CarahCast: Podcasts on Technology in the Public Sector

Ready for 2024: How Coordinated Vulnerability Disclosure Can Boost Election Integrity and Public Perception

Episode Summary

Join our webinar focusing on the imminent 2024 election concerns. A panel of cybersecurity and election integrity experts will uncover new coordinated vulnerability disclosure (CVD) practices, sharing insights from recent hacker challenges and discussing how CVD can fortify your security measures while enhancing trust with constituents.

Episode Transcription

Alex Rice00:00

Good afternoon everyone. Carahsoft Technologies would like to welcome you to our hacker one webinar ready for 2020 For how coordinated vulnerability disclosure can boost election security and public perception. At this time, we would like to introduce our speakers for today, Kayla, I will pass it on to you. The floor is all yours. Awesome. Thank


Kayla Underkoffler  00:20

you, sage. Hello, everyone. I'm Kayla Underkoffler lead security technologist at hacker one. And I have the pleasure of being the moderator for today's panel. So to kick things off, we're going to have our panelists introduce themselves. So we'll go ahead and follow the order on our screen here. So Trevor, if you could please introduce yourself first.


Trevor Timmons00:40

Hey, you bet. Thank you. My name is Trevor Timmons. I'm currently the CTO for the elections Group. We're a small organization that provides consulting and assistance to state and local election officials across the country. Prior to that I spent 30 years working for the Colorado Secretary of State's office. The last 16 Is their CIO with a an emphasis on election security, election Operations, Business registrations, and glad to be here today. Thank you.


Kayla Underkoffler  01:10

Thanks, Trevor. Alex, we'll hand it over to you.


Alex Rice01:13

Hi, folks. I'm Alex, the founder and CTO here at hacker one. Before that I ran product security for one of our friendly big tech companies out there but sort of the first five years of my career with in network security for the state of Florida at the state level. For the past few years I've been serving on itI sex election industry group as as an advisor, and really getting much more involved in this topic. So looking forward to covering it over the over the next hour or so with y'all.


Kayla Underkoffler  01:47

And Alana, please.


Ilona Cohen01:49

Good morning. Thanks so much. Hi, I'm Alana Cohen. I'm the Chief Legal and Policy Officer here at hacker one, I got my start in cybersecurity as a national security lawyer for the US government. And I culminated that experience with working for the Obama White House. And as the General Counsel of the Office of Management and Budget. Nice to be here.


Kayla Underkoffler  02:12

Awesome. It's a great panel makes my life easy as moderator to have such a great group. And sage, if we can move on to the next slide, we have a lot to cover today. Um, so real quick agenda, we're going to talk about an event that was held by the election Security Research Forum, focusing on the security of election technology. So we're gonna give a recap of that. And then we're going to dig into coordinated vulnerability, disclosure, and vulnerability disclosure policies. Specifically, we want to talk about how those work for state and local government. So we're gonna talk about what is it, why it's important, and how everyone here can implement one. And so to set the stage on the next slide here, just want to reinforce that the truth is election and public infrastructure security is really built on trust. It's trust in the people and processes and technology that power our systems. And really, that trust is earned in part through transparency, its transparency in the people and processes and systems. Specifically, when we talk about US elections for the people and processes. The thing is, is it's an incredibly federated model. Each polling place does things differently, each county and each state. And the truth is that diversity is resilient. There are checks and balances built in all across the system. And when it comes to anything close to single points of failure, the closest thing to that is the smaller attack surface of the technology. So if there's distrust in the security of that technology, it really emphasizes the need for trust in the people and processes to counterbalance that. So since you as our audience here are here to engage and learn about election security, and specifically vulnerability disclosure policy, we really wanted to kick this off by gauging your thoughts and on this, and we're going to do that with our first poll. So the first poll is how confident are you in the security and transparency of current election technology? So we'll give a second for everyone to vote on that. Now will help us gauge how we need to proceed with the rest of this webinar and the content. All right, so drum roll and results. So we've got the top top result of somewhat confident, and the next one is not very confident. So it's actually I think that's on par with what a lot of people might feel. And I think what I want to give for or this presentation as a boost of of hope is there are a lot of groups out there that are working on this today. Specifically, one of those groups is the election security research forum. So sage on the next slide, I want to give an overview of an event that was held specifically to help bolster that lack of confidence in election technology security. So I'm in September, this last September at the mitre Facility in Virginia. The election security research forum held an inaugural event that brought together election technology providers and security researchers for the first time in an incredibly collaborative environment to work on security for the technology footprint. So the ESRF election Security Research Forum is a collection of it, I sack, the election technology providers and a security advisory board, which hacker one is a part of that security advisory board. And for the event specifically, we brought together our ethical hackers security researchers. So this whole group met for a 48 hour event with 12 hours of dedicated hacking. And the goal was to build relationships and trust in the security of election technology. And the whole event operated under the principles of coordinated vulnerability disclosure, which was a really integral part to making sure this works successfully. So Trevor, you are also a part of the the election Security Research Forum and you were at the event. We'd love to hear recap from you on some of the highlights and takeaways. Fear Absolutely,


Trevor Timmons06:31

Kayla. So I want to highlight something Kayla just mentioned, this was really the first collaborative engagement between industry tech providers, cybersecurity researchers in the voting technology space, there have been non collaborative events. Some of you may have attended the voting Village at DEF CON, which had been going for a number of years. But this was the first time that we actually brought together elections, tech providers and hackers in a collaborative way. And again, under the principles of coordinated vulnerability disclosure, it was really a significant step. And we view this as the advisory board, as really just the first of a continuing kind of relationship. Honestly, everyone was pretty nervous coming in the technology providers, they were a little bit nervous walking into the room, the hackers, the invited hackers that came in, they were a little nervous as well. And that was actually one of the one of the key findings, I think, within just the first couple of hours is that everybody was a little bit leery, but the fact that we all came together. And actually, you know, as Kayla mentioned, establishing that trust, that's, that's really the first step and trying to make sure that we can do this effectively together. I don't think that the industry tech providers really appreciated the absence of trust from the researchers coming their way. Some of them have had not great experiences, in their interactions with different kinds of technology providers, elections and otherwise. And so but I don't think that the industry folks really appreciated that. I think half or maybe a little bit more of the researchers, they had been to the voting village before or other types of events like that. But some of them had really no exposure to technology in this space. And, you know, one of the big wins from this was actually bringing the hackers together under the principles of coordinated disclosure, not under an NDA where the research could be conducted, but then couldn't be spoken about afterwards. That was really, you know, a very key point to try to build a bridge, you know, and establish that trust.


Kayla Underkoffler  08:43

Absolutely, Alex and Alana, both of you were involved any other points you'd like to focus in on for that event?


Alex Rice08:55

Well, Trevor really nailed it. But I think the lack of trust on both sides here, it was something that we hadn't observed in too many other industries. And so I think it's really something that everyone involved in election security needs to take to heart it's there's something very unique about the nature of our democracy and elections that cause everyone to approach it with a little bit more skepticism than other areas in our space, which says a lot because most of us approach most technology with a healthy degree of skepticism. So that this goes a step further is is absolutely a fact to be to be aware of. But then seeing how much progress was made just in a short period of time of having open conversations and open dialogue about the security of these systems was so phenomenal to watch it. So it gives me a lot of hope for the future that by continuing conversations here between the different parties involved that we can make a lot of progress in a really short period of time.


Kayla Underkoffler  10:02

Definitely, I'll just add, also being there that it was, I mean that the body language between the first day of have crossed arms leaning back against the wall, too, by the end of the event, you know, everyone's peering over each other's shoulders, there's hardware scattered all across the room. It was, it's a great event, for real hands on security research. So it was a joy to watch. One of the focuses of this, as Trevor mentioned, and one of the things that made it successful was the presence of vulnerability disclosure policies for each of the technology providers now was a big part of the Security Advisory Board's input in this event and getting the lead line to get this ready. It's that it was getting the technology providers to have these policies in place. But the truth is, these vulnerability disclosure policies are not just for election technology providers, they're also critical for state and local teams, they're critical for everyone. But today, we want to spend the rest of our time talking about vulnerability disclosure policies, and what it looks like in the public sector. So we want to cover what is a vulnerability disclosure policy? Why do we need to have one? And how should we actually go about implementing them? So at this point, we're gonna go ahead and stop sharing screens, and just focusing on the panelists and the real takeaways here that will come from this conversation. And we're gonna start with Alex, Alex, you've been involved in vulnerability disclosure policies, and building them and operating them for well over a decade. Can you tell us a little bit about how vulnerability disclosures pit fit into an overall security program and why they're so important?


Alex Rice11:49

Thanks. Let's talk about why they're necessary. It's a lot of syllables in there to describe something that sounds really complicated, but it's actually incredibly straightforward at the heart of it. For as long as we building been building technology, long as any human isn't building technology, that technology has had bugs, it has had issues, it has had things that have not gone according to plan. That shouldn't be a surprise to any of us, when we just think about bugs in technology. Of course, that exists, and they're found all the time. But there's something different than happens, if it's above it could have security implications related to it, folks tend to be a little bit unsure and uncomfortable what to do with that information when they come across it. And vulnerability disclosure policies were really born out of a few decades of trial and error of different technology companies, the Microsoft's the net escapes of the world, having vulnerabilities discovered in their products and chaos ensuing every time it happened. And so the industry took about a decade to align on this norm of this is how vulnerabilities should be handled, it needs to be handled in a coordinated fashion with a clear process for if there's a bug in my technology, I need to hear about it, so that I can coordinate with everyone who uses that technology and get a fix out as quickly as possible. And today, the vast majority of technology companies have these things Google, Microsoft, Facebook, Amazon, Apple, anyone who's building and shipping technology has coordinated vulnerability disclosure policy, to their credit, the election industry, the vast majority of technology providers have one now to they were the first industries to get there collectively, as a group, really speaking to the importance of these, of these of these organizations. A number of state agencies are now starting to break out to lead the pack of introducing their own, the state of Ohio launched one state of Iowa. The DoD was one of the first federal agencies to have this out there. And so we're seeing all of these different folks who participate in deploying monitor technology realize that their technology is going to have vulnerabilities and we need to establish process to receive those vulnerabilities. It's really as straightforward as that. There's one last thing that I wanted to touch on that I think we'll come back to a handful of times throughout this. But it's important to understand that technology is a lot more connected and dependent on each other than we get them we realize any individual agency or organization has technology, in their infrastructure and on their networks that belongs to other folks. And so this really is a scenario of we all have to be in this together or it doesn't work properly. If somebody one person in your one vendor in your infrastructure doesn't have one of these policies, and that happens to be where the vulnerabilities found The whole thing grinds to a halt, and chaos ensues again. And so that's why you'll hear so much talk about the importance of coordination and getting this deployed across supply chains versus just focusing on the technology providers and the big tech companies.


Kayla Underkoffler  15:19

Awesome. quick follow up question for you there. We, we realized that vulnerability disclosure, there's a multiple parties involved with this, can you introduce us and the audience here to the community, those ethical hackers that are out there helping to secure government assets? Who are they? You know, and how do they like to interact with organizations? Yeah,


Alex Rice15:45

it's such a fun topic to touch on, because you say the word ethical hacker, and I'm sure everyone immediately starts visualizing something from Hollywood swordfish or a hoodie or the Guy Fawkes mask or something like that. But it is such a diverse group of technologies, the majority of the findings in the ecosystem do come from technologists who enjoy probing technology, looking for flaws, being really curious and creative about it. So you'll see a very diverse group of technologists in there. But there's a long tail of folks that have participated in coordinated vulnerability disclosure with no technical background whatsoever. There's quite a few lawyers that are great at finding issues with technology and policy and processes around there. All of us can imagine a time where we found something in a system where like, I don't really know if that's exactly right. You shouldn't feel empowered to participate in these programs. They really are the cyber equivalent of a See Something, Say Something policy, or my favorite stories is Microsoft, they had a submission from a seven year old who figured out how to bypass the Xbox parental controls. It doesn't take this like a lead, cyber hacker type persona to find bugs in technology folks really do come from all walks of life, and especially when it comes to election systems. It's something that all of us participate in, and somebody sees something that's wrong, we need established channels to have a coordinated collaborative conversation about what that is.


Kayla Underkoffler  17:19

Absolutely, I will echo that. It's a very diverse group, it's a joy, seeing them work in person, and just the passion that this community has for for security is really inspirational. So getting a chance to interact with them is always a plus, especially if you're in the cybersecurity field every day in and out. So to transition here, um, let's talk about why we should set these vulnerability disclosure policies up. And for that, Trevor, I'd like to start with you here. So the election group serves as an adviser to election officials who are looking to implement new programs, or improved processes for their constituents. So can you tell us why you guide a state and local official towards implementing a vulnerability disclosure policy?


Trevor Timmons18:07

Sure, a great question. I mean, the reality is that I think it's, it's a very logical next step to ensuring the security of your assets. I mean, I do want to clarify with at the election Security Research Forum, almost all of the gear that was there was gear that is not network connected. They were tabulation machines, voting devices, ballot marking devices. And again, this that's why this is kind of a pretty watershed moment is this is gear that is typically not, you know, it's not sold on the public market, they're generally pretty tightly controlled. And so the researchers were able to get their hands on this equipment, that is the core to voters, casting their casting ballots, making their choices and elections. But with respect to coordinated vulnerability, disclosure, writ large, you know, any of your network facing assets, Internet facing assets, they are great candidates for establishing a policy and being willing to accept vulnerability disclosures, and then coordinating on how you're going to react to those, how you're going to address those. And then, you know, sharing that information out with the researchers, with the hackers and on to the public as well. The reality is that malicious actors, you know, nation states, black hats, whatever, they probably already know, vulnerabilities in your assets. I mean, they can use tools to do you know, passive scanning, kind of find out what sorts of technologies that appears that you're using, and then they can, you know, they can pretty easily try to figure out if they can exploit some of those vulnerabilities. By implementing a coordinated vulnerability disclosure policy, you're actually leveraging those ethical hackers to have an open door to receiving those reports of vulnerabilities. So you'll be aware of them. You know, the bad guys are not going to tell you the Good guys can tell you, okay, and coordinated vulnerability disclosure programs, they've really become the standard. I mean, in the federal civilian space, DoD, you know, federal military. There's a, there was a policy, drafted in 2020, to make this a standard for federal civilian agencies under Sissa. And so we're starting to see states and locals start to adopt these as well. And I'll note that in the commercial space and in the federal space, folks, you know, implementing coordinated vulnerability disclosure has not been an albatross, it has not been something where, you know, there's Oh, come at me, you know, because I'm saying, I'm open to receiving reports of vulnerabilities. It's really become a positive so that people can become aware of vulnerabilities and actually close those gaps and address those issues.


Kayla Underkoffler  20:57

Absolutely, and Alana for you, you often work in the national policies and standards space as well as international. So can you tell us a little bit about where else we're seeing vulnerability, disclosure becoming the norm, and recommended sometimes even required? Sure.


Ilona Cohen21:14

Yeah. vulnerability disclosure, as Trevor mentioned, really is becoming a best practice. And it's a standard practice in the federal government. We've seen that now for several years in the federal government, starting with hack the Pentagon. And, you know, I was in the White House when that program initially took off. And I'll say the government sort of went through the five stages of grief all the way from, you know, starting with denial, all the way up to acceptance, you know, really, as Trevor mentioned, because the the cyber adversaries are already in your system, they're already doing the research. So you might as well have some of the good guys reporting as well. Since hack the Pentagon, you know, it's in 2020 became a requirement for all federal agencies that was through an OMB memo and also a binding operational directive from Sissa. Subsequently, now it's becoming mandatory for companies that do business with the government. So the Internet of Things cybersecurity Improvement Act, and 2020 made it a requirement for those covered under that bill. And there's legislation in Congress now, that would make it mandatory for all federal contractors, anyone who does business with the government will have to have a vulnerability disclosure policy in place. The states have been, you know, right behind the federal government, although they're not quite as far along. But it has vulnerability disclosure policies have been endorsed by the National Association of secretaries of state. And you know, we're seeing additional funding, additional requirements come through for state and locals, which we expect just to continue to grow. We, we were at the hacker one participated in a joint presentation with one of our customers, the Ohio Secretary of State's office, and the Sisa, their shared why she is interested in doing this at the state level, she said, look, it helps us protect our reputation, we can identify all of the blind spots. And you know, we adhere to these government best practices, which I just referenced. But most importantly, she said, I sleep better at night. And honestly, who does not want that?


Kayla Underkoffler  23:41

Absolutely, and having, you know, a whole community of people who are constantly looking for issues and ready to report them to you, that should help everybody sleep well at night engaging with that community. So those are all really great points. I especially like hearing about how the Ohio Secretary of State is going about this. And that's a really great use case for the others on this call. So we're going to be sure that we share a recap of that conversation that Ilana just mentioned with the audience here today. So we'll be sure to share that out. So we've talked about what is a vulnerability disclosure policy, and why we need to get one established. So now let's transition into how teams can go about implementing these. But before we get into those details, we want to be sure we tailor this feedback to you, the audience, and we're going to do that through our second poll here. So what is the biggest objection you expect to face or have faced in implementing a coordinated vulnerability disclosure or vulnerability disclosure policy, the budgetary constraints, internal leadership by an internal bandwidth? Or maybe just there's a weariness of hackers or something else? So let us know what you've experienced or you expect to experience as we dig in. to how we should set these policies up. And drum roll is are pretty tied up here. So we've got internal leadership buy in being a concern, as well as internal bandwidth and actually wary of hackers. Look at this, everything except for budgetary constraints, guys, oh, and other. So we're doing pretty good. That's a pretty. But the good news is, is we have all of that content covered in the rest of what we're going to talk about. So we've got you guys. So to kick that off, I'm trans ended into this transition about how we, hopefully we've made it clear that vulnerability disclosure policies are very important. And they provide immense value for cybersecurity. So as we talk about how teams are going to work to get these set up, Trevor, I'd like to start with you here. How would you advise a team to start setting the foundation even to being able to implement a vulnerability disclosure program? And


Trevor Timmons26:01

I mean, it's great. I think everyone who's kind of thinking about this, or you know, our listeners here, they're like, Well, what do I have to do? First, I'll start with kind of the, the technical side of the cybersecurity facing side. And this, I promise you, this is gonna sound pretty basic, okay? You need to be doing vulnerability scans, right, you need to know how external folks external to your organization, see your network assets, right, you need to be doing those scans, and you need to be reacting to what is found on those scans. Okay. Secondly, I recommend that folks hire out a penetration test Sissa if you're a state, local, tribal territorial entity, you may be able to use Sissa, you know, to do remote or in person penetration testing, you can hire that out there a bunch of reputable companies that do great work on that. But I recommend that, you know, do a hardcore pen test. And again, react to the findings that are coming there. Alex already mentioned that we're starting to see private sector companies, service providers, many of them are just adopting coordinated vulnerability disclosure policies, you know, openness to hearing about bones. As you're looking at your external service providers, you know, or folks who manage your Internet facing assets, make sure you've got language in contracts that allow you to hold them accountable, that vulnerabilities are found and reported, that they're actually accountable for making sure that they're remediating that and mitigating those problems, right. And if you are managing assets with internal teams, I'd suggest you make sure that you've got some bandwidth, that you've got capacity available, so that when VLANs are reported, you can actually react to it and take care of those things. Now, all that stuff sounds pretty basic, right? If you're running network facing assets, you're probably doing all that stuff anyway. The last thing I'd recommend is talk to peers who have implemented coordinated vulnerability programs. It sounds a little bit scary. Again, you know, as you're talking to your executive leadership and your management, they may say, Oh, I don't want to put a target on our back. Yeah, the reality is, the bad guys are already they're already doing the recon, they already have some stuff. By adopting a vulnerability disclosure program, you are expressing openness to hackers to actually hearing about those vulnerabilities. I just want to share I had a lightbulb moment several years ago, as we were working with security researchers and hackers. And it was really about the liability concerns that they had in reporting potential issues to a government entity. They did not want someone they were concerned. You know, if we report something, is somebody going to drop a dime to the FBI or somebody, you know, and, you know, and say that we were unfairly doing recon on assets, and a vulnerability disclosure policy will expressly give them as long as they abide by the terms of your policy. You're expressly saying, You know what, we're not going to drop a dime on you. We want to work with you. We want to coordinate our efforts to remediate any issues that are found. It's really just signaling your openness to ethical hackers to improving your security over


Kayla Underkoffler  29:29

and Ilana I know there are this isn't a this isn't a have to reinvent the wheel situation. Can you tell us about some of the guidance and examples that are out there for people to to to follow to get these things set up today?


Ilona Cohen29:40

Sure. Well, of course hacker one is always available to assist. But there are also available documents that the federal government has created in the pursuit of their mandate. So there is NIST 802 16, which helps to govern the federal government's requirements. associated with vulnerability disclosure policies. And, you know, as Trevor said, this is not, this is pretty basic, but it is helpful to sort of see it right there in writing, don't, you know, they tell you don't leave your vulnerability disclosure channel unattended, you have to have backend support in order to actually be able to accept the vulnerability reports, as they're coming in. Make sure you establish, you know, a vulnerability management process that helps you deal with those disclosures. And then also make sure you're able to communicate with those who report the vulnerabilities about sort of the timeline for mitigation, how you might handle the reports that come in. Those are, they all make sense, right, you wouldn't run a scan on your system, and then completely ignore the results. The same is true here, don't set up the program and just completely ignore the results, you're gonna have to do a little bit of work on the back end to make sure it's a successful program. But all of it is outlined for you in those documents. But


Kayla Underkoffler  31:05

it's great to hear there's so much support for teams as they're working on getting these set up. And it's one of the pluses of vulnerability disclosure policies becoming a standard. And that is that you can depend on other people who've done this. And the instructions and it's it's, it's a commodity, everybody can make sure we implement these the right ways the community knows what to expect when they're interacting with folks. Absolutely. Yeah. So the next part of this, as was one of the concerns from our, our survey here, let's talk about budget. One of the comments I remember from the ESRF event that I will let will always stick with me was that state and local teams are often scrutinizing budget requirements, the lack of budget available for all the things you need to buy the example was, what if I, this is the budget I have? So I need to decide, am I buying the new firetruck we need? Or am I buying the, you know, assistance for the program for the vulnerability disclosure? Or am I paying for the support behind the scenes? These decisions are being made all the time. And so we want to talk a little bit about budget assistance or budget prioritization or how to make that happen. So Trevor, I'd like to start with you here. How can state and local teams prioritize coordinated vulnerability disclosure policies, especially as these mandates are approaching that we've talked about earlier?


Trevor Timmons32:35

No, I mean, it's a great question. And the the good answer is there actually opportunities out there. The cybersecurity and infrastructure security agency started up a couple of years ago, a state and local cybersecurity grant program, okay. It's a billion dollars over five years, out to state local, tribal territorial entities, okay. Part of the requirement under that is that you actually participate in an annual survey that's conducted through the MSI sec, the National Cybersecurity review, so that you can get an idea of how your security posture relates to other entities within your same domain, and then across the nation as a whole. So it can give you some some information about the maturity of your cybersecurity program relative to other folks that are similarly situated. Okay. But the point is, those cybersecurity grants, they're allocated down to each state, there's a state board, state and local membership is required, they have to coordinate with the state chief information security officer or the state CIO. But there's a great avenue there for you to look at that. And, you know, to help fund implementing, you know, mitigations, you know, tracking vulnerable reports that come in, and then actually doing that coordination, reaching out to the researchers, the hackers to make sure you're closing that. And that's just one opportunity, the new and that's a new one. Okay, couple of grant programs that have existed for a while. Under the Department of Homeland Security. There's the Urban Area Security Initiative. There's the state and local Homeland Security grant program. And what we're seeing is, as that new Sissa nationwide cybersecurity grant program, one of the requirements under that is, not only are the Feds delivering grant monies, but they states and locals also have to provide a match to be able to fully leverage those funds. And so they're incentivizing state and local governments to actually put their money where their mouth is when they talk about wanting to be open to improving their cybersecurity. They're requiring them to devote some funds and some resources to actually do that. I'd encourage everyone, you know, on the call, reach out to your management, your leadership, if you don't know who the thought leaders are within your state and local government, in your jurisdiction, rest assured they're there. There are people who take this very seriously and have a lot of information. And in my experience, they're totally willing to help advise and mentor and help others kind of improve their security posture, you know, using one of those grant funds that I just mentioned.


Kayla Underkoffler  35:33

Awesome. Okay. It's there's certainly that I think that's one of the biggest takeaways here for folks is that there, there are options for funding support specifically for cybersecurity improvements. So maybe you don't have to worry about losing your firetruck budget. If there's money that's specifically focused for cybersecurity, that's a great place to start. So another challenge that we heard about in this is in getting these programs set up is that we often see leaders or decision makers who are not inside security, they don't understand necessarily the inner workings of a program, or overall why vulnerability disclosure policy is important within a security program. So I'd like to touch a little bit now on how you can work with internal politics and also help non decision or decision makers who are not due to not have security backgrounds. Help them understand why empowering vulnerability reporting is critical. So Alex, I'd like to start with you on this. And then we'll go around for other answers.


Alex Rice36:49

Sounds good. I had one thought on the on the last question you asked about what should we be doing if you have no budget? And there's one thing I'd love to add to the list there that doesn't require any budget that I generally recommend everyone do. We all have other technology providers that we're depending on to whatever situation you're in, you are regularly adding new technology vendors buying new software and new applications, new networking devices. And you can ask that they have a vulnerability disclosure policy in place like something you could start doing right now to get ahead of the curve is making sure you're not onboarding any new pieces of technology that don't have a way to report vulnerabilities into them. And there's a bunch of great examples for this as early since 2009, the very first question in Google's IT vendor onboarding questionnaire as a security questionnaire, they send it everyone they do business with? It's, do you have an easily discoverable way for external parties to report security vulnerabilities in your systems? And it's just a yes or no question. And anyone who says no to that goes through a bunch of additional scrutiny as to Well, do you not have vulnerabilities? Why not? And so I, as just an easy no budget thing to get started with, I throw that into the prior conversation. But when it comes to ourselves your question, Kayla, and what do we say to non security decision makers on this? A first and foremost, I don't think we live in a world where we can have non security decision makers, we need to ask executives leadership to take public trust, safety, security, as a serious responsibility and defer to experts in this area on what to do and what to do. And the overwhelming consensus there from all experts that you can find in this space is that vulnerabilities are going to exist in every system that gets put on the internet, and people are going to find them. So we should have a way to do that. We've touched on it a handful of times in the past. But that's really what I would cement with leaders is, look, we are behind the curve here. Now honestly, look at everyone else that is implemented these two great results. The second point I would lean on there is Trevor touched on it a handful of times earlier, if you have an IP address on the internet, it is already getting scanned by bad actors, by ethical hackers by criminal groups, you are not stopping or starting that activity with the existence of one of these programs. And wouldn't you rather know some of the things that are found through this type of just being on the internet security research before before criminals do?


Kayla Underkoffler  39:25

Awesome. basics, right, given it back to the basics of why these policies are important. Trevor, do you have any other input into how you can actually orchestrate this for state and local teams? Sure.


Trevor Timmons39:37

I mean, I think Alex, Alex hit on it already. I mean, you know, as you move into this, you're going to you're going to need to talk to your legal gonna need to talk to your comps. You can take advantage of this, to try to distinguish yourselves from someone who maybe isn't moving as fast to adopt coordinated vulnerability program If you aren't going to have to sell it to management. The reality is that an incident that where someone actively exploits the vulnerability you have will come with financial costs they will come with it would come with reputational damage, it would come with all sorts of operational impacts. And implementing a coordinated vulnerability program prepares you for those things, because you know what, it's going to happen at the time that is most inopportune. And when you are least prepared for it, and there's so much else going on. This is a way to leverage the ethical hacking community to actually better prepare yourself, for those and to close those gaps before someone, you know, picks a terrible time to make them apparent to you.


Kayla Underkoffler  40:58

Absolutely, it'll always be a terrible time. Ilana, do you have anything to add here?


Ilona Cohen41:01

Well, it's, it's just a cost benefit analysis, right? If you think about it, the average cost of a breach these days is about four and a half million dollars. That's the average cost. So you can imagine that they go much higher in some instances. And the cost of setting up these programs is very small. So I think it makes sense from a financial perspective if you have somebody who's really worried about it from that angle. But also, you know, there are significant reputational issues associated with these breaches, and you really want to get ahead of it and take proactive measures to be able to address them.


Kayla Underkoffler  41:40

I think that's one of the really cool parts about vulnerability disclosure policies that is that they, they are proactive, you're not reacting by having someone submit something in an uncoordinated fashion, you're opening the communication, right away to accept these reports and empowering the community to do that, so that you can take action before it becomes a public issue. Absolutely. Yeah. Okay. Okay, team, we are coming to the end of our content. This has been a fantastic conversation with so many takeaways for the audience here. Just a really quick recap. Let's do yes, a real quick recap stage. Before we kick off a final poll. Today, we were able to cover a very special event that took place in September specifically focused on the security of election technology. So please, folks, remember the election Security Research Forum, keep an eye out for future events, it's a great opportunity to be involved, and to see security play out in real time, which is an awesome experience. And then we dug into vulnerability disclosure. And we talked about what is a vulnerability disclosure policy, it's that see something say something policy that empowers the community to report vulnerabilities to you to the people who own the systems in a safe and concise manner. And we talked about why we need to set them up not only are they becoming just a best practice for security programs, but they're also starting to become required. That's an important why. And then finally, how can we implement these programs. So making sure you're working with budgeting constraints, looking for those resources that are specifically meant for security, and working internally, to help everyone realize the value of these programs in a way that speaks to them and their concerns? So to wrap this up, here, we have one final poll for the audience. And that is after hearing from our experts, how confident are you in establishing a coordinated vulnerability disclosure policy compared to before this webinar started? So are you more confident than before? Do you have the same level of confidence? Or are you less confident? And hopefully that is not the case? And if you are less competent, which hopefully no one's going to be, but if you would be, we have plenty of resources that will be sent out afterwards. And there's plenty of contacts here to help.


Trevor Timmons44:15

Well, and and if you are less confident now than you were? Send us a question. I want to know why. Yes.


Kayla Underkoffler  44:23

Agreed. Okay, no less confidence, everyone. Okay, so 56% more confident, and 44% with same level of confidence, which is great. I hope that there was a good portion of this audience that came in here, already knowing what vulnerability disclosure policy was because I think that in and of itself is a sign that we're on the right path. So that would make me confident in the future as well. Okay, sage, thank you. I'm going to hand it over to you first, just I want to thank our amazing panelists. Hear, Ilana and Alex, thank you so much for participating. And Trevor, thank you for representing the election group. And being here today. This was this has been a great panel and a lot of really awesome takeaways for our audience.


Alex Rice45:15

Thank you all. It is now time for our Q&A. If you have any questions, please feel free to use our Q&A pod. And it looks like we have a few questions already in the pod. So our first question is, as noted, many of us have budget constraints that force tough choices, in your view, what funding mechanisms or partnerships could be leveraged as CVD mandates approach to make it more likely to get support?


Trevor Timmons45:48

You might, if I jump ahead, go ahead. I mentioned it already, I would encourage you to reach out if you're if your governmental entity reach out to the region and the state cybersecurity advisors within your state within your region, they can help direct you to that state and local cybersecurity grant program. They can also help connect you with state and local cybersecurity savvy resources, who may have other options I already mentioned, with those new federal grant funds, there's a state and local match requirement. And by by connecting into the cybersecurity, you know, kind of group within your local jurisdiction, I think you'll have a much better opportunity to know what what options are available out there. And you're probably also going to be talking with folks who've actually confronted this themselves, and figured out how they can actually improve their cybersecurity posture, manage risk, reduce risk, you know, working within their own budget cycles.


Alex Rice47:00

Our next question is, is there any evidence or metrics you can cite to drive home the real world impacts of finding and fixing vulnerabilities through something like a CBD? I can touch on this a bit, and maybe other folks want to weigh in. Also, because I love this fire probably goes back to making the case internally for it. I'll start with the lack of a piece of evidence. And it's a little bit anecdotal, but I think it's really important to recite, you won't find anyone that has gone down this path that has launched a coordinated vulnerability disclosure program, and is now like, Oops, that was a bad idea. Or we didn't actually get more secure every single party and there's been 10s of 1000s of them that have done this now have found valuable vulnerabilities as a result, and the world didn't end. It's I think that's one of the things I would start with just to really try to emphasize that. That's very rare in the world of security controls, you usually see a lot of missed promises, or that didn't quite have what I thought it did. That is strangely absent from the world of CVD. Right? folks end up having lessons learned about how they do more efficiently or what the cost of it were, but nobody's saying it didn't help them find and fix vulnerabilities. That is that that's that's quite powerful. On the metric side, there's a bunch of examples we could run from on I was thinking about the extreme cases. Just to start from the from the extreme side, the longest running federal vulnerably disclosure policy was the Department of Defense's program, which covers all of their internet facing attack surface several million public facing IP addresses. Since launch in 2015. They've had just over 45,000, valid vulnerabilities resolved, that's 45,000 vulnerabilities that were missed by their pentesting, their vulnerability scanning the adversaries that are constantly probing it. And so I think that speaks to just the potential of the volume that's out there. Most folks aren't the size and the scale of the DoD. I would cite our hacker powered Security Report. Here's something that we release on an annual basis. And we see that the average number of findings in any given CPD program over annual periods closer to two dozen or so. And so I think it really speaks to the breadth that these programs can can operate at. Alright, next question is we have a small team, how can we overcome that be compliant without spending a ton of money upfront?


Trevor Timmons49:48

I can I'll jump into this one. Alex already mentioned it. You probably purchase devices, equipment services from external service providers. Make sure that you're holding them accountable for having a coordinated voluntary disclosure program. In terms of your small team responding to that, that it's a reality. There's a limited number of hours per day, there's a limited amount of expertise out there. I think by reaching out to organizations such as hacker one, we haven't really talked about it very much. But hacker one is one of the organizations that can help folks coordinate how they're receiving vulnerability reports. They have a, they have a number of ethical hackers that participate in their program. And so you know, that that's one option that you can reach for, the reality is that there will always be vulnerabilities in software. And in computer systems, you'd rather learn about those early than late, you know, you'd rather learn about it before someone has a chance to exploit them, rather than after it's been exploited to then discover that. And I mean, I'm sure that Alana has a ton of examples from her time in the White House, about, you know, cost avoidance risks avoided by being aware of your security posture and addressing those things early.


Ilona Cohen51:18

Well, let me just add, that, if you have a small team, and limited resources, that's the reason to create a CVD, not a reason not to. So actually, I started at a healthcare company, I was the General Counsel, we did not have a very developed security program. And so my first step was hiring hacker one, in part because I wanted to leverage security researchers to be able to help my company identify and remediate vulnerabilities before I had a full staff in place to do that in house. And so it made a lot of sense to use vulnerability disclosure policies, and you know, these really effective security researchers to help amplify my security program. And you know, I got real value in being able to prevent security incidents and unauthorized access, that would have been a lot more costly.


Kayla Underkoffler  52:21

And I'll just add in this is the emphasis of, we touched on this within the webinar about the the emphasis of making sure you set things up properly in the first place, if you're already gonna eat, if you're a small team, you need to operate highly efficiently, and you need to make sure everything is set in place, and you're prepared before something like this was to launch. So putting all that work in, in the first place to make sure you've got your open channel, you know exactly which teams are receiving these reports, you've got all your stakeholders looped in, you've got your development teams looped in so that they know when you come to them with a report. That's a priority, because it means it was discovered in the wild. So once you get all of that process in place, and you loop in the people, that that really helps to make the whole the whole vulnerability disclosure policy more efficient, even for a small team.


Alex Rice53:11

Our next question is CVD seems like a pretty high level security policy. How exactly does it help to secure elections?


Trevor Timmons53:21

Sure, great. Great question. I think I'll just reiterate something we've said before, malicious actors are probing your systems, whether they're election related or not being a, you know, leveraging ethical hackers to become aware of those things. The reality is your staff, whether it's small or large, you do not have all the expertise that exists out there within the ethical hacking community. Okay, leverage those folks to help you discover those vulnerabilities before bad people point them out to you at the most inopportune time. It applies to election technology, but it really applies to any kind of technology. It's a way to expand your ability to be aware of and to cover your vulnerability and those gaps.


Alex Rice54:11

And I'm reminded of something caillard manages up at the beginning of this specific to election security. Trust is so foundational to those systems working properly. And nothing erodes trust faster than I think I've found issue with the system. I have saw something suspicious, I want a report or something that I'm concerned about, and I can't find anyone to talk to you. That's when folks start going to media, they start asking questions on social media, they lose trust themselves. That's not where we want to be. And so even just having the existence of one of these systems to say, look, if you think you've see something, we want you to say something there is a open, transparent forward process to hear about vulnerabilities in the system because we are aware that there Those might exist and we're gonna be on top of it if they are just the act of being able to have that narrative is so foundational to having trust in a system like this. Looks like that's all the time we have for our Q&A. Thank you, Kayla, Trevor, Alana and Alex. We have our contact information or panelist displayed on the screen. I want to thank all of our participants as well as our speakers for being with us today. We hope our webinar has been helpful for you and your organization.