Seriousness. The, the thing I was asked to talk about was how to operationalize guidance around election security. And because election security is such a complex and complicated topic, I'll try to talk, you know, country agnostically about it because we could talk about Germany. We could talk about United States. We could talk about what's going on on the, on the E level, but I'll try to kind of make it counter agnostic. So there's a couple of things I will say. A lot of times, election security issues confuse different elements of it. So there's go, there are going to be organizations who will mean the election infrastructure security, which is one problem. And one set of issues. Then there's organizations who will talk about security of individuals involved in elections. And then there's disinformation. From my perspective, there has been much more focus on this information than on the hard security issues for a good reason or bad reason.
It doesn't really matter, but there has been a lot of focus on this information. I will not talk about that aspect of election security. Although I say that when it comes to this information, I am much more concerned and a lot of analysts are much more concerned about weaponization of true information rather than this information, because this information by definition is a spread of false information. And when you have spread of false information, you can go and address it with facts, with the truth, with, you know, your counter information campaign. However, when you have hacks and leagues, which is use of information, that is true, but it's not intended for public use. You know, that's where we're actually going into hard security questions. And that's what, from my perspective is even a larger issue currently. So in terms of, I have four points kind of, I wanted to wanted to discuss, but so the first is this the existing guidance.
So I think there has been a lot of existing guidance, including at the EU level, from NIS cybersecurity group, by that guidance mostly talks about, again, your election infrastructure, you know, when it comes to election infrastructure, most of the issues currently come from, especially in the United States, from the fact that there is one or two organizations who ride the code, that for machines that are used for elections. So when you do your voter registration, when you're capturing the votes, when you are telling the votes, you know, most of the software in the us is I think written by two companies, I think 95% of software. And I think, think you in the room though, this better than me, that that is not a recipe for resilience. So I think that's, that's one of the, the big issues in the United States. I do not, I am not aware of those statistics in the Europe.
So if everyone is, I would be very interested in finding out more about that. You know, then there is existing guidance from different not-for-profit organizations. You have international idea, you have international Republican Institute and many others, and these organization are not-for-profits and they work in different countries on the ground with electoral commissions day work with different members of, of parliaments and electoral campaigns. And they do hands on training. Now issue for these organizations is that they do have the guidelines, they do the training, but again, then you have the, the, the smaller electoral offices who are left without any tools, without anything to implement really they're left with nothing to do after the training. I would also say that in terms of management of some of this, if I looked at what some of the governments are trying to do is they're trying to centralize a solution to a decentralized problem.
And I think that we've seen that in many countries around the world, that the, the government is trying to push down guidance and solutions around election security, but it's, it's thought of as something very narrow it's thought of the infrastructure security problem, not more an ecosystem security problem. If you think about how elections work, I mean, if you think about all the volunteers and interns and the free staff who, who work with in elections, you know, and they do have access to information, you know, how, how do you protect those individuals who come on board for two, three months to help you with, with the campaign? And I think this is what governments are not really are not really thinking about very actively these days. So, so that, that kind of leads me to, you know, thinking about who, who is currently protected and who is not.
And so I think I'm gonna look at the kind of EU elections, not EU institutions, but elections in the United States. I think the countries have done remarkable work in terms of protecting their own infrastructure. The EU has pushed out guidance through the NIS group and the European commission. If you haven't seen it, I would encourage you to look at it because I think some of this guidance can inform how you think about the security solutions that you would come, you know, come up with for the elections, you know, but again, the ecosystem less is, is still, it's still a little bit exposed. Now I would talk about two other things, which is making the threat relative. So we, when we read, we read the newspaper, we are, we are really seeing what certain countries and, and certain threat actors are doing. I would say a lot of times, this is again, context of a nation state or nation state, but now there's very interesting research, ongoing showing how domestic political parties are exploiting some of the TTPs of the nation states to attack their dome, their domestic rivals.
So that's very interesting research as well, to look at, to understand, you know, what, what is happening. I do think there is an important work to be done by the government in opening their eyes and ears to the private sector, threat intelligence right now, again, at the EU level there's been, there's been a lot of issues. There is new threat cells. There is a center of excellence on hybrid threats. There's a lot of organizations being set up to help with election security, but the problem is the countries for understandable or not. So understandable reason are very reticent to share the threat intelligence. I will not say the threat intelligence or information sharing as a panacea. We all know it in order for that to work, you have to share it with an organization that can do something with it. But I would say that where the private sector, and this is my recommendations when we talk to the governments is look at the intelligence coming from the private sector because they have their, so, I mean, these are, I'm talking mostly about global organizations, but they have, you know, Sox 24 7 all around the globe, their visibility into understanding what certain threat actors may be doing in other countries where your own intelligence has no reach is really has a, has a huge value.
So, so I think when in the election space and where, you know, some of the threat actors are, are coming into play, you know, I think governments should be opening up their, their eyes and ears, the private sector, threat intelligence, and then the private sector providers maybe should think about how to bring value from what they're seeing and try to inform some of the understanding of, of, of the, of the action. So, and what I mean, making the fed more relative is, you know, it's so hard to measure in election security, what had, or cybersecurity in general, what, what we prevented, what we haven't prevented, what had impact and what, what didn't. But again, from my perspective, you know, trying to decouple the disinformation from the real impact, that real material impact of a attack on cybersecurity is very important. And then again, that's where organizations that, you know, I think in the private sector can, can help a little bit with, how do you see measure and think about the actions of the, of the attackers that are out there.
So, you know, I, I talk a lot about cyber H and the ecosystem. So I'll just talk again very briefly about our work a little bit, because it, it informs a lot of our thinking and a lot of the work with the community. So by talking, I'm talking mostly now about the United States, my organization, by the way, I should have said we are headquarters in New York, London, and Brussels, and I covered the, the Brussels office, but my organization has done more work around elections in the United States. And that's where we actually realize that there is a certain inequality around election security that, you know, someone's sitting in Manhattan, some someone's right to vote. And the value of his vote is disproportionately better secure that someone in a small, you know, office in Texas, I mean, we could talk about other countries and, and their regions.
And so we try to think about, okay, what can we do for those individuals that are in that ecosystem? But again, don't have resources. And, and if you follow the discussions around election security, you know, there is a lot of resources being pumped into this space, a lot of very good business opportunities, but you just can't out buy this problem. People don't scale, you can do the training, but again, what can you do in a scalable way that helps it? So GCA has built a toolkit for election officials. And again, we looked at the existing guidelines and I think that's always very interesting from business perspective as well. If you say, you know, I would, I would really like to work with the government on the election security side, you know, there's, so there's again, the wealth of wealth of guidance in this space. And so we looked at the guidance who that said, you know, you need to do these things to assure your, your cyber hygiene new electoral office, because we mostly tried to work with, with election officials and election offices.
And so we then took this guidance and found the tools that implemented and built it into this toolkit and pushed it out across the United States, across the United States to, to help these offices in a smaller towns and smaller cities, smaller municipalities to protect themselves. We're actually working on a similar project. That's going to be global or more, or Europe based. We're working with different organizations who have tools that they would like to provide for free for use for election offices. So if your organization is interested in being part of our project, please, please let me know. So these are kind of my quick prepared remarks around election security. I don't know if there are any particular issues you would like me to address or have any questions because I don't wanna go on about things that you, you know, are not relevant to you. Are there, is there anything, does anyone have any pressing issue they wonder about day and night?
Come on. Don't make me ask her about the us
Elections. Oh no. Should I, should I show you my SL passport it's in my back.
So I need predictions.
So, so I actually read an article at four 30 in the airport this morning as I was flying over here. And, you know, I think the prediction for 2020 is let me step back and say one thing. So a couple of years ago I was in a war game and in a war game, what do you do your game, the send the future scenarios. And we had, we were thinking about a black Swan scenario. And we're like, like, what is the one thing that no one would ever, you know, what is the one thing no one ever thought about? And it was a misuse of social media to manipulate a public opinion. This was about six years ago. And I think very quickly, we came to realization that this is no black Swan, that this has been actually ongoing, as we all thought how super bright we were and super innovative.
So I've, I think, you know, there's a lot happen between 2016 and 2020, especially in the United States. You know, I think there's organizations, I don't know if you know, graphica and others who are really looking at, you know, shedding some light as to how algorithms are used to skew public opinions and news. And there is. So now there is a wealth of research that helps us understand what the threat actors are doing, what is happening. But I, I honestly think that where we haven't, where we are not yet is the literacy of public is, you know, it it's really about societal resilience. It's about education. I mean, you probably heard this, you know, this goes back to school, this goes back to teaching us. So why is someone revealing me certain information, right? I mean, people consume information as it's presented to them, but there's very critical thinking where people ask.
So why I'm reading this in a newspaper today? Why would someone want me to know this about a certain candidate? And so in terms of predictions for 2020, if I knew I would go and bet and be very rich and do something else in life, but I would say that, you know, the community is much, it's much better prepared. If you read the reports, there are still gaping holes in the security of the election system, election infrastructure that is still not being addressed. You know, I follow a couple of people on Twitter and I look at it and I say, well, on one hand, they are using they're, they're saying, oh, we need more resources for election security. And on the other hand, they are not stopping, you know, they're not auditing whether it's true that the voting machines are not connecting to internet. I mean, there is so much to do United States such a big country.
So my prediction is, you know, we will be surprised again, but I think there is much more in terms of the awareness organizations know what to look at. You know, I think there's been some pretty interesting auditing mechanisms putting the place in the United States. So I think we'll, yeah, I think we're, we're better prepared, but the problem is a public perception and it's, you know, I always talk about the responsibility of journalists and how you report about, I mean, so this goes beyond cybersecurity, so I will not get into now. Now I won't get into that. But, you know, I think there is a lot of responsibility on the civil society and the journalists to responsibly report and do their due diligence and go back to journalism should be because I think we've moved away completely from that. So,
Yeah. Well, I mean, I think in terms of election security, I look at at least two different angles and there is one that's very cybersecurity related. There's the actual voting machines themselves. And I know after speaking to the director of the, the us elections ISAC a few months ago, you know, there are known and acknowledged problems. There are only two vendors in the us that make election machines, you know, they're, they're running old versions of windows. There's tons of vulnerabilities on these machines themselves, that haven't been addressed money. Hasn't been appropriated to patch these things and get them ready for the 20, 20 election yet. So there, there is a problem in that regard, but yeah, there's this whole social media influence campaign. That's kind of outside the scope of cybersecurity,
But I think cybersecurity plays a very important role there. Right? It's it's, I mean, McAfee has put out a very interesting report about some of the misuse of social media. I've never expected a report like that from them, but they have. And so the role of the cybersecurity is to relativize the, the threat to actually talk about what we see is happening, you know, because I, I am maybe naive, but I still do believe that facts matter in this conversation. And if you present one, the public with the facts and you know, this is what the actors are really doing, and I can show you that helps. And then the decision makers do need the facts to understand why it's an urgent issue. You know, I think two or three years ago, I would go brief on the hill members of Congress when I was still worked for fire eye.
And I mean, they had no idea about some of these issues and threat actors and election security. So I think the private sector has done a lot of important role in terms of talking about the threat, but also talking about technology and its limits because oftentimes we, you know, this is not meant as a criticism, but we do. We wanna ex we wanna pay for a solution. We're so desperate to buy something that can fix our problem. And they always thought it's one thing or the other thing. And I think what I've seen in the United States, at least that the cybersecurity industry really has come together as a, as a coalition and have done a lot of work together, educating decision makers, but also providing, you know, helpful tools. I mean, you all know that access management is a big issue. You know, this better than me, that access management is a big issue when it comes to election infrastructure. You know, I think there's a lot of monitoring and auditing and other things that, that have to happen. I had another thought, but it escaped me. So maybe I'll come with the next question.
Thank you. My question is about the, you talked about the role of society and journalists and questions about the role of the government. Like it seems like UK government is not publishing this report about the Russian meddling and it seems to be like very similar to what us is doing. So if it helps us, we don't talk about it. Can you speak about the importance of the government then, you know, that's their job actually, to do it and what society can do to pressure them to, to really do their
Job. Yeah. So there, so I think there's, there's a couple of things in terms of government, but I know what my other point was. So if I can just answer my other point first or, or measure my other point, which is, you know, I dunno how much this community follows all the norm building kind of initiatives around the world. You know, there's the charter of trust that Siemens had put out. There's the Paris call for trust and stability in cyberspace. There's a lot of industry and government driven initiatives right now out there to try to establish certain norms of behavior around election security, the problem. And there's also the form secretary general and my chart off, they have this, I think it's alliances for secure democracy. So there is a lot of interesting organizations initiative. We try to say, this is, this is not an acceptable behavior around elections.
However, no one is tracking it. You know, some of these principles say, well, one political party will not exploit this information to get back at at their adversaries domestically, but they still do it. And, and no one is no one is really, no one is really calling them out. So for me, part of the role of the government is also to say, if we, as a government sign up to something, or if our, you know, stakeholder community signs up for something, it's not saying it's government's role to enforce it, but it's government's role to say, we are trying to build some norms and these norms should be respected. You know, I don't think the us government and please correct me if I wrong have said that what happened in 2016 was an interference into domestic affairs of state, which is a violation of international peace time, international law.
And so governments one have a role to call out these behaviors and say what they are because they say, well, you know, it's, it's intelligence operation. I mean, there's always these murky conversation about, was it intelligence operation? What was it? So, first of all, so governments have a role to say, you know, what is absolutely a unacceptable behavior and whether this, this behavior has a certain framework in the international law that prohibits it, you know, I think the government's educational role is, is huge. I mean, I think it should, you know, I am not a big proponent of regulation, but we should not call social media companies, media, you know, we should call them advertisement companies, you know? So I think there is, you know, Facebook itself is actually calling to be regulated. They say, you know, we should, we don't want to be the arbiter of free speech government.
Tell us how we should. What, what, where are the limits? Right. And I, I don't think this is just the role for the government. It's, it's, it's a societal conversation with this organization, but I think there is a role for regulation and saying, you know, this is not like you should just not say media, because if you say media, there should be certain standards. I think the role, the other role for the government is also, you know, in terms of international collaboration and thinking about where are the places where we can jointly do something with certain countries. So, you know, for me, like the joint attribution are an important thing. They don't necessarily related to election, they related to other incidents. But if you look at governments in Europe, mostly in the United States coming together and attributing certain things to Russia or China, I mean, that is just building the coalitions of countries that then can, can go and call something out.
I mean, I haven't seen that, you know, in support of one country or the other, I mean, I, I haven't seen the us president come out and to say, you know, what happened around French election? Wasn't really the right thing to do. So I think that's where the that's where I see the role of the government is to defining what the, the role, the norms of the behavior should be. But then, you know, just with like strategic level cybersecurity, you have to be sure that you are not doing what you're preaching you are not doing, which is a problem in other strategic elements of cybersecurity, what country say, well, you shouldn't be doing this, but then the country's doing so there are some important strategic choices the governments have to take and they have to pick their battles. But I think democracy is a battle that's kind of worth picking.
Yes. From Norway quite a few years ago, we were running some trials in Norway for doing digital elections. And, you know, I should say no matter what the government ever told us in Norway, everybody today thinks that the main purpose of doing digital elections was to save money, was to do a paper. Election is quite expensive in a country. And there was putting up trials and of human municipal municipalities around Norway were to be included in, in these tests. So people could actually do a digital vote, but if they wanted it, they could also retract it and eventually do our paper vote. Instead. Now, several municipalities, they actually redacted this. They said, no, we don't wanna be part of this after public debate. And it, it ended up like the cryptographic solutions that were designed for the digital election were considered, you know, safe. They were confirmed by several independent third parties and so on, like this is to be trusted, but what we ended up with in Norway that, you know, it, it just went off off the table.
And I, I can hardly see that even the discussion will come up again in the next 10 years. And the reason for that is the, the main argument against doing digital elections was trust because people understand how paper ballots work. It's a piece of paper. You can, you know, sign off some name, step and cross 'em off. Whether you want to put 'em higher or, or lower on the list. And it's easy to understand, but as soon as you talk about digital elections, you can do this at home. You can do this on the internet, on your smartphone and you need crypto and wifi crypto. And some people just, you know, they have no idea what you're talking about. So to us, it became, you know, a very simple question about trust. It had nothing to do with digital security or photography or anything like that in other countries they do full or partial digital elections. Does the global security lines that you're part of. Do you have some sort of opinion on whether, you know, governments should do full digital elections or also partial digital elections, like using voting machines like they do in the us, which by, in my opinion, can never be secure compared to a paper ballot.
Right? So, so what I will say that, you know, elections are a issue of a domestic affair of state, and we don't comment on national decisions, but I will, I will say one thing that even if where we stand and the work we are doing is that we say, even if you vote on a paper, even if you do that, those record, you can, if you have a piece of paper, you can easily audit it. It's probably easier. There's some percentage of human error, but I say that information is still recorded somewhere, right? And it's, it's still somewhere, you know, on the computer, probably on the computer connected to the internet, because if you go to a small city in Stavenger or, you know, somewhere, maybe they don't know that that computer should not be connected to the internet. And so where we work is to say, even if you vote on a paper, just make sure that wherever you storing, whatever you're telling the votes, you are sec, the way you're communicating the election results from one email address to one to the central elect, that that is safe.
So that is secure. So we're staying on the hard security issue, you know, and, and I personally believe that maybe some things should stay off of internet. Maybe you don't need your toaster to be on internet or your baby monitor, or maybe your election. And, and, and, you know, I think technology, you know, I think a lot of the issues we have with technology in cybersecurity in more general is that we do see the enormous potential for economy, our convenience society, but we don't fully understand the downsides of the technology. And I think I am very pleased to see that people understand the downsides of the technology, but they only do it because demo, you know, electoral democracy, it just is such a fundamental right, that most of the countries in Europe and Northern America and other parts of the world hold. So dear that they know what the trade of would be, but it's absolutely about trust.
And it's absolutely about online trust. And I'll just, I know my time's up, but I'll just say 1, 1, 1 anecdote I forgot around election and heart cyber security. So I talked about DMAR earlier today and R CEO, just as we were launching this election toolkit, we ran a scan of the domains because that's a pub that's public information. And we realized that in the United States, like 90% of presidential campaigns have not had D a were not using D a C. If you think about your presidential campaign and you're communicating with your constituents and someone can spoof your email address and can say things about your candidate, other candidates, I mean, can just use your, your domain and spoofed emails to say all kinds of things. If you think about the potential impact on electoral process, that is, that is huge. So we've our CEO got on CNN, it wasn't orchestrated, it kind of happened. And he said, you know, we looked at the numbers. These are the, you know, these are the statistics.
All these presidential campaigns are not using D a C you know, just think about the, the cost of, of domains spoofing on the, on election and a trust. And in you as a candidate, you know, three days later we ran the scan. Again, the statistics were very different. I never, I was never a proponent of naming and shaming in, in this game. But I think when it comes to basic cybersecurity, it's also for citizens to demand some of that from their governments or presidential campaign, especially around this processes. But yeah, I, I do think that when it comes to election, you know, there's countries who are, I think it's also a question of scale, you know, like Estonia can do it because they have thought through a system of E like a digitization of society where everything is connected, but I think other countries, you know, they're, they're still struggling because it's a, it's a scale problem as well.
Thank you. Thank you.