
Thycotic PAM, IT and Cyber Security Podcast

401 Access Denied Podcast

Welcome to the 401 Access Denied Podcast, where we dissect what’s really going on in today’s world of cyber security. Topics range from finding a job in cyber security, to dealing with insider threats, to going inside the mind of a hacker, and more.

Bi-weekly, Thycotic’s ethical hacker Joseph Carson and the cyber security training experts from Cybrary will share their insights along with our special guests.


Thycotic produces this podcast in partnership with Cybrary, the cyber security and IT career development platform.

Episode 10

Election Security – Can a Hacker Really Pick the Next U.S. President?

EPISODE SUMMARY

Join Thycotic, Cybrary, and special guest Dan Lohrmann from Security Mentor and former advisor to senior White House officials, Homeland Security, and more as we talk election security.

There are people, processes, and technologies involved to keep the upcoming U.S. presidential elections secure, but should we be confident in them? Hear what worries the experts and where security gaps lie ahead.

Joseph Carson

  • Chief Security Scientist at Thycotic
  • Over 25 years' experience in enterprise security
  • Author of "Privileged Account Management for Dummies" and "Cybersecurity for Dummies"
  • Cyber security advisor to several governments, critical infrastructure, financial and transportation industries
  • Speaker at conferences globally

Mike Gruen

  • Cybrary VP of Engineering / CISO
  • Manages Cybrary’s engineering and data science teams, information technology infrastructure, and overall security posture
  • 20+ years of experience developing and overseeing the implementation of complex, secure, and scalable software solutions and products
  • Previously served as VP of Engineering and VP of Product & Platform at RedOwl
  • B.S. in Computer Science from the University of Maryland at College Park

Intro:

Invest in yourself today with our insider pro product, which gives you the career path to reach the next step in your cybersecurity journey. Join today on cybrary.it using the discount code podcast.

Mike Gruen:

You're listening to the 401 Access Denied podcast. I'm Mike Gruen, VP of engineering and CISO at Cybrary. Please join me and my cohost, Joseph Carson, chief security scientist at Thycotic, as we discuss the latest news and attempt to make cybersecurity accessible, usable, and fun. Be sure to check back every two weeks for new episodes.

Joseph Carson:

Hi, everyone. Welcome to another exciting 401 Access Denied podcast. This topic today is going to be very exciting. And I am back again, your host Joseph Carson. I'm joining in from Tallinn, Estonia, where it's quite hot and steamy in the country at the moment. So the temperature never lets us down. But I'm really excited. This is going to be a fun conversation. We've got a special guest on today to talk about a very, very hot topic that's on pretty much everyone's minds, not just in the US but globally. And also with me today again is Mike. Mike, do you want to give us an introduction?

Mike Gruen:

Yeah. Mike Gruen, cohost, VP of engineering and CISO here at Cybrary, in lovely DC, which is very tightly coupled to the topic today. And Dan Lohrmann is also joining us. I'll let him introduce himself.

Dan Lohrmann:

And it's great to be with you guys. Thanks so much, Mike and Joseph. I am Dan Lohrmann and I'm the CSO, chief security officer and chief strategist at Security Mentor. I have over 30 years in the security industry. So actually started at the National Security Agency in Washington, in the mid '80s, and worked in England with Lockheed and ManTech in the '90s and then joined Michigan government for 17 years.

So I had a lot of different roles in Michigan, agency CIO. But after 9/11, I became the state's first CISO. First CISO in all 50 state governments. And basically did that job for about seven years, and became CTO in Michigan. So all the CXO roles guys, CTO like bringing all the data centers together, a lot of consolidations. And then, Governor Rick Snyder came in, we actually created a CSO role.

So I went from CI... I dropped the I and brought physical and cyber security together. And actually, Homeland Security, when DHS did that in Washington, they actually modeled it after what we did in Michigan. So we actually brought together physical and cyber security. So all the cameras, all the badges, all the physical security in the buildings under one roof. And I ran that for over three years, before I joined Security Mentor.

So we're involved in security awareness training. I do a lot of, I blog for CSO Magazine and also Government Technology magazine. You can follow me on Lohrmann on cyber security @govcso is my Twitter handle, and really talk about really everything related to really government security, but obviously that plays in the private sector because you got a lot of private sector companies supporting government. But glad to be with you guys today.

Joseph Carson: Awesome.

Mike Gruen: Awesome.

Joseph Carson:

It's great to have you on. And definitely, we've had some very interesting conversations over the past and always exciting discussions. And today is none other than the interesting and hot topic of the time, which is election hacking. It's really all about upcoming elections and presidential, and we've had a lot of experiences in the past and really get into, what have we learned from the past? Has anything changed? Are we getting better? What types of things should we be concerned about, especially given the pandemic and COVID-19 also does have to play into the ability for people to vote not only securely, but also safely from that perspective. So a lot of interesting things coming, and it's really interesting. I will say that, when I think about sometimes we get overemphasized, even when I go to Black Hat and DEF CON and the conferences, we also have the hacking election … is there.

And it was interesting that we sometimes tend to focus on just one aspect of election, the voting is the infrastructure, is the actual time that you push the button on the machine to when it gets counted. And that's sometimes what we tend to focus on. But in my experience, when I look at election, I can get to the overall process end to end service. And sometimes we don't look at the end to end service of it entirely, and we get overly involved … into the machines and into the firmware and into getting physical access.

But I think we need to step back and look at the bigger picture, look at how it all connects together. And also, I think one thing that's also mistaken and not transparent enough is the transparency over the security measures of each different method, from whether you're going to vote on paper, whether you're using a mobile device, whether you're using internet voting, as we do in Estonia, or whether you're using electronic voting, … voting booth is important to really reveal what's the security differences between those. Make it transparent, make people more aware, which one they might not care about the security, they just want to get the vote.

And others might be more concerned and more worried about security and therefore might choose a more secure method, but only if they knew which one was the right one that they would choose. So getting into to Dan, when you hear about election hacking and some experiences and the lessons learned and the reports … in the past, what keeps you up? What worries you about the voting system itself and which things do you think should people be really thinking about?

Dan Lohrmann:

Well, first of all, I totally agree with your point Joseph, about, people process technology, it's the end and it is the process. It is, I think we learned a ton over the last four years, when you think about... I started blogging about election security literally like before they actually said, could the election be hacked nine months before the 2016 election? Was laughing at me literally.

I mean, I got mocked by a lot of hackers and a lot of people saying, "You're fringe, you're an idiot, you're this, you're that. Elections could never be hacked." And this was like January of '16 before the '16 election. And then all the way through after what happened afterwards and literally all the different Russian involvement, all the different stories really for the last four years.

So been covering this for five years now. And I totally agree with you that, it's much broader than the machine itself or the counting ballots, especially now. And I think that the thing keeping me up at night right now is, and we'll talk about it again, not thinking any talking points one side or the other, but the mail-in voting and especially, the process, I worry zero about mail-in voting for the states that have been doing it for awhile.

I worry the number one thing I would say starting right off and back up and talked about a number of different things, but the states that had made the changes, like literally in a matter of months, and they come up with these processes, they secure processes. I think it was a pretty good process. But the reality is that a lot of states, a number of states, and I'm not talking about the states that have had mail-in voting forever since it had been all mail-in voting, which was a number of states … we could start naming them. But up states they were making the changes like since June or since they decided to redo this under COVID. That concerns me probably the most. I also see-

Joseph Carson: So-

Dan Lohrmann: Go ahead.

Mike Gruen:

I was going to ask what about like the registration system, because I think we focus a lot on voting, but the fact is if you can hack earlier, the other part of the process, you can invalidate … of votes just with the registration system.

Dan Lohrmann:

Absolutely. And so that was always the number one thing. I totally agree, Mike. That was the number one thing with, when we first, I'm talking four years ago, hack the voter files. I work a lot in Michigan. We worked a lot with the secretary of state there. Say right now, I'm not formally working for any state government now. So actually I can talk to you guys … won't be able to do it. But I know … I talk to them literally every week. I know what's hot and what's not. And then a lot of blogging and writing about this and we'll talk about that maybe at the end. But people get detailed comments written on this, but you could almost go state by state.

But I agree, the voter files, the names, if you can delete people, if you can get in there. And then there's been documented interference in '16 to '18, early 2020, about those people trying to go after those voter files. There's examples of that. We can walk through those trying to access and change names, delete names, add names, whatever. And then also the other thing we haven't mentioned, we'll quickly draw. I just mentioned this, is really the fake news issue. If you can-

Mike Gruen: Disinformation.

Dan Lohrmann:

If you can go after, if you can change, even COVID conditions. If somebody makes it fully expect, what would you do if you were trying to disrupt an election, making some people couldn't vote, didn't vote, lack trust in the vote, in the process, any news, pile on, maybe there is a real story pile on bad news, pile on good news, you can influence things, influence behaviors. That's a big part of this as well.

Mike Gruen: Yep.

Joseph Carson:

Absolutely. And that's some things that even I've seen over in my entire career or what I've seen as the biggest challenge that many from a political standpoint and election standpoint is voter suppression, is how to redraw. So even in the old times, before electronic and electronic machines and stuff for voting, one way you could do it is basically rejoin county and borderlines, was to move people, to shift them around and not basically change a lot of the outcomes of a lot of elections …

Mike Gruen:

Maryland is one of the worst gerrymandered states in the country. And that's where I live. It happens to be gerrymandered in a particular way, but very differently than other states are gerrymandered, but it's one of the worst. And you see that, the whole stacking and packing and that aspect of it as well. Although I feel like that's fringe, that's gray area hacking. That's where the government has... There's a process there. It's not some outside individual doing it and having that influence. But, you're-

Dan Lohrmann:

This is transparent. I mean, whether you agree with it or not, you can argue with it. Like, 49, 51 vote in the house of the Senate … any issue … besides to an issue. The gerrymandering, we have a lot of that in Michigan, by the way as well. I totally agree with you. But at least in theory, … some backroom deals. It's in the public domain. You can see the votes, you can see … .

Mike Gruen: You can even challenge it.

Dan Lohrmann: Yeah.

Mike Gruen: You can even challenge the gerrymandering or at least try to. One of the things-

Mike Gruen: Can I-

Joseph Carson:

I agree, Dan, on that side as well. One of the things I think though, is that voter suppression though, is what we look at today in the electronic side of things is basically is preventing people from registering to vote on time. The DDoS types of attacks. But when we think about one of the things that, sometimes what we look at is the, let's say cybercriminal, the hacking techniques. The most common thing is that they want to be stealthy. They don't want to be detected. They want to be as quiet as possible.

So what I think the biggest challenge right now, and it's something we've all touched upon, is the confidence in the system itself. If people have no confidence in the outcome, they won't vote. And I think ultimately that's the biggest thing is lack of confidence. And there's so much disinformation out there. You have so much ability and so much challenges even to get registered, then people basically will take the other option and say, we'll take whatever comes to us because we won't have an impact on the outcome.

Mike Gruen: Right.

Dan Lohrmann:

I agree. I would just add to that. I think it's interesting just to understand, I say more recently, and I don't know how many the listeners know the history here and know, … do understand. There've been so many committees on this, there's money being thrown at it. People think there should be more money thrown at it, but there's a lot of money going into election security. We've been talking about it for four years. There has been a lot more security. Homeland Security has gotten involved. The FBI has gotten involved, protecting those databases. A lot has been done. So on the positive side, and we can say a lot of negatives, and believe me, I could shoot holes in this hole. If you want to lift it, again, this is not Republican and Democratic.

I'm being bipartisan. They're trying to be a nonpartisan and just say, … result that we can trust and we can verify. A lot of states had, at the very basic level, a lot of states had electronic machines where there was no paper backup. You had no way of going back and verifying. All the states have pretty much gone. They have a paper in theory, again, theory of processes, on paper, they've got it on paper. They can see, what was your vote? They've made a lot of other changes to protect databases. There's a lot of good that has happened even coming in to COVID. I think I say mail-in voting and that may sound like a Trump talking point.

It's not. The concern that I have has changed. Any change that people are making in the final, like anything else, it's like changing the rules of a football game. NFL does this every year. Changing the rules, offseason, fine. You hope they don't change the rules of the baseball game or the football game, or say, we're going to go with five strikes today, not three strikes, because somebody had an idea between games last night to today. That's not what you want.

You want consistency. You want to say, these are the rules, we're all going to play by it and we're going to go with it. And I think the challenge is, I'm seeing a lot of states right now making a lot of changes that seem ad hoc. I think, we'll see a year from now, we'll come back and listen to this recording and see who was right and who was wrong. I think the concerns I'm opening, it's clear and we don't have days and maybe even weeks before we know who the winner is. I think that would be disconcerting to everybody. I also think, the challenge is going to be, what is that process? And the answer is yes, because it's different in every state.

Mike Gruen:

Well that's what I was going to ask about was, so it's different across states and you see some states have had mail-in... As you said, they've had this for a long time. You've been there. What's the cooperation look like between states so that like me and Maryland? Like the fact of the matter is, if I was going to hack the US election, tell me I'm wrong. But my impression is I probably only have to target a handful of counties. I don't need to hack across the entire country. There's a handful of counties in swing states that I would focus in on. And if I could get those, then I could probably get those states. And then it's just a whole thing, a domino effect. So how do I in Maryland know that there's confidence? How do I get confidence that states are following best practices and cooperation? Is that actually happening?

Dan Lohrmann:

I think there is cooperation, man. I generally tend to be an optimist guys. And I do think there's a lot of cooperation. There's a lot of attention being done. It is a political football on both sides right now, but again, taking the Democrat, Republican talking points out of this thing, I do think there's a lot of attention. I mean, it's in state government terms I will tell you, I'm seeing this. We were talking about this in 2019 throughout the year before COVID, it's like election security was the pixie dust for everything. Not getting funding, election security. Okay, here's the cash. Just go to room three, we got money down there.

Literally the states, because of what happened in '16, there's been a lot of attention on it. I agree with you 100%, you would just focus on certain counties. I do think there's been a lot of cooperation. I think the big change recently is, mail-in ballot. I mean, I've asked and I'm not going to name states because I'm going to get in trouble if I do that. But states that like, how do you get your mail-in ballot in? I think some states are still figuring out, can you drop it off? Can you put it in the mail? Is it by some states it's, you have to have it in there by the time the polls close. … just think about that.

Mike Gruen:

Well, I'm curious though on that, because I feel like almost every state has had absentee ballot and that's a mail-in ballot, isn't it?

Dan Lohrmann: Yeah.

Mike Gruen:

So want to just be a matter of expanding that program a little bit or making it easier to get that absentee ballot. And then they already have the systems in place. It's not like some huge, significant change.

Dan Lohrmann: So in theory you're right. But what happened-

Mike Gruen: You're right, in theory.

Dan Lohrmann:

In theory you're right, but what's happened is some states have gone, like some states have been all mail-in ballot states and that's all they've done. And that's great. I mean, they've been doing this for years. Other states are now they've changed the rules this year because of COVID and said, "Well, now we're going to mail out ballots to everybody or we're going to mail out letters to everybody offering them a ballot."

Mike Gruen: I see.

Dan Lohrmann:

And again, just because something was done well in Oregon or Washington state or somewhere else doesn't mean that it's been done in Florida before. Or that's been done, maybe it's, I don't know, 1% of the vote or 2% of the vote. And they're now projecting that it's going to be 50 or 60 or 80% of the vote. So it's not just think about that. Just think about, your local help desk, think about your local, whatever it is, anything you do in business and technology or not. And you're going to have 40 times, 50 times, 20 times the number-

Mike Gruen:

I mean, that was the whole bending the curve with COVID-19, right? It wasn't the, our health. It was just that we didn't want to over... well, not just. But one of the main things that we don't want to overwhelm our health care system, it'll collapse. If everybody it's like at the same time, everybody shows up at the hospital at the same time, that system won't be able to handle it. And what you're saying is basically the same is true for voting. If you had a mail-in voting system that was able to handle 2%, 3%, whatever. Now it's got to handle 30, 40, 50%, it's going to be overwhelmed. Is that-

Joseph Carson: And there's-

Dan Lohrmann:

That's correct. … Joseph is, and I think every state has integrity in this sense. They come up with, if we talk about people, process and technology and the beginning of this, but you say, if Dan Lohrmann votes, how do you know if I mailed it in that you didn't also show up at the poll and vote twice? How do you know you didn't make copy? I mean, they're very simple. We decided we'd come up with 20 different ways you could defraud the system. So the checks need to be in place. And as states are putting in those checks, they're doing a good job of saying, here's how we know, if we get up, here's what we're going to do.

If Dan votes in person and we get a mail in ballot and what you won't have with me, I'm going to go in person. But, I would just say the reality is, how do we know that that's being followed? How do we know? So now we're down to auditing, we're down to, the rules are this three strikes. Well, why did you give bill five strikes? I mean, how do you know that it's being, it's back to the process thing. Joseph you mentioned that at the beginning is the... even when you have a process, what's the level of confidence that process is being followed across the board, in those key counties that you mentioned, Mike.

Mike Gruen:

And so I am right that it would be like, that was the scary part is that I'm thinking about that, but I wasn't sure. I've never actually like verified with someone who would know, but that is the case that like, there's just a handful of districts in purple states across the board that would need to be targeted.

Dan Lohrmann:

Well, in theory, that's right. I mean, I think there's going to be... I mean, if you look at what happened again, I have this blog that I wrote for Government Technology magazine, you can go out and read. It's a pretty long blog. It's one of my longer ones, almost 3000 words. So how election security has become a top issue. And it kinda gives you the history of all the different organizations in the national, in the state legislatures, that the auditor general's, the secretary of state offices, the governors, all the different things being done that the National Governance Association has been involved in this. There's so many organizations that have committees around election security. I mean, it's literally, it's probably well over 100 committees on election security, which is a little bit concerning in and of itself.

Mike Gruen:

Exactly. If you want to solve a problem, you definitely want to throw more people at it. The more people, definitely the better everything will be, which is … .

Joseph Carson:

And going back to how things are done that you mentioned as well is, I'm very familiar with the Estonian system here, of the voting system has been done here. And nothing's perfect. It's all about making sure that the goal that the focus of the Estonian government take was actually they see themselves as being a service provider to the citizens. So their intention is to get as many people to vote as possible.

Going back to one of the points that you made it as well was about you could vote multiple times, different methods. And this the same as possible in Estonia, I can go and vote in on my phone multiple times, but it's only counted once, and it's only the last one that counts. So that should be the cases that, if somebody just changes their mind, because somebody says something that isn't agreeing with them, that should be possible.

If people are voting weeks in advance, and then they changed their mind, it should be allowed to change people's minds, but it should only the last time that they register and sign or whatever they vote over should be the one that counts. So you need to be able to make sure that you have a solid identity system. And I think that's one of the core issues is that, and this why one of the things that, Mike, you've been mentioning as well is the different swing states is that that's one of the key areas, looking back.

And that's why the registration database has become targets, is because if you can target the voter registration databases and you know what their swing states are going to be, you can then make sure that you target the right areas. I think when I stepped back and I look at, it is very complex and different states take their own methods and own ways of how to do it. But I think that's actually also one of the benefits is actually the voting system in the US is decentralized, which is a good thing.

I see that as a positive, because having it decentralized makes it a targeted attacker more difficult, because they would have to change the vote in many locations and do it physically in many locations in order to really do it that way. But I think to your point, Mike, is that, if you're able to get information of registration databases and who's going to vote what way, then you only need to target … counties that will swing a state's outcome.

Mike Gruen:

Yep. But decentralization is nice in that regard. You think about it as like, that's the benefit, but in reality, I don't think it's as... but-

Joseph Carson:

So that other question for you is, you mentioned there's a lot of investment in the security of the elections and voting system itself. Is the investment going into specific areas or is it actually getting an equal across? Because one thing that I see is that in disinformation, in social media, I think it's the companies in social media who've taken the initiative that are trying to do something about it, but I don't see any initiatives or … securing that or labeling it as from a government perspective.

And then also we've got the voter registration, and then you've got the campaigns, which then typically have unskilled people who's brought in temporarily in order to run the campaigns and secure the campaigns. I think it was awesome to see one of your colleagues, and wasn't getting hired as a … for, I think it was at DMC for actually putting people in charge of security in those areas. And then also, and then there's the infrastructure itself, Are they being secured equally, or is there one that's being preferred over the other?

Dan Lohrmann:

That's a great question. I think, you probably get different opinions on that from different people. Clearly the areas that have been getting the most money have been the machines themselves, making sure you have paper backup, you can validate things that, that was identified pretty quickly from 2016 to 2018. I think there have been a number of efforts that are done at the federal level, looking overall that, we started talking about things like hacking and foreign influence and intelligence around, what do they try to do? How are they trying to do it?

There's some great testimony. I mean, literally you can listen to hours and hours of testimony. Just Google … them as well. But you can go and you can listen to congressional testimony from different groups, different secretaries of states around the country, on all the different threats from different countries, not just Russia, China, other places money has gone too.

So some of it's been an umbrella overarching thing across the nation because nobody wants, foreign governments to be, whether you talk about any traditional techniques to do a cyber attack, whether that be DDoS as you mentioned, Joseph, or whether that be, whatever, there's a whole hacking the database themselves, lot of attention on the databases, lot of attention, certainly, a lot of attempts, noted attempts.

This has been on CNN, Fox News, all of it, examples of where foreign governments have tried to influence and then a big, big push around the whole social media thing. Are you getting your news from Facebook? Are you getting it from whatever sources and try and influence Twitter, trying to influence... So I would say money is going to all those things. I would say, has it been equal?

I mean, there's always states I'll tell you that want more money. So I've never known a security officer to say, no, I've got plenty of money. I'm good. Just keep the money in Washington. State governments by default are going to ask for that. They're going to have their hands out. And like I said, the pixie dust has been election security. I think it will be probably well after this election. And this is going to be an ongoing topic guys. I mean, I would not be surprised if we're back here in four years talking about elections. I mean, … because-

Mike Gruen: I'm curious what the process... Sorry, go on. I'm sorry, Dan.

Dan Lohrmann: Go ahead, Mike.

Mike Gruen:

I was just curious like, so you were talking about everything leading up to the vote, but what about the security? Like where's the money going and process and stuff post, like I've cast my vote and then there's all the counting and auditing and all of that. We talked about the registration, we talked about the voting, but what's happening on the other side of that? Because I feel like that's another area that I just don't have any insight into?

Dan Lohrmann:

So there's money being spent and I can, again, I'm not going to name states, but I know particularly I've been on calls in the last couple of months, a couple of weeks actually, where, they're looking at, how do you get... Even how can I get that in? Can I email that in? Can I take a picture of it with my cell phone and send it in? I kid you not, in some states that's allowed. How do I know that's for me? How do I know that's not from Joseph? How do you know is anybody looking? So that back office process, there is money being applied to that and making sure that's a secure process.

And I think you said, what do I worry the most about right now? There is money being spent on that process. They are looking end to end, they are looking at the back office. They are looking at election night. They are down to that individual precinct. I think there's a lot of fear around, will they have enough volunteers because of COVID, will people literally come in? A lot of the people around the country, I mean, it's just really talking non-tech, this is about as low-tech as you can get.

A lot of the people tend to be more elderly. A lot of people they volunteer, they feel like it's their civic duty. So you go in America, there are many parts of the United States, certainly in Michigan here, you have a lot of, and God bless them. They're great people. They're in their '60s, '70s, '80s. They're in there running the whole system and it's the same people been doing it for years. Will they even be there on election day because … be in there with masks on and all the rest?

So at a very basic level, is it going to be back to the people piece. Who physically is going to be there? But a lot of money being spent on that. I think that, that process my fear is, it's changing in a number of states right now. And will they get this ironed out prior to... COVID was a big wrinkle in a lot of elections security plans. It was not part of the playbook. It was not part of the exercise. I mean, I was a part of election security tabletops in 2019, and COVID was not part of the strategy.

Mike Gruen: A pandemic happening in an election year was not one of those.

Joseph Carson:

It wasn't in the resiliency plan. I'm pretty sure. So Dan, I've got a question, because one thing that we haven't really talked about and at least in this year, and what played a big role in 2016 was Cambridge Analytica. And one thing that I've been very adamant about is that, and it's going back to campaigns, is when campaigns are using data sources, which could be considered, Cambridge Analytica data source, and many regarded as basically an artificial intelligence type of weapon, in order that could be used in order to see about what things you need to do.

And getting that, let's say not through consent and not understanding about what that data was being collected and being used for. And that hasn't been really discussed this year. I haven't heard much discussions around. Do you think that campaigns should be allowed to use data sources such as that? And if they do, should it be transparent to the citizen about the data sources that they're using it for? I think for me that concerns me is really is where they're making the decisions or where they're getting the data sources in order to spend the money on the campaigns. But the transparency is never there.

Dan Lohrmann:

Great point, Joseph. Do I think? I'm going to be transparent with you, I'm not going to answer part of your question. I will tell you that it's happening.

Mike Gruen:

I mean, I think it's a moot point because of superpacs and other ways that campaigns can-

Dan Lohrmann: Exactly.

Mike Gruen:

The campaign can be as transparent as you want. They have all these other people that don't fall under those same laws that are able to do all of the same things, but unofficially. So I think that's, it almost doesn't even matter what we think with regard to campaigns.

Dan Lohrmann:

Correct. And that's exactly right, Mike, I agree. The cat's out of the bag, the train has already left the station and the water's already over the waterfalls. I mean, it's happening guys. If Dan Lohrmann thinks it's right or not or we're going to get into campaign finance and all the rest of it. I mean, people are getting the data, they're getting data in lots of ways. Analytics is huge. It's probably bigger this year than it was in '16 in my experience.

Both campaigns are using any way and every way they can possibly get data. They're using the data and they're targeting it. They're going to target to get the vote out. They're going to use it to, I mean, you name it, slice it, dice it. We know we all know the power of data and the analytics behind that. And I think, just like the same thing with baseball … we could go in as a whole another spin on another show, but what's happening with all the big Facebook and privacy and all of that, all the global Google and what's happening with the big tech companies, will things really change? I mean, will there be more regulations? Some people say yeah, some people say no. I don't think they're going to get broken off. I don't see it. It could happen. But we discuss it, we talk about it and then we move on to the next election. It doesn't seem like much has changed.

Mike Gruen:

I mean, I look forward to when they have enough analytics and data that I don't even need to cast a vote. If you say, I have to figure out how I'm going to vote.

Joseph Carson:

So there was a movie that called The Circle, wasn't it?

Dan Lohrmann:

That brain-reading technology, it's just … and go in there and grab your vote out of your brain.

Mike Gruen:

They don't even have to read my brain. They just read my Facebook.

Joseph Carson:

Next time you travel and you walk through one of those airport scanners, it will actually cast your vote for you.

Dan Lohrmann:

Well … Make sure it's not a robot that's voting for you. We've got to do that identity theft protection thing that goes up. I mean, I think your point about what you guys do in Estonia, what people do, I'm a big admirer of what you guys do. You and I have talked about this. I think what you guys do is amazing. I think it's really a global model. It's not where we're at in America. The verification, one person, one vote, there's all kinds of jokes around this, vote early and often and all the rest of it.

I mean, it's, I don't think fraud is as bad as the Republicans say it is, but I don't think it's as good as the Democrats think it is. I think it's somewhere in between. And I think that, this is going to be a really, really interesting year, because of the raves that was thrown in the engine is the pandemic.

Mike Gruen:

Well, I think what's also interesting, and again, back to the what happens after, I think it's a really good example of security that I deal with on a regular basis, which is where that push and pull of a secure process and a fast process. You said it earlier, you don't want a process where it's going to take us months to figure out who actually won the election. You need to know you have some votes that are coming in immediately, so you're going to start seeing those results.

And then if people start counting votes manually through the mail or through whatever, and it starts to swing the other way, then there's going to be all kinds of questions of like, was there fraud, it wasn't there? So you need this efficient process. And that's a push and pull that's so typical between security and the business side of the business, whatever, we need this done and that push and pull and making like, and that's what worries me is that speed and the business side is going to drive a lot of decisions where maybe security or that, we'll have to make compromises, which is never a good thing.

Joseph Carson:

This is one of the things in Estonia that is something focused on, the whole thing here is, it actually started off post-Soviet era back in 1991, the whole reason why … this path of digital identity and electronic voting was back during the Soviet era was that their history was changed so many times. It was the history kept getting changed. And going back to the whole purpose why you have paper ballots is integrity and auditability and non-repudiation of the vote itself.

And ultimately Estonia realized and they went on a paperless society, which turned into a digital society, which turned into the government being a service provider. And ultimately to the point where that we'd got to really having a very efficient digital identity online, where I can go to get online prescriptions, I can vote, I can go to the vending machine. I can park my car. There's many things I can do my tax in two clicks literally within less than three minutes. It just depends on how fast your computer's internet connection.

Mike Gruen:

Because that's you trust your government. I mean, the problem in the US is that digital identity is definitely going to be controversial here.

Joseph Carson:

And it goes back to ….  It's the way that the government took it was, is that they didn't take it as a backdoor, that the government can actually see everything you're doing. They actually made it as a front door, meaning that the government is also transparent to the citizen, but everything that the government has access to and sees. So if you actually make it that it's a reversal situation, because then it builds, it's a two way trust. And that's the only way to build it is that trust is bi-directional, it's not one direction.

And for the citizens to trust the government, the government has to be transparent to the citizen and vice versa. You have to have that ability in order to create that. And during the pandemic in Estonia, people were able to still do online shopping, online schooling, and also vote online, online safety of their home. So that was one thing. And it got to the point where even the innovations, even in a post 2000, it's not perfect. There is security flaws. It's about being transparent and the security flaws, it's about knowing the risks and doing things to reduce those, and some of the implementations was, they're all using blockchain for … of the digital data. So therefore your government can't manipulate the results themselves directly.

Dan Lohrmann:

I think Estonia is going to be the model. I mean, we've got to head there and we've got to get there. I think not enough, we're going to be there in four years, but we're certainly not there this year. And I do agree with you, Joseph, that the challenge is going to be the process this year. How do we know? Again, back to, I'm hoping it's not a really close vote. I mean… In some states it may not make any difference. I mean, counting late ballots or whatever in California, probably isn't going to make a whole lot of difference. But at some states, obviously the swing states, the six or seven, one of them is Michigan here that I live in, it's going to be really key. And I think, it's going to be really interesting to see, and I just hope we don't have guys that fear we might.

I hope we don't have that hanging chad moment of 2000 of, and everyone's leaning on those pictures of the guy looking at the chads and what happened in Florida with Bush beating Gore. It won't be the hanging chads this time. It will be like, Joseph, you mentioned, was it his vote in person? Was it the mail in ballot? And how do we know it wasn't counted twice. And again, I think there are processes in place. I don't want to instill fear in the audience. I think there are processes that can do this. The question is, how do we know they're going to be followed? And how do we verify those things, especially where the changes have been made in the last 90 to 120 days during the pandemic?

Mike Gruen:

And how well are they being communicated because Joe brought up a great point which was, if I do vote twice, if I vote in person and I vote by mail and whatever, I don't actually know in Maryland which of those... I mean, I'm sure I can look it up. I just don't know which of those would actually count. And I don't know where I'd even... I'm sure if I Google it hard enough I'll probably find it, but I don't know that that's being communicated effectively either.

Dan Lohrmann:

When you think about that process too, it's like, what if you voted for a different person.

Mike Gruen:

Exactly. What if they don't line up.

Dan Lohrmann:

… does your vote not count at all? I mean, in some states... I mean, so I kind of go back to the hanging chad story. It's funny to go back and read those stories it's like, under this condition we're going to count it as a Gore voter, and this condition is the George W. vote. And then if it's this condition, it's a wasted ballots. It's a spent ballot. So nobody gets to vote.

So, I mean, in the case of … it couldn't even be the process. Again, different states may have different processes, but, what if you vote three times for the same person, do you throw out all three votes? Because … because the law says, you can do one or the other and you're not supposed to do both. So, I mean, again, the challenge is, I hope we don't get down to that close of a vote. That's …

Mike Gruen:

I also hope that that collision process doesn't invalidate votes. If it's that easy for me to... if somebody votes and it's all I have to do is send it another contradictory ballot to invalidate their ballot, their vote, that's also problematic. I mean, that's... so hopefully there's some really solid rules to make sure that the vote... like, I don't know. Like how do you verify that I voted for this and that which one of those …

Dan Lohrmann:

That … I mean, how do we know that somebody didn't make 10 copies and mail in 10 different things, or somebody, your guy across the street got your mail or somehow … How do we know it was you?

Joseph Carson:

This is the transparency piece. This is going back to the transparency is that how does every citizen in the US know that their vote counted? That actually it went to the final vote. And if they made a mistake, how do they know? What can you do in the future to rectify it? It's that transparency with the citizens. And that's what I'm saying, it's always a two way trust. It's always bi-directional. You have to know what you did was correct so you don't repeat the same mistake and maybe people didn't know that they were doing something incorrectly and they just repeat the same mistake. And therefore they continually over multiple votes over years are voting incorrectly and it never gets counted.

Mike Gruen:

But I think that's such a cultural thing. I mean, the US is founded on question your government, question... That trust, I think it's actually a really hard problem to solve in the sense that we don't have a lot of trust in our government officials and in our governments in general. There is a lot of skepticism about what they do with our data and how they handle our data. I mean, I know things that I don't want to take this conversation in a totally different direction, but you know what I mean? And so I think the idea of a national ID that's very, very controversial and national, or even a statewide digital ID is going to be just a really sticky wicket.

Joseph Carson:

So I did a calculation and I think it's the same model that Estonia had. And I actually applied it. And it doesn't have to be the same model, it just has to look at how do you stop people from wasting their time, which is ultimately the process of the voting. You have a process that wastes a lot of people's time. And in Estonia, it was that they were saving up to six to seven days per year of GDP of the country, by having this process in place. And if you actually apply that model to the US, even just getting close to it, the US would save one trillion US dollars per year in stopping people from wasting their time.

Mike Gruen:

… if we all use public transit instead of clogging up the beltway, that same logic applies. But yet-

Joseph Carson: Correct.

Mike Gruen: ... there's a cultural thing of, that that's just, it doesn't translate.

Dan Lohrmann: Especially during a pandemic people …

Mike Gruen: Well, there's that.

Dan Lohrmann:

You come up with a great process and then along comes a pandemic. I mean, I really do think we were on track for a much better result this time. I do think the pandemic... I really mean that. I'm an optimist. I'm actually, I'm a government bureaucrat. Sorry. But I actually think we had a really good thing going, we were ready to rock and roll, but I think people were more aware that people try to influence them. Just being aware that, hey, Russia is trying to influence your vote, China is trying to influence your vote. Your Facebook.

I mean, people were more aware. People saw what happened last time, but not going to be maybe as I said, not as trusting that that message is really from my friend or whatever. A lot of those things were corrected. I think the challenge is going to be again, how do we know? And by the way, the other piece we have, and you didn't mention Mike, I just want to go say real quick. In the US we have more lawyers than anywhere in the world.

Mike Gruen: Yeah. You're right. Exactly. … reform is a huge issue.

Dan Lohrmann:

… have their people there. I mean, it was just always so funny. I get that picture that go back to 2000. I'm thinking … You got a Republican lawyer, a Democratic lawyer, the … . You got six people all looking at this card with the microscope and with the magnifying glass, and it's some really funny pictures from Florida in 2000. So, I mean, you're going to have a lot of lawyers, there's going to be processes in watching it. And again, I think that's the thing that's keeping me up at night, even more than hacking of voter files or hacking of machines. That's personally for Dan Lohrmann.

Joseph Carson:

I think absolutely, Dan, there's a lot has been improved over the last four years. Absolutely. One thing as I do say, the social media companies, starting to flag political or even prevent political statements and those platforms, I think that was one step forward. So people get a bit more of context because the biggest problem we lose an internet is context is, is where was the original source of things that came into … it really come from my friend? Those trends.

So I think that's one great thing. And I think also the reports that came out from the agencies in the US about what happened in 2016 as well, and in prior to that being transparent. And I think even starting to see, even I think that even started the trend even now we're seeing a lot more reports getting revealed about not just election hacking attempts, but also other types of things like ransomware and malware that's also attempted that has now got the agencies more willing to be more shareful and more revealing those public reports.

And that's a great step forward as well. So we're now getting people having visibility and then also investment from the states and actually proving the electric machines themselves and also protecting the databases. So out of all of those things, what's the fear that you have in the upcoming elections? Is it the COVID scenario that, the resource issue? Or is there any type of hacking thing that would be the one that we should be aware about. Which is the one that you would indicate is the problem or the confidence side? It's just the different information of the confidence and the outcome as well, but it does become very close.

Dan Lohrmann:

I think it's the timing. I think, in America people want to hear on election night, they want to hear, the concession speech and they want to see the president by midnight, whoever wins. A lot of people are predicting again, I don't know that I want to make a prediction here, but it literally, if it's really close, could come down to days and it may not be by, you wake up in the morning, you go to bed at midnight, you wake up in the morning, you may not know who the next president.

I mean, I think that scenario of, that's what the stock market doesn't like. The stock market doesn't like unknowns. It doesn't like to know indecision. I think if it comes down to a handful of states and it's really close, you're going to see a lot more scrutiny around these processes we're talking about. And what changed in the last, since April 1st.

And maybe even, hopefully it becomes clear who the winner is, and hopefully, maybe we'll dodge this bullet. I really pray that we do. But I just, if we get down to that level of hanging chads, that's where I think it's going to get ugly, because it's going to be like, well, how was this decided? And who said that it's, back to your scenarios Mike, who said that if I send in two ballots and if you change the rules, does that change the winner?

If we changed the rules, like I changed my mind that I voted the day of. And so I flopped my vote. Do we count that vote or does it wash because I voted for the other candidate three days earlier when I mailed in my ballot? I mean, if somebody then says, if you change that decision that was made in April or whatever, and that changes the result. I mean, now we're talking really close. Right?

Mike Gruen: Yeah.

Dan Lohrmann: That's my biggest fear, Joseph.

Mike Gruen:

I think we should maybe wrap it up on something. But maybe something on the positive side, maybe rather than fears and whatever. I mean, I think we already touched on it a fair bit of all the benefits, all the things that have happened recently and all of the strides we've made. I don't know, Dan, if you had any final thoughts on that before we go.

Dan Lohrmann:

I mean, guys, listen, I do think that we have a lot of very good capable, competent people that are looking at this both in, at a state by state level. I'm a believer in state government technology. I mean-

Mike Gruen: I hope so.

Dan Lohrmann:

... 17 years, I generally, I don't think you could be in cyber security without being an optimist. The good's going to find out over evil. I really believe that. I really believe that guys. And I think you got the FBI, you got the all intelligence agencies helping out. I think, we can do this, we can do it successfully and we can have a really good election result. The harder it gets is the closer it gets. And I think what happened in 2000, it doesn't have to be. I'm not pretending that it's going to be the same.

I actually am optimistic that we won't have that situation. I hope we don't. But that was a very, very close election that came down with one state and it's never really happened anything like that in our history. So I feel like a lot of good progress has been made. And I think that, people should become educated if you're really interested in this, if you're nervous about this, read up. Contact your local people. And whether you co... I say congressman. Call your congressman. I say, definitely, there's a lot of really good projects happening, and I think we could be encouraged about that.

Joseph Carson:

I completely agree, Dan. I think my summary from the discussion is really is that a lot of positives have been made, a lot of improvements and transparency. And I think for my key takeaway here for the audiences is that I think it's really important, is to participate. If you are interested in it, vote. Don't let it go to waste. And if you are concerned about, what is the right way, I think that's the important part is the state should make sure it's transparent into what the options are and what actually becomes a valid vote. How to vote correctly, I think is the transparency. So you don't get into a situation where you invalidate your own vote by voting incorrectly or multiple times. So I think the key takeaways here is definitely participate, get out and vote, and do it safely as well.

The pandemic is at the heights and still, has a swing again. Do it in a way that focuses your health. Take that as a priority as well. But, Dan, your insights, it's pretty educational for me as well because I do look at it and do the comparison between Estonia in the US all the time. But I understand it's a complex system and I understand that … differences and sometimes even Estonia may not be able to fit perfectly or into that model. But I think that, it's positives have been made. But my thing I think is still what needs to be made more is that transparency, is the transparency and how it works and to the citizens, so they know how to do it correctly.

Mike Gruen:

And I think that goes into my key takeaway is more around they get involved. It's vote, but also get involved, understand how the election system in your state works, have it... That's where you have the opportunity to potentially influence, it's at the state level, you're voting for the people who are making those rules and deciding those rules. Make sure that they have a good sense of how to handle it. I think that's really my key takeaway is really how to get involved and make sure that you are getting involved.

Joseph Carson:

Absolutely. So also many thanks. Dan, is awesome having you on the show and I'm really looking forward to having more. I think it's been way too long since we've chatted.

Dan Lohrmann:

Absolutely. … my blog as well, about how you guys do elections so well in Estonia.

Joseph Carson:

So I think for the audience primarily is your safety is the number one thing. Your health and safety is the priority, but do participate. The voting does have an impact on your future and your lives and kids and everything out there. So I'm in support to participate. Hopefully this has been educational and it's given you some insights into what we fear, the worries that we have, but also the positives that has been made.

So please do get involved. Follow Dan. His blogs are awesome. I really enjoy reading them all the time. And he's a great insight to mentor and educator in awareness and security in general. So it's awesome having Dan on the show. Stay safe out there. Make sure, these podcasts come out every two weeks. So do come in and subscribe, listen, follow us. We always enjoy to help educate, share the knowledge and have a fun time at the same time. So again, Dan, thanks for having you.

Dan Lohrmann: Thank you.

Mike Gruen: Thank you.

Outro:

Learn how your team can get a free trial of Cybrary for business by going to www.cybrary.it/business. This podcast is also brought to you by Thycotic, the leader in privileged access management. To learn more, visit www.thycotic.com.