All right. In this episode I talk about election security with retired Air Force Major General Earl Matthews, who is the chief security officer at Verodin and who has been thinking about election security for over 20 years. We had a pretty wide-ranging conversation taking us through the ultimate goal of election attacks, the Iowa debacle, and the likely motives for foreign intervention into U.S. elections. So with that, I'm happy to bring you my conversation with General Earl Matthews on the topic of election security.
All right, welcome, General Matthews. Thanks for coming on Unsupervised Learning.
Dan, thanks very much.
Now Happy Friday dear so I will have already introduced you on the show and looking at your background it looks like we actually both worked at HP oh that also at same time I think it might have been. Yeah it was. Was it called ESPN the timer ISIS or something like that.
No I it was so when I tried security products. Yes. Yeah I belonged in ESF That's right.
Yes. So I worked for Jason Schmidt in Fortify and then for Ryan English in Fortify on Demand.
Wonderful. That I did, when I fell in contact with Jason and others, and I think Fortify is still an outstanding product. I recommend it still. Yeah.
Absolutely. Very cool. I guess tell me how you got started in election security. I assume 2016 was probably a catalyst of some sort.
Yeah. And it's actually, you know, with my military background, elections have been front and center most of my entire career, adult life. I voted by absentee ballot, and it actually really started piquing my interest in 2000, right, when we had the hanging chads and what the impact was at that time about, you know, supposedly all these absentee ballots from the military that could sway the vote and hadn't been counted.
And then many years later I find myself in the RAF in Germany, and I am responsible for all the postal distribution throughout Europe. Now that comes by air, and the Army then would be responsible for trucking it out to all the different bases. But I really had to focus in on election years, because after the 2000 elections we had to account now for all the ballots that were coming into the military post offices overseas, and actually tracking them to make sure that the people who got it voted and put it back in there and it got delivered on time. And then, just as an aside, my wife also works in the I.T. sector and she was helping with the first voting.
This is in Uganda to thousands of military folks. So I have been associated for a long time, and now, you know, after 2016 and all the influence on infrastructure security, but really about the disinformation that has been used, it really got my attention leading up to that, up to that election. And so now, today, you know, social media is really my biggest concern on disinformation.
And, you know, we're seeing social media really start to take a hold of this, start deleting accounts, and I firmly believe that social media companies should be accountable that the accounts that are being created are truly real accounts and are not being done falsely.
Yeah, absolutely. So are you familiar with Renee DiResta?
Yeah, I am familiar, yes sir.
Yeah. So, really interesting, she does a lot of work on the social media stuff and both the misinformation and the disinformation. And one of the things she talks about is how difficult it can be to lock on to a bad account, because what they'll do is, months before the campaign, they create a legitimate account with, like, a legitimate-sounding user name or whatever, and then they go in and they drop tons of content related to that particular thing. So let's say it's cars or fast cars or car modifications: it'll be months and months and months of a precedent of legitimate content, just so they could trick the algorithms that look for, you know, pure misinformation.
Yeah, but when those accounts get generated, what I would say, the corollary to that, is that you have to supply name information, telephone numbers and things like that. The more obscure that becomes, I think, should be an indicator to a social media platform that something isn't exactly right here. And I think it's also interesting perhaps for your listeners to understand that 61 percent of all the traffic on the internet is actually created by bots and not by humans putting content on there, and of that about 30 some percent are actually fairly defeated. So what we're going to talk about today. But I do think it's an interesting factoid that actually, you know, more than 60 percent of the traffic on the Internet is not human created. Yeah.
Interesting. And what would you say most of that traffic is? Is that like clicking on YouTube links, like trying to vote up content on Twitter? Is it a voting-type fraud, or what type of bot activity is that?
Yeah. So I would say most of that bot activity, it's just taking information from one location and then moving it to another location, or trolling, where news organizations are continually looking for new types of news stories that are out there, whether they're generated by me putting up a video or that another news organization has put up there. And so you just have these algorithms out there just to get that information and so forth.
OK, that makes sense. So, web crawlers.
Yes great traps. Yeah.
Yeah, sure. Awesome. And I noticed in researching some of your work you had some tenets, you had five tenets. I have them here, but if you would like to go through them: the first one was stop making assumptions, the second one was transparency. You want to talk about those?
Yeah. And I think that what our listeners really, they'll have a hard time struggling with, with all these new exposures of our information, is that there really isn't anything new, right, that's happening here.
Most of it is coming from misconfigurations, and part of that is just because we start assuming that things are actually working like they're supposed to be, and their security controls really aren't doing that. I think there's a lack of transparency, right, in how the electronic voting companies are letting us know the vulnerability of their platforms, and that there's a lack of software independence in the voting machines and third parties. But now I think it's gotten significantly better since 2016, but I just think the whole assurance piece of what happens to these proprietary systems just isn't there for us.
Yeah, and you've got here: mandate transparency from commercial hardware and software companies (many of these are transparency based), data-driven evaluation of providers that provide the technology, alignment between state CIOs and CISOs and secretaries of state. These all seem really solid. And continuous and quantified evaluation and validation of security controls. I think these are fantastic recommendations.
Yeah, probably for our listeners, they may not well understand that, by the way, all elections are run by the states, not run by the federal government. You know that this voting piece of this falls underneath the secretary of state and not underneath the governor's day-to-day routine business. And so as a result there hasn't been a very tight alignment between the state CIOs and the state information security officers with the secretary of state's election State Committee.
So I'm a huge fan of those organizations coming together, and I've seen that. I've seen it in Michigan and I've seen it in Indiana, and then in Iowa we just saw that the chief security officer for the state has now resigned from that position and actually has moved over to the secretary of state election office to help them with cyber security. So this is, and that has primarily been because we haven't treated infrastructure as a holistic problem. We've been looking at it in isolation.
Interesting. So is that similar to like a jurisdictional problem. Not quite at the scale of 9/11 but where you have different groups and they're not designed to work with each other and therefore the information's not being exchanged. Is that kind of what you're describing with the secretary of state versus governors group.
I think it's traditional siloing of functions versus the commingling of functions across an organization. And you and I saw this when we were at HP too: things got siloed off, and then the left hand doesn't know what the right hand is doing.
But I think that since 2016 we've seen a significant change in all of this because of the one that designation against critical infrastructure. We've seen the DHS create a special office for election to look since her day oversight and we've seen the US government create the US election commission and then we've also seen the federal government designate funding for states specifically for election security.
So I think that, I think it's gotten very interesting, I guess. So you currently work at, is it Veridin or Verodin? Probably, yeah.
Yes, Verodin, and that's a common mispronunciation of the organization, but it comes from the god Veritas for truth and Odin, the god for wisdom in battle, and what Odin would do is send out dogs and ravens to collect intelligence about his enemy and then bring that intelligence back, and then he would go into battle, which is why he was so successful.
I consider ourselves the warrior truth company, because what we do is we instrument your network looking for your security controls' current instantiation: are they working like they are supposed to be working? And we do that by running, like, malware in your production environment to give you the no-kidding truth: this is how my controls are actually working. So that's what Verodin is about.
Nice, and Verodin is now part of FireEye. Is that correct?
That is very true.
So last summer we were one of the few cybersecurity companies that got acquired, and we were acquired by FireEye, which is really considered the number one threat intelligence in the world, and Mandiant is a part of FireEye, right, that does the most incident response around the world, and our platform runs off of intelligence. So it was a superb marriage for us.
Now in this space that's fantastic Degrassi.
Yeah. And actually I knew I recognized the name Verodin, and I looked it up; it's actually one of my favorite spaces in all of the security tools. I love the idea of continuous checking. So I guess, can you go into a little more detail about how it works? Like, do you have a sender and a receiver, and you sprinkle these throughout the environment, and then you send malware from the sender to the receiver to see if it's caught by various controls, or how does that work?
Yeah. You've described that, you've nailed it.
You could be a spokesman for us. And it is all automated, all software driven, and what we are really attacking is the number one problem which is false with. And so we are both the attacker and the target. We sit in your operational environment, but we're not on anybody's operational assets, meaning if you have a server that has customer data on it, we're not sitting on that server. We just look like a virtual image of that server with the same security controls. And then is the. And then we put one on another side of your network, where it could be external or it could be internal to look for segmentation, and then the, you know, the National console tells this actor to go attack this other actor. And we know that it's successful or not successful because we are controlling both the originating IP address and the target IP address. And if it makes it from one end to the other, we know that your security stack didn't block it. And then what we do is we produce all the data to show what in your security stack could have blocked it, but you don't have it together correctly the painful to do that.
Mm hmm interesting. Yeah. Yeah.
And just to let everyone know who's listening, this is not about the vendor thing. So we have lots more questions about elections itself, but I think this is important. And I actually want to ask you: does this interact at all with election security devices? Like, do you put it on a network where polling devices are, and use this technology to defend elections in any way, or is it unrelated?
No, you would actually put it into the segment in which those voting polling devices are going to be located, and then what you would be doing is just assessing that the controls that are there to protect that voting device are actually working like they're supposed to be working, because many of these voting devices are connected to either a separate network or an out-of-band network, and you monitor that from a defensive staff who's actually doing what it's supposed to be doing.
OK. That makes sense. So you're basically looking at the health of the networks and the connectivity around that environment. So it's not like running an agent, like, on the voting machine or something like that, and looking out for anybody making standpoint that's all right.
The voting machines have enough going on up there and they don't need any more heavyweight things put on there.
Speaking of that, what did you think about the Iowa situation? Yeah.
And so this was really fascinating to me. I belong to a Forbes Technology Council, and I was immediately sent a note by another member who was on the council, and me on there, like five or six others, in this little dialogue.
And as soon as I got it the next morning, it was just easy for me to respond back, and I knew in my heart that it was not because of a cyber vulnerability but development. You know, I was a CIO myself at U.S. Transportation Command, and what always happens in software is that there is a rush to finalize the code, and then that generally leads to a lack of time for the testing organization to do their full vetting of it before that app goes into production. Sure. That was my first suspicion, and that's the one that actually turned out to be true. My second suspicion was that there weren't enough data sets available for them to actually go do the testing at scale, and we see this all the time. It doesn't matter how large an organization is, having that real production data gets hard to come by. And then my third suspicion was there was no, never a dry run
of the entire system from end. So it turned out that the number one hey this rush to get there actually happened because we did x and the number to beat 360 or do a dry run with that.
Interesting what that application. Yeah yeah.
Now M.I.T. has done a review of their code. Now they've got all these other vulnerabilities but that wasn't the cause of the problem on top of that.
Interesting. How do you see the relative threats of overall incompetence, like you said, just not necessarily incompetence, but software is hard and complex and there are lots of failures, versus a lack of transparency into voting versus actual foreign intervention into the system? How do you stack those as threats?
Well, I would certainly stack number one foreign intervention through either mis- or disinformation using social media platforms as being the number one threat, and that is primarily because I think we've done a very good reason for this show about addressing the hardware and software pieces of it, and to your point, software is never going to be perfect. So that's how I would say that's the order of those two threats. When we look at the voting process, Dan, it's actually pretty simple. You have an eligible voter. You have one vote, and that vote has to be kept secret.
And then what happens is we have a chain of custody, and it needs to be an end-to-end verifiable structure. We have to guarantee integrity of the. And then that the ballot that was actually cast was collected and that it's been counted. And now we need to verify that. I mean, it's a pretty simple thing actually in the end.
Interesting. What would you say, and I actually agree with you, for the record, but what would you say to somebody who says, well, yeah, there was foreign interaction, you know, interference with the 2016 election, but it didn't seem to have that much impact in a tangible way? I'm not sure we have great data on that. I think a lot might be conjecture. But let's say it wasn't that much of a tangible impact in 2016. How would you respond to those numbers?
Yeah, I would say where it had the most tangible impact was creating divisiveness between groups. All right. So that's where it had the biggest impact, versus, you know, pitting the Republicans versus the Democrats or actually influencing the election through the voting infrastructure itself. But certainly creating dissent and animosity amongst groups played a big role in it.
And that problem is not going to go away. And we've looked and have tracked this now since the early 2000s and then you know specific some would say 40. Up to earlier this year we've seen them in the Philippines. We've seen it in the US elections we've seen it in France. We've seen it in Kenya seen it in Russia itself. We've seen it in Catalonia Andorra Cambodia and Mexico. Most recently in Hong Kong are not Hong Kong and
Taiwan and their elections. So it's really our viewers and your listeners really have to pay attention to what is the source of the information in the media outlet that they're getting their data from and how they're making their decisions. That's what I would say that we have to just be smarter in that regard.
Yeah I think that's crucial it seems like we can end up in November of 2020 with half of the country thinking the election was stolen whichever way it goes. What do you think we have to do to be able to address that.
I don't think that will be the case.
What I think more importantly, right, would be this whole issue of where am I getting my news media from, and where am I getting my information from, what are my trusted sources of that. And I think people have to educate themselves on getting, you know, familiar that, hey, there is an evolving threat landscape that is trying to impact the way that I think and what it is that I read, and that if I'm only getting my information from one source I'm probably likely to get the least amount of right information. So it should, kind of, get corroborated. So I think people should try to get their news from, you know, well-established news organizations versus some pop-up site that has created some because they really don't know.
I find it so that would probably be the biggest thing. Then the second thing is that there are a lot of actually online resources for voters if they are concerned about the voting infrastructure.
They can go to such as the Center for Internet Security, which has a great election place; Belfer Center at Harvard University also has one; and then the DHS also has a collection services place where people can read up to, you know, make themselves more confident that things are being addressed and we will have a secure and uneventful.
Yes even in 2020. That makes sense to me it all combines though into a single threat. Right. Which is the single goal for the attacker which is to reduce the legitimacy of the U.S. government in the mind of its citizens. Right. And it's all about this polarization. There's actually a conversation about how a lot of social media networks are trying to optimize for predictability in the user. Right. They actually don't want someone who's going to not be
sure what to do with a piece of content. They want someone who's definitely going to like or hate something. And when we're training the algorithms we're actually training them to teach people to be more polarized which is which is kind of scary. And that's why I think I think we do have to worry about the 2020 situation because it's one thing to say well we should just take better sources.
I think the problem is if they believe they have good sources they're not going to search for better ones. Right. And if you know what I mean so it's like basically. I think it was Hitchens that said if you have someone who doesn't accept evidence there's no evidence you could provide them to convince them.
I would agree wholeheartedly with that.
Right. And so again I just. There's no way you're going to come back I have no.
No way to offer any solutions in that regard. In my personal view what we're seeing here are classic psychological operations being done at scale to influence elections that.
Are Done. That's that's that's right.
Yeah, I agree with you. I mean, what do you think are the main threads, like what are the main messages that they're trying to, like, advance? I mean, what we saw before in 2016, it was very much along the lines of what you said earlier, which is divisiveness. So they would find these niche groups that felt very strongly about a small topic and then they would inflame the counter side. In fact they organized a physical one in Texas. I'm sure you heard of this one, where they managed to bring protesters from both sides of a topic and arranged them in the same physical location, presumably to try to create an actual physical altercation. But it seems like they were doing that over and over with various topics. So that seems to be one like a tactical view, to do it at a small scale for a small number of issues and get people really riled up about a specific thing, but it seems to me like there's an overarching, you know, strategic narrative, which is you can't trust the election system because it's all bad and it's all fake news, and that just makes people want to check out. And it also makes them want to not accept an outcome if they don't like it. Yes to all of that.
And the grand strategic play that's been done on the world stage, in my view, is that Russia, China, Iran and North Korea, right, are trying to create this divisiveness so that we will end up with this position that we've got all these things happening at home. We're not going to engage anywhere else overseas when something else is happening. Right. That we normally might get involved in
but we go ahead. We've got too much at home dander or we can divert our time and energy to focus on those other world part that a really one 100 percent.
I think they're basically trying to get us basically trying to get us out of the global theater because we're too consumed with our own internal strife so that whoever can step up right. I think particularly Russia.
Would love to see that happen so they could regain some of their previous glory right.
Yes, that's exactly right. But don't discount the, you know, the Chinese in this either, especially within their region of influence: right now Hong Kong specifically, Taiwan, Vietnam. I just saw a news report, right, the other day saying that the Philippines may back out of the defense protection, you know, pact. That's dangerous for us if that's to happen, in my personal view.
So the Chinese are going to be heavily targeting elections within their within within our post Asian region. So look why we focus a lot on the Russians and our own. The Chinese are actively doing this and in Asia.
Oh that's a great point.
And then they could potentially do the same thing internally with causing strife internally because that would be one less person aggravating them overseas telling them not to do those things. For example if we were so consumed with our own problems maybe we wouldn't notice or wouldn't be able to act if they wanted to Taiwan.
That's right. That's exactly right. And then if we look at the Middle East, right, the Iranians are heavily involved in election hacking too, because they're trying to influence what's happening, right, with the Gulf States and causing uprisings there too. So it's a world problem, just a world problem, and governments have got to come together. Now one of the things that, you know, maybe some of our listeners are going to be happy about it. What I'm going to say back. But you know, our next real evolution into this, kind of coming back to the Iowa piece, is mobile voting. I am a huge fan of having the capability to do mobile voting.
Interesting.
In that you know as I described my military background I spent a lot of time received most my career I did absentee voting. I would love to be able to just vote at the time and place it by the leader. If I'm deployed somewhere in the world or assigned somewhere in the world. We have a lot of expatriates write us citizens living in foreign countries this stay where you just might be on vacation. How awesome would it be that you could just use your phone to be able to go vote. Yeah and I it's come
it's coming. I think blockchain is a technology that will help us in that regard, which is really totally auditable. It's immutable and it's very transparent and it's secure. We saw a couple of states in 2016, I think West Virginia and Virginia, test drive it, and then, you know, then that will probably get most people's ideas. I'm, you know, I'm just a fan of the national digital identity. Why shouldn't I have. We'll have to have a passport app, a driver's license to prove all this stuff already.
And when I log on and I want to buy something that you know target I shouldn't target No. Yeah it's a road map is right. Here's his national identity.
OK what do you think about that Dan.
Yeah, yeah, I was going to ask you about this. This is very interesting that we got onto this. I was very much of the same opinion for many years: why don't we just move to digital voting, like, this is silly. You know, we have all this technology, why don't we just do it. And after attending the Enigma conference for a few years, I attended multiple election security and actually digital election security talks, and I came away from them with my mind changed. Basically all of them, actually all of them, said we are nowhere near ready. I wonder if it's not possible to say we are ready or aren't ready, because it depends on the population that you're talking about. It depends on the technology you're talking about. But when you mentioned the national I.D., I think that would be a critical prerequisite, because right now we just have a giant mess of different IDs, like who's going to actually make sure that it's you. But what a lot of these talks actually talked about was just how easy it is to break these systems, how fragile elections are already, in that if you moved it to the digital world you would just have even more questions about integrity than we have now.
Well, what I would say is that anything that we do in the electronic age is going to have some type of risk associated with it, because nothing is truly secure, and you know, you're a longtime practitioner in this space as I am, and you know that even closed networks are not closed networks. So it depends to me is how big Hamlet. Let's assess what the risk is, then let's figure out how do we mitigate that risk. And you go from there. Yeah, that's what I would.
Yeah, I agree with you. And I do think it's inevitable. And I do think that's where we should be going. I think the question is really just the cadence and what has to happen first. I think, as we talked about earlier, ultimately the target for the attacker is trust in the system. Right. So yeah, if we moved into digital voting, that would have to be paramount on our minds, is like how do we that if it was some sort of blockchain thing, which somehow blockchain seems to have dropped off the radar in 2020. It seems like fewer people are talking about it, at least in my circles. But yeah, if you were to have a record of every single vote that was done by the different people and be able to say, yes, it was done on this device with these parameters, and here's how they authenticated to that device, and here's the way we could tell it was actually them. I mean, if we had a full life cycle like that that was, you know, cryptographically verifiable, I think that would be a great step.
And I do think it's sad. I don't know.
Yeah. I don't think we're too far away from it. I mean I've not gone to any of those to see what the you know the big enigma conference. You know what you're saying. But I would say if by the next you know in the next four years significant progress will be will be made it made in that if you think about it right. Every day we almost every a lot of America elevated what the markets do their banking every single day. They're comfortable enough with that risk. Right.
Why would they be comfortable enough with taking the risk to be able to have my phone encrypt. You know what. Download the whatever app my state plays is their app and they get it then when I vote it gets encrypted. Goes back to that central database and then gets that gets deposited at any different than the way that they're logging on to make a deposit from their phone to their bank.
Yeah. One 100 percent. I think that's why it comes down to the population. Right. I mean people in our outer circles I think and people listening are gonna be 100 percent able to do that and probably be able to do it securely. But I think there are other populations the elderly disenfranchised groups who maybe don't have access to the same tech. And then you have to worry about. I don't know. I mean security so I'm always worried about everything but it's like now you start paying people
for votes. So the actual vote is a hundred percent correct. But they were somehow encouraged to do that and then you know they did you got to do it already in the current voting booth.
So I think yeah that's still possible now but I would say that your assessment on that risk right is exceptionally notable that we have to pay attention to that. Right. That that certainly could drive up or even outweigh anything else that we're talking about from a cybersecurity perspective is that it's a lot easier to get people to be influenced to be able to go vote for that. Yeah right the way that they want to have it done. And that alone may say we never get there.
I don't know. Well this has been fantastic I guess. Are you optimistic going into this very crazy 2020 election year or are you optimistic for this upcoming election and beyond.
So as a recap, I'm very optimistic that the voting companies, the machines and oversight by state officials is heightened like it's never been heightened before. Where I'm less optimistic is our ability to be able to detect when there isn't enough disinformation out there that is causing appraisal and consternation amongst our American population and get each other.
That is what I believe will remain concerned from from the whole year and I will be watching media very closely to see to see how that happens.
All right. Well General Matthews it's been great having you on.
And I really appreciate the conversation, and again I appreciate your inviting me to come spend time with you here on this podcast. Thank you.