Facebook, Google and Microsoft on Campaign and Election Security, CSPAN, September 13, 2018, 7:53am-8:55am EDT

7:54 am
executives from facebook, google and microsoft discuss network security at an event hosted by the bridge, a network of tech companies. it took place on tuesday in washington. can we get the people that are seen in the back to come take a seat. thank you guys, so much for coming. and the cofounder of the bridge which is an online community with the intersection of tech, policy and politics. i'm excited to have you guys here.
7:55 am
clearly, one thing we are doing is convening people innovators, regulators, policy workers working in this space. election security is a huge issue right now. we thought it would be great to get google microsoft and facebook together talking to campaigns every day trying to find solutions on these issues. thank you so much for hosting. and let's get started. they're giving a little information on what the company is doing now. i'm have of the international election. anyone involved in elections to educate them on the
7:56 am
products and services available to them. i put out the brochures that we have with a lot of our products and services in there. i will highlight two products really fast. the first is called project shield. and helps protect the website. if you are a candidate and you have the website. and you have not paid for some type of commercial security layer this is free for any campaign candidate or political party. they are listing polling places on the website. the second product we talk about a lot in this contact a
7:57 am
little bit more about that later. both of those are listed here or you can google either one of them and find them really easily. great, thanks. i am an advisor on the defending democracy team at microsoft. also known as cyber security and democracy. we were formed back in april but we are part of the team that already existed in microsoft. we realized that we needed to come together in a more cohesive way to address those issues head on. so our team was formed several months ago. thinking about this space in a couple different ways. we have made some
7:58 am
announcements recently which i'm happy to talk about in the course of the conversation but i'm excited to be here to talk about this really important issue. what the government organizations. one on one but also at scale and educating them on the products and services that we have. and how they can use facebook and the facebook family of apps. a couple of things that we have that are available to anybody you can take a look at politics which is a new website we rolled out a couple of months ago. it's basically a clearinghouse for all the information that we have. for every campaign and anyone running for office. who wants to know how to best use facebook and how to secure their accounts. our safety center which is facebook.com/safety with a
7:59 am
handful of activities there that are things that you can do. take a look at your password. i'll walk you through things. and also importantly our privacy checkup. it can help a person facebook beat up social platform. what are the things that you share and it's an important part of security as well. we're looking forward to the conversation here. thanks guys. i plan to check out a few questions and then have you guys stay in the conversation. my biggest thing as eva has is just talked about a lot of tools and clearly all of those are out there. having worked in the cyber security space a little bit myself. the biggest issue was getting people interested and understanding that having two passwords is like wearing a seatbelt. a lot of people don't talk about it.
8:00 am
has it been an issue for you guys. also, how have you handled the individual campaign as a whole. people who work in the campaigns and elections are aware that they are a target. i think it's a new from where it was a four. the second thing is resources. even if they recognize paying attention to this, they necessarily don't have the resources. it is true campaigns are more like small businesses or startups.
8:01 am
they have a very small budget to start with. they are dependent on donors for that money. they take very careful account of that money of their go to spend on the pancake breakfast rather than on additional security features or an i.t. team in-house. these are not feasible for most campaigns. a lot of people think there are huge budgets when you're talking presidential campaigns although they have the same challenges but the small campaigns don't have the budget for in total i.t. staff to educate them. it's a little bit of an interest but it's not that they don't care i would think. there may be some but our experience has been they care but have some other things to focus on and they don't have a lot of money. >> so how do we get over that hurdle or what are you guys doing to help that in the midterms? >> at google we have websites, my website, google.com/elections has all the products and services for securing campaign
8:02 am
so please go to the website. having events like this, all of us have done of outreach for the campaign committees this year. there's been a lot of news stories written on this as well but also having campaigns and candidates tell their stories. one of the things we've seen is difficult is there's never time to have the security conversation with people. not only the candidates but the entire campaign. we are reminding people to have this conversation at least be aware. i have seen this cycle people are more aware when they get an email that they think somebody might be phishing them and trying to put malware on the system. there's an education that's happening. it's still not enough. we go to a number of political events and ask how many of you talked about two-step authentication on your facebook account or your e-mail account if you're the candidate? the majority of consultants and campaign managers will say, well, i talked about it with the candidate.
8:03 am
the candidate that they took care of the pot on the actual. it's difficult because it's sometimes uncomfortable and sometimes people think they know what they need. lastly i think we encounter a lot, people say who would want to hack my campaign? i'm running for state senate in one state and nobody wants to know our plan about where to put yard signs. we try to make sure these candidates know there are people interested, you have to stick yourself. a doing is at risk. >> to piggyback on that, i think people want to be secure. they don't want to be careless with how to handle the information but sometimes have different ideas about what that means. this may be unique to us but facebook has a real identity policy. the account on facebook to represent you and be a really. what we sometimes see on campaigns people create one fake account. they all log into, they all use for the candidate and that's probably the most not secure way to go about things. you had this fake account, our
8:04 am
systems detect different people logging in from different locations. it's going to think it is such fake again. you can turn on two-factor authentication. sometimes the simplest thing is using our product the way it is supposed to be used the people t do that. sometimes it's like basic hygiene. people create a facebook account ten years ago, they probably use an email address they may not check anymore. sometimes that's an easy way for someone to gain access by an old e-mail address or account is compromised. they don't check into it and so it's basic hygiene, making sure things are updated and use the platforms the way they're supposed to be used. >> an issue with education is going to be just having conversations like this which we are not all now going to leave here with secret passwords, but i think just getting people to talk about it. it's amazing we work in the space for years, now the fact people talk about this on campaigns -- >> it's cool. >> it's cool but very different
8:05 am
than just a couple years ago. talk about resources, and it's not cheap to secure at least yourself or your individual self or the campaign at this point. have you guys had conversations with the government or amongst each other on who should be paying for security? >> i'll jump in because last week we were very excited that we had a unanimous decision by the federal election commission agreeing to an advisory opinion that we requested essentially allowing for us to offer our new service, to political campaigns and committees, federal campaigns and committees. they agreed it was not an in-kind contribution, that what we were offering them fell within the parameters of existing law. that was wonderful for us because that was how we believed it was as well but we are constantly up against trying to do something to help this community but not steer into a territory that gets
8:06 am
us in trouble with the law or otherwise. it is a little bit of a dance to make sure what we're offering is allowable, it is also useful. when you launch account guard, it starts with our customers which is a key factor to be within the permission zone. office 365 customers are eligible to enroll and they get access to education materials which is our first pillar of the program because we worked with all our security officials kind of some of can we actually give to these folks to make a more secure, and the first edge we got back was education, teach them, work with them and in club, see how you can get them to turn on multifactor authentication at least for the admin accounts if not for the individual accounts. provide them with that information so we started with education. i think one thing that we all recognize as an issue is this
8:07 am
balance between individual accounts that people have and the corporate accounts or the enterprise accounts they have. another thing we have is if an individual is part of an organization that's in the program and they opt in themselves as an individual, if they had microsoft accounts for the personal accounts, so hotmail.com or outlook.com, they grant permission for us to not only notify them if we detect an attack from a nation-state against their individual account but they are asking us to notify the organization that they were part of. what we do in the case is close that information gap that we can see happen in these cases where individuals are targeted because of an organization they are affiliated with, potentially because of communication they've been having over those accounts and it allows us to work with them to close the information on that. >> when using individual account you mean if i work on a campaign and have a personal account, that is outlook or microsoft family, what if i have one that
8:08 am
is gmail? have you guys had conversations as tech companies, even if it's just yes, we have and were all talking about maybe it's just education, but what campaigns can do? your twitter account is just as gullible as your e24 account or your grubhub account. it's not just rowena. >> especially if use the same password for every one of those accounts. a lot of times people divulge to the password is 12345 for all those accounts. we talk a lot. we do as many events together. we feel we're all in this together. if one service you use is not to get but others are secured you are still vulnerable and we still ovulate so come together a lot. just an email i'll say real fast and i know you wanted to jump in, but for us on e-mail we always joke campaigns of the world greatest artists like we sit and they generally start with the candidate using may be
8:09 am
an aol account to talk to the campaign manager they just aren't that has a free account, then to talk to the yard sign person the heart or the digital ad from the decide that might have an outlook account. >> or volunteers. >> or volunteers. they are all talking on individual different platform e-mail systems about sensitive campaign information. at the very least we always talk about and people have heard us talking about this two-step verification or two-step authentication. what there really is on any of our platforms is the ability to be notified when someone tries to login to any of the site from a different location that hasn't been seen before. it can text you on your cell phone. they can send you email to a different account. they can notify you in some way. if anyone is looking to improve their security on e-mail or on facebook, google or bing two-step verification for whatever e-mail you use and have come up on any search engine and send you that way.
8:10 am
we really encourage people who are using individual emails to get a campaign started to do two-step authentication. we try to talk to campaigns about and ginny and i have lots of conversations about this, as the campaign grows what's great about our e-mail services today is that they are scalable, so if you start with two or three people on the campaign and an office 365 account can be great for you with two or three people and be able to grow up to 12 people by the time you have a full-fledged campaign six months down the road, same thing for gmail enterprise e-mail service, so it expands as a campaign expands. the good thing about enterprise e-mail system is it comes with its own security layers as well as an administrator. we constantly try to educate and tell people why maybe think on enterprise e-mail could be better security alternative as well as more productivity, or collaboration. >> just to piggyback off what you said, in addition to the education scale whether it's
8:11 am
e-mails or notifications or what we do with individuals we've taken steps to require things like two-factor authentication. on facebook folks probably are familiar with but if you want to run an ad with political or an issue of national importance to greenwich, connecticut, to an authorization process. part of the process includes turning on two-factor authentication for your account. right then and there anyone who is participating in that, they have to have that security feature turned on. same thing people who now manage pages that have large reach in the trade we will lose a couple weeks ago some siblings have to turn on two-factor authentication. in addition to the outreach and education we're starting to make it a requirement when engaging in certain types of activity on a platform which is a good thing. >> in addition to education which of course is the biggest issue, clearly right now the way that like you just spoke about how you guys change the process for buying ads on facebook if you're
8:12 am
a campaign, how many people in this room are working on campaigns or representing a campaign or have in the past? how many of you are coming from that angle? and then how many i guess if the site would be vendor types, and then he'll i guess would be others. okay, one. one question a lot of people have is kind of what else may change i guess, so we changed political ads now but what else are you guys think as the sticky issues you have to work with government on or that campaigns that you see in the future i guess? >> a big advantage of working for these big tech companies is when it comes to security, there are people back on campus who think about security all the time and she could in technology. when we talk about multifactor authentication or two-factor authentication we're talking about the technology that is commonplace. what i'm excited about looking forward to is where the security
8:13 am
technology is going. the use of biometrics and ai, like there's some real great possibilities for better security moving forward. when i think forward for this community and how i think about security i'm excited to see what new stuff our smart guys and girls back are working on. >> when i say for us, i mean the cycle, there's been a lot of education on two-step, two factor, sometimes mandating them at certain platforms so that's a real learning this cycle. as we look to 2020, ginny and i've talked about security keys, there's been some articles out recently that talked about google employees that use security keys and our gmail for years and have not experienced a massive hack. just last week we rolled out security keys available to trek to users. if your campaign uses g suites, that heighten security gives out there we highly recommend. if you're using gmail for personal there's called advanced
8:14 am
protection which is a security you can buy online. available online both you could google. the barrier is security keys can run anywhere from ten, 15, $20, $50 which isn't a lot but it adds up to a campaign as i think what we'll see next cycle is that campaigns be more educated about how security keys are really strong for that risk environment and invest in them is what we're hoping. for a majority of americans, two-step verification is generally just perfect and good security for using gmail or a lot of other different platforms. for this population that's most at risk for hacking or phishing which is campaigns and political consultants and candidates, we really are trying to encourage them to think about security keys. it's a technical barrier where people have to learn but i think we will get there with 2020. >> i think for us in addition, one big thing is making it easier to use two-factor authentication which is an elected. we enable people to use keys or things like that, other tokens
8:15 am
in addition to or in lieu of the phone number. that's one element, making the process easy. another for us will be a lot of times when it comes to phishing bad actors use fake accounts. it's on us to keep doing a better job of stopping the creation of bad accounts which in the order of millions every day we stop either at the point of creation or 98% before they're ever reported at stopping the fake accounts so the people don't even get the chance to go and try to phish somebody and try to get their information. >> i know you will not put a number on that but what would you guys see as success in 2020, like if we're putting security keys, would it be working with campaigns, giving it to them in bulk? i do think having worked in small campaigns and liquids, budgets, they are just maybe not there and definitely not a priority. maybe that will change but what would you guys say forecasting 2020 when we are passing these
8:16 am
midterms now but what would be your hope for success? >> i would hope we get everybody running for office or in office can have two-factor authentication turned on, on facebook be using a real account to manage the page. >> do you think it will take until 2020 to get all campai? >> way before that. we're trying. that to me looks like it's a combination of making sure people understand how to manage the platform. if you're managing a page there's different page roles. keeping track of that and making sure you know someone is on your campaign today and they leave tomorrow you should remove them. it's a lot of operational things but to me making sure people understand, making sure that security feature is turned on. it's pretty basic but that's something we will keep working on. >> the tactics are important and i think the success might be more in a culture change which might be reflected by the staffing of major campaigns. whether the cio?
8:17 am
will it be someone with security in their title? not just on the presidential level but are senate campaigns, gubernatorial campaigns, will they start prioritizing? if and when they do they will have budget administrative budget we'll start seeing these things deployed. they will be making sure that security keys, making sure that enterprise-level e-mail solutions. what a lot of us are working towards and others in the nonprofit space like, for example, can't have a campaign security panel without a shout-out to the belfer center at harvard. they've done some excellent work around the education piece as well. i think a lot of what we've seen between these companies and nonprofits in academia is a shift and a push toward a culture change within the campaign community to start prioritizing this. >> dreaming big and i want to dream big, too. but as good as a for 2020 when campaign staff commitment to train on how to go door-to-door or even campaign-finance rules, if there's a training on in the security, platform security,
8:18 am
that would be a huge shift for 2020 for that to be part of initial training to join the campaign staff. and i'll give one more shout-out to the belfer center secured a playbook. if you're watching adult or you're an audience and you're still wondering how to tackle this issue, just look for it. it is great information. >> has been asking of any campaigns that do have that type of person, or user in that role? >> are you available? [laughing] >> this is my aspiration for 2020. that's not to say there are not. i bet there are senate campaigns with someone who has that authority. they might be the chief data officer. >> just thinking that way. >> it's a total different way to think or even what you guys mentioned when people leave the campaign, i've left campaigns -- i will say that on stage, but people leave campaigns and they just leave. they keep their computers and then you just charge them for it. things happen very quickly but
8:19 am
if there were an offboarding process, like on most come at the cybersecurity, but i used to work for there as a whole process and you kind of go through it and you don't have access anymore. >> i can say from experience, as this is my third election cycle at facebook and the conversations we have are totally different from what we had in 2014. people were not talking about security the way they do today. it's happening. still a long way to go but the conversation is different. >> in terms of the conversation how are you working with the federal government and what do you see as regulatory hurdles to actually getting work done, talking about success in 221? obviously a lot of those things are regulated by government or there are just places where you guys step in and offer services. where it kind of are the lines of? >> any reference, i mean making sure we are all in compliance with federal election commission in-kind contribution is always
8:20 am
something that we are constantly ensuring that we are doing but i think the giving out how to talk with him our work through the existing guidelines to make sure we're offering the best security features and consultations to this at risk audience is important. i also think i know all of us have met with for example, the dhs election task force and we continue to do so. we talk to each other -- >> a regular basis? >> we speak with the government on a regular basis when necessary and we also speak with each other. the collaboration we have with each other as well as the government being more aware of how they can be a resource to campaigns, election officials, secretaries of state, local county election clerks is a really big collaboration between all of us. because we generally speak a lot to campaigns and candidates, voters, dhs and others are speaking to the election clerks
8:21 am
and that's a whole nother audience that we continue to talk to but they have more of direct one, for example. >> another panel for another day. but, i mean, i would say that everyone on the stage recognizes that this is not a problem, the problem we're all facing right now is not one that can be solved by industry. it cannot be solved alone by government. what we have really appreciated is the fact that ngos, academia, government, particularly teams at dhs have been doing some great work this year are all coming together in recognizing this is that something that one entity alone can solve, and that is going to take a little bit of effort from everybody to improve the situation. >> what would you guys say is the biggest threat facing campaigns right now, either in working with them or what do you see on the cyber front? >> i would actually say being
8:22 am
lackadaisical and not thinking about this issue or being naïve to think this issue isn't going to affect them. again we hear a lot of times from smaller campaigns. i don't even have an opponent, why would anyone want to hack me? but it's important to never let your guard down and use these tools to secure some even if you don't have an opponent, even if, no matter what. >> in terms of tactics used by attackers, what are the phishing or what would be the biggest -- phishing is probably the biggest one but are there others you are seeing that unlike top three going into 2018? going to 2020 does it differ for presidential, doctor campaigns versus a senatorial campaign? >> this is anecdotal for but from my experience it some someg damage in which people who either use fake accounts which you can estimate to a whole host of issues, or again they use credentials that are outdated, they don't check it were. i have a lot of people reach out to me, an account was compromised because they had an
8:23 am
old e-mail address they just don't check. super super specific but i see it all the time. so that by far and away up and down the ballot from federal to local level that is what i see more often than not. simple hygiene things like an account you actually check and turning on two-factor authentication, perfect. >> when we talk about phishing, a lot of folks don't recognize there are different types of phishing pictures like the don't have a big enough target which are some out affiliate with some who is or are connected to an organization that's a target, i would not underestimate the lengths to which an adversary will go to to get you to click on a link. they will craft e-mails to look like a very real email and they will create websites that look like real websites and drive you to them and infect you with malware or get you to enter your credentials. it goes back to education,
8:24 am
there's a reason for that, which is people think i know about phishing, i knew about the nudging scans, i'm not going to fall for that but they may not recognize if they're being targeted, they may not notice. then there's the concept of whaling, where they're going after one particular person, maybe it is the candidate or the campaign manager of those efforts can be astronomical stars the go to and sometimes the hard to -- as were having an i.t. infrastructure setup that is resilient and could make sure you don't come easy to get to the one big person you don't get into the admin sites and that kind of thinking can be beneficial. it's going deeper on these topics like phishing were a lot of education maybe mr. right now. >> ginny and i both have browsers as products and the browsers sometimes, having people go to the sites that have malware were both of us have browsers that warn people when you're going to sites that may be infected with malware. a lot of people don't acknowledge that warning and go
8:25 am
forward. again it goes back to education. a lot of this can come from e-mail, from a platform or it can come from even browsing. so being aware is an important part. >> i will do one more and then we'll open it up so you guys can start thinking about your questions. what sort of guidance, like you mentioned meeting with dhs, fbi. i know you guys admitted in groups. i know you talk to them every day but what sort of guidance can the government give you guys now on this from the federal side? >> hmm, i think the collaboration has been less about either of us telling the other what to do even from innocent guide point and making more connection and open lines of communication. i haven't heard anything of the a guidance for us directly from any of them. >> i agree. it's more about for the candidate making the connection. naturally --
8:26 am
>> i think they are happy to hear about our outreach efforts and, frankly, sometimes magnify our outreach efforts and our products, eventually beneficial. >> one last one from me. how are you guys working with the committees? obviously there's all that, and also vendors. campaigns are small so they outsource a lot. obviously the national campaign is a way to enter campaign and the campaign is a way to open a door to national committee which has tons of donors and people are not educated by you guys so what is your guidance on that issue? >> the committees and vendors especially large ones are excellent force multipliers. tinsley campaigns who are advantaged by or have a great relationship with the committee that are in the best should consider great job make sure they are followed on best practices. so from the perspective like terrific. the still all the people who are
8:27 am
not captured by the for the twilight additional scale about which comes in. >> we hold a series of cybersecurity united states a couple months ago in d.c. and we're trying to decide who we included that make it small enough audience they get some out of the the make sure it was broad enough to be legal but also to incorporate the right folks. we included vendor community because we recognize how incredibly important that vendors are, the frontlines when it comes to technology. >> when you say vendor -- >> the folks come several in the room today can folks into digital work for campaigns and committees or they do data work or they are even i.t. infrastructure setup. >> consultants, they run ads. >> they are a lot of times the front line from the technology standpoint because a lot of times will outsource a lot of that work. we also included them because for the same reasons. we recognized they were vulnerable as well. >> what did you guys do at those trainings? what was the outcome?
8:28 am
>> we went through, , we brought in an intro team who does security because we thought rather not us talking about the high level stuff we bring anything that does is on a daily basis so they are internal i.t. security team and we went through things like threat landscape and modeling. trying to make sure folks understood with a against other companies like microsoft view that space and we went through things account to develop an app security, cloud security. you were talking about devices. that recognize bring on device is just the reality but the truth is it is the reality of a comet like microsoft or i have my own phone but there are ways to do that securely now to both policies and technology so we walked through some of the policies we put in place to ensure a device is updated with the latest ios whatever system you using and talk to them about how they tense secure things like the cloud city. we got a lot of practitioners there who do the day-to-day work on the i.t. space that those
8:29 am
with the topics we went over. >> i was going to say the committees and the vendors are great validators for all of us and reinforcers. sometimes i joke with some committees that they should tell the candidate or campaign they will not return the email and they show that they're using two-step verification e-mail, but i think they are great validators for all of us and great educators and great resources for us to talk about our tools when they push a lot out to the campaigns and candidates, really helpful. >> great. i think we're going to take don, your microphone and the people of questions raise your hand and he couldn't didn't you say youd organization you are from, that would be great. nobody will have any questions. >> hey, my name is bobby cunningham. i am from dh strategies and someone who during the college and then as my first job after college worked on a campaign.
8:30 am
Two years later I now work in a lobbying firm on behalf of a cybersecurity firm. I just absolutely cringe at how little I knew then and how unaware I was and how commonplace that still is. So I think this is a really important topic. Lee, my question is for you, sort of, forgive me if I am veering off into the sort of election space. I know this is focused on campaigns, but obviously a big part of this is sort of foreign and just general interference at the state level as well. Could you all, and maybe Lee, you, talk about your interactions with county clerks, boards of elections, and how that differs from campaigns? >> So we work with the National Association of Secretaries of State as often as possible. First I'll tell you we work with them in a civic-minded way, as
8:31 am
we get close to election day we work with each of the secretaries of state websites that has information on what is necessary to go vote, if you need an ID, where your polling places are, how do I vote, how do I register to vote. We are really proud of that work with the Voting Information Project and the national secretaries of state, so that when a user has their location on and searches what do I need to go vote or how do I register to vote, we are able to surface that information to them very quickly. That's been a great collaboration, and we are really proud of that. It has also given us a gateway to talk to them about more security on their own. It could be anything from why we think G Suite could provide them greater security for voter data, or it could just include reminding them that even when they go home at night, if they're answering e-mails on the work computer, we have a product
8:32 am
called -- Outline, which is a private VPN, and can be a helpful tool for a county election clerk who is maybe doing some work at home at night on a possibly unsecured internet connection, to use a private VPN and further encrypt their messages. Also talking to the secretaries of state and election clerks about their own personal e-mail and watching for hacking or phishing that may come through a personal e-mail that they might use on a work computer. Again, just great education tools with them. They've been great partners and I think they're also great amplifiers of all the different types of work we are doing. I think you all work with the National Association of Secretaries of State as well. >> Do you guys see different threats come from secretary of state versus like elections and campaign sites? >> Let me say one thing real fast. I talked about this earlier, one
8:33 am
way to hurt a campaign or an election is to hack into a website that lists the polling places, right? We offer our product Project Shield, the free cyber layer, to anyone who is running campaigns, elections, election information. For every small town election clerk that is not paying for a commercial cybersecurity layer on their website, this may be a great tool, so we really worked with the election clerks, especially on the local level, to utilize this tool. >> From a civic perspective we launched a voter registration tool, pre-primary basically, so you can either register to vote or help your friends register to vote. it situations like that and also integrity where you are -- the individual secretary selection board on. how these products work but also in all the activities that are undertaken on our behalf and security activity of electoral and civic activity so. >> Next question.
8:34 am
I work at a political consulting firm called resins campaigns where we are one of the vendors you guys are talking about. We serve nearly 100 campaigns and organizations that do political work. But we are a small company and there are not that many employees, and definitely not enough to have one of them be, like, a chief security officer, chief information anything like that. What is the best way for us to maintain security when we're having lots of confidential and, like, you know, really sensitive information from all of these nearly 100 campaigns? What's the best way for us to go about having someone that is there monitoring our security, or other companies, vendors that we could use, or the trainings you
8:35 am
guys have, what's the best way for us to go about that? >> you talk about committed getting significant. One thing I don't think any of us has mentioned: there's a couple of really great encrypted apps you can use for information sharing. If it doesn't need to be e-mail, you can do it over Wickr or something like that. We recommend that you use those tools as well, and that's the same thing we tell the campaign community. A lot of the same security recommendations apply. We also do trainings in D.C. and elsewhere around security that we would welcome the vendor community to do as well, but a lot of the same things apply: looking for phishing and setting a culture within your organization to be aware of those kinds of attacks. >> You can go back to work tomorrow and ask everyone to have two-step turned on on whatever personal e-mail they use, two-step on a Facebook campaign, and whatever you use for e-mail, whether it's Google or Microsoft or some other type of vendor, make sure
8:36 am
the administrator has two-step and the security features turned on; that would be really important. And like I said, remind those campaigns when they e-mail you a sensitive document, maybe it's their ad buy or their town hall schedule, asking them, do you have security features in place on your e-mail? And then lastly, making sure the websites are secure as well, and so again vocalizing this to them would be really helpful. [inaudible] >> Thank you for coming and having this panel. My name is Marine. I'm with Ragtag. We are an organization that organizes tech volunteers to help campaigns.
8:37 am
And one of the things we're working on right now, we actually just launched campaign helpdesk.org, and everything that you have spoken about has spoken to what we are hoping to try to help, especially those smaller campaigns that don't have I.T. staff, just like you were describing, implement the recommendations in the Belfer Center playbook. So it is campaign helpdesk.org. Ragtag is the name of the organization and it's a helpdesk, so the same way a big organization has an I.T. helpdesk, it will work the same way, and we are also offering trainings where you actually sit down, usually online, with campaigns, with our volunteers, and walk them through setting up. It's okay to have a Facebook account that is managed by several people. This is how you actually do it. So by the time they're done with that training it will be done. And so my question for you then
8:38 am
is, what are some additional challenges that you see in engaging people on the private accounts? Do you find that they are more receptive to talk about security on their campaign accounts, and how do you bridge that gap? >> First of all, I would say thanks for the work you're doing, and also it's great to know because we get questions from our employees often about how they can be helpful, so I may send some people your way to look at ways they can be helpful, because it's not easy to plug them in necessarily, and that's a great way they could use their skills. I would say -- what was the question? >> Individual -- private accounts, thank you. I would say on the private account side our biggest challenge is the private accounts. We talk about, we encourage them to go to Facebook and Twitter and Instagram and Pinterest to get them thinking about everywhere they have a login, and we can
8:39 am
encourage that, but it's not our products as much, and so I don't know if they are as tuned in as when you're speaking. I don't know if people think the extent to the camp they have set up at the security they need to put on those. That's the biggest challenge I think we face. >> So like everything from your delivery food accounts to your Twitter to Google, like what in terms of looking forward to success, maybe it is a cultural shift so it will take a while, but how do we fix that? Like how are the companies going to work together? Is there some sort of regulatory mandate? >> I would highly, highly recommend a password manager, and Google has one through Chrome. A lot of other companies have one. It's another tool that we suggest a lot to candidates in particular, who tend to be a little bit more lazy or lax when it comes to password management. So I think that's a real
8:40 am
education. We can use sometimes, Ginny and I talked about this, where they may be using Microsoft on one side and Gmail on the other. that's what it report as much e can because people are touching our products in different ways in different parts of their life. If they are following these security rules on their campaign e-mails and official protocol e-mail, just telling them they should be doing the same thing on their personal emails, and they might even be more susceptible because they are not paying as close attention to what's coming in or who's mailing a document that they should open. >> The only thing I would follow up, I can with Facebook, you have to use your real account in order to manage things. That's the best way to do it. The only thing I would add is we have a product called Business Manager, which is a wonderful suite of tools if you manage your page and have lots of different entities take actions on it. If you are a campaign and work
8:41 am
with an agency who is managing ads or doing other things, using Business Manager is an easy way to separate who has permission to what, who can take what actions on each page. Same thing, educating people on options they have available to set those permission levels, to help manage the page more seamlessly, is just something we try very hard to do. First things first, if you go there, we walk through here's the steps of setting that up, here's links to different Blueprint courses we have. It's like a 15-minute training, but it walks people through, like, here is how this works, in the spirit of helping people better separate the personal activity from the business activity and make pages a little more secure. >> Anybody else? only from the middle. [inaudible] >> You've talked a little bit about, a lot about what I would call sort of standard practices
8:42 am
for any organization. Could you talk a little about challenges that arise specifically because you're in the political arena? You alluded to the multiple users for a single page, but any war stories about very specific things that have happened? Would you consider, for example, paying for analytic to be -- was that normal business? >> No. What I think, your question is a good one in a sense for campaigns, and we talked about this a lot, in that you have lots of people come in and out. That's one. That creates security risk at times. You will want to make sure they are removed. our systems of less to go and pick if have someone over here logging in and sharing a password, by its nature that is less secure. So again taking the basic steps,
8:43 am
those are all things we've seen on campaigns. They are the greatest targets, e-book on income coming up, moving faster than mentioning these things can turn in all the features we all have our again going to be the best. That applies to everybody, but especially for campaigns. >> Not entirely unique, but more unique than others, is the use of information as weapons, like the weaponization of information. Typically when companies are setting up the structure and protecting against attack, they are protecting against attacks that will be looking to somehow have a financial win, whether it's trying to have their information held for ransom or something like that, whereas in the campaign space we saw this sort of new element, which is weaponization of information. The tactics you would take to protect yourself are not that different, which is why, while we are up here, what we talk about is probably the same conversation we would have about a small business protecting itself, because the
8:44 am
steps are about the same. What's different is maybe what's at stake and the threats they face. >> I would also say another challenge we see is campaigns are constantly looking for volunteers, donors, so they're always getting emails from people that they've never seen or heard or met before, from various e-mail platforms. It's hard to be on the lookout and maybe a more a marker perce you only in the summer certain type of other corporate entities that are more familiar with a domain name or something of that nature. On a campaign, if you're organizing volunteers or donors or doorknocking, you're getting e-mails from multiple different people and it's hard to say this looks suspicious, this doesn't, and that's where you really need to rely on the history of the technology, like two-step, and watching for signs of malware, and not clicking or opening a document or website from some of where you don't need it, maybe asking them to send it as a PDF or something like that if you are
8:45 am
suspicious. >> I was going to ask, weaponization definitely, but I think also just like bad actors. I think there's a lot of focus on campaigns and even volunteers could be a bad actor. So I think in a corporate environment, like what Ginny was saying, I think there's a lot of focus on protecting the CEO of a massive global company. It hasn't always been that same protection for a senate race. Do you know what I mean? Maybe a presidential but geg people there is interesting, like those processes to come in and out definitely are not seen as much as they are in the corporate. >> And getting everybody on the campaign. You might have digital staff that manage or work with our products and they might be buttoned up, but sometimes it might be a senior, maybe a chief or campaign manager or director, someone else who is not really thinking about it, so they don't take the steps they should. It's getting everybody to take advantage of what we have to offer.
8:46 am
>> My name is Nick. I work for a company called Cofense and we provide anti-phishing solutions and services to organizations across the world and specialize in phishing awareness training, also known as phishing simulation training. We brought that technology to market in 2008. First of all, this is extremely relevant and your insights are fantastic and I applaud you all for being up here. Thank you all for your time. This is fantastic. So as you may know, October is National Cybersecurity Awareness Month, and it also backs up to a major election cycle. So with that said, and understanding that phishing is a primary threat especially for candidates, campaigns and consultants during this time of year, how can organizations like ours that specialize in defending against this specific threat help boost your existing efforts, to help these folks become
8:47 am
more secure during this time of year? >> I was going to say make yourself available to go on TV, go on radio. What are candidates and campaigns doing in October? Watching a lot of TV, listening to radio, reading a lot of articles, because they're looking to see themselves on TV or their own commercials. >> That's definitely a good point. Part of the plan. But outside of that, are there other ways we can partner and continue working together as a community of technology leaders to help those stay secure when right now there's an immense amount of targeting, especially through phishing as a threat vector? One additional anecdote: we talked about malware blocking and things like that, all fantastic, but something else top of mind is, you know, there's different types of phishing. The FBI put out a PSA about BEC. Does anybody know what a business e-mail compromise or
8:48 am
attack is? It is essentially a phishing attack, but instead of delivering a piece of malware or an executable designed to take over someone's machine, they are posing as someone within their own organization, targeting someone who has fiscal responsibility, like, say, the director of accounts payable, and say, hey, this is the CEO. We need you to wire this money to the client. It's an emergency. They never got the playoffs and we need you to wire this money to a donor or whatever the case is. And there is no malware. There are no attachments. It is highly targeted and manages to bypass perimeter defenses like clockwork. The losses total for this type of attack alone, 12.5 billion for 2018. Like I said, what can we do to provide our thought leadership, research and things we're doing in the field and in the wild, we call it, every day to boost your continual effort, to help
8:49 am
educate organizations better about other attacks that may not even look at deploying malware but really deliver highly targeted spear phishing attacks? >> They can be very successful, and while campaigns don't necessarily think, and we're not talking to them as much about those types of, typical fodder still something at the face may have treasury said it and working quickly and subsequent at the door fast. It's a relevant point that when we talk about security they should also think about protecting the finances and hard-earned money they have brought in from donors. Amplification of each other's efforts is always great. When we see Google do something cool or Facebook do something cool, we retweet it, talk about it. Our executives talk about it, and so there's this broader community, again going back to this theme that we're all in this together. When we see our peers in the industry doing cool work, we're happy to talk about it, and we love it when you do the same thing for us. >> We all create a lot of chatter. We have a safety guide and we
8:50 am
produced a lot of things that are both, whether it's help center or hard copy, collateral, identifying misinformation, like we all share each other's information. >> One last thought before you walk out. For Ginny and I -- [inaudible] >> please take a kit and lettuce of. >> I was going to say I missed the organization you are from, but the last organization I was working with, we worked with the FBI and did a roadshow around the country, so I think events like this, yes, are great. I think people don't understand the value of events like this. You guys should stay and talk to each other, talk to these three, but make sure that you're talking to your peers, because partnerships on just events are really valuable for a lot of
8:51 am
campaign staff, corporate staff. The government also wants to partner. Sharing information is a huge issue in cybersecurity, what quickly, industry as a whole is getting over the battle of sharing information, so maybe political parties will be next. But I just want to say, partnering on events, on workshops, maybe you guys can partner with Microsoft on the next one or something. Great. We are being cut off, but I do want to say thank you very much again. Check out the bridgework.com if you want to learn more about us. Everybody in the room, please just stay, talk to each other and talk to these three, and thanks again. >> Thank you very much. [applause] [inaudible conversations]
8:52 am
[inaudible conversations]
8:53 am
oil and gas has always been a big part of southwest louisiana in terms of the exploration, the discovery, but it actually really came more to fruition with the actual refining of oil because we had the ideal situation we were ideally suited in terms of where rail lines cross, where barge lines were connected, where the water, oil was able to be moved in and
8:54 am
moved up very easily in Lake Charles. >> At one time this is a beautiful, wonderful, wonderful community. We had everything that there was, and there was family, church, school, grocery stores, and people began to get better jobs, show them that it could be better in the future for the next generation. >> Watch C-SPAN city tours of Lake Charles, Louisiana, Saturday at noon eastern on C-SPAN2 tv and Sunday at two p.m. eastern on history tv on C-SPAN3. Working with our cable affiliates as we explore America. >> now, raj shah discues


Uploaded by TV Archive on