
tv   Facebook Google and Microsoft on Campaign and Election Security  CSPAN  September 16, 2018 4:00pm-5:02pm EDT

4:00 pm
more live coverage tomorrow with jeff sessions speaking at the justice department's forum on free speech on college campuses. watch at 9:30 a.m. eastern. going back to the justice department in the afternoon for a discussion on free speech in higher education and other first amendment issues. our coverage of the conversation begins at 1:15 p.m. eastern on c-span3. app.e and on the radio facebook, google, and microsoft representatives discuss working ahead of the 2018 midterm elections. this is posted by the bridge, a communications organization focused on technology policy and politics.
4:01 pm
>> i am the c.e.o. and co-founder of the bridge which is an online community sitting at the intersection of tech, policy, and politics and real excited to have you guys all here. you can learn more about our organization at the bridge clearly, one thing we are doing is convening people and innovators, regulators, policy makers working in this space. and election security is a huge issue right now. so i thought it would be great to get google, facebook, and microsoft together and the people at those companies talking to campaigns every day trying to find solutions on these issues. thank you again for coming. thank you so much for hosting. let's get started.
4:02 pm
we have lee dunn from google and representatives of microsoft and facebook. i'll just let them give a little information about what they're doing at their companies now and intro themselves. >> sure. hi, i am lee dunn with google. i am head of the international elections outreach at google. we work with what i like to think campaigns, candidates, voters, governments, anyone involved in elections to educate them on our products and services available to them. i put out a brochure with a lot of our products and services. i'll highlight two products real fast. you asked us to highlight for this crowd who i assume is mostly campaign consultants, managers, others involved in politics. the first is called project shield, and it helps protect your campaign website from attack so if you are a candidate and you have your website and
4:03 pm
you haven't paid for some type of commercial security, cyber security layer, this is free for any campaign, candidate, political party, local government. we sometimes have local governments in certain areas that are listing polling places on a website use this to secure their website. so highly recommend you take a look at it. it is no cost. the second product that we talk about a lot in this cycle is advanced protection which is security keys for your personal gmail. i can talk more about that later. both of those are listed in this brochure or you can google either one of them and find them really easily and hopefully we can talk more about how they can help you throughout the campaign. >> great. thanks. >> hi. ginny badanes. i am an adviser on the defending democracy team at microsoft also known as cyber security in democracy. we were formed back in april but we were really part of the teams that already existed in
4:04 pm
microsoft. the reality is microsoft was already thinking about cyber security, already thinking about elections and campaigns. but we realized that we needed to come together in a more sort of cohesive way to address those issues head on. so our team was formed several months ago, thinking about this space in a couple different ways but primarily focusing on two pillars. campaign security which we're here to talk about today as well as election integrity. we've made announcements recently. i'm happy to talk about those but mostly to talk about this important issue. >> hi. my name is don seymour. facebook head of politics and government outreach for the u.s. and canada and similar to lee and ginny we work with federal to local level one-on-one and also at scale on educating them on the products and services we have. and on how they can use facebook and the family of apps to better connect with voters and relevant to the conversation today how they can best secure their
4:05 pm
accounts. a couple things available to anybody, take a look at a new website we rolled out a couple months ago. it is basically a clearing house for all of the information we have. all the best practices for any campaign, everyone running for office, anyone in government who wants to know how best to use facebook but importantly how to secure their accounts. in addition, our safety center we have a handful of tools there that are valuable whether you are running a campaign or not. you can go through a security check and take a look at your password along with other steps. also importantly our privacy checkup can help a person facebook being a social platform to understand better what are the things you're sharing and who you are sharing them with which is an important part of security, as well. we look forward to the conversation here. >> thank you guys. thanks for listening. i plan to ask a few questions
4:06 pm
and then have you ask most of the questions. you talked about a lot of tools. clearly those are out there. having worked in the cyber security space a little bit myself, our biggest issue in the retail space was getting people interested and understanding that having two passwords is like wearing a seat belt and you do need to know these things and a lot of people don't talk about it. i guess has that been an issue for you guys talking with campaign and getting them interested in participating? also, how have you handled the individual versus campaign as a whole security? >> i would say -- >> i would say certainly there is interest i think after the 2016 election cycle. i think you find that people who work in campaigns and elections are aware that they are a target. which is i think new from where it was before. i think they are aware they should be doing things to be
4:07 pm
secure. what you run into are a couple of obstacles. the first is you are competing for attention with getting out the vote, which is ultimately what they're there to do. >> you say attention. do you mean resources? >> that was the next thing. the second thing is resources. even if they recognize and are paying attention, they do not necessarily have the resources to do it. campaigns are like small businesses or startups. they have a small budget. they are dependent on donors for money. they take careful account of that money and are going to spend it on the pancake breakfast rather than spend it on additional security features or an i.t. team in house. those are just not feasible for most campaigns. i recognize a lot of people think oh, there are these huge budgets talking about presidential campaigns though they have a lot of the same challenges as far as competing resources but the small campaigns don't have a budget for an internal i.t. staff to educate them.
4:08 pm
so it is a little bit of an -- a little bit of an interest but it's not that they don't care. i mean, maybe some. but our experience has been they care but they have so many other things to focus on and they don't have a lot of money. allie: how do we get over that hurdle? or what are you doing to help with that in the midterm? lee: at google we have a website. i should plug my website, too, don. [laughter] sorry. has all of our products and services on there for securing campaigns. please go to the website. i think having events like this. i know all of us have done a ton of outreach to the campaign committees this year. there's been a lot of news stories written on this as well. but also having campaigns and candidates tell their stories. and i think one of the things we -- in fact, have seen is really difficult is, one, there is never time to have the security conversation with not only the candidates but the entire campaign so we're really starting to get out there and remind people to have this conversation at least be aware.
4:09 pm
i have seen this cycle that people are more aware when they get an e-mail that they think somebody might be phishing them and trying to put malware on their system. i think there is an education happening out there. it is still not enough. we've gone to a number of political events where we say how many of you have talked about two step authentication on your facebook account or your e-mail account? if you're the candidate? and the majority of consultants and campaign managers say well i talked about it with the candidate and the candidate said they took care of it but i'm not sure. so it's difficult. because it's sometimes uncomfortable and it is sometimes people think they know what they need. and then lastly, i think we encounter a lot of people say, who would want to hack my campaign? i'm running for state senate in one state and nobody would want to know our plan about where to put yard signs. we try to make sure the candidates know there are people interested. you have to secure yourself. everyone is at risk. don: to piggyback on that i think people want to be secure. they don't want to be careless
4:10 pm
with how they handle their information but sometimes they have different ideas and for us, maybe unique to us but facebook has a real identity policy. the account you have on facebook should represent you and be your real name. what we'll sometimes see on campaigns, people will create like one sort of fake account but they all log into and use it to manage their presence for their candidate and that is probably the most not secure way to actually go about things. you have this fake account. our system is looking at different people logging in from different locations. it is going to think it is a fake account. it might shut it down. you cannot turn on two factor authentication if multiple people are using it. sometimes the simplest thing is just using our product the way it is supposed to be used but people don't always do that. similarly sometimes it's like basic hygiene. people created a facebook account 10, 15 years ago they probably used an e-mail address they may not check anymore. sometimes that is an easy way for someone to gain access to an account is by an old address or an old account gets compromised.
4:11 pm
they don't check it. it's basic hygiene. making sure accounts are updated. using the platforms the way they are supposed to be used. allie: the biggest issue with education is having conversations like this. we're obviously not going to leave here with some secret password but i think just getting people to talk about it, it is amazing. now the fact people are talking about this >> it's cool. allie: and very different from a couple years ago. talking about resources. it is not cheap to secure at least yourself or your individual self or the campaign at this point. have you guys had conversations with the government or among each other on who should be paying for security? >> i'll jump in. last week we were very excited that we had a unanimous decision by the federal election commission agreeing to an
4:12 pm
advisory opinion we had requested essentially allowing for us to offer our new service we're calling account guard to political campaigns and committees, federal campaigns and committees. they agreed it was not an in kind contribution. what we were offering fell within the parameters of the existing law. that was really wonderful for us. because that was how we believed it was as well. but we're constantly up against trying to do something to help this community but not veer into territory that gets us into trouble. it is a little bit of a dance to make sure what we are offering is allowable and useful. what is allowed starts with our customers which is a key factor to being within the permission zone. so office 365 customers are eligible to enroll and they get access to education materials, which is really our first pillar of the program because we worked with all our security officials in the company trying to
4:13 pm
understand what can we offer? what can we give these folks to make them more secure? the first answer we got back was education. teach them. work with them. hand in glove. see how you can get them to turn on multi-factor authentication at least for admin accounts if not individual accounts. provide that information. we started education, as well. and then i think one thing we all recognize is an issue is sort of the balance between individual accounts that people have and the corporate accounts or enterprise accounts. another thing we have as part of the account guard is if an individual is part of an organization that is in the program and they opt in themselves as an individual which they'll be invited to do by their leadership, if they have a microsoft account for their personal accounts, they grant permission for us to not only notify them if we detect an attack from a nation state across their individual account but also asking us to notify the organization that they're a part of.
4:14 pm
and so what we do in that case is kind of close the information gap that we can see happening in these cases where individuals are targeted because of an organization that they're affiliated with. potentially because of communications they've been having over the individual accounts. and it allows us to work with them to kind of close the information on that. allie: when you say individual account you mean if i work on a campaign and i have a personal account that is outlook or my microsoft family what if i have one that is gmail or something? have you had conversations among, as tech companies, even if it's just yes we have and we're all talking but about maybe just education but what, you know, what campaigns can do? your twitter account is just as vulnerable as your e 24 account or your grubhub account. it's not just your e-mail. lee: especially if you use the same password for every account which people do. [laughter] a lot of times people divulge their password is 12345 for all of those accounts. we talk a lot.
4:15 pm
we do events together. we feel we're all in this together. if one service you use is not secured but others are secure you're still vulnerable. and we still all feel it so we come together a lot. just on e-mail i'll say real fast and i know, don, you want to jump in here but for us on e-mail, you know, we always joke that campaigns are the world's greatest start-ups like we said and generally start with the candidate using maybe an a.o.l. account to talk with the campaign manager they just hired who has a free gmail account then to talk to the yard sign person they just hired or the digital ads firm they just hired that might have an outlook account. >> or volunteers. lee: so they're all talking on individual different platform e-mail systems about sensitive campaign information. at the very least we always talk about and people have heard us talking about this two-step verification or authentication and what that really is on any of our platforms is the ability to be notified when someone
4:16 pm
tries to log into any of the sites from a different location that hasn't been seen before. it can text you on your cell phone. it can send you an e-mail to a different account. it can notify you some way. i would say if anyone is looking to improve their security right now on e-mail or on facebook, just google or bing two step verification for whatever e-mail you use and it'll come up on any server and send you that way. so we really encourage people who are using individual e-mails to get a campaign started to do two-step authentication. and we're trying to talk to the campaigns about -- and ginny and i have had a lot of conversations about this. as the campaign grows what is great about our e-mail services today is that they are scalable. so if you start with two or three people on the campaign and, you know, an office 365 account could be great for you with two or three people and be able to grow to 12 people by the time you have a full fledged campaign six months down the road. same thing for gmail's enterprise service called g
4:17 pm
suite so it expands as your campaign expands. the good thing about enterprise e-mail systems is it comes with its own security layers as well as an administrator. so we constantly try to educate and tell people why maybe being on this e-mail could be better security and more collaboration. don: in addition to the education, e-mails or notifications or work with individual candidates we've taken steps this year to start requiring things like two factor authentication under certain circumstances. for example on facebook now which i think folks are probably familiar with but if you want to run an ad with political or on an issue of national importance in the united states you have to go through an authorization process. part of that includes turning on two factor authentication for your account. anybody participating in that system running those advertisements they have to have that security feature turned on.
4:18 pm
same thing people who now manage pages have large reach in the united states. we rolled this out a couple weeks ago. similarly have to turn on two factor authentication. in addition to the education and outreach we are making it a requirement when you engage in certain activities which i think is a good thing. allie: in addition to education which, of course, is the biggest issue, what, clearly, right now the way that the -- you were just talking about how you guys changed the process for facebook if you're a campaign. how many people in this room are working on campaigns or are representing a campaign or have? i guess in the past, like how many of you are coming from that angle? the other side would be vendor types would be the rest. right? and then hill i guess would be the others? ok. one. great. one question a lot of people have is kind of what, what else may change, i guess. like what do you, you know, we've changed political ads now. what else are you guys seeing as the sticky issues that you're
4:19 pm
going to have to work with government on or that, you know, campaigns that you foresee in the future i guess? ginny: a big advantage of working with these tech companies is when it comes to security there are people on campus who are thinking about security all the time. when we talk about multi-factor authentication we are talking about the technology that is commonplace right now but what i am excited about is where the security technology is going. biometrics and a.i. around it. there are some real great possibilities for better security moving forward. with that will probably come some regulation and that sort of thing. when i think forward for this community and how they think about security i'm excited to see what new stuff our smart guys and girls back home are working on. lee: for us this cycle i think there's been a lot of education on two step, two factor, sometimes mandating it on certain platforms. that is a real learning this cycle. as we look to 2020, we've talked
4:20 pm
about security -- some articles have come out recently talking about google employees have used security keys on our gmail for years and have not experienced a massive hack. just last week we rolled out security keys available to g suite users. if your campaign uses a g suite the titan security key is out there and we highly recommend it. if you're using gmail for personal there is the advanced protection which is a security key you can buy online, both available online. both you could google. the barrier is the security keys run anywhere from $10 to $50. which isn't a lot but it adds up to a campaign and so i think what we'll see next cycle is that campaigns will be more educated about how security keys are really strong for the risk environment and invest in them is what we're hoping. for the majority of americans, two step verification is generally perfect and good security for using gmail or a
4:21 pm
lot of other different platforms. but for this population most at risk for hack or phishing which is campaigns and political consultants and candidates, we really are trying to encourage them to think about security keys. it is a technical barrier people have to learn but i think we'll get there with 2020. don: for us, too, in addition -- one big thing is making it easier to use the two factor authentication. you hit the nail on the head. we recently enabled other tokens in addition to the phone number. one element to making the process easier to use it. another one for us would also be when it comes to phishing like bad actors use fake accounts to do those things. it is on us to keep doing a better job of stopping the creation of bad accounts. which we do on the order of millions every day we stop either at the point of creation or 98% before they're reported but stopping those fake accounts that people don't even get the chance to go and try to phish somebody and get their information. allie: you're not going to put a
4:22 pm
number on that but what you guys see as success in 2020? would it be working with campaigns to give them to them in bulk in terms of resource and money and who is paying for it? i do think having worked on small campaigns and big ones budgets are just maybe not there. and this is definitely not priority. maybe that will change. what would you guys say forecasting to 2020 when we're past the midterms now but what would be your hope for success? don: i would hope we'd have everybody running for office or in office have two factor turned on. using a real account to manage a page on facebook. allie: you think it will take until 2020? don: way before that. we're trying desperately. at the same time that looks like a combination of making sure people understand how to manage the platform appropriately. on facebook if you manage a page there are a variety of different page roles and keeping track and making sure you know, someone is
4:23 pm
on your campaign today and they leave tomorrow you should remove them so they don't have access. a lot of operational things. to me making sure people understand that and have the security features turned on. that is pretty basic but that's success and something we'll keep working on. ginny: i think the tactics are really important and the success might be more in a show of culture change which might be reflected by the staffing on major campaigns. will there be a c.i.o.? is there going to be someone with security in their title? not just on the presidential level but are senate campaigns, gubernatorial campaigns going to start prioritizing people in those roles? if and when they do then they'll start having budget and when they start having budget we'll start seeing these things deployed. they will make sure they have security keys. they'll make sure they have enterprise levels, e-mail solutions. so what a lot of us are working toward and others in the nonprofit space for example i can't believe we've had a campaign security panel, shout out to the belfer center at harvard.
4:24 pm
they've done excellent work around the education piece as well. a lot of what we've seen is a push and shift and a culture change within the campaign community to start prioritizing this. lee: she is dreaming big and i want to dream big, too. for 2020 when campaign staff come in and they're trained on how to go door to door or even campaign finance rules, if there is a training on e-mail security, platform security, that would be a huge shift for 2020 for that to be part of the initial training to join the campaign staff. i'll give one more shout out for the belfer cyber security playbook. if you are watching at home or in the audience and are still wondering how to tackle this issue, just look for it. it has great information. allie: do you know of any campaigns that have a ciso-ish type person or do you serve in that role? >> are you available?
4:25 pm
>> ginny: this is my aspiration for 2020. it is not to say that there aren't. i bet there are senate campaigns that have someone with that authority. they might also be the chief data officer. allie: not even authority but just thinking that way. a totally different way to think. even when one of you guys mentioned when people leave the campaign, i've left -- i won't say that on tv. people leave campaigns and they just leave. they keep their computers. you just charge them for it. things happen. very quickly. but if there were an offboarding process like on most, you know, there is a whole process and you kind of go through it and you don't have access anymore. don: i can say from experience this is my third election cycle at facebook and the conversations we have today are totally different from 2014. people at the time just candidly weren't talking about security the way they do today. that by itself, to the point about a cultural shift is a good and positive one and is happening. still a long way to go. the conversations are totally different. allie: in terms of that
4:26 pm
conversation, how are you guys working with the federal government and what do you see as regulatory hurdles to actually getting work done, talking about success in 2020? obviously, a lot of those things are regulated by the government or they're just places where you guys step in and just offer services. where kind of are the lines on that? >> making sure we're all in compliance with the federal election commission in contribution is always something we're constantly ensuring that we're doing. lee: i think figuring out how to talk with them or work through the existing guidelines to make sure we're offering the best security features and consultations to this at risk audience is important. i also think i know all of us have met with, for example the d.h.s. election task force and we continue to do so. we talk to each other. allie: on a regular basis? lee: we speak with the government on a regular basis when necessary and we also
4:27 pm
speak with each other. and i think the collaboration that we have with each other as well as government being more aware of how they can be a resource to campaigns, election officials, secretaries of state, local county election clerks, is a really big collaboration between all of us. because we generally speak a lot to campaigns and candidates, voters, d.h.s. and others are speaking to the election clerks. that's a whole nother audience we continue to talk to but they have more of a direct line for example. >> another panel for another day. ginny: i would say that we -- everyone on the stage recognizes this is not a problem. the problem we're all facing right now is not one that can be solved by industry. it's not one that can be solved alone by government. what we've really appreciated, i don't mean to speak for you all but what i've appreciated is the fact n.g.o.'s, academia, government, specifically the teams at d.h.s. doing great work
4:28 pm
this year are all coming together and recognizing this is not something one entity can solve alone and it is going to take a little bit of effort from everybody to improve the situation. allie: what would you guys say is the biggest threat facing campaigns right now either in working with them or what you see on the cyber front? lee: i would say being lackadaisical and not thinking about the issue or being naive to think that the issue isn't going to affect them. we hear a lot of times from smaller campaigns. i don't even have an opponent. why would anyone want to hack me? but it's important to never let your guard down and use these tools to secure yourself even if you don't have an opponent. even if -- you know, no matter what. allie: in terms of tactics used by attackers though would it be phishing or what -- that's probably the biggest one but are there others you're seeing that are top three going into 2018 and
4:29 pm
then going to 2020 does it differ for presidential, larger campaigns versus senatorial campaigns? don: from my experience it is something i already mentioned which is people who already use fake accounts which gets them into a whole host of issues or that use credentials that are outdated they don't check anymore. by far and away. a lot of people reach out to me all the time and an account is compromised because they have an old e-mail address they don't check which sounds super specific but i see it all the time. by far and away across the board federal to local level, up and down the ballot, is what i see. simple hygiene things like accounts you actually check and turning on two factor authentication critically important. ginny: when we talk about phishing a lot of folks in this space don't recognize there are different types. there is the generic phishing where you can tell the second you look at it this is not real. i can delete this. then there is spear phishing where if you are a big enough
4:30 pm
target or you yourself don't have to be but you are affiliated or connected to an organization or someone who is i would not underestimate the lengths to which an adversary will go to get you to click on a link. they will craft e-mails that look like a very real e-mail and they will create websites that look like real websites. and drive you to them and get you to enter your credentials. part of it, i know it goes back to education and there is a reason for that which is because people will think oh, i know about phishing and the nigerian scams. i'm not going to fall for that. they may not recognize if they're being targeted, if they're not paying close attention they may not notice. then there is the whaling where they are going after one particular person maybe the candidate or the campaign manager and those efforts can be astronomical and sometimes really hard to see past. that is where having an i.t. infrastructure set up that is resilient and can make sure you
4:31 pm
don't, if you do get to that one big person you don't get into the admin sites can be beneficial. but it is going deeper on the topics like phishing where a lot of education may be missed right now. lee: ginny and i both have browsers and sometimes having people who go to these sites that have malware where both of us have browsers that alert people when you're going to a site corrupted with malware. however a lot of people don't acknowledge the warning and go forward. so again, it goes back to education. a lot of this can come from e-mail, from a platform, or it can come from even browsing. being aware is a really important part. allie: i'll do one more and then open it up. what sort of guidance, you mentioned meeting with d.h.s., f.b.i., i know you guys have met in groups. i know you obviously talk to them every day. what sort of guidance was the government giving you guys now on this from the federal side?
4:32 pm
ginny: i think the collaborations are less about either of us telling the other one what to do even from an innocent guidance standpoint and more just making connections and opening lines of communication. i haven't really heard anything that would be a guidance for us directly from any of them. i don't know about you all. don: i agree. it is more just about for the candidate making the connection and having the two way conversation and sharing. lee: yeah. i think they are happy to hear about our outreach efforts and frankly sometimes magnifying our outreach efforts and our products and that's really beneficial. don: right. allie: one last one for me. do you guys -- how are you working with the committees? obviously there is the rnc, dnc, and all that. and also vendors. i mean, campaigns are small so they outsource a lot. obviously, the national campaign is a way to enter a campaign.
4:33 pm
a campaign is a way to open the door to a national committee which has tons of donors and people who are not being educated by you guys. what is your guidance on that issue? don: i think the committees and vendors especially the larger ones are excellent multipliers. it tends to be campaigns managed by a great vendor or agency and have a great relationship with the committees that are in best shape. they do a great job making sure they are secure and following best practices. from that perspective terrific. but there are still people not necessarily captured by that. that is where a lot of the additional scaled outreach comes in. ginny: we hold a series of cyber security trainings, we held them a couple months ago in d.c. and when we were deciding who to include, we wanted to make a small enough audience so they'd get enough out of it, we included the vendor community because we recognized they are the front lines in a lot of cases when it comes to technology. allie: who do you mean? ginny: the folks who do -- several are in the room today -- folks who do digital work for
4:34 pm
campaigns and committees or do data work or they are even i.t. infrastructure setup -- don: they consult. they run ads. they do everything. ginny: a lot of times the front lines from the technology standpoint because the campaigns a lot of time will outsource a lot of that work. we also included them because for the same reason. we recognized they were really vulnerable as well. allie: what did you do at those trainings? i know who came. what was the outcome? ginny: we went through, we brought in the internal team from redmond who does security because we thought rather than having us talk to them about the high level stuff we'd actually bring in a team that does this on a daily basis. they are actually our internal i.t. security team. we went through things like threat landscapes and threat modeling, trying to make sure that the folks in the room understood really what they were up against and how companies like microsoft view that space and we went through things like how to develop an app, security, cloud security. you were talking about devices earlier.
4:35 pm
we recognize that bring your own device is just the reality. but the truth is it is the reality of the company like microsoft, too. i have my own phone i brought on my own but there are ways to do that securely now through both policies and technology. we walked through some of the policies that we put in place to ensure a device is updated the latest i.o.s. or whatever system you're using. and talked about how they configure things like the cloud setup. we had practitioners there who do the day-to-day work on the i.t. space but those were the topics we went over. lee: the committees and vendors are great validators for all of us and reinforcers. sometimes i joke with some committees they should tell the candidate or campaign they're not going to return their e-mail until they show them they are using two step verification on that e-mail. but i think they're really great validators for all of us and great educators and great resources for us to talk about our tools when they push a lot out to the campaigns and candidates. really helpful.
4:36 pm
allie: great. i think we'll take your microphone and if people have questions raise your hands and if you can say your name and organization you're from that would be great. nobody has any questions. ok. >> my name is bobby and during college and first job after college worked on a campaign. two years later, now working in a lobbying firm on behalf of a cyber security firm focused on election security, i just absolutely cringe with how little i knew then and how unaware i was and how commonplace that still is. so thank you. i think this is a really important topic. lee, my question for you, sort of, and forgive me if i'm veering off into this sort of election space. i know this is focused on campaigns. but obviously a big part of this
4:37 pm
is sort of foreign and general interference at the state heavily, as well. could you all -- maybe lee you first, sort of talk about your interactions with county clerks, secretaries of state, board of elections, how it differs? lee: yeah. we work with the national association of secretaries of states as often as possible. first i'll tell you how we work with them in a civic minded way is as we get closer to election day we work with each of the secretary of state websites that has information on who is -- what is necessary to go to the vote. if you need an i.d., where the polling places are, how do i vote, how do i register to vote? we're really proud of that work with the voting information project. and the national secretaries of states that then when the user has their location on and searches, what do i need to go vote? how do i register to vote? that we are able to surface that information to them really
4:38 pm
quickly and authoritatively from the secretary of state website. that's been a great collaboration. we're really proud of that. that's also given us a gateway to talk more about more security on their own. it could be anything from why we think g suite and our cloud services could provide greater security on voter data or it couldn't just include reminding them that even when they go home at night if they're answering e-mails on the work computer we have a product called -- i have to look myself -- outline. which is a private v.p.n. it might be a helpful tool for a county election clerk maybe doing some work at home at night and then possibly an unsecured internet connection to use a private v.p.n. to further secure and encrypt their messages. also talking to the secretary of state and election clerks about their own personal e-mail and watching for hacking or phishing that may come through a personal e-mail. that they might use on a work computer. so great education tools with
4:39 pm
them. i think they've been great partners. and i think they're great also amplifiers for all the different types of work we're doing. i think you have all worked with the national association of secretaries of states as well. allie: do you see different threats coming from the secretaries of state versus elections and campaigns? lee: one thing real fast. i talked about this earlier. one way to hurt a campaign and an election or an election is to hack into a website that lists the polling places, right? we offer our product, project shield, the free cyber layer to anyone who is running campaigns, elections, election information. for a really small town election clerk not paying for a commercial cyber security layer on the website this might be a great tool. we've really worked with the election clerks especially on the local level to utilize this
4:40 pm
tool. don: our interactions have been similar. from a civic perspective we launched a voter registration tool in all 50 states preprimary so you can register to vote or help your friends register. it is situations like that and also elections integrity where we interacted with the national association of secretaries of states and individual secretaries and boards on how the products work. then all of the activities we're undertaking on our behalf to secure the activity on the platform. the same kind of interaction. yeah. allie: next question? >> my name is amy. i work at political consulting firm called resonance campaigns where we're one of the vendors you guys are talking about where we serve nearly 100 campaigns and organizations that do political work. but we're a small company and there aren't that many employees and definitely not enough to have one of them being a -- like a chief security officer or chief information, anything like
4:41 pm
that. so what is the best way for us to maintain security when we're having lots of confidential and, you know, really sensitive information from all of these nearly a hundred campaigns, what is the best way for us to go about having someone that is there monitoring our security or are there companies or vendors we could use or training that you have, what is the best way for us to go about that? lee: when you talk about communicating securely, one thing i don't think we've mentioned is there are a couple really great encrypted apps you can use for information sharing. if it doesn't need to be in e-mail if you can do it over wickr or something like that we all -- i guess we recommend you use those kinds of tools as well. that is the same thing we'll tell the campaign community. ginny: and then a lot of the same security recommendations apply. we also do trainings in d.c. and
4:42 pm
elsewhere for, around security we would certainly welcome the vendor community to do as well. but a lot of the same things apply as far as looking out for phishing and having a culture within your organization be aware of those kinds of attack. lee: if you can go back to work tomorrow and ask everyone to have two step turned on on whatever personal e-mail they use, two step on the facebook campaign. whatever you use for enterprise e-mail whether google or microsoft or some other type of vendor make sure the administrator has two step and other security features turned on would be really important. and then remind the campaigns. when they e-mail a really sensitive document to you, maybe their ad buy or their town hall schedule, asking them do you have security features placed on your e-mail if we're going to start communicating with this type of information? lastly, making sure their websites are secure as well. so again, vocalizing this to them would be really helpful. >> you'll be happy to know a lot
4:43 pm
-- especially in places in high level campaigns they've required their vendors to do all of this. >> success. >> hi. thank you for coming and having this panel. my name is maureen. i'm with ragtag. we are an organization that organizes tech volunteers to help campaigns. so one of the things we're working on right now we actually just launched campaign help everything you have spoken about has spoken to what we are hoping to try to help especially smaller campaigns that don't have i.t. staff as you were describing implement the recommendations in the belfer center's playbook. so it's campaign help ragtag is the name of the organization. it is a help desk the same way a
4:44 pm
big organization has an i.t. help desk and you submit tickets it'll work the same way. we are also offering training so we'll sit down usually online with campaign staff or volunteers and walk them through setting it up. it is not ok to have a facebook account managed by several people. this is how you do it. by the time they are done with that training it'll be done. so my question for you then is what are some of the additional challenges you see in engaging people on their private accounts? do you find they're more receptive to talking about security on their campaign accounts? how do you bridge that gap? ginny: first, thank you for the work you're doing. it is great to know. we get questions from our employees often about how they can be helpful. i may be sending some people your way to look at ways they can be helpful. it is not so easy to plug them
4:45 pm
in necessarily and that is a great way to use their skills. what was the question? yes, private accounts. thank you. i would say on the private accounts, our biggest challenge is that we don't -- the private accounts we're talking about tend not to be microsoft accounts, so we can encourage them to go to their facebook and twitter and their instagram and pinterest and get them thinking of everywhere they have a log-in. we can encourage that. it is not our products as much. i don't know if they're as tuned in when we're speaking to that. it is probably not what we're emphasizing quite as much when we say generally private accounts. i don't know if people think the extent of the accounts they have set up and the security they need to put on those. that is the biggest challenge i'd say we face. allie: to follow up on that everything from your delivery food accounts to your twitter to google that's what you're asking about? what, in terms of looking forward to success in eight, 10, maybe cultural shift so it'll take a while but what -- how do we fix
4:46 pm
that? are the companies going to work together? is there some sort of regulatory mandate? lee: i would highly recommend password management system and google has one through chrome. a lot of other companies have one. it's another tool we suggest a lot to candidates in particular who tend to be a little bit more lazy or lax when it comes to passwords and management. i think it's a real education. we tend to see sometimes, ginny and i have talked about this where they use microsoft on the enterprise side and gmail on the personal side. that is another reason we partner as much as we can because people are generally touching our products in different ways in different parts of their lives. so if they're following the security rules on their campaign e-mails and official protocol e-mails, just telling them they should be doing the same thing on their personal e-mails and might even be more susceptible because they're not paying as
4:47 pm
close attention to what is coming in or who is mailing them a document that they should open. don: the only thing i'd follow up with i suppose is at least on facebook, you have to use your real account in order to manage things. that is the best and most secure way to do it. the only thing i would add is we have a product called business manager. business manager is a wonderful suite of tools if you actually manage a page and have lots of different entities taking action. if you're a campaign and you work with an agency who is maybe running ads or doing other things on the page, it's -- a better way to setting up who can take action on the page. simply educating people to help set permission levels and manage the page more seamlessly is something we try hard to do. first things first. if you go to the website like we walked through, here are the steps to set it up and the different blueprint services, an online training system much like
4:48 pm
15-minute trainings on different products. it walks people through. this is how the business manager works. in the spirit of helping people better separate a little bit their personal activity from business activity and make their pages more secure. allie: anybody else? only from the middle. [laughter] >> you talked a lot about what i would call standard practices good for any organization. could you talk about challenges that arise specifically because you're in the political arena? you've alluded to some of them about the multiple users for a single page but any war stories about very specific things that have happened? would you consider for example cambridge analytica to be a security breach or challenge or was that just normal business? don: no. i think your question is a good one in the sense that for campaigns, we've talked about this a lot, you have lots of people coming in and out. that's one.
4:49 pm
people who join a campaign and pop off. i think that by itself creates security risk, at times. if you have someone only affiliated with your office campaign and are suddenly gone, you want to make sure they are removed and don't have permission. if you have a single account from which you're managing and everyone is logging into it that by itself is more insecure because the systems have less to go on. somebody working over here logging in and someone over there and all sharing a password by the very nature it is less secure. simply taking basic steps -- those are things we've seen across the board on campaigns. they are the greatest start-ups. people coming in and out and moving fast. managing these things smartly, using your real account, turning on all the features we all have are going to be the best. that applies for everybody but especially campaigns. >> one thing particularly different in the campaign space, not entirely unique but a little more than others, is the use of information as weapons. the weaponization of information. ginny: typically when companies are setting up their structure
4:50 pm
and protecting against attacks they're protecting against attacks that will be looking to somehow have a financial win, whether they are trying to have their information held for ransom or something whereas in the campaign space we saw this sort of new element, which is the weaponization of information. that being said the tactics you would take to protect yourself actually aren't that different which is why while we're up here what we are talking about is probably the same rough conversation we would have about a small business protecting themselves because the reality is the steps are about the same. what is different is maybe what is at stake and the threats that they face. lee: i would also say another challenge we see is campaigns are constantly looking for volunteers or donors and that they are getting emails from all of these people they have never seen or met before from various e-mail platforms. it is hard to be on the lookout for, you know, maybe in a more corporate setting you only get e-mails from a certain type of other corporate entities that are more familiar with a domain name or something of that nature. on a campaign if you're
4:51 pm
organizing volunteers or donors or door knocking, you're getting e-mails from multiple different people and it's hard to say this looks suspicious. this doesn't. and that is where you really need to rely on making sure you have the technology like two step and watching for signs of malware or not clicking on an opening a document or a website from someone where you don't need it. maybe, you know, asking them to send it as a p.d.f. or something if you're suspicious. >> i was just going to ask, weaponization definitely but i think also like bad actors i think there's a lot of focus on campaigns. and even volunteers could be a bad actor. so i think in a corporate environment like what ginny was saying there is a lot of focus on protecting the c.e.o. of a massive global company. this hasn't always been that same protection for a senate race. maybe a presidential. but i think getting people this -- there is interesting. it's like those processes to
4:52 pm
come in and out definitely aren't seen as much as they are in the corporate world. don: getting everybody on the campaign, especially senior staff, you might have digital staff who manage a presence or work with the products. they might be buttoned up but sometimes it may be a senior, maybe a chief or campaign manager or director or somebody not really thinking about it so they don't take the steps they should. it is getting everybody on the campaign to take it seriously and take advantage of what we have to offer. >> hi. my name is nick. i work for a company called cofense. we actually provide anti-phishing solutions and services to organizations across the world and specialize in phishing awareness training also known as phishing simulation training. we actually brought that technology to market in 2008. first of all, this is extremely relevant. and your insights are fantastic. i applaud you all for being up here. thank you all for your time. this is fantastic.
4:53 pm
so as you may know, october is national cyber security awareness month. and it also backs up to a major election cycle. so with that said, and understanding that phishing is a primary threat, especially for candidates, campaigns, and consultants during this time of year, how can organizations like ours that specialize in defending this specific threat help boost your existing efforts to help these folks become more secure during this time of year? allie: make yourself available. lee: go on tv. go on radio. what are campaigns and candidates doing in october? watching a lot of tv. listening to a lot of radio. reading a lot of articles because they are looking to see themselves on tv or hear their own commercials. >> that is definitely the plan. lee: yeah. >> outside of that, are there other ways we can partner and continue working together as a community of technology leaders
4:54 pm
to help those stay secure when right now there is an immense amount of targeting especially through phishing as a threat factor? one additional anecdote, we talk about malware blocking and things like that. all fantastic. something else to keep in mind, too. you mentioned there are different types of phishing and strains of phishing. the f.b.i. put out a p.s.a. about b.e.c. does everyone know what a business compromise or c.e.o. fraud attack is? no? it is essentially a phishing attack but instead of delivering a piece of malware or something designed to take over a machine they are posing as someone in the organization, targeting someone with fiscal responsibility, say the director of accounts payable, and saying, hey this is the c.e.o. we really need you to wire this money to the client. it is an emergency. they never got the pay-off. we need you to wire this money to the donor or whatever the case is
4:55 pm
and there is no malware. there are no attachments. it is highly targeted. and manages to bypass perimeter defenses like clockwork. the losses total for this type of attack alone, $12.5 billion for 2018. so like i said, what can we do to provide our thought leadership, research, and the things we're doing in the field in the wild as we call it every day to boost your continual efforts and help educate organizations that there are other attacks that may not even look at the deploying of malware but deliver highly targeted spear phishing attacks? ginny: they can be very successful. while campaigns don't necessarily think and we're not talking to them as much about those types of -- those typical fraud is still something they have to face. because they may have treasury set up and checks are going out the door fast. it is a relevant point they should also think about protecting their finances and
4:56 pm
the hard earned money from donors. amplification of each other's efforts is always great. when we see google do something cool or facebook we retweet it. we talk about it. our executives talk about it. and so there is sort of this broader community again going back to the theme we're all in this together where when we see our peers and those in industry doing cool work we are happy to talk about it and we love it when they do the same thing for us. >> we all create a lot of collateral. lee has the brochure. we have the safety guide and we produce a lot of things, whether help center things or hard copy collateral, we ran print ads a few months ago like identifying misinformation and things. like the more we share each other's information the better. lee: please reach out. there are brochures for ginny and i. don: mine are on poll lee: also security keys for personal e-mail if you are not a campaign, not on a campaign or federal government employee you're a vendor consultant
4:57 pm
please take a kit and let us know. allie: i was going to say i missed the organization you are from but the last organization i was working with we worked with the f.b.i. and did a road show around the country about b.e.c. compromise. i think events like this are great. i think people don't really understand the value of events like this. you guys should stay and talk to each other. talk to these three. i am happy to talk to you, too. make sure you're talking to your peers. partnerships on just events are really valuable for a lot of campaign staff, government staff. the government also wants to partner. sharing information is a huge issue in cyber security but quickly industries as a whole are getting over that battle of sharing information. so maybe political parties will be next. who knows? but i just wanted to say partnering on events on workshops, maybe you guys can partner with microsoft on the next one or something. it's kind of great. we are being cut off. i do want to say thank you very much again.
4:58 pm
check out the if you want to learn more about us. and for everybody in the room please do stay. talk to each other and talk to these three. thanks again. don: thank you very much. [laughter] -- [applause] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit] week, newsmakers interview senator patrick leahy, a former chairman of the judiciary committee. one of the subjects is an allegation that supreme court
4:59 pm
nominee, judge brett kavanaugh may have assaulted a young woman when he was a teenager. >> is it appropriate that senator feinstein now, at this moment, a week before the senate judiciary committee is going to vote, makes public this letter and asks to investigate? i thought it was the people doing the background check. ifwould be inappropriate is she had an allegation sent to her and did not have somebody look into it. >> but she has had it since july. >> all of us are very very careful and act with integrity. i think about what would happen if there was some kind of aftertion and
5:00 pm
confirmation, some peace and we have to ask about this. this is a problem that happens when you rush something. when we get the very last minute. i had things i wanted to ask judge kavanaugh about in the hearings, especially some things in matters for committee confidential. i said i want to ask questions about that. it.ould be able to use about 3:00 in the morning, they said ok, you can use it. >> if senator feinstein had never shared this document, you think that would've been an appropriate? going to do is allow the people to do the background checks. let them make the decision. i was a prosecutor for eight years. let's get the evidence. let's make up our mind based on
5:01 pm
that, and i found the people that do the background checks, whether it is a republican or democratic nominee are very professional. if given the time to do it, you have to rely on them. senator leahy, vice chair of the appropriations committee also discusses federal spending. you can see the entire interview on c-span. and listen on c-span radio watch online at thursday morning, watch the senate judiciary committees debate and vote on the nomination of judge brett kavanaugh to the supreme court. is successfully nominated, he could become the deciding vote on major legal issues that americans care deeply about. --i now removed

