Expert Interview on 2018 Election Security

David O’Berry is a leading cyberexpert, the former agency CIO in South Carolina government and an experienced thought leader in cutting-edge cybersecurity areas, including election security. In this exclusive interview, I ask him about federal, state and local cyberpreparedness regarding the upcoming 2018 and 2020 elections.

October 7, 2018

As we head into the final days before the 2018 elections, the media coverage of election security has never been greater. Sadly, much of the news is not very encouraging. For example:

Indeed, just this week, Vice President Mike Pence accused the Chinese government of meddling in the upcoming U.S. elections, although some cybersecurity experts disagree.

The administration’s own secretary of homeland security, Kirstjen Nielsen, said: “We currently have no indication that a foreign adversary intends to disrupt our election infrastructure.

“We know they [the Chinese] have the capability and we know they have the will. So we’re constantly on alert to watch. But what we see with China right now are the influence campaigns, the more traditional, longstanding, holistic influence campaigns,” Nielsen said on Tuesday at a Washington Post cybersecurity conference.

Others are much more concerned with Russian election interference — again.

Brief History on U.S. Election Cybersecurity Coverage

Going back more than two years, this blog covered this election cybersecurity topic from numerous angles. In March of 2016, I was one of the first to ask: “Could the Election Be Hacked?”

On the weekend before the 2016 vote, I wrote “Trust the Vote: Here’s Why.” [Note: this piece was written when most people thought Hillary Clinton would win.]

After the 2016 election, we discussed views on the trouble with recounts in the name of hacking and later recapped the good, bad and ugly with those vote recounts that did occur.

In January 2017, after more was known about deficiencies with state voting machines, I wrote about what election technology steps were needed, and earlier this year, I took another stab at the election topic from a state government and association perspective.

I mention these specific blogs because they are all part of an ongoing election narrative which is coming to a culmination over the next few weeks (and in two years) — in the November 2018 and the 2020 elections.

As I posted these previous pieces, many security experts agreed with my analysis while others challenged my viewpoints. Sometimes respected cyberexperts, like David O’Berry, openly argued another narrative.

While I view David as a trusted colleague whom I have known for a decade and who has amazing security acumen, seeing his adamant, well-researched comments on my LinkedIn posts (and other forums) was eye-opening and sometimes even unnerving.

Stated simply — we disagreed on various hacking points after the 2016 election. (At the same time, we always agree on numerous points as well, such as the serious nature of the election cyberthreat and the need for urgent action to protect future elections.) I always learn from him, and truly enjoy the engaging dialog. I find his professional approach to be refreshing, challenging and sincerely helpful — so much so that I want to bring his insights and perspectives to you before the 2018 election.

Interview with David O’Berry on Election Security

David O’Berry speaks with a wealth of knowledge and cybersecurity experience. He doesn’t pull punches, and yet offers a kind, humble demeanor in one-on-one cyberdiscussions. You can get a sense of David's style from this brief YouTube video from 2015.

I first met David when he was the South Carolina government cybersecurity lead at MS-ISAC meetings, and we have been friends ever since. After leaving South Carolina government, he held senior positions with McAfee and VMware and other security organizations. He currently is the co-founder and chief innovation officer at PreCog Security Inc. He also serves on several cyberstartup advisory boards and is a mentor for several cybersecurity leaders around the country.

Now, on to the election interview.

Dan Lohrmann (DL): Are states ready to safeguard the 2018 elections next month?

David O’Berry (DO): No, I do not believe that the vast majority of the states are even close to ready for the mid-term elections as it relates to their cybersecurity posture, and anyone that says differently is either spinning it or has no idea what they are talking about. I do believe there are going to be some states that may have a better handle on it than others but that number is far less than 30 or 40 percent, and once you factor in the various voting machine issues and the way the precincts are set up ... the way the rolls are handled via databases, etc. It is not a question of if they are vulnerable, it’s a question of how bad will it be and will it undermine the confidence of the vote.

DL: What is your biggest election concern?

DO: I think my largest concern continues to be the voting rolls, phishing attacks that keep divulging astronomical amounts of targeted user data, voting machines without a paper trail, and voting machines that are hackable with their only defense being lack of physical access. 

The lack of a paper trail is a horrific design, period, and on the other front the voting machine companies are now trying to say that vulnerability/penetration testing is not a real-world environment because they have physical access. That is just ridiculous, and if they ever visited the various places these things are in with the mostly volunteer or low-paid staff and no physical security per se, then they would understand how insane that position is in general. If they have not visited the various places they serve, then it's malfeasance. 

As far as the voting rolls, my contention has all along been that without an immutable record of the rolls where every change and modification is kept in high fidelity, etched in a blockchain of some sort, we will never know what has been done or can be done to disenfranchise voters in general. When you used to get a phone book, it was only as good as the data inside it. If that data was corrupted at the source, then you were done. The checks and balances to these things right now are ad hoc at best and there is no blockchain-based (read as immutable record ... whatever that tech may be) to compare against. 

I had a personal experience seeing three minority voters in 2016 turned away (military and female) in the 45 minutes I was standing in line to early vote. It was very clear something was either amiss or I was in the middle of the largest of timely coincidences. I wrote about it back then, as a matter of fact.

DL: Which states are doing a good job? What states are lagging woefully behind?

DO: I think rather than relying on various personal conversations which could be considered subjective and anecdotal, the following score-card from the Center for American Progress lays out both the methodology and the grading system for how they went about assessing the state post-2016. I would make the comment that there were no A's but a few B's, and there should NEVER be D's and F's, yet they too were abundant. When you look at the full chart, they are giving credit for FAIR for a number of even these B's, which is just mind-boggling to me.

— B's: Alaska, Colorado, Connecticut, District of Columbia, Maryland, Minnesota, New Mexico, New York, North Carolina, Ohio (borderline C), Oregon, Rhode Island

— D's and F's: Arizona, Arkansas, Delaware, Georgia, Florida, Hawaii (borderline C/D), Indiana, Kansas, Kentucky, Louisiana, Mississippi, Missouri, New Jersey, Pennsylvania, South Carolina, Tennessee, Texas

So that means we have nearly 50 percent more D's and F's than B's with no A's, and FAIR is being counted as OK in current-state to grade to a B. Think about that.

This issue cannot be left to the states because it is a matter of national security and it cannot be treated as some line-item that state leadership can just cut or zero out in any given year. It is the very backbone of what we are as a nation and when it is compromised, it poisons our collective soul.

DL: Are our election cyber problems mainly federal, state or both?

DO: I believe election problems are both at present and include the locals as well. One of the single largest issues is the cross-jurisdictional mess this often is, and as scary as it sounds, I do think that the government (via a non-party-based governing committee or group along the lines of maybe [Federal Election Commission] expanded) should federalize the elections and take this guessing game out of the hands of people who at times are just woefully under-equipped to stave off the likes of Russia or any other nation-state that targets them.

As much as it pains me to say it, because I was 20 years in South Carolina state government and saw so many states just do amazing work with so little in the way of resources, something as important as the confidence in a duly elected federal, state or local representative has to be maintained at all costs. It does not help that the hyper-partisanship has created a situation where it was actually advantageous for one party to hold up funding for protections to the election system, meaning that even now with grants available, it is way too little too late for 2018 and more than likely for 2020 as well. I have seen estimates that shoring up the system to an acceptable level will take till at least 2021. Think about that.

DL:  Are the hackers just too good? Is protecting votes 100 percent even possible? 

DO: Hmm ... I think hackers are at times too good, but I also think that we continue to fail at making targets hard to find, attack and subvert. Companies continue to spew out device after device with little thought to anything besides sales and profit, and while I get that capitalism is supposed to weed out the wrong-doers, it is simply not an effective means of doing so when something as critical as voting is at stake. The lag times are too great. 

Companies don't have to care who wins or if the vote is accurate because either way, they keep selling machines. It is not unlike medical devices and the current disastrous state they are in or IoT as a whole. I have taken to calling it "The Iniquity of Ubiquity" and recently modified that to "The Iniquity of Insecure Ubiquity." Ubiquity without security threaded through it is just a beatdown waiting to happen ... and in most cases it is not waiting to happen ... it is happening constantly. So combine the above with the fact that humans have this awful tendency to short-cut just about anything ... patching ... site surveys ... cabling plant ... door locks ... insecure ceiling tiles ... and what do you have? The Digital Titanic running into the Cyber-Iceberg over and over and over again ...  

DL: How worried are you about social media influence, fake news and other attempts to influence voters from overseas in 2018? 

DO: Wherefore art thou "Fairness Doctrine" and a legal definition of news told from both sides, if not the center?

All jokes aside ... I am incredibly concerned about that entire situation because the opponents (and even many of the political commentators in this country) are absolute masters at affecting the minds of others. Not to call out names, but a certain autocratic ruler of a certain semi-rogue nation-state has outright admitted to wanting to influence the 2016 elections, and it's clear they are not stopping there. The challenge is that human psyches are absolutely fragile and so easy to manipulate especially in the ridiculously hyper-partisan environment we are in right now. A number of psychological constructs explain this situation. Dunning-Kruger, The Backfire Effect, Herd/Mob Mentality, etc. When people are able to stoke fear and hate, find a scapegoat, and then bend facts and outright lie while making it seem as though they are telling the truth, it can create a mentally and psychologically debilitating and dangerous environment. 

Historically this type of thing has repeated over and over again, but I would be invoking "Godwin's Law" if I pointed out the most recent parallel that many would be familiar with. :) Again, Ubiquity ... is not bad by itself, but Irresponsible Ubiquity poisons minds. There are not multiple versions of the truth or alternative facts. If we could all just stop yelling at one another from the far right and far left long enough to find some middle ground, then this country would rapidly be far better off than it is at this point in time. We allow the nuts from the far right and far left who make up less than 10 or 15 percent on each side to control the 70 to 80 percent of us who are center, center-left and center-right. It has to change but it won’t until there is less money in hate and intolerance and loudmouths than there is in common sense and a sense of duty to not only the country but [also] to the community around each of us.

DL: What new steps do you expect hackers to take as cyberthreats evolve?

DO: I expect them to go deeper and deeper and to run more and more silent ... transient ... disposable-type malware that takes the concept of in memory and fractionalizes what even that means such that it can be hyper-dispersed and agnostic to where it hides and even where it runs. I encapsulated all of that in a theory/conjecture of sorts from back around 2005 that I called "Decepticon Class Malware." I wrote about it and was published in the ISMH 2008, 2009, 2010 (RIP Hal) ... and I think the 2010 chapter specifically mentioned this type of new hyper-malware as a prologue to calling for us to all work together across real-time information-sharing standards on a path toward what I call "Autonomic Security." Until the last year, we were still missing a couple of the attributes in the wild to make this reality but all but one has evolved and even been diagnosed since then.  

DL: What do you predict will happen in mid-late November 2018? Will hacked elections dominate the headlines?

DO: I fear the die has been cast and yes they will. They will also dominate the headlines from 2018 to 2020 and probably beyond that because it is the fear, uncertainty and doubt that breaks confidence and trust. 

If this had occurred and it had been owned at the highest levels without all of this spin, then we would be in a better place. The systems of systems that enable the ability to cast a vote for every legal citizen in the U.S. did not just come under attack from the illegal hacking perspective. Our very foundations have been assailed such that without drastic change (blockchain, a revamp of policies and procedures, and possibly federalization) it may never recover to the levels it was trusted before 2016. 

DL: As we head toward 2020 what more needs to be done to protect the next Presidential election? Are the right steps being taken now?

DO: I don't think we can implement anything drastic like blockchain or federalization of the elections by 2020, but there is a large sum of money ($380 million) that has been allocated for grants to shore up the system. I believe a prescriptive solution (not homogeneous, but certainly not haphazard) from a non-biased, non-partisan NGE group of experts should be the goal, which means that there would be vetted solutions available to procure and install as plug and play as possible in every state. 

I believe that at least the rolls of each state should be handled by a non-partisan, non-biased group of providers who make sure the fidelity via blockchain (or some other similar solution) is maintained and verifiable by anyone such that there is no hint of a possibility of someone making changes without there being an unmodifiable trail. I also believe that we can look at what a country (as small as it is) like Estonia has done post being one of the very first victims of illegal Russian cyberaggression and learn from them rapidly. 

I think this qualifies as a national security emergency, and while we should be absolutely transparent in the process, we should not allow procurement issues or state's rights issues (lobbies included) to stand in the way of a revolutionary change in the way we vote and count the vote in this nation. There is NO REASON we should have 50 states doing so many different things with so little control, input, or even checks and balances from really anyone outside of their own state. I am sorry ... this is far too important to not take every conceivable path to some type of more certain outcome.

DL:  Anything else you want to say on this topic?

David O’Berry (DO): I am a citizen of this country, no matter who I vote for, and the reality is that as a citizen I want to know that my vote matters or is at least counted fairly along with everyone else. As a technology and business leader, I see a problem that just should not exist in this day and age, and I see solutions that can be fashioned rapidly to raise the tide for all boats. It did not get like this in a day and it will not be fixed in a day, but while the very best time to attack this was 15 or 20 years ago, the next-best time is right now. As we have seen, we already have low participation in elections as a general rule ... anything that diminishes that threatens to horribly skew the direction of our country. 

Our country is changing and it should be the goal of our election system to allow every man, woman or child (18- to 25-year-olds qualify as children at times ... lol) of voting age who maintains legal voting privileges to vote from anywhere within the next decade. What is the argument against that? Do we not want voters to actually vote? I know I do, and if someone does not, then I expect they need to take a look in the mirror and figure out exactly when and where they lost their way, because they absolutely have.

This situation is bigger than me or you or the reader ... it is bigger than any party and any person ... and one of our greatest national priorities should be to restore faith and trust in this key process so that we can move toward more civil discourse and build from there.

Dan Lohrmann: I want to thank David for sharing his important perspectives and expertise on this important election security topic. I certainly wish David (and his team) all the best with their new cybercompany.