Skip to main content

tv   Facebook Google and Microsoft on Campaign and Election Security  CSPAN  September 14, 2018 12:01pm-1:03pm EDT

12:01 pm
we appreciate the time you have spent with the audience here. it's been a very in-depth analysis and a comprehensive view of what's going on. so please everyone joined in a a round of applause for the secretary-general. [applause] [inaudible conversations] [inaudible conversations] >> trump administration
12:02 pm
officials testified before the senate agriculture, nutrition and forestry committee on how trade policy is impacting american agriculture. you can see the entire hearing tonight at eight eastern on c-span2. >> a look at how facebook, google and microsoft are helping campaigns to protect themselves against cyber attacks ahead of the 2010 midterm elections. this is about one hour. [inaudible conversations] >> hi, everyone. can we get the people to stand in the back to take a seat? thank you guys so much for coming. great turnout. i and ceo and cofounder of the bridge which is an online community in the intersection of tech policy and politics and
12:03 pm
really happy to have you all here. you can learn more about our work at the mccleary one thing we're doing is convene people and innovators, regulators, policymakers working in this space and election security is a huge issue right now. i thought would be great to get google, facebook and microsoft together in the people that are at those companies talking to campaigns every day trying to find solutions on these issues. thank you again for coming. thank you so much for hosting and let's get started. we have google, microsoft and facebook. i'm going to let them give intros themselves and give a little information about what they're doing at the companies now. >> kindly done with google. head of international outreach at google so we work with what i
12:04 pm
like to say campaigns, candidates, voters, governments, anyone involved in elections to educate them on our products and services available to them. i put out up front to push sure that we have with a lot of our products and services. i will highlight two products. you asked us about, that'll highlight for this crowd who i seem is mostly campaign consultants, managers, others involved in politics. the first is called project shield. it helps protect your campaign website from a d dos attack so if you're a candidate and you have your website and you have not paid for some type of commercial security, cybersecurity layer, this is free for any campaign, candidate, political party, local government. we have local governments in certain areas that are listing polling places on the website come uses to secure the website. highly recommend you take a look at it. it's no cost. the second product we talk about
12:05 pm
is a transportation which is security keys for your personal gmail and i can talk more about that later but both of those listed in this brochure here or you can google is the one of them, you can find them easily hopefully we can talk more about how these can help you throughout the campaign. >> great, thanks. >> i'm trying to come and advisor on the defending democracy team at microsoft, also known cybersecurity and democracy. we were formed back in april but we were part of the teams that existed in microsoft. the reality is microsoft is only think about cybersecurity, elections and campaigns but we realize we need to come together anymore cohesive way to address those issues head-on. our team was formed several months ago thinking about this space than a couple of different ways but primarily focusing on two pillars, campaign security
12:06 pm
which were here to talk about today as well as election integrity. we've made some announcements recently which of happy to talk but in the course of the conversation but mostly i'm excited to be to talk about this really important issue. >> awesome. my name is don seymour. i'm sorry that was really loud. i'm facebook at the politics and government outreach for the u.s. and canada and we work with campaigns, government officials, organizations up and down the ballot at the federal and local level 101 but at skill and educating them on the products and services we have and have they can use facebook and the family of apps to better connect with voters and relevant to the conversation today how they can best secure account. a couple things available to anybody, take a look at politics -- a a new website we rolled oa couple months ago which is basically a clearinghouse for all information we have come all the best practices we have for every campaign, anyone running for office, anyone who wants to best use facebook but how to secure their accounts. in addition to that are safety
12:07 pm
center which is, we have a handful tools that are valuable whether you're running a campaign or not including our safety check so you can go through that and secure to check. take a look at your password. it will walk you through things like two-factor authentication and also poorly our privacy cheka. a privacy cheka can help a person facebook and social clapper platform elope you understand better what is the danger sharing, who are you showing with, so we're looking for to the conversation. >> thanks. i plan to ask you guys a few questions and then have you guys purchase but in the conversation and ask most of the questions. my biggest thing is you guys talk about -- a bottle of tools include all the traffic. having worked in cybersecurity space myself a bit our biggest issue with getting people interested and understanding that having to pass what is like wearing a seatbelt and you do
12:08 pm
need to do those things that a lot of people don't talk about it. i guess has that been issue for you guys talking with campaign and giving them interested in participating and also how have you handled the individual versus campaign as a whole security? >> i will start. i would say there is interest, i think after the 2016 election cycle i think if i people working campaigns and elections are aware that they are a target, which is i think new where it was before. i think they are where they should be doing things to be secure. what you run into are a couple of obstacles. the first is you are competing for attention with getting out the vote which is ultimately what they are there to do. >> when you say attention to you also mean resources? >> the second thing is resources. even if they recognize paying attention to this is important they don't have the resources.
12:09 pm
i'm not the first to say this but it is true that campaigns are more like small businesses or startups. they have a very small budget to start with, depend on donors for that money. they take very careful account of the money and they're going to spin on the pancake breakfasts rather than spend it on additional security features or an idt and in-house. those are just not feasible for most campaigns. i recognized a lot of people think there are these huge budgets talking about presidential campaigns though they do have the same challenge as a source computing resources but the small campaigns don't have a budget for internal i.t. staff to educate them. it is a little bit of interest but it's not that they don't care i would think. there may be some but our experience is they care but if some of the things to focus on and they don't have a lot of money. >> how do we get over that hurdle or what are you guys do to help with that in the midterm? >> at google we have a website. i should plug my website.
12:10 pm as all our products and services for securing campaigns so please go to the website. having events like this. and all of us have done attentive outreach to the campaign committees this year. there's been a lot of news stories written on this as well but also having campaigns and candidates tell their stories. one of the things we've seen is difficult is, one, there's no time to the security conversation with not only the candidate but the entire campaign so we really started to get out there and remind people have this conversation, at least be aware. i have seen the cycle that people are more aware when they get enough of the think somebody might be phishing them and trying to put malware on the system. i think there's an education that is happening out there. it's still not enough. we going to a number of political events what we say how many have talked about two-step authentication on your facebook account for your e-mail account if you're the candidate?
12:11 pm
a majority of consultants and campaign managers will say well, i talked about with the candidate. the candidates that they took care of it but i'm not sure. it's difficult because it's sometimes uncomfortable and sometimes people think they know what they need. lastly i think we encounter a lot, people say who would want hack my campaign? i'm running for state senate in one state and nobody would want to know our plant about where to put yard signs. we try to make sure they know there are people interested. you have to secure yourself. everyone is at risk. >> to piggyback on that i think people want to be secure. they don't want to be careless with how they handle their information assigned times they had different ideas about what that means. for us this may be unique to us but facebook as a real identity policy. he the catch up on facebook to represent you and be a really. what we'll see on campaigns is people create like one for fake account that they all walk into, are used to manage the presence
12:12 pm
for the candidate and this pop the most not secure way to go about things. you have this take account, are citizens look at different people logging in from different locations, it's going to think it's a fake account. it might shut down. you can't turn on two-factor authentication and so sometimes the simple things use a product that was supposed to be used but people don't always do that. similarly sometimes it's like basic hygiene. people created a facebook account ten, 15 to zico and how to use address that they may not check anymore. sometimes that's an easy way for someone to gain access to account by an old email address and not checking it, they don't know someone logged into it and so did its basic hygiene making sure the accounts are updated and jews in the platforms the way they are supposed be used. >> the biggest issue with education is going to be just having conversations like this. we are obviously not now going to leave it was some secret password but i think just getting people to talk about it,
12:13 pm
it's amazing, like now the fact that people are talking about this on campaigns. >> it's cool. >> it's cool but is very different than a couple years ago. talking about resources and you know, , it's not cheap to secure at least yourself or your individual self or the campaign at this point. have you guys had conversations with the government or among each other on who should be paying for security? >> i'll jump in. last week we were very excited that we had a unanimous decision by the federal election commission of green to an advisory opinion we had requested essentially allowing us to offer our new service we're calling account guard to political campaigns and committees, federal campaigns and committees. the great was not an in-kind contribution, what we were offering fell within the parameters of the existing law. that was was a wonderful for us because that was how we believed it was as well but we are constantly up against trying to
12:14 pm
do something to help this community but not fear into territory that gets us into trouble. with the law otherwise. it is a bit of a dance to make sure what we're offering is a level but it's also useful. when relaunched account guard, it starts with our customers which is a key factor to being within deformation zone. so office 365 customers are eligible to enroll and they tot access to education materials which is our first pillar of the program because we worked with all are secured officials in the company trying to understand what can we offer? what can we give it to these folks to make the more secure? the first answer we got back was education, teaching them come work with them and in glove, see how you can get him to turn a multi factor authentication at least with admin accounts if not for the individual accounts. provide them with that information, so we started education as well.
12:15 pm
i think one thing that we all recognize is an issue is that this balance between individual accounts people have and the corporate account of the enterprise accounts they have. another thing we had as part of account guard is if an individual is part of an organization that's in the program and they often this is as individual which there will be invited by the leadership, if in a microsoft account or their personal account,, they grant permission for us to not only notify them if we detect an attack from a nationstate against the individual account but they are also asking us to notify the organization that they are a part of. what we do in that case is closed that information gap that we see happening in this case were individuals are targeted because of an organization their affiliated with, potential because of communications they been having over those individual accounts and it allows us to work with them to close the information on that. >> whinges the individual account you mean if i worked on
12:16 pm
a campaign and i have personal account that is outlook or microsoft family, what if i have one that is gmail or something? have you had conversations among aztec company can even if it's just yes, we have ever all talk about educate, maybe it's just education, but what campaigns can do? your twitter account is just as vulnerable as your e24 account or your grubhub account. it's not just your e-mail. >> especial if use of the same password for every one of those accounts. a lot of times people divulge to us the password is 12345 for all those accounts. we talk a lot. we do as many events together that we feel we are all in this together. if one service you use is not secured but others are secure, you are still vulnerable and we're still all feel it so we can together a lot. just on e-mail also real fast and i know you wanted to jump in, but for us an e-mail, we
12:17 pm
always joke that campaigns of the world's greatest artists like we said and they generally sought with the candidate using maybe an aol account to talk with the campaign manager if they decide that has a free gmail account, then to talk to the yard sign person they just hired for the digital ad firm they decide that might have an outlook account. >> or volunteers. >> or volunteers. they are all talking on individual different platform e-mail systems about sensitive campaign information. at the very least we always talk about a people have heard us talking about this two-step verification or two-factor authentication and what that really isn't any of our platforms is the ability to be notified when someone tries to log into any of the site from a different location that hasn't been seen before. it can text you on your cell phone. they continue e-mail to a different account. it can notify you in some way. if anyone is looking to improve their security right now on e-mail on facebook, just google or bing two-step verification will for whatever you know you
12:18 pm
use and it will come up on any search engine and send you that way. we encourage people using individual e-mails to get a campaign started to do two-factor authentication. we are try to talk to campaigns about and we had lots of conversations about this, as they campaign grows what's great about our e-mail services today is that you are scalable. if used over to a three people people on the campaign and an office 365 account would be great for you with two or three people and be able to grow to 12 people by the time you have a full-fledged campaign six months down the road, same thing for gmail enterprise service. so it expands as you campaign expands. the good thing about enterprise email systems as it comes with its own security layers as well as an administrator. we concentrated educate and tell people why maybe being on enterprise e-mail could be a better security alternative as both more heart activity, more
12:19 pm
collaboration. >> to piggyback off that, in addition to the education scaled whether emails or notifications are what we do with individual candidates, we taken steps to start recording things like two-factor authentication under certain circumstances. so, for example, a a facebook w what you think folks are publicly with but if you want to run an ad with political or on an asian national boards in the united states he had to go through an authorization process. part of that includes turning on two-factor authentication or your account. anybody who is participating in that running those advertisements they have cat toe that security feature turned on. same thing, people are now manage pages that have large reach in the united states, we will decide a couple weeks ago similarly have to turn on two-factor authentication. in addition to the outreach and the education were started to make it a requirement when you're engaging in certain kinds of activities on the platform which i think is a good thing. >> so in addition to education which of course is the biggest issue, clearly right now the way
12:20 pm
that like you just talk about how you guys change the process for facebook if your campaign, how many people in this room are working on campaigns are representing the campaign or have, i guess, and the past? bike come , how many of you areg from that angle? i just give the site would be vendor types would be the rest. and then the hill i guess would be others. okay, one. great. one question a lot of people have is kind of what else may change i guess, like so we change political ads now but what else are you guys seen as the sticky issues that joinder to work with government on or that campaigns that university in the future, i guess? >> a big advantage of working with these tech companies is when it comes to security, there are people on campus who are thinking about security all the time, and when we talk about
12:21 pm
multifactor authentication or two-factor authentication we're talking about sort of the technology that is, place right now but what i'm excited about looking forward to is where that security technology is going. the use of biometrics and use of ai around it, like there's some really great possibles for better security moving forward. with that will come some regulation and that sort of thing. when i think forward for this community and has a think about security i'm excited to see what new stuff our smart guys and girls back home are working on. >> when i say for us i mean this cycle i think there's been a lot of education on two-step come to factor, sometimes mandating it on certain platforms and so that's a real learning this cycle. as we look to 2020, we talked about security keys. there's some articles that have come out recently talked about google employees have used security keys on our gmail for years and have not experienced a massive hack. just last week we will security keys available to g suite users. if your campaign users by g
12:22 pm
suite, the key is out there and we highly recommend it if you're using gmail for personal, there's called the best protection which is a security you can buy online, both available online, but you could google. the barrier is is the securitys can run anywhere from ten dollars-$50 which isn't a lot but if that's up to the campaign, so i think what we'll see next cycle is that campaigns will be more educated about how security keys are really strong for that with confinement and invest in them is what we are hoping. majority of americans two-step verification is generally just perfect and good security for using gmail or a lot of other different platforms. but for this population that is most at risk for hacker phishing which is campaigns and political consultants and candidates, we really are trying to encourage them to think about security keys. it's a tactical they were people have to learn but i think we'll get there with 2020. >> us in addition, i think of one they think is making it easier to use two-factor
12:23 pm
authentication what you hit the nail on the head like a silly when able people to use other tokens in addition to or in lieu of the phone number. that's one hell of it to make the process easier to use. another us will be when it comes to phishing like bad actors used take account to do those kinds of things. it's on us to defend a better job of stopping the creation of bad accounts which we do on the order of millions everyday we studied at the point of creation or 90% before they are reported, but stopping the fake accounts that people don't even get the chance to go and try to phish somebody and try to get their information. >> i know you're not going to put a number on that but what would you guys see as success in 2020? if we're putting security keys, with if you worked with campaigns to given to them in bulk in terms of resource and money and who is paying for it? because i do think have worked on small campaigns and big ones, budgets are just, there may be not there and deathly not a priority. maybe that will change but what
12:24 pm
would you guys say forecasting to 2020 2020 when we are past e midterms now but what would be your hope for success? >> i would hope we would have everybody who was running for office or in office again have two-factor authentication turned on on facebook, using a real account management page. >> do you think it will take until 2020? >> way before that. we're trying desperately but at the same time that to me looks like its accommodation of making sure people understand how to mention the platform appropriate. on facebook if you're managing a page there are different page rules and keeping track make sure you know someone is on your campaign today and early tomorrow, you should remove them. a lot of operational things but to me making sure people understand that, make sure that security features turned on. it's pretty basic but that's success and it's something we'll keep working. >> the tactics are important and the success still might be more in a show of culture change, which might be reflected by the
12:25 pm
staffing on major campaigns. will there be a cio? is a great be someone was secured in their title? notches on the presidential level but senate campaigns, gubernatorial campaigns going to start prioritizing people in those roles? if and when did you do after having budget and we will start seeing these things deployed. they would be making sure they have security keys. they would be making sure that enterprise levels e-mail solutions. what a lot of us are working towards and others in the nonprofit space for example, i can't believe we've had a campaign to get a panel without a shout out to the belfer center at harvard. they does an excellent read education piece as well so i think a lot of what we've seen between these companies and nonprofits and academia is a shift and a push toward a culture change within the campaign community to start prioritizing this. >> dreaming big and i want to dream big, too but i was going to say for 2020 when campaign staff coming and there trained on how to go door-to-door or
12:26 pm
even campaign-finance rules, if there's a united states on email security, platform security, that would be a huge shift for 2020 for that being part of initial training to join camping camping staff. one more shot up for the belfer center persnickety playbook. if you're watching at home or in the audience and still wondering how to tackle this issue, just look for it and it has great information. >> i was going ask even of any campaigns that do have a -- that type of person or if you serve in that role? >> this is my operation for 2020. -- aspiration. i bet there are senate campaigns that someone without authority. they might also be the chief data officer. >> not even authority but just thinking that way. it's a totally different way to think, even when one of you guys just mentioned when people leave campaign, i've left, i won't say that on tv, the people that campaigns and they just leave.
12:27 pm
they keep their computers and vintages charging for it. things happen very quickly, but if there were an off boarding process like on most, at the cybersecurity company used to work for there's a whole process and he kind of go through it and you don't have access in more. >> i can say from experience this is my third election cycle at facebook and the conversation went today are totally different from what we had in 2014. people at the time were not talk about security like the way to do today. they're still a long way to go but the conversations are totally different. >> in terms of the conversation, how are you guys working with the federal government and what do you see as regulatory hurdles to action getting work done? talk about success in 2020. a lot of those things are originated by government or they are just places where you guys step and just offer services. so we're kind of like are the lines on?
12:28 pm
>> any reference, i mean make a show we are all and federal election commission in-kind contribution is always something we're constantly insuring that we are doing but i think figuring out how to talk with him our works through the existing guidelines to make sure we're offering the best security features and consultations to this at risk audience is important. i also think, i know all of us have met with, for example, the dhs and election task force and we can to do so. >> is at on a regular basis? >> we speak with the government on a regular basis when necessary and also speak with each other. the collaboration we have with each other as well as government being more aware of how they can be a resource to campaigns, election officials, sectors of state, local, county election clerks is a a really big collaboration between all of us. we generally speak a lot to campaigns and candidates,
12:29 pm
voters, dhs and others are speaking to the election clerks and that's a whole nother audience that we continue to talk to but that more of a direct line, for example. >> another panel for another da day. >> i would say that we come everyone on this stage mechanize this is not a problem. the problem we are all facing right now is not one that can be solved by industry. it not when they can be solved by government. what we've really appreciate it, i don't mean to speak for you all but what i'd appreciate it is the fact that nga's, academia government, specifically the teams at dhs doing great work this year are all coming together and recognizing this is not something that went into the alone can solve and that it's going to take a little bit of effort from everybody to improve the situation. >> what would you guys say is the biggest threat facing campaigns right now either in working within a what you see on the cyber front? >> i would say being
12:30 pm
lackadaisical and not thinking about the issue of being naïve to think that this issue is a quite effective in. again, we hear a lot of time some smaller campaigns. i don't even have an opponent, why would anyone want to hack me? but it's important to never let your guard down and use these tools to secure self, even if you don't have an opponent, no matter what. >> in terms of tactics used by attackers though, would it be phishing or what would be the biggest -- phishing is probably the biggest one that are the others you are seeing that are like top three you're looking at going into 2018 and i guess going into 2020 does it differ presidential, larger campaigns versus senatorial campaigns? >> this is anecdotal but from my experience is something i mentioned which is people who either use fake accounts which again gets them into a whole host of issues or begin that use credentials that are outdated, their check anymore.
12:31 pm
by far away people rejecting all the time, and accountants compromise because they had an old e-mail address they just don't check which sounds super super specific but but i see il the time. that by far and away across the board up and down the ballot that is what i see. so again simple hygiene things like accounts you actually check and attorney on two-factor authentication, critically important. >> when we talk about phishing a lot of folks in this space to recognize that the different types of phishing. there's like the generic phishing where you can tell the second you look at it it's not real, i can just delete this. then there is spear phishing where if you are a big enough target or you yourself don't have to be the big enough target but you're some affiliated with someone who is or connected to an organization that is a target, i would not underestimate the links to which an adversary will go to to get you to click on a link. they will craft emails that look like a very email and they will create websites that look like
12:32 pm
real websites and driving to then and then infect you with malware or teach you to enter your credentials. part of it, because back education, there's a reason for that which is because people will think i know about phishing, i know about the nigerian scam, i'm not going to fall for that but the minute records if they're being targeted, if they're not paying close attention they met not notice. and there's the concept of waiting with her going after one particular person, maybe it is the candidate for the campaign manager in those efforts can astronomical and sometimes they are hard to see past and that's where having an i.t. infrastructure set up that is resilient, make sure you don't come if you do get to the one the person you don't get into the admin sites and the kind of thing can be beneficial to you. it's going deeper on these topics like phishing where a lot of education may be missed. >> we both browsers as products and the browsers sometimes,, having people go to these sites that have malware where both of us have browsers that alert people when you're going to a
12:33 pm
site that may be credited with malware. however, a lot of people don't actually that morning and go forward. so again it goes back education. a lot of this can come from email, from a platform or it can come from even browsing so being aware as a really important par part. >> i'll do one more and then we will open it up so you guys can start thinking about your questions. what sort of guidance, like you mention meeting with dhs, fbi. i know you can't separate in groups. i know you talk to them everyday but what sort of guidance was the government giving you guys now on this from the federal side? >> i think the collaborations have been less about either of us telling the other one what did he even from an innocent guidance standpoint and more just making connections and open lines of communication. i haven't really heard anything that would be a guidance for us directly from any of them. i don't know but you'll. >> i agree. it's more about the candidate
12:34 pm
making the connection and having a two-way conversation and sharing. >> i think they're happy to about our outreach efforts and prickly sometimes magnify our outreach efforts and the products, eventually beneficial. >> right. >> one last one from me. how are you guys what you with the committees? obviously there's the rnc, dnc and all that and then also vendors. i mean, campaigns are small so the outsource a lot. obviously the national campaign has a way to enter a campaign. i can't paint his way to open the door to a national committee which has tons of donors and people who are not being educated by you guys, so what is your guidance on that issue? >> i think the committees and vendors especially the larger ones are excellent force multipliers. it tends to be campaigns managed by a great fender or agency and have a great relationship with the committees that are in the best shape the custody do a
12:35 pm
great job making sure their secure and following best practices. from the perspective terrific. there still a lot of people who are not necessarily captured by that and that's where a lot of the additional skilled outreach comes in. >> we hold a series of cybersecurity training a couple months ago in d.c. and were trying to decide who included that, make sure is a small enough audience they would get enough out of it but also to incorporate the right folks. we included the vendor community because we recognize how incredibly important that vendors are. they are the front lines in a lot of cases when it comes to technology. >> who do you mean? >> several of them are in the room today. these are folks who do digital work for campaigns and committees or they do data work or they are even i.t. infrastructure set up. >> they consoled, , they run ad, everything. >> a lot of times the frontline from a technology standpoint because i campaigns a lot of times of outsource a lot of work. we also included them because for the same reason, we
12:36 pm
recognize they were really vulnerable as well. >> what did you do it those trainings? i know you can't but what was the outcome? >> we went through, we brought in an integral team from redmond who desiccated because we thought rather than have asked to talk to him about high-level stuff we would bring anything that does this on a daily basis so there are internal i.t. security teams. we went through things like threat modeling, try to make sure the folks in the room understood what they're up against and at companies like microsoft use that space and we went through things like how to develop an app security, cloud security. you were talking about devices. we recognize that bring your own device is just the reality but the truth is it's the reality of a company like microsoft, too. there are ways to do that securely through both policy and technology we walked through some of the policies we put in place to ensure the device is updated with the latest ios or whatever system you are using, and talked to them about how
12:37 pm
they can figure things like the cloud settled. it got a little in the weeds. we got a lot of practitioners there who do the day-to-day work on the i.t. space but those with the topics we went over. >> i was going to say the committees and the vendors are great validator for all of us and reinforcers. sometimes i joke with some committees that they should tell the candidate or campaign there were not returned or e-mail until they show the air using two-factor authentication on that e-mail but i think they're really great validator is for all of us and great educators and great resources for us to talk about our tools when you put a lot up to the campaigns and candidates. they are really helpful. >> great. i think will take your microphone and the people of questions raise your hand. if you can just say your name and organization you are from that would be great. nobody has any questions. okay. >> hey, my name is bobby cunningham. i'm from dh strategies and as
12:38 pm
someone who during college and then asked my first job after college worked on a campaign. two years later now working in a lobbying firm on behalf of a cybersecurity firm that is focus on election security. i just absolutely cringe with how little i knew then and how unaware i was and how, place that still lives, so thank you. i think this is a really important topic. lee, , my question is for you, sort of, and forgive me if i'm getting off into this election space. i know this is focus on campaigns but a big part of this is sort of foreign and just general interference at the state level as well. maybe lee, you talk about your interactions with county clerks, securing the state, boards of elections, how that differs from campaigns. >> so we work with the national
12:39 pm
association of sectors of states as often as possible. first i'll tell you how we work with them in a civic minded weight is, as we get closer to election day we work with each of the secretary of states websites that has information on what is necessary to go to the vote, if you need an id, where the polling places are, how do i vote, how do i register to vote. we are really proud of that work with the voting information project, and the national secretaries of states that then when a user has their location on it searches what doing you to go vote or how do i register? that we are able to service that information to them really quickly and authoritatively from the secretary of state website. that's been a great collaboration. we are really proud of that but that's also given us again we to talk to them about more security on their own. they can be anything from why we think g suite and our cloud services to provide them greater security on voter data or it could just include reminding
12:40 pm
them that even when they go home at night if they're answering e-mails on their work computer we have a product called -- i have to look myself -- outline, which is a private vpn and so it might be helpful tool for a county election clerk who's maybe doing work at home at night and then possibly unsecure internet connections use a private vpn to for the secure and encrypted the messages. also just talking to the secretaries of state and election quotes about their own personal e-mail and watching for hacking or phishing that may come through personal e-mail that they might use on a work computer. so again just great education tools within. i think they've been great partners and i think they're great also amplifiers for all the different types of work we are doing. i think you all have worked with a national sensation of sectors of states as well. >> do you guys see different threats coming from sectors the state versus or like elections and campaigns? >> one thing real fast.
12:41 pm
i talked about this earlier is, one way to hurt a campaign and an election or an election is to hack into website that lists the polling places. we offer our product, project pt shield, the free cyber layer hummocky dos attack to anyone who is romney campaign elections come election information. for for a really small town elen clerk that is not paying for a commercial cybersecurity layer on the website this might be a great tool so we further worked with the election clerks and a special on the local level to utilize this tool. >> our interactions and consumer from a civic perspective. we launched a voter registration tool in all 50 states can preprimary see can register to vote or help your friends registered to vote. its situations like that and then elections in activity -- integrity where we interact with the national association of secretaries of state and individuals sectors in part on
12:42 pm
how the products work. then all of the activities we are undertaking on our behalf to secure the activity on the platform. the same kind of interaction. >> next question. >> i work at political consulting firm called residents campaigns where we are one of the vendors you guys are talking about when we serve nearly 100 campaigns and organizations that do political work. but we are a small company and there are not that many employees and that was not enough to one of them being like a chief security officer or chief information, anything like that. so what is the best way for us to maintain security when we are having lots of confidential and, you know, really sensitive information from all of these nearly 100 campaigns? what's the best way for us to go about having someone that is
12:43 pm
their moderate our security, or other companies are vendors we could use, or the trainings you guys have to what's the best way for us to go about that? >> when you talk about me getting security can one think it don't think we've mention is there's a couple of really great encrypted apps you can use for information sharing that doesn't, if it does need to be an ego, you can do over wicker or something like that, we recommend you use those kinds of tools as well and that's the same thing will tell the campaign community. and that a lot of the same security recommendations apply. we also do trainings in d.c. and elsewhere for around security that we would welcome the vendor community to do as well. a lot of the same things apply as far as looking out for phishing and diving a culture within your organization to be aware of those types of attack. >> if you can go back to work tomorrow and ask everyone to have two step turned onto whatever personal e-mail they use, two-step on a facebook
12:44 pm
campaign and then whatever used for enterprise e-mail, whether it's a google or microsoft for some other type of vendor, nature that the administrator has two-step and other secretive features turned on would be really important. and they like us to remind those campaigns, when the e-mail you a really sensitive document, maybe it is their is the ad buy or tn hall schedule, asking them do you have security features placed on your e-mail if were going to start start to medicag with this type of information? and then lastly making sure their websites are secure as well. vocalizing this to them would be really helpful. >> you will be happy to know that -- especially places in high-level campaign they have required their vendors to do all of this. >> success. >> thank you for coming in having this panel. my name is maureen. i'm with ragtag.
12:45 pm
we are an organization that organizes tech volunteers to help campaigns. so one of the things that we're working on right now we actually just launched campaign, and everything that you spoke about, has spoken to what we are hoping to try to help especially the smaller campaigns that don't have i.t. staff just like you are describing. implement the recommendations in the belfer center is playbook. so it's campaign, ragtag is the name of the organization, and it's a helpdesk so the same way like a big organization has an i.t. help desk and use of tickets it will work the same way. we are also offering training so we will sit down usually online with campaign staff or volunteers and walk them through setting up. it's not okay to have a facebook account that is managed by several people here this is how
12:46 pm
you actually do. by the time they're done with the training it will be done. and so my question for you then is, what are some of the additional challenges you see an engaging people on their private accounts? do you find that they are more receptive to talking about security on their campaign accounts, and how do you bridge that gap? >> first of all, thank you for the work you are doing and also it's great to know because we could question from our employees often about how they can be helpful so i maybe since the people your way to look at ways they can be helpful because it's not so easy to plug in necessarily and that's a great way they could use their skills. i would say -- what was in the question? yes, private accounts. thank you. i would say on the private account side our biggest challenge is that we don't, the private accounts we're talking about ten not to be microsoft accounts and so we can encourage them to go to the facebook and
12:47 pm
twitter and instagram answer interest to get them thinking android have a login have a login and we can encourage that but it's not our products as much as i don't know if there is tuned in when we're speaking to that. probably not we are we are emphasizing quite as much when we say generally private accounts. i don't people think the extent of the accounts they have set up and the security they need what of those. that's the biggest challenge i say we face. >> like everything from your delivery food account to your twitter to google, that's what you're asking about? in terms of looking for to success in eight, ten, may be cultural so it will take a while but how do we fix that? how are the compass going to work together? is there some sort of regulatory mandate? >> i would highly recommend password management system, google has one to grow. a lot of other companies have one. it's another to be suggest a lot to candidates in particular who tend to be a little bit more
12:48 pm
lazy or lacks when it comes to passwords and management. i think that's a real education. we tend to see sometimes, we have talked about this where they're using microsoft on enterprise side and gina on the personal side. that's another reason why we part as much as again because people are generally touching our products into the ways into the part of their life. if they are following these security roles on their campaign e-mails and official protocol e-mails, just telling them they should be doing the same thing on the personal e-mails and they might even be more susceptible because they're not playing as close attention to what's coming in or who is made into a document that they should open. >> the only thing i follow up with i suppose is at least on facebook, you have to use your real account in order to manage things. that is the best and most secure way to do it. the only thing i would add is we have a product called mrs. manager. mrs. manager is a wonderful
12:49 pm
suite of tools if you actually managed a page and have lots of different entities taking action. if you're a campaign and you work with an agency who is maybe running ads are doing some of the things on the paycheck, using been suspended as a much cleaner way to separate. so for us the same thing like simply educate people on options they have payable to them to offset those permission levels can help manage the page more seamlessly is something we try hard to do. that's why that website i mentioned, if you go there, we walked through his the steps of significant here's links to the different blue print services. it's much like 50 minute training a different products but it walks people through this is how the business manager works. in the spirit of helping people separate a a little bit from te personal activity from business activity and make the pages more secure. >> anybody else? only from the middle.
12:50 pm
>> you talk a lot about what i would call standard practices good for any organization. could you talk a little about challenges that arise specifically because you are in the political arena? you have alluded to some of them about the multiple uses for a single page but any war stories about very specific things that happened? would you consider, for example, cambridge analytica to be a security breach challenge, or was that just normal business? >> no, i think your question is a good one in the sense that for campaigns, we talked about this a lot, in that you have lots of people come and out. that's one. i think that by itself creates a security risk at times. if yet someone only fill it with your office campaign at us on the content you want to make sure their remote and don't have permission. if you have a single account from which you are managing something and everyone is logged into it that by itself is morse insecure because the systems have less to go on. somebody working over here log
12:51 pm
in if someone over there and all sharing a password by the very nature it is less secure. taking the basic steps. those are things we encrusted the board and campaigns. they are the greatest artists, people coming in and out and moving fast. mangini these think smartly, using your real account, turning all the features we all have are going to be the best that applies to but especially campaigns. >> one thing particularly different in the campaign space not entirely unique but more unique than others is the use of information as weapons. like weaponization of information. typically, when companies are setting up their structure and protect against attacks, attacks that will be looking to sum up have financial plan, whether it is trying to have their information held for ransom or something like that whereas in the campaign space we saw this sort of new element which is the weaponization of information. that being said, the tactics you take to protect yourself are not that different which is why while we are appear what we talk
12:52 pm
about is probably the same breath conversation we would have about a small business protecting themselves because the steps are about the same. what's different is maybe what is at stake at and the threatst they face. >> right, the wrist. i would also say another child we see is campaigns are constantly looking for volunteers, donors. getting emails from all these people they've never seen or heard or met before from various email platforms so it's hard to be on the lookout for maybe a more corporate said gulick industry certain type of other corporate entities that are more familiar with the domain name or something of that nature. on a campaign if your organizing volunteers or donors or doorknocking, you're getting e-mails from multiple different people and it's hard to say this looks suspicious, this doesn't. that's where you need to rely on making sure you have the technology like to step in watching for signs of malware or not clicking on an opening a document or the website from
12:53 pm
someone where you don't need it. maybe asking them to sin as a pdf or something like that if you are suspicious. >> i was just going to ask, weaponization definitely i think also just like bad actors. i think there's a lot of focus on campaigns and even volunteers could be a a bad actor. so i think in a corporate environment like what jeannie was saying that a lot of focus on protecting the ceo of massive global company. that hasn't always been that same protection for a senate race, do know what any? maybe a presidential beginning people there is interesting, like those processes to come in and out definitely are not seen as much as they are in the corporal. >> you might have digital staff to manage a president our work with products come they might be buttoned up but didn't if it's a cheat or campaign manager or political director someone else who are not think about it so they don't take the steps they should. the skin anybody on the campaign
12:54 pm
to take it seriously and take advantage of what we have to offer. >> high. my name is nick. i work for a company called confidence and we provide anti-phishing solutions and services to organizations -- co-fence -- and specialize in phishing simulation training. we brought that technology market in 2008. first of all, this is extremely relevant and your insights are fantastic and i applaud you all for being up. and thank you all for your time. it's fantastic. so as you may know october is national cybersecurity awareness month, and it also backs up to a major election cycle. so with that said and understanding that phishing is a primary threat, especially for candidates, campaigns and consultants during this time of year, how can organizations like ours that specialize in
12:55 pm
defending this specific threat help boost your existing efforts to help these folks become more secure during this time of your? >> make yourself available. go on tv, go unrated. what are candidates and campaigns during an october? watching a lot of tv, listening to a lot of greater, reading a lot of articles because of your looking to see them selves on tv or hear their own commercials. >> that is definitely the plan. >> but outside of that are the other ways we can partner and continue working together as a community of technology leaders to help those stay secure when, right now there is an immense amount of targeting, especially through phishing as a threat factor. one additional anecdote, we talked about malware block in things like that all fantastic. something else to keep in mind is you mention there's different types of phishing.
12:56 pm
the fbi put out a psa about bec. does anyone know what a business email compromise or ceo fraud at that is? no? it is essentially a phishing attack but instead of delivering a piece of malware or inexcusable designed to take over someone's machine they are posing as someone within the own organization targeting someone who has physical spots were complicit the director of accounts payable and think hey, this is the ceo, we really need you to where this money to the client it's an emergency, , they never got the payoff or we need you to where this money to a, whatever the case is. there is no malware. there are no attachments. it is highly targeted and manages to bypass perimeter defenses like clockwork. the losses totaled for this type of attack alone, $12.5 billion for 2018. so like i said, what can we do to provide our thought leadership, research and the things were doing in the field and in the wild as we call it
12:57 pm
everyday to boost your continual effort and help educate organizations that there are other tax they may not even look at deploying malware but really deliver highly targeted spear phishing attacks? >> they can be very successful, and while campaigns don't necessarily think and we're not talking to us much about those types of, those typical fraud is so something have to face because they may have looser treasury set up and working quickly and just going out the door fast. it's a relevant point that when we talk about security they should also be think about protecting the finances and hard-earned money they are brought in from donors. amplification of each other's effort is always great. when we see google use of the core facebook do something cool, we retreated, talk about our executive talk about it. -- retweet it. there's a committee going back to this scene that we're all in it together. when we see our peers and those in industry doing cool work, where happy to talk about and we
12:58 pm
love it when he you do the same thing for us. >> we all create a lot of collateral. lee has the brochure. we have stayed to guide ever produce a lot of things whether it's help center things are hard copy collateral, we ran print ads a few months ago identifying misinformation things like that like the more we all share each other's information, the better. >> please reach out. there are brochures. >> mine are on -- >> security keys or personal e-mail if you're not on a campaign or a federal government employee or your event or consultant please take a gift and test out and let us know. >> i was going to say i missed the organization you're from but the last organization i was working with we work with the fbi and did a approach around e country about bec compromise. events like this are great i think people don't really understand the value of events like this. you guys should stand talk to each other, talk to these three.
12:59 pm
i'm happy to talk to you but make sure you're talking to your peers because partnership on just eventually valuable for a lot of campaign staff, government staff. the government also wants to part of it sharing information is a huge issue in cybersecurity, but quickly, industries as a whole are getting over that battle of sharing information, so maybe political parties will be next, who knows? but i just wanted to say partnering on events on workshops, maybe you guys can partner with microsoft on the next one or something. we are being cut off. i do want to say thank you very much again check out the if you want to learn more about us, everybody in the room please do stay, talk to each other and talk to these three, and thanks again. >> thank you very much. [applause] [inaudible conversations]
1:00 pm
[inaudible conversations] [inaudible conversations] .. >> coming up this weekend on book td saturday at 8 pm eastern, janine. oh discusses her thoughtson the trump presidency and his detractors with her book liars, leaguers and liberals . >> i went to the dairy and
1:01 pm
when i came out one of my press people said to me in the carthey said janine, there's already an article on what happened at the dairy farm i'm like , really? what did it say? and it said nothing that i said, but they alleged that i said xy and z and i remember sitting in the car . i didn't realize that it was fake news. but i said, how can i possibly win against someone where the fix is in. it's already ray. they're saying things i never said, did things that i never did five minutes ago. >> on sunday starting at 10 am eastern, coverage of the 20 18th brooklyn book festival with authors april ryan and her book under fire: reporting from the front lines of the trump house. eli zaslow, rising out of hatred and linda greenhouse
1:02 pm
with herbook just a journalist . then on "after words" at nine a.m. eastern, derek hunter discusses his book outraged incorporated: how the liberal mob ruined science, journalism and hollywood. he's injured by bike brett moselle, president of the media research center. >> does anybody get a real point across on television? >> they don't and i'm guilty of it too. you look for something that can go viral the network is looking for something it can clip into a 39 second clip, post on facebook that will go viral . it's bad, it's good for business because you get a lot of eyes but it's bad for conveying information. >> watch this weekend on cspan2's tv. from the congressional hispanic caucus institute conference, a discussion now about racial equity and the effects of racism on public education ug


info Stream Only

Uploaded by TV Archive on