►
From YouTube: Elections Cybersecurity (From a Legislative Perspective)
Description
Here’s the good news: 2020’s election saw no known cyberattacks. Here’s the bad news: The future could be—is likely to be—a different story. Find out what are the threats and what are steps lawmakers can take to protect the very core of our democracy. Learn from experts at the University of Southern California’s Election Cybersecurity Initiative, where the catch phrase is, “Our Candidate is Democracy.”
A
We
we'll
give
people
a
minute
or
two
to
get
on
board
and
then
we
will
begin.
A
That's
a
good
message
to
everyone
to
turn
your
ringers
off
all
right.
Well,
welcome
everyone
to
election
cyber
security
from
a
legislative
perspective.
It
actually
warms
me
quite
a
bit
to
know
that
so
many
of
you
are
joining
us
today.
The
topic
is
critical
to
our
democracy,
but
with
the
next
general
election
20
months
away
and
with
so
many
other
competing
legislative
priorities,
many
people
may
be
thinking
election.
Cyber
security
is
on
the
I'll
think
about
that
later
list.
A
So
for
you
all,
you
are
keeping
it
top
of
mind,
and
I
really
appreciate
that.
So,
let's
start
with,
is
there
a
problem?
I
have
that
answer
from
a
report
released
just
two
days
ago.
This
was
a
report
from
the
department
of
justice
and
the
department
of
homeland
security
and
their
top
line
was
this
no
evidence
found
that
a
foreign
government
manipulated
any
election
results
referencing
the
2020
election,
but
that
sounds
great
and
then
it
goes
on
to
say
that
russia,
chinese
and
iranian
government-affiliated
actors
quote
materially
impacted
the
security
of
certain
networks.
A
End
quote
during
the
the
2020
election.
So
I'm
glad
that
there
was
no
manipulation
of
election
results,
but
I
am
puzzled
by
those
material
impacts
that
were
had
and
we
will
learn
more
about
that
during
our
next
hour
plus
much
more.
But
let's
start
with
introductions.
I'm
wendy
underhill,
I'm
the
director
of
ncsl's
election
and
redistricting
team,
and
I
want
to
emphasize
that
word
team.
Behind
the
scenes
we
have
brian
hinkle.
A
We
have
mandy
zach
ben
williams
and
christy
zamarripa
and
those
are
the
folks
that
really
make
the
magic
happen
for
us
on
elections
and
redistricting,
and
our
goal
at
ncsl
is
to
serve
legislators
and
legislative
staff
throughout
the
nation,
and
we
do
that
primarily
by
answering
questions.
So
if
you
have
questions
that
we
might
be
able
to
answer
by
all
means,
let
us
know-
and
if
we
don't
know
the
answers,
we
may
easily
know
where
to
find
the
experts
who
do
and
of
course
that's
what
we've
done
today.
A
A
You
probably
recognize
his
name
because
he's
been
a
journalist
for
some
50
years
and
he's
worked
at
cbs
and
npr
and
the
newseum
just
to
name
three
of
his
former
affiliations,
but
for
our
purposes,
what
really
matters
is
that
he's
the
director
of
the
university
of
southern
california's
initiative
on
election
cyber
security,
which
provides
training
in
all
50
states,
to
reinforce
election
integrity
and
to
build
defense
against
digital
attacks?
Welcome
adam.
A
Oh
glad
to
have
you,
we
also
have
clifford
newman
with
us
today
he's
a
scientist
at
the
information
sciences
institute
at
usc,
and
he
also
holds
a
research
faculty
appointment
in
the
computer
science
department,
which
of
course
makes
me
wonder
how
you
have
two
jobs,
but
that's
okay.
I
learned
from
looking
at
his
bio
that
his
research
focuses
on
issues
of
scale
in
large
distribution
systems.
A
That's
issues
of
scale
in
large
distribution
systems
and
I'm
fairly
sure
that
u.s
elections
fit
that
category
of
large
and
distributed
cliff
thanks
for
taking
time
to
be
with
us
today.
C
A
Thank
you.
Thank
you.
When
I
read
your
bio
and
then
I
knew
you
were
also
key
on
this
election.
Cyber
security
part
I'm
like
whoa.
This
is
a
man
who
never
sleeps
all
right,
so
bios
for
both
adam
and
cliff
will
be
in
the
chat
box
for
you.
So
let's
just
go
ahead
and
get
started
here.
Adam
tell
us
how
it
is
that
a
journalist
ended
up
at
the
university
of
southern
california
and
involved
with
elections
cyber
security.
What
is
this
program
that
you
are
directing.
B
Well,
my
appointments
at
usc
were
both
in
I
retired
in
2010.
So
this
is
my
post-retirement
job.
My
appointments
at
usc
were
both
in
the
viterbi
school
of
engineering
and
in
the
annenberg
school
of
communication,
and
so
I
my
research
and
my
teachings
at
the
intersection
of
technology
and
content.
B
How
we
got
involved
in
cyber
security
is
that
after
I
retired
and
moved
to
the
usc
washington
dc
office,
we
used
to
have
a
quarterly
series
of
planning
meetings
to
try
to
update
cell
phone
regulations
to
try
to
work
with
agencies
to
modernize
regulations
and
other
things
that
might
have
been
out
of
out
of
date
and
in
one
of
those
meetings.
Six
years
ago,
vince
cerf
who
was
the
co-inventor
of
the
internet
back
in
the
1960s.
B
He
said:
why
aren't
we
talking
about
securing
everything
on
the
internet?
You
can
buy
a
coffee
maker
now
with
an
ip
address,
I
mean
lg
wants
to
send,
sell
you
a
refrigerator
connected
to
the
internet.
We
need
to
secure
everything
on
the
internet
and
everybody
around
the
table.
Nodded
said,
okay
from
now
on,
it's
the
internet
of
things
and
securing
the
internet.
B
Well,
our
partner
that
came
in
right
after
the
national
governors
association.
They
decided
to
make
usc
their
research
partner
on
cyber
security
and,
of
course,
after
the
2016
election,
the
security
of
elections
really
bubbled
up
to
this
top
as
as
number
one
priority.
So
we
did
programs
with
the
nga,
including
off
the
record
programs
for
state
governments
at
state
capitals
and
then
last
year
in
2020,
we
did
50
states
programs
for
all
each
of
the
50
states,
most
of
them
virtual
because
of
the
pandemic.
B
But
we
reached
almost
4
000
people,
the
state
and
campaign
election
workers
and
others
with
that
are
independent,
non-partisan
and
vendor
and
platform.
Agnostic,
we'll
be
back
again
this
year
in
2021,
starting
next
thursday
march
25th,
with
the
first
of
a
series
of
workshops
again
for
the
50
states.
A
Well,
that's
great.
It
sounds
as
though
what
people
who
are
attending
today
can
get
is
a
sense
of
what
usc
has
to
offer
on
this
topic
and
that
there's
ways
for
them
to
dig
in
deeper
with
you,
as
as
things
progress,
so
you've
mentioned
2016
and
now
we've
been
through
the
2020
election
cliff.
Can
you
tell
us
how
the
2020
election
was
different
in
terms
of
cyber
security
from
previous
elections?.
C
C
C
We
also
learned
unrelated
to
the
election
about
the
solar
winds,
breach,
which
highlighted
the
cyber
capabilities
of
the
russians
and
other
adversaries,
and
I
think
it
was
actually
the
strict
isolation
of
the
election.
Tabulating
systems
from
other
government
functions,
one
of
the
things
that
that
was
put
in
place
here
that
really
prevented
the
solar
winds,
breach
from
affecting
the
elections.
C
Now,
that's
not
to
say
that
there
weren't
incidents
surrounding
the
elections,
but
these
were
kept
away
from
the
methods
used
to
tabulate
votes
in
instead
affecting
things
like
campaigns
or
voter
registration
systems,
not
counting,
but
maybe
the
registration
system,
and
there
was
also
significant
cyber
activity,
around
disinformation
campaigns,
but
again
strong
isolation
and
awareness
training
and
that
paper
trail
were
in
place
to
protect
the
actual
chunking
of
the
box.
A
Okay,
so
it
sounds
like
2016
was
a
heads
up
2017
and
on
we
had
the
federal
government
come
in
with
dhs
and
cisa.
Can
you
tell
us
what
cis
stands
for?
I
know
what
it
is,
but
I
can't
give
you
its
what
it
means:
cyber
security
infrastructure,
okay,
we'll
get
it
in
the
chat
box.
So
we
get
that
straight.
So
a
lot
of
attention
was
paid
and
you've
made
the
point
that
the
actual
equipment
that
counts
the
votes
is
separated
from
the
internet.
A
Is
that
something
we
can
say
across
the
board
in
every
state
that
that
there's
no
connection?
Oh,
I
just
asked
a
tough
question.
Didn't
I
I'm
sorry.
C
Well,
no,
I
mean
it's
it,
it's
something
that
we
can't
say
occurs
everywhere,
but
that
level
of
isolation
is
stronger
than
just
having
you
know
the
normal
government
employees
and
you
know,
I
mean
think
of
how
often
we've
heard
about
breaches
at
the
dmv
and
things
like
that.
There
is
stronger
isolation.
C
It's
not
necessarily
what
we
would
call
an
air
gap,
but
but
if
you're
not
using
the
same
systems
that
you're
using
for
the
day-to-day
operations.
A
Got
it
got
it
now?
I
forgot
to
say
to
everyone
who's
out
in
the
audience
that
you
all
are
welcome
to
join.
In
the
conversation,
you
can
put
your
questions
in
the
chat
box
or,
if
you'd
like
to
be
unmuted
and
ask
your
question
out
loud.
That's
fine,
too.
If
you
can
find
the
the
hand
to
raise
your
hand,
please
do
so
cliff.
The
other
thing
about
the
2020
was
that
there
was
a
pandemic.
I'm
sure
you
remember
that.
How
did
that
change
the
cyber
security
threats
to
elections
if
it
did
in
any
way.
C
Well,
you
know
it
changed
the
cyber
threats
to
a
lot
of
organizations,
because
you
have
more
and
more
employees
that
are
working
from
home
now
because
of
the
strict
isolation
that
we've
got
with
the
vote,
counting.
No,
we
weren't
sending
the
employees
that
are
gonna
count
votes
to
do
it
at
home.
Okay,
we
didn't
do
that.
You
did
end
up
with
more
and
more
voters
voting
by
mail,
for
example,
but
that
didn't
have
a
strict
cyber
security
element
to
it.
C
It
did
affect
some
other
issues
around
the
election,
but
generally
because
we
are
working
more
and
more
from
home.
If
you
give
your
employees
access
to
sensitive
data
from
your
home
from
their
home
locations,
you
no
longer
have
the
level
of
physical
security
around
where
they're
accessing
that
data,
and
that
does
create
some
cyber
security
issues.
A
And
I'm
working
at
home
for
ncsl-
and
I
bet
many
of
the
people
in
the
audience-
are
also
working
from
home.
We've
just
been
asked
to
shift
over
to
multi-factor
authentication
to
turn
on
our
equipment
and
I'll.
Tell
you
all
how
naive
I
was
I
said.
Well,
I
don't
really
need
to
do
that
because
I'm
just
in
my
house
and
I
never
go
anywhere-
I
can't
lose
my
computer
and
no.
No.
That
was
not
the
right
answer.
A
The
right
answer
is
you
need
it,
even
if
you're
at
the
house,
possibly
more
so
than
when
you're
at
the
office.
C
Right
well,
the
multi-factor
authentication,
you
use
tooth
warts,
some
kinds
of
threats,
and
I
think
we're
going
to
talk
a
little
bit
about
those
a
bit
later.
There
are
other
steps
that
you
would
take
specifically
when
you're
at
home,
and
that
gets
in
line
with
sort
of
physical
takeover
of
of
locations.
A
B
Well,
they,
the
people
are
mainly,
as
you
said
at
the
beginning,
coming
from
russia,
china,
iran,
to
some
extent,
north
korea.
Actually,
david
sanger,
who
covers
intelligence
in
the
new
york
times,
told
me
that
there
are
more
than
30
countries,
3-0
more
than
30
countries
that
are
hacking
into
the
united
states,
trying
to
peer
into
how
our
systems
are
working,
including
election
systems.
But
the
big
player
by
far
is
russia
and
they
have
the
r
d
budget
to
try
to
crack
into
our
secure
systems.
B
They
have
the
people
and
the
budget,
the
resources
to
really
attack
attack
american
systems,
and
they
keep
inventing.
B
We
saw
over
the
course
of
2020
new
and
different
techniques
that
russia
was
using
and,
interestingly,
russia
turned
out
to
be
almost
like
the
r
d
center
for
all
the
bad
actors,
because
if
russia
did
something,
then
china
and
iran
might
copy
them
a
week
or
two
later
so
so
that's
the
major
threat
is
russia
and,
and
they
have
a
building
full
of
people
in
saint
petersburg,
st
petersburg,
russia.
Working
on
this.
A
Oh,
my
goodness,
so
what
you
told
us
is
that
threats
are
viral
and
spreading
around
the
nation.
I
don't
know
if
we
want
to
go
so
far
as
to
say
there's
a
pandemic
of
it,
but
when
you
get
to
30
stations,
nation
states,
maybe
so
what
about
domestic
threats
are?
Should
we
be
thinking
about
other
kinds
of
threats
as
well.
B
Well,
everyone
is
across
the
country
and
certainly
in
state
capitals
are
aware
of
ransomware
attacks
and
those
are
coming
from
organized
crime,
they're
coming
from
sometimes
just
individual
criminals
and
the
difference
between
what
the
foreign
actors
are
doing
and
the
domestic
actors
are
doing.
B
The
domestic
actors
tend
to
be
in
it
for
the
money,
the
foreign
actors
are
trying
to
discredit
our
election
system,
trying
to
discredit
democracy
itself,
but
they're,
using
some
of
the
same
techniques
to
try
to
steal
passwords,
to
try
to
get
through
lightly
lightly
guarded
systems
and
and
going
after
as
as
as
we
know,
sometimes
a
small
school
district
or
a
hospital,
and
so
it's
cyber
security
is,
is
something
which
is
it's
just
something
where
you
just
can
never
sleep.
It
just
is
all
around
you.
A
I
got
it
they're
they're
trying
to
they've
got
thousands
of
attacks
coming
and
you
have
to
defend
against
all
of
them.
It
sounds
like
so.
The
defensive
position
is
is
pretty
tough
cliff.
Let's
talk
a
little
bit
more
about
some
of
the
things
that
have
already
surfaced.
We
had
the
word.
Ransomware
come
up
already
tell
us
what
that
is,
and
can
you
put
like
an
example
around
it,
so
we
can
really
understand
that
you've
got
people
at
all
different
levels
here.
So
what
is
a
ransomware
attack
and
how?
C
Right
so
to
think
about.
C
And
actually,
I'd
like
to
broaden
the
term
a
little
bit
to
sort
of
malware
or
malicious
software
that
takes
over
your
system
and
the
term
that
we
use
sort
of
technically
is
subversion.
It
subverts
your
system
now,
if
you
install
malware
by
clicking
on
a
bad
link
to
an
attack
site,
for
example,
or
by
installing
apps
or
applications
that
you
really
shouldn't
you're,
getting
them
from
an
untrusted
source
or
something
this
software
can
then
disable
your
system
and
that's
sort
of
what
we
see
in
the
terms
of
ransomware.
C
You
need
to
send
so
much
in
bitcoin
to
some
overseas
location,
for
example,
in
order
to
get
the
information
needed
to
re-enable
your
system,
but
it
can
do
a
lot
of
other
things
than
just
disable
your
system
when
we
broaden
it
to
the
area
of
things
like
malware
and
and
viruses
and
worms
and
trojan
horses,
it
can
steal
data
from
your
system
or
in
the
worst
case,
it
could
even
potentially
modify
a
system
to
do
things
like
well,
for
example,
change
votes.
C
That's
why
the
paper
trail
is
so
important
and
there
are
many
additional
steps
that
can
be
taken
to
really
lock
down.
That
is
protect
the
integrity
of
critical
systems
and,
believe
me,
these
steps
are
being
taken
not
universally,
but
in
many
of
the
systems
that
are
out
there,
they
are-
and
that
makes
it
more
difficult
for
such
malware
to
actually
take
hold.
But
that's
the
kind
of
thing
that
could
conceivably
happen
from
and
ransomware
and
malware
are
forms
of
subversion.
Now,
there's
another
form
of
subversion.
We've
heard
a
lot
about
in
the
news
recently.
C
This
is
what
we
call
supply
chain
subversion.
That's
when
this
malicious
code
is
inserted
in
the
manufacturing
or
distribution
process
of
software
and
the
solarwinds
breach.
That
we've
heard
about
sort
of
separate
from
the
election
is
an
example
of
this
kind
of
supply,
chain
subversion
and
by
the
way
we
did
hear
in
the
aftermath
of
the
election.
The
refuted
accusations
from
the
trump
campaign
of
this
kind
of
supply
chain
subversion
in
the
dominion
voting
software.
Now
this
was
refuted,
but
but
that
is
precisely
an
example
of
the
kind
of
subversion
that
could
occur.
A
Okay,
so
that's
coming
home
to
me.
So
if
you
bought
a
piece
of
equipment
from
somebody
and
it
already
had
something
bad
in
it-
that's
supply
chain,
subversion.
C
That
is
supply
chain
subversion.
If
you
purchase
a
piece
of
software
and
the
company
from
which
you
purchased
that
software
and
downloaded
it
embedded
malware
in
that
software.
That's
also
supply
chain
subversion,
and
it
doesn't
need
to
be
necessarily
the
company
that
inserted
it
directly.
It
could
be
someone
that
hacked
into
the
company
and
inserted
it
on
their
behalf
and
now.
A
Can
I
just
you're
scaring
me:
I
just
want
to
report
that
you're
making
me
think
that
there's
nothing
safe
in
the
world
and
maybe
that
is
in
fact
the
case.
But
now
could
you
tell
us
about
fishing?
I
we've
all
heard
fishing
a
little
bit
and
hopefully
most
of
us
are
getting
training
to
try
to
avoid
it.
But
I
have
to
admit
those
of
us
who
aren't
in
your
field
are
probably
a
little
more
relaxed
about
that.
So
what
is
fishing
and
how
does
it
relate
to
elections.
C
Okay,
well,
fishing
actually
comes
back
to
your
comment
earlier
about
thinking.
Oh,
I
don't
need
second
factors
of
authentication
or
things
like
that
when
you're
working
at
home,
so
one
of
the
ways
adversaries
get
into
our
systems
is
by
stealing
our
passwords
and
a
common
way
to
do.
That
is
by
sending
us
messages
that
look
legitimate
or
that
otherwise
cause
us
to
click
on
a
link
log
into
what
we
think
is
a
legitimate
website.
C
But
then
we
just
gave
the
criminal
our
password.
So
for
an
election
official
that
was
quote
phished,
then
the
criminal
might
get
access
to
restricted
systems.
More
often,
it's
the
end
users
who
are
fished
which
could
enable
changing
of
addresses
or
other
things
to
mess
up
that
individual's
voter
registration,
for
example.
Let's
say
you
pretended
to
be
the
election
site
and
you
stole
the
user's
password
and
you
changed
where
their
their
ballots
get
sent,
for
example,
or
if
it's
a
campaign
official.
C
C
Now
the
main
takeaway
with
respect
to
phishing
is
first
really
awareness
and
second
to
employ
things
like,
and
here's
what
you
were
talking
about,
accepting
the
factors
of
authentication
such
as
the
text
message
code
that
comes
to
your
phone
or
stronger
method.
So,
in
addition
to
the
password
you
need
to
prove
you
are
actually
in
possession
of
some
physical
device
and
the
two
factors
together
provide
for
a
stronger
form
of
authentication.
A
Okay,
we're
moving
that
direction
and
I
know
we
got
to
do
it,
but
I
still
haven't
signed
up
for
it.
Now,
let's
take
on
denial
of
service,
I
think
I've
heard
about
this
in
one
of
the
states
in
a
minor
election.
What
is
the
denial
of
service
and
how
does
it
relate
to
elections?.
C
Well,
finally,
denial
of
service
attacks
simply
tries
to
shut
down
systems
by
overwhelming
them,
with
fake
queries,
for
example,
or
disabling
communications,
and
they
are
very
difficult
to
deal
with
from
a
computer
security
perspective
other
than
through
redundancy.
What
we
call
over
provisioning
of
resources
so
that
you
end
up
overwhelmed
now
the
biggest
problems
and
the
things
that
you've
sort
of
seen
with
respect
to
maybe
elections
is
things
like
the
denial
of
service
attack
on
voter
registration
systems.
Now
denial
of
service
attack
is
sometimes
indistinguishable
from
just
a
simple
failure.
C
Okay,
so
you
can
try
to
cause
these
failures
by
overwhelming
the
systems,
but
we
actually
saw
two
instances
of
of
general
failures,
not
cyber
attacks,
but
causing
this
kind
of
denial
of
service
in
florida.
The
day
that
the
vote
of
the
voter
registration
deadline,
their
system
simply
became
overwhelmed
with
the
number
of
people
trying
to
register
the
effect
of
that's
really
no
different
than
if
an
adversary
were
trying
to
call
it,
and
in
virginia
you
saw,
I
guess,
a
a
verizon
work.
C
Crew
accidentally
severed
a
communications
line
into
the
system
where
voter
registrations
were
occurring
gently
also
on
the
last
day
to
register
to
vote.
So
so
that's
really
why
denial
of
service
attacks
are
so
difficult
to
resolve.
Wendy.
If
I
can
add
a.
B
Ps
to
what
cliff
just
said,
we
did
a
an
off
the
record:
a
confidential
election
cyber
security
program
for
the
commonwealth
of
virginia
in
the
state
capitol
in
richmond
and
one
of
the
people.
The
state
invited
to
join
was
from
the
virginia
department
of
transportation
to
transportation.
B
A
C
Yeah,
actually
here
here
in
los
angeles
county
on
the
day
of
the
primary
elections
last
year,
you
actually
had
power
failures
in
some
neighborhoods
with
voting
locations
that
prevented
those
polling
locations
from
actually
being
used.
A
Some
of
what
we're
talking
about
makes
me
realize
that
cyber
security
is
sort
of
one
subset
of
an
umbrella
group
of
things
that
could
go
wrong
in
an
election.
Cyber
security
attacks
is
only
one
of
many
things.
You
could
have
a
power
outage,
you
could
have
a
line
cut,
you
could
have
a
tornado,
and
maybe
the
protection
is
similar.
Can
you
draw
any
anything
together
there
for
us.
C
Well,
absolutely,
I
often
speak
about
it
in
this
way,
so
you've
got
similarities
between
cyber
security
and
sort
of
more
general
failures
that
can
occur,
but
there
is
a
big
difference,
and
the
big
difference
is
that
when
you
look
at
things
like
hurricanes
tornadoes,
you
look
at
things
like
just
just
failures
of
of
electrical
equipment.
There
is
a
statistical
distribution
of
those
that
allows
you
to
apply
statistics
to
understand
how
you
put
redundant
resources
in
place
to
deal
with
some
number
of
failures.
C
In
the
case
of
cyber
security,
what
you
have
is
an
intelligent
adversary.
That
knows
specifically
where
your
weak
points
are.
So
you
can't
use
this
this.
The
statistical
distributions
to
make
sure
that
you
have
at
least
four
instances
of
something,
because
the
adversary
will
target
both
of
them.
A
Okay,
I
like
what
you're
what
you're
saying
there
it
does
mean
you
need
to
have
your
eye
on
the
cyber
piece,
but
yet
anything
you
do
to
kind
of
protect
on
the
cyber
front
sounds
like
it
might
also
protect
on
the
other
side
and
all
the
things
you
could
do
on
cyber
security
protection
won't
protect
you
against
those
things
that
are
outside
that
that
envelope.
A
Okay,
adam,
you
are,
in
fact
a
journalist
by
trade.
You
were
telling
us
the
other
day
a
little
bit
about
election
results
and
cyber
security.
Could
you
bring
that
link
together
for
us?
Please.
B
Sure,
well,
our
friends
at
the
homeland
security
have
a
wonderful
expression.
They
say
what
is
the
return
on
investment
for
a
bad
actor,
and
one
of
the
great
strengths
of
american
elections
is
that
we
are
decentralized.
We
have
on
the
order
of
10
000
different
elections
around
the
country,
president
of
the
united
states.
Then
we
add
all
the
numbers
together
and
we
come
up
with
the
electoral
college
on
a
winner.
B
Well,
the
so
it's
very,
very
difficult
if
you
are
sitting
in
a
foreign
country
or
if
you're,
a
bad
actor
in
the
united
states.
If
you're
trying
to
tamper
with
the
election
at
the
point
at
which
people
actually
are
casting
votes,
because
that's
just
they're
just
too
many
targets
so
they've,
they
start
to
look
for
places
where
the
election
results
are
centralized
and
the
big
central
point
on
election
night.
This
has
nothing
to
do
with
the
state's
tabulating
results
or
the
secretaries
of
states
certifying
the
results.
B
But
the
big
central
point
of
tabulation
on
election
night
is
the
associated
press.
The
ap
provides
the
the
boat
totals
to
all
of
the
news
agencies.
B
All
the
television,
all
the
cable,
all
the
radio
and
the
internet,
and
so
adversaries
now
realize
that
the
ap
is
the
place
to
to
attack
on
election
night,
whether
it's
to
take
the
system
down
and
if
the
ap
goes
down
on
election
night,
we
simply
don't
have
election
returns
that
night
until
the
states
report
the
results,
which
can
be
two
three
four
five
in
2020
seven
days
later
so
again,
the
adversaries
are
working
to
reduce
faith
in
democracy
itself.
That's
a
pretty
dramatic
reduction
of
faith
in
democracy
itself.
If
you're.
A
Excellent
point,
so
you
could
attack
voter
registration,
which
we
did
see
some
of
in
2016
without
actually
changing
any
records
and
that's
bad,
but
it
doesn't
change
the
vote.
You
could
attack
the
vote
itself.
That's
really
catastrophic,
but,
as
cliff
has
explained,
that's
not
really
happening
or
you
could
attack
as
the
results
are
heading
to
the
ap
or
the
way
I
was
thinking
of
it
as
to
the
press
more
generally
or
wherever
it's
going,
and
that
will
so
confusion
and
doubt
which
is
not
something.
That's
going
to
work
on
elections.
B
And
we
know
the
president
of
the
associated
press
is
on
our
advisory
board
and,
and
he
said
that
in
2012
you
know
a
few
attacks.
2016
serious
attacks
in
2020
major
major
attacks,
predominantly
from
russia
on
the
ap
system,.
A
Wow,
okay,
we
have
larry
in
the
chat
box.
Who's
saying
using
social
media,
for
misinformation
is
probably
a
good
roi
for
the
attacker.
We
haven't
really
gotten
to
that
yet,
but
maybe
this
is
a
good
opportunity
to
mention
that.
B
Absolutely
and
we've
seen
we've
seen
again
over
the
course
of
the
2020
election
year,
russia
in
particular,
using
new
techniques
and
they
would
roll
out
in
different
ways.
For
example,
there
was
something
called
franchising.
I
think
that's
the
word
that
homeland
security
used,
where
russia
and
and
some
other
countries
actually
paid
american
journalists
who
were
unaware
of
who
was
paying
them
to
file
phony
reports
or
file
reports
which
were
misleading.
B
Russia
actually
had
russia
and
china.
I
believe,
actually
had
websites
running
on
computers
in
the
united
states
masquerading
as
journalistic
websites,
but
actually
they
were
propaganda
and
trying
to
spread
confusion
and
in
2020
when
everybody
everybody
on
this
call
knows
that
we
were
changing
the
the
dates,
places
and
methods
of
how
you
vote.
B
It
was
really
critical
that
correct
information
reached
the
voters,
and
so
some
bad
actors
were
doing
their
best
to
so
confusion,
very
little
expense
to
them,
but
but
the
again
trying
to
dent
confidence
in
democracy
and
trying
to
create
confusion.
Sometimes
they
were
accidental.
I'm
sure
you
remember.
There
were
some
billboards
put
up
by
an
election
information
organization
and
they
had
made
a
mistake.
B
They
actually
made
a
mistake
on
on
the
election
day
and
there
it
was
on
billboards
and
they
corrected
them,
but
under
the
best
of
circumstances.
As
we
all
know,
elections
are
very,
very
complicated
things
to
to
hold
and
and
any
tampering
with
the
the
reliable
chain
of
information
can
really
be.
It
can
really
cause
confusion.
A
I
I've
heard
it
said-
and
this
is
probably
an
urgent
urban
legend-
that
that
candidates
can
say
democrats
vote
on
tuesday
and
republicans
vote
on
wednesday.
I
don't
know
if
that's
ever
happened,
or
vice
versa.
Whichever
way
you
want
to
tell
that
story,
and-
and
so
that's
misinformation
that
predates
the
internet,
but
misinformation
has
to
be
dealt
with
somehow,
no
matter
where
it's
coming
from,
and
I
don't
think
we
have
policy
solutions
yet
on
how
to
deal
with
misinformation.
Any
thoughts
about
options
at
the
state
level,
where.
B
What's
up
what
secretaries
of
state
said
and
we
had
in
in
close
to
half
the
states
where
we
did
workshops?
Last
year
we
had
the
secretary
of
state
opening
the
program
and
they
always
emphasize
that
for
reliable
information
go
to
the
state
government
to
the
secretary
of
state
or
whoever.
The
responsible
election
official
is
sometimes
lieutenant
governor,
sometimes
attorney
general.
But
that
is
your
rock
solid
source
of
of
good
information.
A
Got
it
got
it,
and
I
am
going
to
bring
this
around
soon
to
legislative
options,
so
just
be
thinking
about
that
cliff
and
adam.
What
are
things
on
any
of
the
things
we've
discussed
that
that
can
be
addressed
with
policy
as
opposed
to
with
boots
on
the
ground?
Perhaps,
but
before
we
get
there
cliff.
We
we've
mentioned
physical
security
briefly,
but
I'm
thinking
about
it
in
the
election
envelope,
but
about
locks
and
bipartisan
teams
that
kind
of
stuff.
A
C
Well,
you
know,
I
mean
we've
seen
instances
sort
of
external
from
the
election,
although
in
sort
of
the
aftermath
of
it
we
have
to
take
over
our
nation's
capital,
for
example
on
january
6th,
and
there
are
lots
of
computer
devices
that
fell
into
the
possession
of
those
storming
the
capital,
including
a
laptop
and
conference
rooms,
including
nancy
pelosi's,
desktop
systems,
for
example,
and
this
could
potentially
happen
in
state
capitals
too.
C
Now
how
physical
security
comes
into
play
here
is
that
you
need
to
understand
that
much
of
security
of
computing
devices
is
based
on
an
assumption
that
the
adversary
is
sort
of
on
the
outside
doesn't
have
necessarily
physical
access
to
that
particular
device,
and
it's
very
hard
to
protect
the
data
on
a
device
that
is
in
the
hands
of
the
adversary,
where
in
fact
the
adversary
might
actually
be,
in
some
cases,
a
legitimate
user
of
that.
C
Now,
when
the
adversary
is
a
legitimate
user,
we
use
things
like
whole
disk
encryption.
So
someone
gets
hold
of
your
laptop
as
you're
going
through
airport
security.
You
know
you
don't
want
them,
just
sucking
all
the
data
right
off
of
it,
but
I
think
that
this
physical
security
of
devices
plays
a
role
in
elections
in
the
sense
that
we're
not
going
to
anytime
soon
see
us
actually
conducting
our
elections
online.
Where
you
vote
from
your
cell
phone
or
you
vote
from
your
laptop
computer.
Why?
Not?
C
Because
it's
hard
enough
to
protect
all
the
devices
that
are
in
the
possession
of
the
election
officials,
it's
impossible
to
protect
all
the
devices
that
are
in
the
hands
of
the
individual
voters,
because
you
don't
necessarily
trust
all
those
voters
I
mean.
If
you
take
not
to
say
we
shouldn't
trust
our
populace,
but
understand
that
every
one
of
the
adversaries
that
is
trying
to
manipulate
votes
is
themselves
a
potential
voter
and,
as
a
result,
you've
got
to
be
concerned
about
securing
their
devices.
C
You've
got
to
be
concerned
about
securing
the
devices
of
all
the
legitimate
voters.
In
light
of
maybe
all
these
apps
that
you
install
on
your
cell
phone,
I
mean
I
like
to
ask
how
many
apps
you've
installed
on
your
cell
phone.
You
know
you
get
up
to
about
40,
apps
and
people
are
still
raising
their
hands.
Every
one
of
these
apps
is
a
potential
vulnerability.
It's
a
potential
one
of
those
viruses
or
malware.
A
A
All
right,
we
won't
do
it
now,
that's
good!
Okay!
So
when
I
asked
you
that
question
about
physical
security,
I
have
to
tell
you
what
I
thought
you
were
going
to
say
is
that
locks
matter
lights
matter,
cameras
matter,
those
seal,
tapes
on
voting
equipment
and
bipartisan
teams.
So
you
didn't
say
that
you
don't
have
to
say
that.
But
that's
when
I
was
thinking
about
physical
security.
I
was
literally
thinking
that
kind
of
stuff
for
the
ballots
and
for
the
voting
equipment.
Yeah.
C
Well,
the
seal
tapes
that
you
said
on
the
equipment
is
part
of
one
of
the
things
that
that
creates
sort
of
the
physical
center,
but
the
steel
tapes
is
something
you
call
tamper
evidence
rather
than
tamper
proof.
In
other
words,
that
tape
doesn't
prevent
someone
from
getting
in
and
changing
things
what
it
does
is.
A
All
right,
I
love
it,
so
we
want
physical
security
and
more
adam.
I'm
coming
back
to
you.
Let's
get
to
that
policy
part
the
folks
who
are
here
primarily
work
for
legislators
or
our
legislators,
and
so
what
is
it
that
they
can
do?
That
would
be
helpful
to
their
state's
cyber
security.
B
Well,
what
we
saw
last
year
when
we
went
to
all
50
states
again,
most
of
them
virtually
because
of
the
pandemic,
but
we
saw
that
each
state
has
interesting
and
strong
resources
and
assets,
including
and
starting,
perhaps
with
state
governments.
Each
of
the
state
governments
has
cyber
security
assets
which,
in
each
in
each
of
the
workshops
we
would
say
here
are
the
places
you
can
go
in
your
state.
Here
are
the
agencies
in
your
state
and
the
states
are
all
different,
but
the
states
and
that's
good.
B
The
states
are
the
laboratories
of
democracy
and-
and
we
saw
some
really
outstanding
examples
of
of
of
innovations
in
each
of
the
50
states.
The
national
guard
is
a
new
player
since
five
years
ago
they
really
stood
up
as
a
major
force
in
cyber
security
and
probably
already
very,
very
closely
working
very
closely
with
election
officials.
B
Something
else
we
found
in
across
the
country
is
that
universities
have
also
stepped
up.
There
are
centers
of
excellence,
cyber
security,
centers
of
excellence
throughout
the
country,
sometimes
in
places
where
you
wouldn't
expect.
So
that's
a
huge
asset
in
terms
of
state
legislatures.
B
I
think
that
in
2020,
even
as
we
were
in
perhaps
what
we
hope
will
be
the
extreme
case
of
of
of
demands
on
election
systems
again
changing
the
the
dates,
places
and
methods
of
voting,
but
even
in
the
midst
of
that
state
legislatures
were
paying
close
attention
to
to
us
election
cyber
security.
B
What
we
need
to
do
now
is
not
to
relax
our
vigilance,
because
our
adversaries
are
they're
inventive.
They
have
r
d
they're
using
different
techniques
and
and
so
stay
up
to
date
on
updates
that
are
coming
from
homeland
security
and
cisa
their
their
assets.
That
are
excuse
me,
resources
that
are
available
from
the
federal
government
and
from
industry
and
wendy.
If
I
may,
if
I
can
just
put
up
a
slide,
I
can
just
share
my
screen.
B
This
is
the
the
website
of
the
usc
election
cyber
security
initiative,
and
if
you
go
to
this
website,
www.electionsecurity.usc.edu
you'll
see
a
tab
for
resources.
There's
another
tab
for
a
weekly
blog
that
we
have
updates
on
resources.
B
B
So
that's
something
I
put
up,
because
there
are
many
resources
that
are
available
to
states
and
to
state
legislatures
that
we're
not
talking
about
things
for
which
you
need
a
forgive
me
cliff
a
computer
science
degree,
but
they
are
for
general,
general
audiences,
and
so
they
are
written
for
state
legislatures
to
become
more
informed
on
on
these
issues.
A
And
when
you
put
that
slide
up
it
reminded
me
of
your
slogan,
would
you
tell
us
a
little
bit
about
the
slogan?
Please.
B
In
2019,
when
we
were
planning
our
2020
50
state
campaign,
we
met
with
people
state
election
and
campaign
officials,
national
officials
here
in
washington,
and
we
met
with
people.
Who've
run
campaigns
again
for
governor
for
the
senate
for
the
house,
and
we
read
with
people
who
run
presidential
campaigns
and
two
of
them
who
are
actually
at
usc.
B
One
of
them
is
bob
schrump
who
ran
john
kerry's
2004
campaign
on
many
other
democratic
campaigns,
and
the
other
is
mike
murphy
who
ran
the
jeb
bush
campaign
in
2016,
and
I
said
you
know
we're
like
you
guys
we're
going
to
run
a
50-state
campaign,
but
without
a
candidate
and
bob
shrumley
and
forward-
and
he
said
adam
you're
wrong.
B
Your
candidate
is
democracy.
Whoa,
I'm
going
to
take
that
that's
going
to
be
our
slogan,
and
so,
in
fact,
just
a
few
days
ago,
I
reminded
him
that
he
gave
us
our
slogan
for
for
2020
and
beyond.
That
really
tells
a
story,
we're
we're
not
favoring
one
party
or
another.
We
are
favoring
democracy.
A
I
love
it.
I
just
think
that
that
needs
to
be
brought
out.
Every
time
we
talk,
we
should
we
should
revisit
that
question
cliff
on
your
side.
I
wonder
if
you
are
able
to
use
your
crystal
ball
and
tell
us
about
threats
that
might
be
coming.
I
mean
sort
of
more
of
the
same
or
or
maybe
it's
too
hard
to
know.
What's
the
next
step,
but
we've
already
identified
that
registration
was
where
the
interest
was
in
2016
and
misinformation
was
what
we
saw
most
of
in
2020.
C
Well,
you
know,
I
think
the
adversaries
are
going
to
continue
to
try
to
attack
the
infrastructure
itself
and
actually
the
counting
of
votes
and
you're
gonna
see
what
they
learned
in
things
like
solarwinds
being
applied
in
a
much
more
manner
to
try
to
get
them
deeper
into
these
particular
systems.
In
fact,
one
of
the
things
you
need
to
understand
about
nation-state
attacks.
C
Basically,
these
what
we
call
advanced
persistent
threats
is
that
they
are
multi-step
processes,
an
organization
will
get
into
one
company
or
one
set
of
systems
and
use
that
as
a
stepping
stone
to
get
deeper
in
and
in
fact,
you
look
at
things
like
the
solarwinds
breach
and
in
fact
it
was
very
much
staged
trying
to
get
deeper
and
deeper
into
the
supply
chain
and
those
kinds
of
threats
are
going
to
continue
to
play
out.
C
We
need
to
be
extremely
vigilant
about
them,
and
the
kinds
of
things
that
we
need
to
focus
on
in
terms
of
our
protection
of
these
systems
is
really
the
issue
of
integrity
of
our
systems.
The
assurance
that
we
have
on
the
particular
components
that
we
run.
How
can
we
best
assess
that
the
software
that
we
install
next
year
is
going
to
be
free
from
these
kinds
of
vulnerabilities
and
yeah?
C
There
are
a
lot
of
people
working
on
this
we've
been
fairly
successful
in
sort
of
the
election
space
so
far,
but
we
shouldn't
get
our
confidence
too
high
that
we're
going
to
be
immune
from
these
kinds
of
of
more
advanced
attacks.
C
A
You're,
right
and-
and
that
gets
to
the
next
question
that
could
be
for
either
one
of
you
and
that's
about
resources
when
people
are
really
scared.
When
something
bad
happens,
they
put
their
focus
on
it
and
they
put
their
money
towards
it
and
they
devote
personnel
towards
it
so
with
getting
through
the
2020
election,
as
we
saw,
no
votes
were
tampered
with
as
far
as
anybody
knows,
including
department
of
homeland
security.
A
What
what
do
we
do
in
terms
of
resources,
both
money
and
people
in
the
next
four
years,
and
particularly
where
will
that
money
come
from.
C
Okay,
so
so,
I
think,
think
a
couple
of
things.
First
of
all,
many
of
the
problems
that
we're
trying
to
address
with
cyber
security
in
the
area
of
elections
elections
are
simply
an
application
of
a
broader
problem,
so
there
should
be
more
fundamental
research
on
this
issue
of
assurance
of
our
computer
systems
in
general.
That
will
share
dividends
across
both
the
election
community
and
sort
of
government
in
general
corporations
in
general,
and
that
means
that
the
cost
of
some
of
that
work
can
be
spread.
C
It
doesn't
need
to
all
come
out
of
the
election
budget,
but
we
really
need
to
have
this
kind
of
focus
in
terms
of
our
computing.
Now
we
also
need
to,
I
think,
have
a
better
understanding
of
what
actually
constitutes
attempts
to
manipulate
elections
in
different
ways.
C
I
mean
there
are
many
kinds
of
voter
fraud
that
occur
and
things
like
that
and
understand
which
of
these
are
more
organized
they're,
going
to
have
greater
impact
versus
which
are
you
know,
even
less
than
grass
roots
sort
of
the
the
daughter
of
someone
that
passed
away.
The
terms
of
the
palette
you're
not
gonna,
expend
a
lot
of
money
dealing
with
that
because,
first
of
all,
statistically
the
effect
balances
out.
C
It
happened
on
both
sides,
but
we
do
need
to
put
measures
in
place
to
understand
with
maybe
the
increasing
reliance
in
some
states
on
on
voting
from
home,
for
example,
or
absentee
or
vote
at
home
ballots.
C
Are
there
things
that
can
be
done
to
improve
the
well
almost
physical
security
aspect
of
that
in
terms
of
distribution
of
ballots?
In
terms
of
balancing
the
let's
say,
signature:
verification
where
you
need
to
balance.
You
know
the
problem
of
maybe
too
many
ballots
being
rejected
because
of
a
minor
change
in
the
signature
versus
wholesale
attempts
to
manipulate
things
that
might
occur
in
that
one.
B
Wendy
in
terms
of
resources,
I
think
that
we
can
expect
more
resources
from
to
be
available
from
the
federal
government
this
year,
because
I
think
everybody
realizes
it's
a
problem,
and
I
mean
some
resources
were
available
last
year.
But
we
expect
to
have
some
more
and
that's
something
which
is
going
to
be
extremely
important.
A
I
completely
agree
that
more
funding
from
the
federal
government
would
be
welcomed
in
the
states,
and
I
know
that
many
of
the
local,
the
elections
are
run
by
local
counties
and
some
have
more
resources
than
others,
and
some
states
have
more
resources
on
their
own
than
others,
and
so
I
I
think
I've
heard
it
said
in
the
past
that
the
weak
link
could
easily
be
the
small
poor
county.
So
it's
to
everybody's
advantage
at
the
local
level
at
the
state
level
and
then
at
the
federal
level
to
be
looking
at
what
what's
the
appropriate
share.
A
I
I
want
to
say
I'm
going
to
wrap
us
up
fairly
soon
here,
but
I
wanted
to
kind
of
give
you
a
chance
adam
to
talk
about
what
you
experienced
in
terms
of
the
professionalism
or
the
commitment
of
election
officials
around
the
nation.
The
question
has
come
up
this
year.
Were
they
partisan
in
one
way
or
another,
and
I
think
you
have
a
very
excellent
vantage
point
to
make
some
statements
about
election
officials.
B
We
saw
in
all
50
states
a
level
of
commitment
and
professionalism
which
was
remarkable
under
the
most
difficult
circumstances,
which
we
will
probably
face
in
our
lifetimes,
and
everybody
took
security
very
seriously.
B
Everybody
took
elections
very
seriously
and
we
it
was
very
impressive
to
go
across
the
country
and
see
and
state
after
state
how
well
things
worked
and
there's
some.
There
are
some
people
who
haven't
received
the
credit.
They
should
I'll
just
mention
one
state,
nebraska
nebraska
pivoted
from
25
mail
and
voting
to
75
mail-in
voting,
and
they
did
it
in
a
matter
of
days.
People
said
that
was
impossible.
B
They
said,
oh
it'll,
take
you
months,
maybe
years
to
do
that,
no
somehow
in
nebraska
they
pulled
that
off
in
a
matter
of
very
short
time.
That
was
stunning.
That
was
stunning
and
other
states
actually
started
to
study.
How
did
nebraska
do
that,
and
so
there
are
stories
like
that
across
the
country
which
a
few
of
which
actually
wound
up
in
the
national
national
press,
but
it
was
a
quite
an
education
for
us
and
reassuring
for
us.
A
That's
fabulous.
My
experience
has
primarily
been
very
excellent,
with
local
election
officials
and
certainly
with
the
state-level
people.
So
it
feels
to
me
is
that
that's
a
subject
within
the
general
public
administration
universe,
where
people
who
are
willing
to
do
everything
from
sweep
the
floors
and
turn
out
the
lights
to
become
sort
of
the
cyber
security
expert
for
their
county
or
wherever
it
might
be.
It's
a
lot
of
hats
that
those
folks
wear.
Okay,
here's
my
wrap-up
question.
A
C
Well,
you
know,
I
think
in
some
sense
you
know
we
started
off
with
some
good
news,
at
least
around
the
2020
election,
and
that
is
that
the
awareness
and
the
commitment
as
adam
was
just
speaking
about
is
somewhat
encouraging.
So
you
know,
I
think
that
is
a
really
good
news.
In
fact,
you
know
on
some
of
our
calls:
we'd
have
the
secretary
of
state
explaining
some
of
the
things
that
they
were
doing
and
I'd
think
to
myself.
You
know
this
is
worthy
of
a
lecture.
I
might
give
my
students
in
cyber
security.
C
It
showed
some
level
of
real
understanding
of
what,
and
I
think
that
that
is
encouraging.
It's
really
all
about
awareness,
whether
it
is
awareness
from
the
low-level
individual
awareness
of
phishing's,
two-factor,
authentication
or
other
things
for
awareness
at
the
higher
level
about
the
importance
of
of
isolation
and
things
that
you
did
see
start
to
be
applied
in
these
areas,
and
I
think
that's
probably
the
biggest
encouragement
that
we've
got.
B
Well,
the
the
a
big
success
story
in
2020
was
that
we
were.
We
had
a
classic
good
election.
We
did
not
see
any
successful
tampering,
certainly,
as
attorney
general
barr
said
nothing
that
would
change
the
election
in
terms
of
cyber
security
tempering,
but
the
election
official
in
kentucky
had
a
wonderful
way
of
talking
about
it.
He
said
you
know
nobody
got
in
we,
we
could
see
the
bad
actors
trying
to
trying
the
doorknob
to
see
if
they
could
get
in
and
they
couldn't
get
in.
So
that's
that's
the
good
news.
A
I
want
to
leave
us
on
a
good
note,
and
my
good
news
here
is
that
usc
has
made
the
kind
of
commitment
that
you
all
have
made
to
being
in
this
space
and
making
your
work
available
around
the
nation.
So
I
want
to
thank
you
both
for
doing
it
mention
again
that
you
have
an
event
on
march
25th
coming
up
and
that's
in
the
chat
box.
A
If
anybody
wants
to
do
it
and
I'm
going
to
think
of
you
all
as
partners
to
ncsl
and
encourage
anyone
who's
on
the
line
to
think
of
you
as
possible
partners
in
their
state
or
their
community,
this
will
be
recorded
and
we
will
link
it
on
ncsel's
elections.
Cyber
security
webpage
and
with
that
I'm
going
to
just
say
thanks,
very
much
stay
in
touch
and
stay
engaged
with
the
work
you're
doing
and
pretend
that
everybody
in
the
outside
is
applauding
for
you
all
now.
Thank
you.