409.330.9373 Info@OhainWEB.com
Elections and Cybersecurity

Elections and Cybersecurity

In my last column I talked about propaganda and election influencing in the USA by foreign governments, as well as the US doing it to others. My basic take was, so what; if others want to meddle, they always will. Just be sure to lock the barn door before the horse (data) escapes. We need to stop complaining and be prepared for when they try.

99% of votes in the USA are either cast or counted by computers.

We have invested in computerized elections because they reduce miscounts, help voters with disabilities, improve access to voting for rural voters, and speed up delivery of results. That’s goodness.

Unfortunately, we have NOT invested in strong security for our computerized elections. The average state election cybersecurity grade in a recent report was only a C-. The average grade for states with toss-up Senate races in 2018 is an F!

 Without question, our computerized election system is vulnerable to cyber threats!

 Let’s take a look at four areas of our computerized elections:

  1. Campaigns, overall risk: severe

Cyber-attacks on campaigns have been used for selective release of private documents in which adversaries release potentially compromising data on candidates and campaigns. These attacks have undermined the credibility of candidates, exacerbated social, economic, and political divisions among the US Electorate, and fueled fears of corruption and abuse by government officials.

So far in 2018, cyber-attacks by Russians have allegedly targeted multiple Congressional campaigns, including Senator Claire McCaskill of Missouri, as reported in TheDailyBeast.com.

Cybersecurity practices for political campaigns remain inconsistent, although efforts by Homeland Security and the FBI to provide cybersecurity training have had some effect. Extremely tight budgets, mostly-volunteer staffs, poor cybersecurity awareness, and the issue of distributed, ad-hoc systems by campaigns have made improving campaign security difficult in spite of significant publicity around attacks on campaigns and campaign officials, particularly for local and state elections.

  1. Voter registration and election management systems, overall risk: serious

Attacks on voter registration systems and e-poll books could be used to steal data on American voters, or affect Americans’ ability to exercise their right to vote if their voter registration is manipulated. Blocking certain voters from the polls could even alter the results of an election.

Voter registration systems in at least 21 states were targeted by Russian hackers in the 2016 election, although there is no evidence that voter rolls were actually changed.

Voter registration systems remain vulnerable to cyber-attacks, but progress is being made on basic cybersecurity standards and training, and Homeland Security is coordinating information sharing and incident response exercises with state election officials.

  1. VOTING SYSTEMS, overall risk: serious

Cyber-attacks on voting systems could be used to disrupt the voting process, or even to directly manipulate votes, perhaps the most widely-feared form of election manipulation.

There has been no evidence of foreign tampering with US voting systems in 2018, but known vulnerabilities have been demonstrated in many of the most widely used voting systems in the USA.

Vulnerabilities in voting machines and vote counting systems have received a lot of attention since 2016, but most voting systems are not connected to the Internet, and getting physical access to such a large number of machines would be challenging, particularly for a foreign adversary. Furthermore, most states have plans to replace aging voting systems and implement a paper audit trail for all votes.

  1. ELECTION NIGHT REPORTING, overall risk: serious

While attacks on election night reporting systems cannot affect the actual outcome of the election, if reported vote tallies are manipulated it could call the real results into question even if they are ultimately verified.

No evidence has emerged of foreign tampering with election night reporting systems, but exploitable vulnerabilities in official election websites, traditional and social media platforms could be exploited by foreign actors.

Secure election night reporting has received comparatively little attention and resources relative to voter registration and voting systems, and known vulnerabilities in official election night reporting websites, traditional and social media platforms remain unaddressed.

Without question, our computerized election system is vulnerable to cyber threats, and foreign adversaries want to exploit our vulnerabilities. 

Areas with the greatest risks are 1) Influence operations, 2) cyber espionage against campaigns/ candidates, and 3) attacks on voting systems. Influence and espionage are much bigger threats than sabotage.

What countries pose the greatest overall cyber threats to US Elections? Russia (81%), China (10%) Iran (2%).

The good news:

Progress is being made. Today, Basic Best Practices for cybersecurity are currently in place for information sharing (50 states), access control (46 states), and regular vulnerability analysis and intrusion detection (43 states). 9 states are using voting machines more than 10 years old; 33 states perform post-election audits, and (to me at least) most important – 36 states have a paper-trail audit for all voters.

By 2020, 46 states will either have or be in the process of implementing a Voter Verified Paper Audit Trail. (Look up VVPAT with an Internet Search Engine.)

More is needed.

A paper audit trail is a key first step in establishing resilience if computerized election systems are compromised.

Current funds are helping to implement basic security practices, but the full cost of robust security systems is much higher. Many states and counties have developed plans to upgrade or replace vulnerable systems but lack funding to implement them.

Attacks on campaigns and election night reporting systems cannot directly disrupt of change the outcome of an election, but they can undermine the credibility of American democracy, and comparatively little money or effort is being put into securing these systems.

Campaigns and election officials should leverage every available opportunity to partner with the government and with cyber security professional s and pro bono initiatives to continuously improve security on our election systems.

Hopefully we made it through the 2018 elections without any major glitches turning up. Let’s hope we’ll be much more ready two years from now.

[Most of the information contained here was distilled from papers published by the Technology Program of the Center for Strategic & International Studies in Washington DC.]

David Derosier consults with small business on planning and marketing issues, and provides web design and hosting services through OhainWEB.com, an accredited business with the Better Business Bureau that is rated A+ by BBB. He can be reached at JDAVID@Strategy-Planning.info.

Will the Russians again meddle in the upcoming American elections?

Will the Russians again meddle in the upcoming American elections?

Propaganda and election influencing by USA.

Did you know that the United States created Radio Free Europe as an overt propaganda effort during the Cold War, partially funded by CIA? Did you know that Radio Free Europe continues to this day with headquarters in Prague, a corporate office in Washington, D.C., and 17 local bureaus in countries throughout their broadcast region, broadcasting in 25 languages to 23 countries including Armenia, Russia, Iran, Afghanistan, and Pakistan. (www.RFERL.org).

The U.S. has meddled in presidential elections in other countries as many as 81 times between 1946 and 2000, according to a database amassed by political scientist Dov Levin of Carnegie Mellon University (www.dovhlevin.com/).

From Radio Free Europe to influencing elections, USA has a well-documented history of meddling in other countries’ affairs.

KremlinThink the Russians are going to try and interfere again?

I’m sure they will.

And why shouldn’t they? Especially when we do the same thing all the time.

So, if YOU think the Russians are going to try and interfere again, is that a problem?

What is the problem?

In an earlier article I wrote that problems cannot be solved…until they are broken down into issues to define the problem.

In this case, the problem is not that the Russians want to meddle in American elections; the problem is that apparently we do not have adequate counter-measures to stop them.

There is no question that we have equal or better offensive capabilities than our adversaries. We need to put more effort into having better defensive capabilities – cyber defenses in the Digital Environment. And, we should stop complaining about others, like Russia, doing what we’re doing. Just be quiet and don’t let it happen.

The Digital Environment

The Digital Environment is exploding exponentially in terms of its breadth and capabilities, and will continue to do so (I touched upon this in my article on “Changing Technology “).

Our lives are becoming increasingly dependent on the health and security of the Digital Environment.

Automation, machine learning, artificial intelligence, the Internet-of-Things (IoT), and many other advances bring tremendous opportunities…and also tremendous challenges to the Digital Environment.

Today the push is to protect privacy in the Digital Environment. That’s all well and good. However, we need to do a lot more in optimizing the security of the Digital Environment for Americans, not just privacy.

When governments collaborate with criminal hackers, such as mentioned above, it allows the governments to distance themselves from the direct perpetrators. This makes it more and more difficult to pinpoint the blame…and to point the finger at them.

We need to lock the barn door before the horse leaves, not point fingers afterwards.

On other topics…

  • REMEMBER – KNOWLEDGE IS POWER. GET OUT AND VOTE…for or against the Bond Issue and for candidates.
  • Congratulations to my friend and former mayor, Essie Bellfield, for being recognized once again for her contributions to Orange. Salem UMC is naming an education building after Ms. Bellfield, a longtime member of the congregation.
  • My next article will address strategies being discussed and put into place at the national level in the Digital Environment to add more security for Americans and our allies.

 

David Derosier consults with small business on planning and marketing issues, and provides web design and hosting services through OhainWEB.com, an accredited business with the Better Business Bureau that is rated A+ by BBB. He can be reached at JDAVID@Strategy-Planning.info.

Problems cannot be solved…

Problems cannot be solved…

Dave Derosier

…without breaking them down into issues.

Like so many other things in life, problem solving activities have an “80-20 Rule”. To correctly address problems, spend 80% on your time on the problem and 20% of your time on the solution. Most people do it the other way around.

Picture this, a business meeting where it is announced that, “Sales are down and the company is losing money”. Immediately someone in the group says, “We need to increase sales.” The group agrees and they go ahead with efforts to do that, happy that it was so easy to solve the problem.

Do you think that was a good way to solve the problem?

The folks at this meeting jumped on a knee-jerk reaction and then implemented it. Like most people they spent all of their time on the solution. “We need to increase sales.”

If they had spent more time on the problem, they might have found out that their selling costs were so high that they lost money on every sale. Increasing sales would just increase the losses!

The first step in addressing problems is to answer the question, WHAT IS THE PROBLEM?

In this case, what they thought was the problem, “sales are down”, was not the problem at all. The real problem was that they were losing money.

Problem diagnosis requires getting from the “simple why” (often just a symptom) to the “real why”. The real why searches out the causes of a problem. These causes usually go beyond technical reasons. Causes are best found by the repeated asking of “why” as we dig deeper and deeper into a problem.

Problem diagnosis means seeking answers to factors that could have affected or contributed to the problem. For example:  When does the problem occur? Where does it occur? Who is involved in the problem? Are the people involved carefully selected, trained, and motivated? What equipment and facilities are involved? What events or conditions are connected to the problem? What were the hints of an impending problem? What calamities, crises, and/or unusual events may be contributing?

Solving problemsThe answers to these real why’s are the issues (factors) surrounding a problem. Not all issues contribute to the problem and some don’t need to be addressed, but always assume that there can be multiple contributing issues do contribute to the problem.

Determine any constraints you may have for solutions (like the cost, legality, etc.), then analyze the issues, and come up with possible solutions. Evaluate each possible solution and select one or more. Develop a plan and implement it. Problem solved.

Remember that fixing a symptom doesn’t cure the problem. For example, an offer of a ride from a neighbor doesn’t solve the real problem of a vehicle not starting in the morning. Another example would be failing grades at school – that’s a symptom; the problem is kids not learning.

All of these steps work on addressing bigger complex problems, like failing school grades, or choosing a new job, or a business that’s losing money. But what about the small simple problems? What can we do to simplify finding solutions? There are many “shortcuts” that can be used.

Everyday Techniques like these are simple:

  • Pros and Cons: Listing the advantages and disadvantages of each option, popularized by Plato and Benjamin Franklin.
  • Simple Prioritization: Choosing the alternative with the highest probability-weighted utility for each alternative.
  • Satisfying: using the first acceptable option found.
  • Acquiesce to a person in authority or an “expert”, just following orders.
  • Flipism: Flipping a coin, cutting a deck of playing cards, and other random or coincidence methods

…and of course, prayer, tarot cards, astrology, revelation, or similar methods.

One other thing to remember in problem solving – learn to differentiate between a PROBLEM and a FACT OF LIFE. “My mother has Alzheimer’s” is a fact of life. There are no solutions to facts of life, learn to adapt yourself and move on. When you encounter a fact of life, treating it like a problem will make you miserable as you search and try fruitless solutions.

On the other hand, “my mother has Alzheimer’s and she is going to need constant care” is a problem for which problem solving is needed.

I hope this brief exercise helped a lot of you in addressing problems at home or at work, even at play. In future columns I will be making references to some of these tools in addressing some big issues. Please stay tuned in.

David Derosier consults with small business on planning and marketing issues, and provides web design and hosting services through OhainWEB.com, an accredited business with the Better Business Bureau that is rated A+ by BBB. He can be reached at JDAVID@Strategy-Planning.info

This article was first published in The Orange Leader on 10 October 2018.

Knowledge is Power

Knowledge is Power

Dave DerosierMy last post departed a little from the usual technology topics, although it did stay with the principal theme of trust.

I wrote about the grades that were earned by West Orange-Cove CISD (WOCCISD) from the State of Texas. Just like the schools give out grades based on student performance, the State gives out grades based on school performance. Ten out of 11 subjects got “F” grades.

The purpose of the article was to shed light on how the WOCCISD schools are doing. Not enough people know that the schools themselves get grades from the State, even fewer know how bad the grades really are. An awful lot of comments on social media were like, “I knew there were problems but I didn’t know it was that bad”; others were in denial, making excuses for the poor performance; others took the words personally and were offended that their kids were being labeled as bad learners.

Now they know, and knowledge is power.

The article was successful in that people started talking about subjects that were not so public a few weeks ago. Dialogue is spreading – both pro and con. That was the intent of shedding some light on the subject matter.

With new knowledge, hopefully more people will go to WOCCISD meetings and participate. Ask questions, share your opinions. If light can be shed on all these failing grades then the public stakeholders – parents and taxpayers – can choose whether or not to accept it or demand change.

The power is in the people.

For at least the last 10 years WOCCISD schools have been on the State’s “List of Worst Schools in Texas”. It could go back further but I stopped downloading the documents at 2006.

We can’t blame hurricanes for more than a decade of poor performance, nor can we put full blame on the current administration that has only been at the helm since 2015.

Kudos to the Orange Leader for providing a public forum in which this and other critical community issues can be brought to light and debated by the public. Also to Facebook and other social media for the forums in which a lot of that debate occurs today.

Is WOCCISD alone?

Not really. Beaumont ISD had problems and the state stepped in and took over.

Last May, ten people were killed and 13 wounded in a shooting spree at Santa Fe High School, south of Houston. Like WOCCISD, Santa Fe ISD was not technically rated by TEA for the 2017-18 school year after applying for an exemption due to Hurricane Harvey, if they had been rated, they would have received an “F.”

A Houston paper reported that family members of Santa Fe victims admonished the school board last week for the district’s poor academic performance on the Texas Education Agency’s Accountability Rating System.

“ ’What this tells me is Santa Fe is not providing an environment conducive to education; it’s providing just the opposite,’ said Steve Perkins, whose wife, Ann, a substitute teacher, was killed in the Santa Fe High School shooting. Many of those at the meeting wore T-shirts emblazoned with the letter ‘F’, for the failures reported by TEA grades for the district.”

Santa Fe failed four out of the eleven subjects mentioned in my last article. Compare that to ten out of 11 failures for WOCCISD and yet parents are not attending school board meetings and not speaking up which they have a right to.

Who cares?

According to minutes, in the last year only one outside person has taken the opportunity to present their opinion at a school board meeting, that person was Larry Spears, the Mayor of Orange.

Any presentations to the board are supposed to be recorded in the minutes of the meeting. However, it is not always an easy thing to find because, on average since the beginning of 2017, it took 5 months (147 days) before the minutes were presented to the board and approved. For example, the minutes of the November 17th 2017 meeting were on the agenda for the September 24th 2018 board meeting – nine months after the meeting happened.

You, the parents and taxpayers, have the right to speak out at the Board meetings. Go and exercise your rights. As citizens, you also have the right to vote in WOCCISD elections. Go and exercise your rights.

Knowledge is PowerYou also have the right to remain silent…and accept the status quo.

How will YOU vote for the $25 million bond issue? Where are YOUR priorities? What’s important to you as a parent, and/or a taxpayer? Early voting starts in just a few weeks on October 22nd.

Knowledge is power – exercise your rights.

David Derosier consults with small business on planning and marketing issues, and provides web design and hosting services through OhainWEB.com, an accredited business with the Better Business Bureau that is rated A+ by BBB. He can be reached at JDAVID@Strategy-Planning.info

Originally published in the Orange Leader on Wednesday September 26th 2018.

Where there’s smoke there could be fire.

Where there’s smoke there could be fire.

Dave DerosierA senior manager in a Fortune 50 company, to whom I reported for quite a few years, always insisted that his staff understand that, “If you can smell smoke anywhere, go and investigate, because it could be fire; and part of your job is to put out fires before they happen. “

For example, if a customer is loud and unhappy, find out why and fix it. Seldom does it happen when one loud customer is not happy that there aren’t many more quiet customers also unhappy with the same issue. If you have unhappy customers than you are not doing your job.

In a recent issue of the Orange Leader, (and on the paper’s Facebook page) there was an article entitled “TEA doesn’t tell the whole story”, which reported on the most recent WOCCISD school board meeting. At that meeting, an unnamed district employee, in relation to people raising issues about the districts recent grades from the Texas Education Agency, was quoted in the local paper as saying, “Don’t listen to the noise”.

Any business manager that dismisses smoke because they can’t see the fire is a hazard to operations at hand. Likewise, when a public official says, “Don’t listen to the noise” when the noise is coming from taxpayers and voters, that person is a hazard to the operations at hand.

Let me tell you a quick story.

Two men, good friends, would take a week each year and go moose hunting in the backwoods of Maine. They would rent a cabin on a lake where there are no roads and hire a float-plane (sea-plane) to fly them out to the cabin.

After arriving at the cabin this year, the new pilot told the hunters that the plane was too small to carry out both hunters and their gear plus two moose. They could only get one moose rather than one each.

When the pilot came back a week later he found that the hunters had gotten two moose. The pilot again told them the plane was too small; that with all that weight it would not be able to take off, let alone clear the trees.

The hunters argued that the pilot last year had said the same thing and his plane was the same size and with two moose they were able to take off and clear the trees. After much argument, the pilot gave in.

As the plane taxied across the lake it shook like crazy, finally after a very long distance it got into the air and just barely cleared the trees.

Then, poof! The plane went down propeller first into the trees.

Shortly after that, the two hunters crawled out from under the wreckage. The first one, dazed, looked around and said, “Where are we?” The second one spied the lake and said, “About 100 yards further than we were last year”.

That, my friends, is one way to measure progress.

In the same newspaper article mentioned above entitled “TEA doesn’t tell the whole story”, the word PROGRESS is mentioned in the article twice.  In my experience, progress is usually judged according to one or more benchmarks. I wonder how WOCCISD measures progress?

J David Derosier consults with small business on planning and marketing issues, and provides web design and hosting services through www.OhainWEB.com He can be reached at JDAVID@Strategy-Planning.info.