CSPAN Voting Machine Hacking October 15, 2017

Fred: Good afternoon. I'm Fred Kempe, president and CEO of the Atlantic Council. I'm delighted to welcome you all here at the Atlantic Council today on behalf of everyone at Atlantic Council, on behalf of people of pulled this together so its to you every thing were doing and initiative for the launch of this crucially important report, and you know, people standing at the podium say things crucially important. It really is. Hacking the Election: Lessons from the DEF CON Voting Village. Here at the Atlantic Council we operate under the enduring mission of working together to secure the future. This has meant seriously because the founders of Atlantic Council desecration, one of the people who helped found this was Dean Acheson wrote the book of the International Double order. We see that order is being under threat and we see one of the things exposed that most of the threat in the order we created is the advance and the protection and security of democracies. We believe a stable prosperous world depends on building a sustaining democracy, and democracy depends on the sanctity of the vote. In recent years this fundamental quarter to our system of record has come under threat. Unprecedented assault in the United States and Europe are bringing scrutiny and uncertainty to once and vibrant electoral processes. We at Atlantic Council have been doing quite a bit of work in countering disinformation both within our Eurasia Center and in our Digital Forensic Research Lab, cutting edge work. We haven't done yet work in this area so it's a particular pleasure and honor to be associated with this event and the work behind it. In the current geopolitical climate, preserving or in some cases reinstating public faith in the integrity of security of our elections is more crucial than ever before. This can only be achieved if we're able to protect the technologies, to protect the technologies underpinning our democracy.
While much of the discussion over the past 12 months has focused on the Russian-linked information operations with carefully timed a leaks, fake news, Facebook ads recently, recent revelations have made clear how vulnerable the very technologies we use to manage our records can cast a vote in town of results with our, and that's new. We now have alarming evidence of Russian-connected hackers successfully breaching electronic poll books and state and local voter databases in at least 21 states across the United States this recently released by the Department of Homeland Security. You have to understand how careful DHS is before it puts out this kind of information. The technical community including many Atlantic Council experts have attempted to raise alarm about these threats for some years. This some of the experts on today's panel and others concerned about the safety of the vote teamed up with the world's largest hacker conference, DEF CON, to host the first ever, and I'd like this, first ever voting machine hacking village. This determined group invited security researchers to probe to dozens electronic voting machines to dozens. Many of which are still in use today. The hackers were able to break into and gain remote control of the machines in a matter of minutes. These findings from the voting village are incredibly disconcerting. We at Atlantic Council applaud the groundbreaking and tireless work of the organizers to shed light on these threats and this unsettling reality. We believe that transparency is about 80 of what is needed because you have to understand to know the threat in order to get the targets and others to take care of defending themselves. This is a this is a simply a cybersecurity issue but one of the most pressing national security concerns eating at the bedrock of our democracy.
The council's own cyber team is proud to support this critical effort by taking representatives james link of an and will Las Vegas this July, the first sitting congressman to ever attend the conference and witness firsthand this voting village. We are honored to continue this partnership by convening today's discussion and look forward to assisting in the next steps that is crucially important effort. You may have read in USA Today that a group is coming together to try to continue to work and continue to work around this and we're proud to be part of that. Before I turn over to Jeff for his remarks, let me take a moment to introduce our panelists. Jeff is the founder of two of the most influential information security conferences in the world, DEF CON and Black Hat, and he's a senior fellow with Atlantic Council's Cyber Statecraft Initiative and our Brent Scowcroft Center on International Security. Ambassador looked luke is a former U.S. permanent representative of and serving under President Obama from 2013. 017 prior to this and after retiring from active duty as Lieutenant General after 35 years of service he served as the assistant to the president and deputy national adviser under President Bush as well as under President Obama. We had a bipartisan ethos. You've worked in real hands-on bipartisan manner. John Gilligan is chairman of the board at the Center for Internet Security cookies are just president of the Schafer Corporation senior vice president, and chief information officer at the U.S. Air Force and Department of Energy. Sherri Ramsay is senior advisor to the CEO at cyber international, engaged in strategy development and planning. She is the former director of the NSA/CSS Threat Operations Center, that's a pretty big job and pretty significant position where she led discovery and characterization of threats to national security systems. Harri Hursti is a founding partner of Nordic Innovation Labs and one of the organizers of the DEF CON voting village.
He has fascinating insights. I just took a little bit outside this room on this probably would talk about today. He is one of the world's leading authorities in the areas of election voting security and critical infrastructure security, and as an ethical hacker famously demonstrated how certain voting machines could be hacked, ultimately altering voting results. Our moderator today is Jake Braun. Jake is a lecturer at the University of Chicago and CEO of Cambridge Global Advisors and co-organizer of the DEF CON voting village. Jake also serves as a strategic advisor on cybersecurity to the Department of Homeland Security and the Pentagon. So this is a heavyweight group, and we are looking forward to your reflections. Huge thanks for all of you joining us today and joining us online, and thank you for everything you contributed to this work. Lastly I encourage anyone in the audience watching online to take part in the conversation by following @ACScowcroft and at , but using the hashtag #ACcyber. And now without further delay, let me turn the podium over to Jeff.

Jeff: Thank you. Good afternoon, everyone. I'm going to start with a little and then you a couple thoughts on where I think we are going. Have been talking about voting machines for a long time. I think kerry has been poking at them for 10 years. We had one of our first speakers talk about his concept of black voting machines about 10 years ago. It is not new but what is new is the attention on them and the importance they are now playing in our democracy. How did we get here? I am going to blame Jake. National security coordinator in the White House and DHS back when I first securityt the homeland council. I got to know Jake and he was very passionate about voter security during the Obama campaign. We were talking and Jake was saying, you know I bet these machines, there's got to be problems with these machines, right? I said, oh yes.
There are definitely problems but I just don't know what they are. But I can tell you, there has got to be problems. Started going online looking for studies, looking for needsty analyst terry missions apart. You cannot find them. You can find an EVEREST report in 2008, some controlled reports where the manufacturers got the researchers to sign NDAs and did limiting testing but for hackers that does not count. I want to see the pictures. I want to see the trials and tribulations of the hackers attacking these machines. I could not find them but I said, I am sure they are just a disaster. Then a couple weeks went by and he said, you know what? You should get a bunch of hackers to tear these things apart. I said, that is a great idea but we are not going to be able to get any of these from the manufacturers. They are so tightly controlled. You are not going to get the machines or the software. But I started looking on eBay and sure enough, thank you eBay, there were some to be found. We have two of them here that Harri will hack into later. So it turned out we can get our hands on them. These things never get updated. They have been around for like a decade so you can get them fairly inexpensively. So I allocated some space. Got some people together. We started ordering machines and then I realized, I am not a voting machine expert. I can tell you historically what kind of systems have had issues but I cannot tell you the ins and outs specifically. Harri, and some others, who have spent more than a decade looking at the said OK. You get the machines and space and we will run the village. It was fascinating because if you're not familiar with DEF CON, we have about 25,000 people who show up. They subdivide into topic areas. As soon as we announced a voting village I got state, local, county voting officials desperate for information. I have these machines, I've no idea what they do. I have these machines and I do not know if I can trust documentation. Tell me what you find.
We would try to get them to come, would say, I've no budget I can come out. Could you just livestream people hacking the machines? I said, I do not know how much that will help you but we will have this report. It is the first step in trying to change the narrative. As you will read, these machines are pretty easy to hack. This flies in the face of the narrative sung by the manufacturers which is, you have to be an insider. You have to have specific knowledge of the technology. Random people are not going to be able to approach these machines and ask them. They need to understand them and study them to know the context. I think we opened the doors and 35 minutes later, one of the machines fell. It turns out hacking technology is pretty much hacking technology. Automobiles, implantable medical devices, airplanes, physical locks, access control systems, internet of things devices, adult toys, ATM machines. So chances are, yes, we are going to hack your 10-year-old election machine. The difference is now it counts. Now people are paying attention and they were not paying attention 10 years ago. Now it is not a conversation between us and the state and local officials. This needs to be a discussion at a higher, more national security level. I was struck by something professor leak said which was essentially there are two ways to changing government. The bullet box or the ballot box. I thought about that for a while and we spend a lot of money on the bullet box. We have nuclear triads, oversight, testing ranges, we have a large amount of money and technology invested in our bullet box. How much do we have invested in our ballot box? Pretty much comment nothing. It was only just recently called infrastructure. Other important but all of our energy is in the more important bullet box. It also needs to be the ballot box. This problem is not going to go away, it is going to accelerate. Three things made this possible but first we have a three-year DMCA exemption.
Usually you cannot reverse engineer these things for copyright violation. They use takedown notices to prevent researchers from publishing results. Year three was this was year two, next year is year three. Researchers will be able to pick this apart and provide an independent view. That was not possible before. Once remove the fear sort of a litigation and lined up an impressive array of lawyers waiting to defend us if anything happened, we felt confidence going forward that if anybody was going to sue us, we would have enough resources to defend ourselves. DMCA and theth the way we could defend ourselves. The second one was a giant storm where the roof collapsed on a county where they were keeping their voting machines. The county totaled out all of the items including the voting machines. There was no purchase sale agreement on the voting machines. The insurance company did not want it. They give it away to an electronics recycler who then now have the equipment with no NDA and no purchase agreement signed. Now if we get our hands on these machines we are not violating any rules or civil law. The manufacturer contacted them, please, could you disassemble all of the machines and you know, basically take them out of commission. He said, sure. How much do you want to pay me for each machine? They said, we want to use zero. He said, well do you want to buy the machines that? He said, no. He said, well, he back anytime you want to buy the back. And he started selling them on eBay. So ladies and gentlemen, the voting machine. We have this culture of exploring things and hacking them and publishing results. So there was the upcoming DEF CON, the storm, and the DMCA made this possible for the first time. We have been using these machines for more than a decade. This is the first time we get to actually look under the hood. That does not make any sense from a policy standpoint and we need to really understand what is going on and how do we fix that.
We can't run our country like that. When will the next storm happen, right? I want to think about that. I will hand it over to Jake who will go into a moderated Q&A session then we will go to the audience for questions. Thank you very much. [applause]

sit forjust going to the Q&A. First off, you and Professor Blaze were the technical leads running the hacking village. Did you find?

First of all, it is established that all machine is hackable. Was a learning experience. For people to find the truth themselves. People came, said can I touch? Yes, go ahead. The other thing was the speed. One of the people who have been doing these things published a study. Of course if you have a few weeks you can hack it. First of all, if it is a nation-state they have that. They don't wake up all of a sudden. They have time. Work it the scope of took a long time. Right now, I would say that we have less than half an hour. I 10 00, ate door 11 00, it was supposed to be the introduction speech. At the time one machine had already so. The guys who did that said, can we show it? No, I need to go I want to he was at the speech for 45 minutes comic came back. At the same time, he was from Denmark so at the same time during the speech another person from Northern California hacked one. When the introductory speech was over, already two machines had fallen. This technology is very old. For a lot of people who were there, they were not even born when most of these came about. People on Twitter were asking for tools to do this. Aret of the current tools not that much behind. These tools came to be cost 15 may be in New York. Very old technology. Some of the findings and there are so many things but one thing is we followed vulnerabilities which have not been studied before because of the rules of the road of the previous study.
Ad, those vulnerabilities put unreasonable stress to a nonexisting can be hacked anytime during its lifetime anytime it has been hacked it cannot be cleaned. Everything from mainland China to Philippines, you name it, there is element. We do not even know that extension. What extension do they have in the design and building of this? Said the chain of custody when it is in the United States in use, and how did that come to be? Where came from? How can you make sure the machine you get is clean? So these are my opening remarks.

OK. So, Sherri, after spending a long time at NSA what are your thoughts on the relevance?

To follow on with Harri's comments and the comments you and Jeff have made is the first thing you want to do when you kind of look at this problem is figure out what is the target? Is it something people would be interested in? And what is the way for that target to be legitimately hacked? Would it ta