Skip to main content

tv   Public Affairs Events  CSPAN  November 8, 2016 12:00am-1:16am EST

12:00 am
they got that one right. next is john carlin, he is the recently former, he was the assistant attorney general for national security until only a few days ago. he is the nation's top national security attorney overseen 400 employees. that's responsible for protecting the country against international espionage, terrorism, cyber breaches, and other and other national security interests. we have susanna who is director of common causes voting integrity campaign which is aimed at repairing and strengthening voting systems at the state and national level. she is co-author of an important report called secret ballot at risk, among various other writings.
12:01 am
finally we have trevor potter, former chairman of the federal election commission, appointed in 1991 by president george hw bush. he hw bush. he served as general counsel to senator john mccain in 2,002,008 presidential campaign. he is our go to election lawyer. he was was very involved in the reports that we had back into the 90s. also he is known to many of us as the lawyer for stephen colbert's america's for a better tomorrow, tomorrow. [laughter] our moderator is david spangler, national security correspondent with the new york times washington office and senior writer. he has identified this issue and wrote an article on it with charlie savage a couple months ago. david, take it away. >> thank you very much charlie for this.
12:02 am
thank you to alter who has given us both the space and encouragement on doing this. i can't think of a more central issue for this to be taken up. it's really at the intersection of the fundamental building blocks of our democracy, the cyber issue that walter and so many others are getting the institute so heavily involved in. the fundamental questions of what kind of society you want to be and what kind of defenses you want to have. i cannot think of a better panel for putting this together. i'm delighted to see a full house. let me leap right in at might what might be the biggest difference we see this year. levis had concerns as suzanne another separate about so eloquently about the security of the secret ballot, the ability
12:03 am
people to get to the polling place, the ability to have the assurance that your vote is being counted and being counted accurately. this year we have suddenly have a new layer of concern. that has come from the fact that i think it it is the first time that we have ever had the serious allegation that another nationstate was seeking either to influence the outcome orders simply disrupt the election. those are two quite different things. so i thought i would start with you john with your newly won freedom where you don't have to go measure every word about whether or not years speaking for the administration. might take a while to get used to that new status. i thought i would ask you to take us a little bit through the
12:04 am
discovery by the open obama administration that you're facing an adversary in russia that just to take at face value the statement that came out from the department of homeland security a few weeks ago suggest that in fact they were seeking to actively get engaged, not only break into political entities like the d&c, not their usual form of espionage, but then to weapon nice that and use that information. tell us about the debate about how to respond to that. >> will to back up and put two trends together. so, and nationstate nationstate attempted to gain information by hacking into election campaigns or other infrastructure is not new.
12:05 am
in fact, in my prior job as chief of staff and director of the fbi at the time i first met the obama campaign and mccain campaign in 2000 when we were informing each of them separately and in the classified setting that later became declassified that their emails have been compromised by china at the time. the assessment that was they were inside the system in order to gain strategic intelligence. they wanted to wanted to know how these individuals thought but they might try to use against those campaign individuals depending on who was elected and they may try to use it to recruit but they could do which is to make public the information in order to achieve a goal be it financial or political. switching to russia we have a long history of russia trying to run influence campaigns where in
12:06 am
the united states, along with the rest of the world for without revealing that it sponsored by the russian government a russian intelligence will try to plant stories in newspapers or other venues to influence the results of the election. we've we seemed russia try to undermine democracy recently in countries outside of the united states, be it in europe, as the germans have publicly discussed her elections and other parts of the world, former soviet former soviet union. what we saw here was a combination of the ability to get in through new technology, to obtain information and then pairing that up with a campaign to undermine confidence in the democratic system, weapon icing it to -- i think this is one that we should've all been able
12:07 am
to see was coming in that it is consistent with, as we have moved more of our infrastructure into analog to digital form, so say over the last 25 years we moved almost everything we've valued from analog to digital the 97% is now digital with the exception of david who continues to write on napkins laughmac. we didn't just make it digital we connected the systems in the data to the internet. and it was fundamentally never designed to communicate. we are on the cusp of right now being exploited is the next transformation. it might be significant in some sectors only think about how the society has changed from the transition of the horse and buggy to an automated car would be the transition for the car
12:08 am
with a driver to a driverless car. in 2020 we have to make 70% of the cars will essentially be computers on wheels. in the midst of another transformation when it's not just what were seen in this case which is weapon icing information. removing almost everything we value that functions, whether as the electrical grid, cars, pacemakers, missiles, drones, were connecting to the internet and the so-called internet of things. what we can't can't do is make the same mistake where we loose analog to digital the first instance which is we cannot systematically discount or not take into account the risks posed not whether this works, if it it were to work as design, but whether it will work if all the same bad guys will move to the new technology whether their critics, terrorist, nationstates or those
12:09 am
with the political agenda, all of those actors are going to try to exploit the internet of things. we have to build insecurity by design on the front-end which we are not doing effectively enough most devices, the default settings that make them unsecure. they either don't have a password or, and we simultaneously need to move to an enforcement regime where we show there can be deterrence in this new area. we need to do both into a quickly. >> let me drill down on one element, will come back to the internet of things question because it raises so many questions for all of us. in the case of dealing with russia, it poses a difficult deterrence issue. in your time in office, i think
12:10 am
you made enormous progress and making it clear that it that if there was an attack on the united states there was going to be a u.s. response. so the china attack and you ultimately managed to do indictments, the iran attack on the banks -- in new york with barely any water in it, you damage to get out indictment. so you have begun to establish that even without using intelligence data you can build a court case. but when you're dealing with a country like russia it's more complicated. it's more complicated because there's so many other things going. discussions over iran, nuclear negotiations at various points where we haven't had them. it's a big, complicated relationship. so take us a little bit inside
12:11 am
the considerations that you have been hearing about how one deals with trying to deter russia? we could strike back now but it might not be the right thing to do at this moment when you're only a week and a half out from the election and they will have another response, or could. >> i think you're right to put it in a frame. so the approach of taking nationstate related intrusions out of the world of intelligence with a primary consideration is learning about your have a syrian protecting your sources to one in which one nationstate did harm, doing the investigation and attribution in such a way that one can make it
12:12 am
public. that was important because if you don't figure out who did it, if it's anonymous which many actors think it can permanently be then there's no there's no deterrence. you can't apply the calculus that we've tried to apply. secondly make it public. that means doing investigation attribution in a way that we can be public about the results and willing to accept them. third, imposing consequences. that. that may sound like a common sense approach, we've applied it against terrorists and criminals, but it's new in this area. we really only first started reorganizing governments down this path in 2013. we brought the first case in the spring of 14. since then we brought action against china, against iran, against north korea, which we should talk about more because i think there's common traits and the
12:13 am
attack against sony wasn't just a attack against a company or business it was an attack against our core values which is free speech. it tends to undermine core value which is belief in democratic institutions. so as part of this relatively, fast-moving transition transition to this approach, each time we have contemplated an action there's been discussions around the table just like we have we think about how to confront the terrorist threat. in the other two areas where we've gotten good at a fast pace pace you go around the national security council table into the department or agency has a playbook. here's what we can do under the legal authorities. here's a range of options to apply. so the
12:14 am
treasury department might say this is an applicable order where we can apply sanctions against the individual or state. justice might say, here, here criminal indictments are here's information we collected in the way that we can make public. the commerce department might say we can use the authority we have to designate certain entity is those who are counter to national security interests of the united states and thus make it impossible to do business with or without inexpert license. and then once you take the un resolution -- so you get use to this encounter cyber depending on the particular authorities but yes, counter cyber from things that homeland security could do, ranging from covert action to openly declared military action. so we have gotten good at applying that framework of
12:15 am
coming up with a response with these other threats. what is new is applying it against nationstate cyber actors. so you saw us run this exercise was sony resulting ultimately in less than 28 days publicly naming north korea and announcing sanctions and say there'll be some things we do in some things you see in some things you don't. but there will be consequences. i think we still need to invest in creating a maximum amount of tools for decision-maker to use when it comes to cyber threats or activity. that something the next administration can focus on to put resources into figure out who did it and also put resources into continuing to develop the tools in the playbook. and that's an important point in
12:16 am
terms of you for this race which is we are going to respond at a time and place of our choosing when it comes, that's our doctrine and although we are going to figure out who did it and make public who did it make public there'll be consequences, it it doesn't mean in every case what the consequences will be public. that is to preserve the maximum amount of options for the decision-maker to craft a response that best suits that particular adversary in the scale that what they did. it's vitally important, it's because it's so new each time we have tried to apply the framework of imposing consequences of making it public it gets in the lies both within government and without in terms of the relationship with that particular country. when we indicted five members for stealing industry because
12:17 am
it's consistent with the behavior of stealing -- which is used to make the color white and oreo cookies. to things like lead pipe designs. when we said that's the after work and are treated as theft there's a lot of discussion about what is it mean for china and similarly people said was sony, north korea's notorious difficulty impact. it doesn't make sense to impose a consequence with north korea. with iran people said you just sign the steel why would you take action against iran for doing denial of services that were two years ago? what's important is to get to a place where we stop analyzing each of these to the particular country and start say this is consistent with what america said the approach would be which is when you commit this attack
12:18 am
weather is affecting hundreds of thousands are customers and costing millions of dollars by hacking our banking system, stealing, or from private companies for economic gain, we are going to figure out who did it, make it public and impose consequences tailored to what you did. that sends a message not just each country, but to the other countries as they try to figure out, we, we know generally this is the framework they will apply. part of that means continuing to clearly articulate what those lines are. when we consider something to be traditional intelligence and when we -- >> you have seen lots of cases in which election systems in the united states have gone wrong. before we gathered here you mentioned in an interesting case of colorado a number of years ago.
12:19 am
tell us how, tell us what your biggest concerns are meant tell us how the addition of a nationstate actor coming into this makes it a hard problem to solve on the ground, in the states, where many states do not have the advantage of the intelligence briefing that john would get every morning. >> so i hear from many of the election verification network which is a consortium of computer science advocates and state policymakers. for as long as we have been in existence which is over ten years, we've been looking at the issue of what happens in elections when the machines we rely fail? either a pe pole
12:20 am
books where we check-in or the statewide voter registration databases or the machines. these are questions we've been been looking at for a long time. we have come up with remedies for this. one thing that would love to point out is that the folks that are most, we recommend at least for voting systems that there always be a paper ballot or paper record. this is champion most wholeheartedly by the computer scientist the people that love technology the most, the geeks that love the computers but if you're going to vote you need to vote on paper or there needs to be a paper you have verified for every vote cast. >> there's the five states with no paper backups and a number of states including some swing states that only a partial. >> that's right. it's better than it was.
12:21 am
keep in mind those states, paper is the gold standard, the states do ever other things. there are other ways the states handle the problems. paper is absolutely the best, north carolina 2,044,000 votes were lost in the computerized voting system. the election was in limbo for months. when you don't have paper you can come back and recount. when when you have a close election, they put the paper ballots on the internet and said you decide. how how did this voter mark this ballot? there's a level of transparency, and reliability. >> do they have now full paper? absolutely. it always takes a big crisis. never let a crisis go to waste and they didn't. many states who moved to paper move to because of similar
12:22 am
incidents. all of this to say is, we have collectively we been working on these issues for a long time, urged policymakers to move to paper that's where the united states has moved to many new systems have paper. that's terrific so regardless of whether it's the machine failure or glitch or human airboat in the software, or a nationstate bad actor in a persistent threat of that kind of magnitude, it's the same. using that paper in recounting and using that paper and auditing. so we we have not seen this challenge before. i don't think the remedies different.
12:23 am
>> tell us about how you look at this is your administering this in virginia? so the first thing we've heard about in the past couple months hasn't been really about the casting of the balance as were all in agreement that most voting machines are off-line, some voting by veterans and a few other exceptions. but of course the registration rules are online now. you do have ways of backing that up. i am a new voter in virginia. i registered just before the deadlines. i go in a week from tuesday, go up there and i got whatever evidence i was given at the time i registered but they can find me. what happens? in virginia and i think across
12:24 am
the country we have elections being administered at state local level. a lot of dedicated folks out there. i think this is something that regardless of whether it's a paper-based system or an electronic system. a lot of our election administrators will look at the risk involved to figure out how to mitigate the risks as were setting up our process and procedures. in virginia we've had a big change since last presidential election related to electronic transactions. we went through a paper-based voter registration process in the state to having online voter registration. we moved our dmv to electronic registration and so we went from a fully paperless system to in september, 73% of% of our registration transactions were electronic. so it has been figuring out and
12:25 am
building then with the newer technology, building and the security of front and the ability to audit so the situation you mentioned in terms of voters showing up in the dmv process we took paperless but it's a process we built very carefully with the dmv to create an audit process for all the transactions. so somebody who doesn't appear on the pole on election day they be issued a provisional ballot, and give us time to research it at the local and state level. so we have an audit process that we can trace back and see when did the person go to the dmv, what kind of transaction they conducted. pull any additional record that the dmv has. we have the processes in place. that is mitigating, we know the
12:26 am
issues happen, it's not new, it's it's how we deal with them to make sure voters if they cast a ballot than that ballot will count. that has been our focus both at the department and at the local level in terms of the work they're doing to make sure virginia voters have the ability confidence in the system that when they go to thing counter an issue that we have a way to resolve it that their vote will get counted. >> the department of homeland security has offered services to come in and basically scan a system and look for vulnerabilities. they offered offered this after the reports that russian hackers i think they were not necessarily state based, they had scanned a number of skate states and we have seen
12:27 am
warnings about arizona, illinois, and -- do you take up dhs on that invitation? if so, what kind of things do they look for what they find? >> in virginia when comes to cyber security preparation and looking at her system they been ahead of the curve train curve. throughout the ministration we've had a focus on cyber security. a lot of the recommendations and information that homeland security in our federal partners have been putting out are things that virginia was doing. routinely scanning our systems to look for potential voter abilities how to mitigate those and resolve them. we work closely with our state it agency to make sure were consistently monitoring our systems for those activities.
12:28 am
also when there is growing concern we became the first state agency to partner with the national guard. we have a lot of things that we are happy to share with other states and look at how they can improve the awareness and work on cyber security. we been in the discussion with dhs and are leveraging the offerings they have. some we been able to do and look at before the election. many of the things they let us know postelection to review what we are doing and look at how we can strengthen our cyber security even more. i think the discussion around homeland security in the treatment of election infrastructure is a great discussion to have. not enough attention has been paid to security in the elections process.
12:29 am
unfortunately it's taken a backseat to everything else going on and so it's important conversation to have. unfortunately the timing of the discussion has fed into the fears about the security of the election. it's not that were not confident it's remaining vigilant. >> did you have a dhs team that came in and looked at your system so you had not outside the? what did they discover? >> we had folks from virginia national guard command and we've been levering the resources and will get into what specifically they found. i'm happy to say that we haven't found any specific threats in our system.
12:30 am
were in a good position, we continue to work with dhs, our state local homeland security partners and everybody else and maintaining. >> did you find any evidence that your system was scanned at all by this russian hacker group that had scanned the other states? no. our state it system just like everyone else has a routine skin that goes on. our state it agency puts out a report every about how many times there has been probing up the system. we have not been given any indication that there has been any attempt to ask us our system inappropriately. . .
12:31 am
>> as you look at the nature of the problem here, tell me first off what is this odd situation where the states run all of this but there is a limited authority about doing the mandate to change the system. it's a little bit of a survey of what the government can do and whether or not you think the emergence of the nation's data is getting interested in the process means we should be rethinking that the authority should be. >> a couple things, first the title federal election commission is a misnomer and confusing to people who don't understand our system. it would be more accurate to call it the federal
12:32 am
campaign-finance commission. the federal election commission has essentially zero to do with the running of election day activity in the united states. it wasn't set up that way. it's neither good nor bad. in the current moment where we are worried about everything being interconnected and the ability to control or in fact computer systems from the top down is probably good that the united states has one of the most decentralized systems in the world. we have 50 states and each runs its own election systems. the states with counties in almost every state the counties actually run by election systems or the cities, and they have local officials who are in charge of how that's done.
12:33 am
part of the national discussion post-florida in 2000 is a should there be national standards come either from federally mandated or at least funded through money appropriated by congress to improve our election systems, and the tension has been between the obvious benefits of having somebody look out what's happening in the established standards that become the gold standard we hope states will live up to versus our very strong tradition of truly vocal control with hundreds of thousands of volunteers on the election day and certainly tens of thousands of officials across the country. and i think we have reached some
12:34 am
compromises. as with anything sometimes we've moved the wrong way. post 2000 there was the sense that we should mechanize and one of the mistakes we made is diving into computer systems without a paper trail and pass the risk if something went wrong maliciously or not, we wouldn't be able to figure out what happened or how people voted. so i think there has been the move we spoke of towards either paper ballots, the ones that are read or you filled out by hand, or a paper trail where it's possible to figure out what happened. and i think a benefit of the discussions that have gone on the past couple weeks is the awareness of the vulnerability of the systems that will mean we move towards i would expect all states having a paper trail but
12:35 am
the distinction i want to make his even if we are talking about states that have machines, the phrase that john used is moving ahead of the horse and system and the good news i would say today is in the elections we are still essentially in the horse and buggy system and we are the antithesis of the internet of things. these machines are not interconnected. if you have a voting machine, it sits in a warehouse and it is examined before hand and afterwards, but the states haven't had the money or the interest in trying to hook everything up so that they are largely freestanding and whether you are talking about the books that the states are using to check people in, even there there has been a sort of push
12:36 am
and pull having them connected to access the central database and make changes. the disadvantage that we have seen in some states if there is a glitch in the system then nobody can check in. that's why the entire system doesn't work and the states are increasingly understanding they have to have freestanding devices and that's largely where we are as a country. while you can think of things that could go wrong on election day one of them is not a state actor could enter a central election systems doesn't exist and change the national tabulation that doesn't exist, and change the results of the winner of the election. you could do that in other countries that have exactly that system, the federal tabulation system in federal computers that
12:37 am
we don't so you would have to be dealing with something at the county level or conceivably looking around at the state level but even that would have so many checks and balances and the system is so transparent in the way the results are passed back and forth from local precincts to counties and states that you would've noticed changes along the way. way. >> there was a brief moment back in august when jay johnson, the secretary of homeland security said maybe we should designate the system to be a critical infrastructure. after all, you look around the city and the washington monument is considered criminal infrastructure -- critical infrastructure. the defense systems are considered critical infrastructure. maybe the aspen institute is. but the system is not.
12:38 am
then a few weeks ago, we heard the director of the national security agency, admiral mike rogers make the observation that we need to rethink our critical infrastructure list entirely, lesser found building and institutions and more around the data flows which seem to make enormous sense to me. what difference would it make if any if our electoral system the underpinning of our democracy was considered critical infrastructure and do you thinkk you would have individual states say this is the beginning of an effort of the federal takeover and what has always been a state process. >> there's two questions that may lead to different answers. we consider it to be critical infrastructure and the other is the value of th that designatio. of course it's critical
12:39 am
infrastructure. perhaps not our daily lives, but the entire system of government to the constitution and the representative democracy nothing is more critical than having an election that is transparent and successful and credible, believable. i can't think of a greater threat to a democracy than then suggesting somehow either that the numbers can be hooked with the system can be disrupted which is a greater threat so that people cannot successfully vote and we come away from election day thinking that it was disrupted and therefore democracy didn't work, voters didn't have their say. so it is completely critical to our system of government and the belief citizens have been a working democracy. then the question becomes do too
12:40 am
designate it as part of the critical infrastructure and what does that mean. and it seems to me that the good news out of any such designation is the possibility of establishing national standards such as a paper trail that you want to make sure all states can meet. the risk you mentioned that states will see this as a federal takeover of elections and the problem with that is the substantive risk that in fact you would ironically federalizing to centralize it in a way that makes it more vulnerable. you wouldn't want to do that. but the other is i don't think you want to have an unproductive debate will be living perhaps the civil war between the federal government and the states over who is in charge of
12:41 am
the centralization. what you want is to reach a place where you have good national standards for states can figure out how to meet on their own. you don't want to say let's relive the post for the debate or everyone has to buy x. computer system. you should have a system that you meet the following certifications that were and that's transparent so you can go back and count the vote if something goes wrong. so establishing standards is useful, and remembering that one reason some states are behind in this is a funding issue. it's not that there's not money there but they've allocated at one place rather than another and it's expensive to make changes and expensive to do the ongoing security issues. so maybe part of that is there will be federal funding to enable even the poorer states for in some cases it may be counties and municipalities to
12:42 am
bring them up to national standards but if there is a designation, it has to be clear that this is a helping hand, not assuming control and that i think would be very unsuccessf unsuccessful. >> one of the concerns is that you could have a day kind of like we had last friday where there was a internet of things organized attack on a company that was basically one of the operators on the switchboard of the internet up in new hampshire. it didn't bring everything to a halt, but it sure slowed things down during internet searches and stories of maritime.com, we
12:43 am
took that personally. you can imagine on election day when people are trying to figure out how to get to the polls and where they are supposed to go vote. this could mockup the system. how much of a worry is that and how much do you do about that in the case at least that is what general clapper seemed to suggest. >> generally trevor makes a good point on this determines strategy and risk management strategy once you accept the premise if you lose something connected on the internet it's not safe because a dedicated nationstate actor even a sophisticated criminal group, so-called persistent threat those are the capability and the
12:44 am
desire to get into the system and they will keep trying until you get it once they accept the premise, then the next part of your strategy has to be how do i handle this as a risk mitigation matter. so whether you are a company or government agency, what do i need to make sure that it still works if the worst happens and someone gets inside and at that comes with taking things in paper form or another example the russians attacked the ukrainian electrical grid. one of the reasons that wasn't as effective as it could be is that it's near 30-years-old so that people have the expertise to still work the system manually and the infrastructure wasn't actually connected. >> are you talking about the attack over the christmas holidays when they hav had to go
12:45 am
back and throw real old-time switches to get the grid back up and running. >> exactly. as we take in the mystification -- risk mitigation, there's 9,000, 10,000 different sites but there's also gains in making sure you have redundant copies. that's a lesson that applies to the finance sector, the voting system equally and as we start moving it doesn't mean we don't want to take advantage and come up with things that save as many lives when it comes to cars but if someone were to penetrate the system. are you still operating manually and can you create it if you are worried about disrupting people's ability to gain internet access and talking about it publicly befor before e dates of panic doesn't incur and
12:46 am
making sure you've thought through the resilience plans. >> as you think of your list of things that worry you the most that could have been, where does that rank in your list of concerns? >> when you talk about dedication and we have the officials trying to conduct the election. so our officials do have a lot of backups in place. we've been working with them on long time on the planning for all sorts of emergencies and we've got everything from power
12:47 am
outages to everything in between so when it comes to being able to find the information they neeneed, we've been looking at w do we make sure our system is accessible so we partner with people to put that information out so we are not dealing with kind of the single point of entry for voters. we work with the voter information projects to make sure the data is available and out there and we have had right before the registration deadline experience in the state a surge of activity people were trying to get in at the last minute to register so we learned some lessons in terms of figuring out how we can distribute that information more and so we learn things like if the system isn't accessible we now have a special
12:48 am
piece to point than they can go and access resources somewhere else that's not on the system should something happen so it's kind of making sure voters still have the ability to get the information they need and feel confident they are going to the right place to vote into their vote will count. and i think yes it is a concern and we saw what is going on friday. the system kept functioning on friday and so we are looking about and have been planning for those sorts of things for a while. it may surprise you that the state level and at the local level why don't even know how
12:49 am
many in terms of the overall state budget that little amount of funding so that policymakers anthe policymakersand legislatot are figuring out how to properly fund the government and make sure we can provide all these services and making sure they are making it a priority unfortunately it does take some sort of a crisis moment to spur some action in the federal funding that we thought so we are hopeful nothing like that happens but we are going to be working with our legislators to provide funding so that we can make all of this work and make sure we can deal with these threats moving forward.
12:50 am
>> ever since the hack we have seen a drum beat from all of these organizations that states need to be prepared and have paper backup and contingency plans, and again it's not just nationstate actors, these are problems that administrators know about and that there's been a drumbeat to prepare. the one area that i am concerned about is for the military and overseas voters, 31 states allow military and overseas voters to return their ballots by e-mail. it's not secure. we did a report with the
12:51 am
electronic privacy institute and its not secure and it's not a good way to vote. if we are concerned, we now have evidence that a nationstate is interested. i would urge the military and overseas voters to cast a paper ballot. the act requires states to be allowed to send those electronically that's fine but some states allow them to mark those ballots and send them back by e-mail. would you e-mail me your social security number? it's not something that you do with your social security number and you shouldn't do it with your ballot. i think in the voter's mind must be secure. they wouldn't let me do it if it wasn't. i think that is the problem some states have gone to some
12:52 am
cryptographic things that they are still not secure because you can still get into the server so that's something i am concerned about. there is a trend people want to do things on the internet and other smart phones. why do i have to. i can't vote for my computer and there are companies popping up every day saying we've got the solution, we've got the cryptography. we can't keep nationstate actors out of the department of defense. good luck with the group. it's not safe, it worries me and it is a dangerous time and should be reversed. >> we have about a half-hour left and i want to go to questions in the group. >> while we are waiting for people to come up, i'm reassured by the centralized and
12:53 am
unconnected voting systems of voting in our country and i'm really glad that we are looking at this before the election. my question is whether some of thwhat are some ofthe red flagsn that might concern us about what happened, in other words can we see now what things might have happened that would be a red flag that we should say that's t they consider maybe those results are not accurate. >> i don't think we are going to be in a situation that we would say that verified results at the end of the process may not be accurate. i think it's the question is what would we look at on election night or the next morning and say there's something wrong with those
12:54 am
tentative or preliminary results and we need more information or we need to go back and do the recount, that's going to depend a little on the state system. i would back up and say the first issue will be in election day issue. are there attempts to affect the workings of the intranet system and does that mean that state election commissions are not accessible to the public and are there relations that people are having trouble devoting any given state or locality the list of registered voters are not accessible and those are red flags that get picked up immediately, again, because the transparency in the decentralization both parties
12:55 am
will have election observers and lawyers focused on all of that. and as a person in the mccain process, there is a nerve center of people in every state looking at that and there is no somewhere, that's not an internet problem but it's an election day problem. there's a snowstorm. if you do go into a judge and ask for the adverse to be extended. extended. there's a hurricanethere is a hy as new jersey did that you can vote after election day in some places? we are already defined to look at that and you go in and say we want you to change the normal way elections are run for this particular reason and this particular place. and that's something that gets litigated and one party might think that disadvantages them so that will be very public. then afterwards, every state has
12:56 am
a system of certified the results going back and crosschecking and there are missing members from the precinct or a machine didn't work the system kicks in to deal with that. i do think post election we will want to go back and look at the questions of what more can the federal government to do and what funding is needed, what do we need by the way of standards, and i do think the conversation changes over time. if everyone said why don't we vote by internet i can stick my car into the machine and get money out, why can't i stick my cardin and vote and it was the computer scientist who said wait a minute, there's some issues here we have been fully
12:57 am
addressed. so i think we've learned over timwe learn over timewhen i wasd these people came to see us and said we can't really tell you who we are, but you should know that a foreign nationstate has seized control of your computers and they can do anything they want with your computers and e-mail and records and so forth. we said what did you just say, what does that mean, and what are we supposed to do about his? that was eight years ago. so i think the public is behind in the reality of what's out there in terms of the ability for people to at least intrude and realize, and now we are learning therefore to wiki leaks or somebody to put that out there and that will have an effect on how we look at things going forward and it will affect what officials are shooting for in terms of the inner
12:58 am
connectivity and given the pause where they say do we want to set that up in an e-mail i think election officials are going to say do we want to connect all of those and if we do, what is our backup system, which wasn't a conversation that was as common a couple of years ago. >> we will start right here. >> thanks so much for all of this. i want to pose a question this way. first, it seems to me there are two threats that we face in this particular election. there are cyber threats and digital threats. the cyber threat you laid out in detail. my question, is the cyber threats that we are looking at exclusively russia or are there
12:59 am
multiple players that might be at work in the room. no one has mentioned the word but i'm about to do it but of course he's going to keep us in suspense because he is stunning whether this will be a fair election. and in that room, there are two components, one is voter fraud and the other is disenfranchisement. and i'm wondering is there concern on the part of anybody on the panel on either of those analog options and historically is that bogus or is there some validity?
1:00 am
>> are there other nationstates and then maybe take on the disenfranchisement. >> i think on something that trevor said, the public was behind in terms of where the threats were compared to those that have gone through the experience. and i think we in the government were responsible for that because we were not stating publicly on what we were seeing and there were reasons for that and kind of a history dating back to the cold war in the mentality you would treat this type of activity as an intelligence and try to observe each others' capabilities and assume it can be used for strategic intelligence gathering. but as it is permeating so many parts of society and can be used for things strange into physical
1:01 am
loss of life it became more and more important for us to add government officials to be able to talk about what we were seeing also roughly in 2011 we named for the first time the espionage and it was only until recently we say iran north korea, china and russia started talking about what it is we can do. i think that's important particularly when you talk about the intent to undermine confidence in the integrity of a system because when you are forewarned that it's outer boundaries are in the media and the public it makes it very hard for them to do what they want to do and maybe it's hard for those that live in the autocratic society to understand. but here in the democratic society being public about what they are trying to do makes it
1:02 am
its own protection to whether we should worry about nationstates or criminals. so it would be a mistake to look at each separate incident and say this is just a russia issue when it comes to undermining the integrity. we need to think through how we make the system resilient regardless of who the bad guy is. you can come through and list those that might have the motive to do it and that might help in the way that one devises or thinks through the medication but we absolutely need to think more broadly than any particular threat actor in any particular threat. >> on disenfranchisement issue yes, trump said there's going to
1:03 am
be voter fraud but we have seen academic research looking at the end person voter fraud which is what he's talking about because he wants to defend observers to go down to certain places to make sure people are not putting a disguise and then taking their neighbors name and voting. that is in person fraud. that really doesn't exist empirically. maybe there are one or two cases, but we can sort of dismissed that as a threat i think out of hand. but we are concerned about is the impact of people that are going to be observing, being a force of intimidation. so we work with a large coalition of groups to run an election protection hotline. in the early voting we've
1:04 am
already seen behavior where people are voting in filming ang and taking down license plates and things that are intimidating for those casting their ballot. the reverse cure for solving the problem that doesn't exist, coming down to challenge the voters and ask them if they are registered to vote i think is worse and should be reported. if the voters see it they can call the hotline and let folks know.
1:05 am
>> this has been an interesting election between the officials in the nominee on some issues but no more than on this issue because you have seen republican elected secretaries of state and officials saying with democratic officials are saying which is if by rigging you are talking about press coverage or broad societal issues, that's different. but if somebody means the result is going to change because there will be actual broadband people that are not registered are going to be voting or people are going to be assuming someone else's identity, dare i think both parties elected officials have been clear that our system
1:06 am
is designed to ensure that doesn't happen. when i was in the general counsel eight years ago based on the noise at that stage, we sat down with a careful analysis what are the threats we have on the election day and the issues of busing people in. what are we concerned about. the answer that came back is historically they've been absentee voting, nursing home voting means somebody gets 250 ballots they go off and come back and they are all fine. who knows who actually voted of those. that's different than on election day where we have a higher number of certainty. there's a lot of safeguards in place and that is not the problem we've had. >> i'm with electronic privacy
1:07 am
information and i wanted to thank suzanne for mentioning the views of the computer scientists to the issue of online voting, and these are not just the experts, these are the people that designed the cryptographic protocols that would say it's okay to purchase a book or music online but please don't rely on the same protocols for voting. that's very important. my question is for john. i think you made an interesting analysis of how we deal with the cyber threat broadly. you are trying to rationalize this data is by saying the u.s. will identify you and respond and we have the ability to do those things that assumes that you have repeat players and you just said a moment ago i think correctly that a long-term solution may require general was silly -- resilience.
1:08 am
the question though is attribution. in almost all the james bond movies, one of the plot twists if you have somebody between the u.s. and the russians who is trying to provoke an action by one great power against the other. and it seems to me in the realm of the cyber attacks, we've already seen this. it's a real concern. to what extent do you think going forward we will be able to manage the issue when there are so many different degrees of risk and response. >> that's an important question. there were those who assumed we couldn't do it and make no mistake it is hard but it's not impossible. the difficulty of getting the attribution with the
1:09 am
collaboration of the victims is something we need to change by increasing those who are willing to come forward the uk but then there's in the system or private companies who have been hacked. if we can do in the investigation and attribution with high confidence in the intelligence community or that it's been on a reasonable doubt before the jury and the defendants. for a period of time, i think there was a mistake in that we turned this overly technical. so the idea was you have your technical expert and they speak a language the prosecutor or law enforcement doesn't understand but they are really smart. they will tell me at the end of the day or that it can't be known but that's not how we
1:10 am
investigate and other areas and it shouldn't be able to investigate. you are using all sources the way you normally would. that means figuring out what to tell you occurred. your technical analysis did it. one of the things when i was prosecuting homicides and you have the profile is, the behavioral analysis pointed out and what they would do is take a look at the crime scene and then they would say there's certain things that were not necessary to affect the crime. they situated at the body in such a way they want an impact on the viewer and that is both horrifying and a clue to give you some insight into who this person is, the cyber equivalent which is one of the first times we used one of the analysis and
1:11 am
he'd look at things like there's certain malware to turn a computer into a brick or exfiltrate and use it against sony but they also things like a splash screen so there is a visual image of the viewer sees and then on that they left things that don't have to do with turning the computer and you can look and see what other actors and deposit matchup here and it did so you combine that with other information to get your whole picture. under the nationstate or the criminal justice people bringing the charge you need to make sure you have a high degree of confidence.
1:12 am
it's the reason why we've discouraged the privacy approach taking into their own hands because it is hard to do and in the case that people use cutouts that will be a threat. we had a case like the private company that sold privately identifiable information. from the victim perspective that is like a low-level criminal trying to make a buck but he's taking that personally identifiable information in a small amount and giving it to the man living in this area and he was taking the stolen information and turning it into a kill list and he's using
1:13 am
quicker and then killing these people where they live by name. we saw the electronic army where their actions they did things like a terrorist attack on the white house that caused the stock market to get into they were reaching extorting companies to make a buck. it's going to increase the amount of time and money they spend and i have no doubt they will use things like leveraging criminal groups. we only have about ten minutes left so people ask short questions. >> before i retired, so my
1:14 am
question is what are the strategies or are there in the think tanks and groups who are going to be prepared after this election who will begin communicating with those that say that it's been rigged. how will we begin to reach those that felt disenfranchised because their candidate didn't win. is there a group strategy that will be able to say the fees are our statistics and to those that felt like it was stolen from
1:15 am
them. >> does virginia have a way to address -- for us it isn't waiting until after the election. we've been without for officials because of everybody's heightened concerns in all these questions for us it is a good day when the voter goes and and doesn't have questions. we are informing voters so come election day regardless of the result they are confident the votes were tallied accurately and that it wa

3 Views

info Stream Only

Uploaded by TV Archive on