a breach, i'm sure there would be a cost effective solution there. >> trish, i agree. i had a customer looking for positive behavior. one of them is making someone aware of touching something when you shouldn't.
3:16 pm
did you mean to touch that server? oh, what do you mean. they are less likely to step out of bounds. give them an incentive. i get spammed all the time. i get phishing attacks and i want to press the button. i know i'm not supposed to, but i want to. why don't we share that? when you get spam, send it to the center, let them detonate it. share that knowledge with people. again, people are not involved in it. let them share what they found. the other thing is text messages. i'm getting text spam. share with me the recent attack or exploit and let them see what result was. it answers that curiosity problem we have. >> it is definitely a culture issue. i believe you brought that up earlier. we all have to be a part of that from senior executives on down to the line level employee. everyone has to be aware of it and part of it and all of the practicing the same saying hey, why did you do that? or laugh about the e-mail that
3:17 pm
comes in and someone will say, make sure you don't click on that. >> did you see that? >> don't open that linkedin e-mail from the person you don't know. >> those are all great points. i think what tony scott said earlier is important, too. we got to get them when they're young. a lot of us are, a lot of us older folks didn't grow up with technology. >> and i'm pretty sure that everyone on this panel, if i asked, what do you think the biggest risk to your network is, people would say user. on help desk we had a cartoon that said problem between keyboard and chair. we are afraid of our users, security professionals, but there are a lot more of them than us. the quicker question turn them from the biggest risk we were turned about, and where they are engaged in helping us do our jobs, the better. >> that's actually growing with the coming on of all of the millennials. folks from that age bracket with our baby boomers. retiring at ever increasing ages. so we will only see more of that. they, from the millennial generation, are used to technology doing security for
3:18 pm
them. if there is even security at all. they just don't think about it. they are used to the technology. we take a different more cynical view of technology we don't expect it to do what it's supposed to do. they just expect it. they don't think about it. they move on. so that's only going to get worse. >> so our final question for the panel is really we're talking about some of the success stories that are out there, we know several agencies and private sector cios who are implementing wide-reaching, i should say, cyber hygiene programs. can you share programs and initiatives that you think some of the audience and folks at home can look to for guidance and or what are other ideas that you have that could help an organization put together a good program and change some behaviors you've been talking about? >> i think this success story is
3:19 pm
in pockets. because everything is pretty much stove piped. and i think it is difficult to get everybody on the same sheet of music. and until the executives organization, he or she or the group of them get together and say, here's what we're going to do, to mandate that, and i think that's the attempt of cdm on the federal side, is to put together a standard that of technologies that are mapped to the osi model that you can deploy and that all together will orchestrate this one single cybersecurity capability that will ensure the security of the agencies. >> anyone else? >> sure. so i was in a meeting, this is probably about year and half ago and it was talking about these really advanced things that we can do, you know, to improve cybersecurity.
3:20 pm
there is probably about a hundred people in the meeting. and someone literally stands up and says, you're talking about this. we don't even patch our systems regularly. so cyber hygiene is incredibly important. we have to think about this as a phase. if you're a 0, you're not going from 0 to hunting aps in a night. you have to think about this in layers. i do think that there are organizations that are out there and some -- i'm very fortunate, some of my customers i work with, i tend to work with customers that are forward looking and are interested in the intent instead of the letter of the requirement. and there's a great example where cdm might say thou shalt do these things, and i'm excited and getting this and it will freeze me out to get additional capabilities that will take me further. i guess my response on that is take advantage of the programs that exist. take advantage of anything that people give you. and that will give you the opportunity to look further ahead and get to more of the advanced capabilities. >> definitely. things like the modernization
3:21 pm
rules that are coming on-line. and we need to get our systems up-to-date. and we still have a lot of systems out there especially in the government that are running very old versions. you can only do so much with that. and it is not anyone's fault. again we are back to our funding issue, right? we just have to be aware of that and actually get the policies in place so we can get systems tested in a way that is fast enough so that we as vendors can then bring technology to you. and everybody wants to be there. we just have to take that phased approach and actually just chip away at it. >> i would add, you ask about agencies and programs, there are some doing great jobs but tomorrow they could be hacked. there is a constant world of change. in 2009 i worked for opm and they won awards for being innovative as far as cybersecurity. we laugh now because they got hacked. the agency is a few months from being bad.
3:22 pm
cyber security is changing. threats are changing. and so don't penalize people when they fail. there is not one silver bullet. it is dynamic and needs a change. >> you hear cybersecurity is not a sprint. it a finish line. it is not like poof i'm magically secure. things will continue to happen. you will continue to have incidents. you have to learn from them, incorporate and make sure it doesn't happen in the future. >> i agree. it will never necessarily end. but anything you can do to reduce your risk, to minimize the points of attack and i agree, you can't go to college until you go to high school. >> great. with that, please help me in thanking our panelists. [ applause ] and i want to thank all of you
3:23 pm
for joining us for today's briefing. papers are available on our website for download. our next meetings are our annual gala and benefit at st. regence here in d.c. on november 10th, we'll be honoring general scott and keith alexander. thank you to our speakers. see you next time. american history tv prime time continues while congress is on break until after the november elections. tonight the civil war and reconstruction begins at 8:00 eastern with the war in gettysburg, then ulysses grant after the civil war. three people's refugee camps and reconstruction in the authority. american history tv in prime time on c-span3 all this week at 8:00 p.m. eastern. >> this weekend on c-span3,
3:24 pm
saturday morning from 9:00 eastern 'til just afternoon. >> the british empire and its commonwealth last for a thousand years. men will still say this was their finest hour. >> focusing on the former british prime minister's speakers and contemporaries, featuring andrew roberts, author of "masters and commanders: how four titans won the battle of the west." late at 7:00, commissioner george p. bush, jose menendez and musician phil collins talk about the spanish mission, the alamo at the 2016 texas tribune festival in austin. >> the memories i have this group of people were going and knew they were going to die and
3:25 pm
they went there but there was something very noble and romantic. i love it wasn't quite black and white, one of the things that i think would be good in this day and age and put into context. >> he's not wearing a weapon, he would often lead attacks carrying nothing but the riding crop you see in his left hand. the men realized if the colonel, later the brigadier, if the colonel can take it, i can take it, too. >> we visit the macarthur memorial in norfolk. and at 8:00 -- >> the great leaders also serviced conscience-in-chief with the highest level of integrity, with their moral compass locked on the true north
3:26 pm
so that we can always count on them to do the right thing when times get tough or when no one is looking. >> author explains his ten commandments for presidential leadership, what they are and provides examples of presidents who excelled at each one. for a complete american history tv schedule, go to cspan.org. >> cyber security officials say hacking of election polls is a concern. the atlantic council hosted a panel discussion on potential cyber security threats for the 2016 presidential election. this is an hour and a half.
3:27 pm
good afternoon, welcome to the atlantic council and the october atlantic council. i'm director of the strategy initiative here. i am deputy director of the center on international security. we run cyberrisk wednesday here hosted by us and in collaboration with our partners at christian science monitor with the pass code. this afternoon's conversation is on hacking the vote. i feel like there should be some ominous music here when i say that. it is part of our cyberrisk series and very timely. i woke up to a radio story on exactly this topic. it is particularly timely discussion and a particularly distinguished group of panelists that will examine our threats ranging from historical paper systems to current voting
3:28 pm
computers to internet-based voting in many other countries. really, a great panel to help us put this whole story of hacking the vote into some context and with some real substance hyped behind it. i would like to welcome those who are watching online. i encourage you to join the conversation on twitter using #accyberand acscro cough and @cmmpasscode. we have seen how cybercrimes could impact voter registration. voting computers, they are really voting computers. even the outcome of the election. the act of tampering with and undermining trust in the electoral process goes back much further than this election. it goes back perhaps as long as
3:29 pm
there have been elections, though the mechanisms have changed over time. the idea of influencing and possibly changing the outcome of elections is nothing new to foreign or domestic players. this is an international problem just as much as an american. there are several examples in europe and latin america where the fear of cyberinsecurity are used to influence public opinion before, during, and after elections. in fact, in your seats, you will find a report from two years ago discussing many of these issues and the recommendations contained in it, that are still very relevant today. those of you online will not find that report in your seats but we will post a link to it so that you can find that as well. here in the u.s., voting authority started rapidly implementing voting solutions to make voting accessible and
3:30 pm
efficient in the help america vote act in 2002. a number of electronic solutions were ill-conceived or have not aged well in the 14 years since. it certainly won't come as a surprise to the people in this room and online, that computers, even voting computers are hackable. additional alarms ring when it comes to voter registration information and assistance for tabulating votes which may be dangerously vulnerable even to relatively low skilled hackers. however, it is not just voting technology that's at risk, we've started to see recently in particular hacks of political parties and other entities that can highlight the vulnerability of the entire electoral and political process. the daily leaks we have been seeing lately are having an impact on the political campaigns.
3:31 pm
while leaks have been common, these kind of hacks really do represent a new level of scale often dubbed as the electronic watergate where traditional responses may no longer work. the possibility that more sensitive information is waiting to be released at an opportune moment could create opportunities for foreign powers seeking to interfere with presidential elections or even criminal entities. with one presidential candidate, warning his supporters that the election is going to be rigged, quote, unquote, hackers may not even need to compromise voting computers or systems to undermine the people's trust in the election results. merely a credible claim of doing so could compare voters to cry foul and undermine the legitimacy of the vote at home, in the united states and abroad as others look at the outcome. today, we are here to find out what is truly new about the
3:32 pm
cyberthreats, what actions will best preserve trust in our elections and what can be done in general. before i ask the panelists to join us here on the stage, let me briefly introduce them. i will start with jeremy epstein. he is on loan to the innovation office. he was sent by sri to the national science foundation secure and trust worthy cyberspace program. also joining us is joseph hall, chief technologist and director of the internet architecture project at the center for democracy and technology. he serves on the board of the california voter foundation, the verified voter foundation and the fcc's computer liability council. pleased to welcome massimo tommasoli, the permanent observer for the international institute for democracy and electoral assistance.
3:33 pm
his resume includes work at the organization for economic cooperation and in the italian ministry of foreign affairs. finally, kim er will be joining us to moderate this discussion. kim has been covering cybersecurity since 1999, including more of a decade at "wired" magazine. she is a journalist and author who is well-known for covering this range of issues. we are looking forward to her leading this discussion with us today. as always, again, thank you to our media partner pass code, the christian science monitor's new guide to security and privacy. thank you all for joining us on here and online.
3:34 pm
let me invite the panelists to come join us to get us started. thank you for coming. >> good afternoon, everyone. he covered some of the intros i was going to go over. i want to give you some context for why we have a discussion today about hacking the vote, hacking the voting machines. we are talking about hacking the vote this year, unlike any other year. we are talking about two kinds of hacking, as he discussed in his intro, not only technically hacking the voting machines but hacking the minds of voters. what do we mean when we talk about hacking voting machines and how did we get here? started with 2002 america vote. it was passed in the wake of the 2000 debacle, the bush v. gore out of florida. it was intended to provide
3:35 pm
disabled voters, voters that had hearing or sight impediments to give them the ability to vote without assistance in the polling place so they could have a private vote. federal government allocated about $4 billion to states so they could purchase accessible voting machines. instead of buying one or two that they considered accessible, they decided to go on a shopping spree and replace all of their voting systems with touchscreen voting machines in many precincts. they are also called direct recording electronic machines, dre. they didn't have a paper trail until academics and voting activists made an issue of it. there was no ability to check the vote and verify it recorded the vote that the voters intended to choose. we now have some that produce a paper trail and states that have opted for optical scan machines. you are choosing your choices
3:36 pm
and it gets scanned into an electronic machine. that is problematic in the same way dres are when you don't have an audit. if you have a paper trail and don't do anything with it, simply having the paper trail doesn't mean anything. we are going to talk about all those issues and influence hacking. i wanted to start because the help america vote act was passed in 2002. states bought machines. we have had them for over a decade. problem throughout that decade with machines and elections. we have had some resolutions. some states have turned off wi-fi. there are other problems, the process of elections. maybe we should talk about the win vote and why it is here. jeremy brought this beautiful machine, known as the worst
3:37 pm
voting machine in america. they were decommissioned. they had 3,000 of them. maybe you will explain why we had it. >> a lot of it has been electronics and software but a lot is also about the physical access. how many of you can see what i'm holding? you can have one as a souvenir if you would like. this is a key that is cheaper than the key that opens hotel minibars. this is what secures the usb key that stores all the votes it is symptomatic that it is very trivial protection. they were in use in virginia, mississippi and pennsylvania. they are the only three states that ever used them.
3:38 pm
virginia was by far the largest market for them. when they were decommissioned, it was after the state discovered they had wi-fi enabled that could not be turned off. we didn't realize it couldn't be completely turned off. it turned out it used the wep encryption method. for those geeks in the room, you will know that was known to be a compromised system ten years ago. it takes a couple of seconds to compromise it. it turns out it didn't matter, because the password on it was abcde and couldn't be changed. it turned out it was just a windows machine and you could connect with any other windows machine and download or modify the files. you needed the administrator password. that was admin. it wasn't too hard to break into these. the good news is that the state
3:39 pm
recognized the problems. >> after a decade? >> they had been using them for a decade. when they finally looked at them they said, oh, four letter word and got rid of them. about 80% of all voters this year will use optical scans. there are three states that are dre, without paper trail, i'm sorry, five states. south carolina. >> new jersey, delaware, georgia, and louisiana. >> five states have no paper trail, new jersey, delaware, georgia, louisiana, and south carolina then, there are another ten states where depending on where you live, you might or might not have a paper trail. it is great to have a paper trail. if nobody looks at it, there is no audit, it does no good.
3:40 pm
relatively few states do audits and there are unique cases like virginia where it is illegal to do an audit. we can get into that if you care. >> so this machine you wanted to give away. >> when they were decommissioned, i got about 50 of them donated to me by the state. i have been distributing to universities and museums literally around the world for the purpose of research if you are interested in having one. please let me know. this one is available to a good home. >> we know at least five states are voting on dre machines without a paper trail. let's look at the issue of whether or not voting machines are still hackable today. this machine certainly was. now, it is being decommissioned. given there has been so much focus and publicity about the system and their hackability, have we seen any progress in the sense of how they are being used today? has wi-fi been disabled?
3:41 pm
have the machines been secured in a better way? do we know? >> i definitely think we are in a better state than we were last decade. three out of four voters will cast a ballot using a paper ballot or on something that creates a paper trail. in addition to the geographic distribution, we talked about, you can be confident three out of four people have a paper record. it is different on the audit side. some of the audit styles people are doing -- the whole reason to do an audit is computer tally of the voting computer against a manual tally looking at the actual paper records. that's a way of sort of arriving at ground truth. i think i would like to claim a little bit of the responsibility for fact that voting machines and the procedures around them have gotten considerably better since the last decade. the election systems commissn