>>First off as you know I am a noob this is my first time speaking and also my first time to Def Con. [whoops from audience] So I wanna say thank you very much to this community for inviting me to share a little time with you and to explore what I think is a really fascinating and timely topic. As you can tell from the programs and I hope you know where you are, uh my name is Sean Kanuck for 5 years from 2011 to 2016 I was the United States First National Intelligence Officer for Cyber Issues. I was charged with leading strategic analysis including attribution assessments for a lot of the cyber breaches that happened during that period. As you can probably guess I’m quite happy to not be doing that anymore and I have great empathy and respect for my successor. [laughs from audience] [applause] But if you're familiar with the US government’s attribution of the Sony Pictures Entertainment hack or Las Vegas Sands hack and a lot of those events that happened in years past, that would have been what my office was leading the intelligence community on. So I obviously come at this from a strategic perspective I imagine most of you or many of you in this audience are much more technically skilled than I am, much better at tactically hacking things. I will tell you my role as an international attorney and as a professional intelligence analyst was to look at where the greatest vulnerabilities are and where the greatest impact could be acheived through intelligence and military operations. Sometimes helping with strategic targeting in my nation’s national security defense and often looking to prevent those kind of things happening to my nation, our allied nations and quite frankly, almost any nation in the world’s critical infrastructure from being harmed and brought down. That’s a little bit about me only to tell you where I’m coming from. When I think about systems I think a little the way you all do. I look at them as the mischief maker, of how could I harm this? Not as an engineer who builds them ‘cause I haven’t built systems and I’ve never administered a system. But what I have done is look at Al Qaeda financial networks, foreign information technology systems and say “Where is the weak point? How could this be exploited?” And then make a real effort to make sure that US systems and hardware and software that the whole world relies upon is protecting itself for our common interest. So let me start with 5 questions. This isn’t the real Socratic part this is just a little in general. Raise your hand if you think there’s anything such as a secure IT system. [laughter from crowd] Raise your hand if you think there’s anything such as an air gapped network? Raise your hand if you believe James Clapper and Jeh Johnson that Russian government entities were behind the DNC hack in f- 2016? Raise your hand if you believe Vladimir Putin that the Russian government had nothing to do with that. [mumbling and laughter audience] Ok now I assume we have a very geographically disparate audience here so raise your hand if you believe whatever country you come from hasn’t done similar things or wouldn’t do similar things if they could. [audience laughs] Alright I like the laughter ‘cause I think it means we’re on the same page. [laughter] I try to think like an offender in order to improve defense. I’m gonna start here with a few minutes of where I come on a strategic trend analysis and then I have 16 questions I wanna do an exchange with you all on about hacking democracy. So just so you know where I’m coming from. I don’t think there’s any such thing as a secure system. Particularly when you allow for not only remote hacking but supply chain operations where either the vendor willingly sells you something that has added features, or where a 3rd party could have manipulated the manufacturing or transportation process to the end user. I think insider threats remain one of the greatest concerns for both government and, well government, military, and corporate environments. And that includes both stupid and malicious people, those are all insider threats. And I think when you have the ability to use dirty tricks the way intelligent services do, the way criminal syndicates do, and the way terrorists do, you really have to expand your thinking. Give you one quick example years ago I gave a NATO secret level speech in Europe and at the end of it a Hungarian secret service officer asked me “Mr. Kanuck what’s the highest level of encryption that the national security agency can decrypt today?” [crowd laughs] So at that time I didn’t actually know the answer so I told him “Sir I respect your question but I don’t know the answer. Secondly, if I did I probably wouldn’t be able to tell you at a NATO secret level. And third, how good is the lock on your upstairs back window?” Do you think we’re gonna use a cray server farm in Maryland to get one person's password? If I’m a criminal I’m gonna beat you up in the alley and get it or kidnap a family member. If I’m an intel service, I’m gonna be providing you the cell tower you’re using or the other links you’re using, or I’m gonna be filming you doing it. Or finding out from one of your peers or from your assistant. So expand your thinking that’s why I’m really excited to talk to this audience about democracy, because I’ve been doing a lot of research on this topic in the last year ever since CNN, ABC, NBC all started calling me in the fall. I was out of government so when the government says “We can’t discuss that ongoing investigation” or “That’s classified we can’t discuss that with you now.” The first thing the media does is call the people who used to be in that job, and hoping that they can now talk. But that got me thinking. I put on my hat and I said “If I were actually trying to undermine democracy how would I think about going about it?” Just like on September 13, 2001 a friend of mine at CIA and I wrote an unrequested paper called “What we would have done with 4 airplanes.” All due respect to the 3,000 lives we lost that day, and the property damage, but if you understand the infrastructures of the United States’ financial system and government system 4 explosions of that size could have caused much more death, and much more destabilizing disruption. So what are the other assesment things I believe? I believe we have convergence and devices, protocols and infrastructure networks such that we’re having many more single points of failure. I participated in a Lloyd's of London insurance report that was just aired about a week ago. And one of the scenarios was where a common hypervisor software upon which multiple cloud service providers rely was compromised. It was a hypothetical scenario but you think you have uh resiliency in your infrastructures or in your products and in many cases you don’t because of the efficiencies of scale we’re looking for. This is most easily demonstrated in the fact that the government and military have very few dedicated networks anymore. And the ones they do have have l- very limited bandwidth compared to the civilian fiber optic infrastructure and undersea cables. So I think about where the strategic nodes and the tipping points. I think the threat is accelerating, both in offense’s capability over defense. I think defense is improving but I actually think the gap is still increasing because offense is increasing at even a faster rate. Part of that is due to the exponential increase in the threat surface area with the internet of things and a lot of other aspects. If you read the world wide threat assessments to congress each year that the director of national intelligence gives, which I highly recommend you do, they’re awesome open source uh and every well cited occasionally resources. Uh I believe that integrity of information is going to supersede confidentiality and availability as the most significant vector and format of attack of concern. And most importantly and most relevant to this discussion is I think the fundamental distinction between how the United States, Western Europe and some other democracies think about cyber security is fundamentally different the way other nations do. We think about it as critical infrastructure protection protecting the systems and the pipes. Russia, China, some of the Gulf countries and others think about the content, the information uh- flow through it. We talk about cyber security, they talk about information warfare, influence operations, psychological operations and perception management. And that’s what I wanna focus on here today. I’ve sworn an oath twice to protect the constitution of the United States and the form of government it represents from foreign and domestic adversaries [applause] OK that’s actually something I wasn’t expecting so I’m gonna say thank you very much because there are other people on stage at Def Con occasionally, there are people out in war zones, who dedicate and risk their lives. I mean I’ve done some fun stuff but I know the people the men and women who actually put their lives on the line to make sure we can have something like Def Con. Ok [audience applauds] I’m the guy who stands up and says “I love the fact that code pink was able to yell at a director of central intelligence nominee in the US capitol.” I know of no other country where that hearing would have been occurred televised, open to the public and the people who swore at him to his face would have gone home to sleep in their own bed. So I’ve spent 16 years of my life to protect the right to do this and I thank you for recognizing that, for all the people who have also done that. So thank you and kudos to the rest of them. [applause] Alright after that heartfelt comment let’s g- have some fun. When I think strategically about how to mess up a democracy I start with sort of a 4 grid. I have direct intervention and indirect- indirect intervention and overt and covert. What’s an example of those? Direct intervention in an overt way: not letting people get to the polls. We saw this during the Civil Rights movement in the US where folks weren’t actually allowed to vote even though they were entitled to. We’ve seen this in other countries like the Canadian 2011 election which ended up being a s- a very significant court case in their system where one party got the voter support list from the other party and very shortly before the election sent them all robocalls telling them the polling station had been moved. Kind of fun I tip my hat to that, that’s good, but that’s not what you want in a democracy. Direct intervention that’s covert, easiest example of this is the ruling party stuffing ballot boxes or changing results. You can find great historical examples of that going all the way back to Napoleon Bonaparte. Indirect influence but overt. What does that look like? I think of President Obama’s speech in London against Brexit. Public speech, invited, but he’s not a voter in the UK. Not even a constituent or a candidate. Yet his foreign voice was invited to influence that election. And of course the obvious one on the indirect influence coovert side is something like what we saw in the US and French presidential elections recently. So how ‘bout the systems themselves? When I think of voting systems and information resources to me they take on public and private aspects and in a s- open society like ours we entrust a lot of our democratic institutions, and that’s small D, nothing I’m gonna say is gonna be party specific or lambasting either party here. Small d democratic institutions so the governments, the state governments, operate the polling stations. But who creates the voting machine software and hardware? Is that the federal government? Is that the state government? No. You have a wonderful voting village here where you’re all getting a chance to hack those machines, right? I think that’s awesome. [audience member whoops] On the information resources side we can see a lot of governments who have state news channels, TV and radio. You also have a lot of private resources. Historically that’s been newspapers and radio stations, now you have social media and all kinds of other platforms. Gets very tricky when you start asking “How do you wanna regulate or protect things?” As we’re gonna see in a few minutes. Lastly I think about intentional messaging and unwitting exploitation that’s either meant to inform or deceive. And this is nothing new in the history of politics. You can go back to Thucydides's Peloponnesian war and can see the Athenians trying to convince the Melians to give up their city without a fight. That’s on the direct lobbying. On the misleading and misperceiving if you understand the history behind the nomenclature of Iceland and Greenland or Bolshevik and Menshevik. The Bolsheviks were not the majority faction but they adopted that name. And if you think this only happens in foreign countries, go read the history of the words “federalist” and “antifederalist”. Unwitting exploitation in more recent times. Think about Twitter that had been used as a platform for terrorist incitement speech. That company took active measures to start preventing some of those us incitements to violence on it’s own platform. They weren’t involved in it but it was uh- using their platform. And then of course we have issues about fake news and a good example in 2011, 13 was the Syrian Electronic Army’s hack of the Associated Press uh Twitter account to put out a fake statement that there had been a bomb at the white house. And I hope some of you are familiar with this. For a lot of people the story ended with the fact that the I think it was about 140 point drop in the Dow Jones for 5 minutes. Most people were comforted to hear that that value came back into the financial marketplace. People like me who are worried about continuity of government and public confidence in critical infrastructures asked “Did the money go back into the same accounts?” And the answer is absolutely not. That was a multi-billion dollar redistributive economic event because someone put out a false tweet. Can any of those stock trades be reversed? Are you allowed to make a dumb stock trade based on inaccurate information? Are you allowed to pick your own information sources? Absolutely. The crime there was the crime of hacking the account. The stock trades were legal. So with that brief overview of how I view this space and with underscoring the fact that for me, our very competent competitors in cyberspace and I’m gonna speak as an American ‘cause I am one. But I think a lot of the statements I’m gonna make are fairly universal. And yes I’m also not ignorant and naive to the fact that the majority of spam in the world comes through US gateways. And that there’s plenty of criminal activities stemming from the United States. At the same time, my career has been focused on foreign and external threats so that’s my point of relevance. Er. I think some of our very sophisticated adversaries along with some of our partners and allies are involved in a daily process of intelligence collection against each other. That’s something that’s not even prescribed under international law ‘cause it’s accepted to be the second oldest profession and something you’ll never get rid of. The question becomes when is it too much and when does it cross lines? And that’s what I wanna focus on here. How do we get that first slide up? What? >>[inaudible off mic] >>Oh play it out ok. So the first one is and I apologise my slide deck is literally just 16 questions in really bold print. So to start our Socratic dialogue. >>[inaudible off mic] >>Yeah. How do you know your vote was recorded correctly? And this is where we can start with. >>Yeah that’s fine >>So. Someone from the audience, please offer a thought. How would you know if your vote was recorded correctly. I vote in Alexandria, Virginia. I filled in a paper ballot, I put it into a machine that electronically recorded it and it said “You vote has been recorded!” And I got a little green icon. It didn’t even tell me who it was recorded for. Not that I would believe the name that came up on a monitor. How would I know my vote is recorded properly? >>Blockchain! >>Blockchain! OK. [sporadic applause] How many electoral systems are currently using blockchain for that? >>[unclear shouting from audience] None! >>You all know that Estonia has had 3 presidential elections completely online already right? How far before the US would have a complete online election for president. >>[crowd tittering] Never! >>[laughing] Second question. What’s more important to you: secrecy or verification? >>[crowd murmuring] Verification >>So I’m clearly talking and I did hear a couple secrecies but most is verification. I could go to most people’s social media websites and probably guess with 99 percent who they’re gonna vote for. If you go back decades or centuries the idea of a secret ballot was a critical aspect of democracy in its evolution. Fear of the governmental authorities, fear of your neighbors, your spouses I mean this is why adults over 18 go into the voting booth alone in the United States. There are countries where they don’t. I’ve gone in and watched someone vote in a foreign country in a way that I never could in the United States. And when I think about this in the sense of mutually exclusive options and blockchain may be a solution to give us our cake and eat it too, but if you wanted to p- be able to really know how your vote was recorded, should you be allowed to opt in to a system where you can check the voter database and how your vote was recorded? How many of you would prefer that opt-in option to verify your own vote even if it meant giving up a secret ballot? >>Hell no. >>I hear hell no. And I don’t know if you can all see, I’ve got lights shining in my face, but I’d say it was about a third of the hands that went up. >>[Audience murmuring responses] I’d love to sell my vote so yeah, that’s great. >>[laughs][audience laughs] That’s good! What secondary market do we then t- create there? No those are really important things to consider. So what’s the solution that gives us our cake and eat it too? Blackchain? >>[unclear audience response] >>Gimme another one. >>[unclear audience response] >>[laughs] The answer was there are more options and it would take too long to explain. That’s fine. No I respect that, uh. My next question to you all: How much error is too much for legitimacy? I personally don’t think the exact vote count I see rec- recorded and publicized that goes down to the singles digit in a multimillion dollar number is perfectly accurate. If you believe that vote counting is a science I’ll simply remind you of the 2011 election and hanging chads. Where we had Cuban and Chinese governments offer to send election monitors to Florida to help us with our democracy. True story, true story! I I think that’s great on their part. If you talk to an economist he or she would tell you you don’t want to live in a society with zero crime. Actually getting that graph all the way to zero, to the limit, the marginal value of return and the expense it costs to get there is too much. All of us would need 2 policemen walking around us all the time. We’ve seen some models where it wasn’t 2 to 1, it was probably 1 to 5, that was known as the Soviet Union and most of us don’t think that was a great way to go through life. So what percentage of error, statistical error in a US presidential election, do you think is acceptable that you wouldn’t question the legitimacy. Let’s hear some numbers. >>One tenth of one percent! >>One tenth of one percent. >>Less than the margin. >>Less than the margin. >>[unclear audience response] >>Wh- [laughs] someone doesn’t like first past the post voting. Okay. So now you’re familiar with 2 standard deviations, the standard that’s used in science for certainty levels and for the FDA to approve drugs? Well some of you probably take drugs with no FDA approval [laughs] [audience laughs] but those of you who stick to lawful prescriptions. Uh that’s a 5 percent margin of error in those studies. You’re putting toxins into your body with a 5 percent uncertainty and you expect one tenth of one percent, at least someone said that. We have a very low tolerance. Do we want to get to zero? And is it cost effective and feasible to get to zero? Who wants to get to completely verified zero statistical error in voting? >>If we don’t know the cost, we can’t answer that. >>We don’t know the cost, so we can’t answer the question. That’s a great answer. You know if you spend time in government you realize a lot of good academic and business questions just become crazy complicated when you’re in the fiduciary duty of spending taxpayer money on questions of uncertainty. So I really like that answer and unfortunately I don’t have a great response to you on what this system would cost. But I hope it’s something we’re all thinking about I hope it’s something the election commissions are thinking about and I hope it’s things that groups like Verified Voting and others are thinking about to get us to that least level of error. So that’s the election day and your actual vote tabulation. What does it take before you get to the voting booth? The next question I have for you is: Were you on the right list? Are you a registered voter? Who holds those databases? Can they be hacked and manipulated? What do you think? Voter registration lists, secure? >>No >>How much error do you want to accept in your voter registration lists? You all seem like it’s they’re compromised or they’re compromisable, and then you laughed about it. What if I told you a specific ethnic group was the one getting excluded from that voter registration list by a hate group who was able to hack it? I’m not the least bit comfortable about that and I’m not gonna laugh about that. So who’s helping secure those? Do we want the federal government involved? Or do we want that only at the state level? That public policy discussion is going on right now. >>[unclear audience response] >>More inclusive rather than less. I like that answer uh personally. >>[unclear audience response] >>Register everyone by default. Why bother with a list? >>[unclear audience response] >>What? [audience laughs] I missed that. >>[unclear audience response] >>Oh what do you mean by everyone? Well based on the constitution that would be people of all races and genders and race over the age of 18 that’s where we’ve currently set the bar. >>[unclear audience response] >>Oh there are- true there, so we heard “not felons” which means there are some people who temporarily or indefinitely lose their voting rights. >>[unclear audience response] >>Is it not my constitutional right to go play baseball on voting day? Isn’t that what freedom’s about? [hollers from crowd] 2 great successes of the Soviet Union: near perfect literacy much better than the current US rate, and almost perfect voter turnout. [crowd laughs] The third one is the beauty of their subway stations in Moscow, beautiful crystal chandeliers and mosaics on the walls. Ok. Were you on the list? How about the next question, were you in the right place on voting day? I already gave you the example of the deception in the Canadian election, what other things can happen? And when you think about being on the list and being in the right place to actually exercise your suffrage, do the policies in place disproportionately impact certain groups. >>[audience responding] Yes. >>I hear absentee voting and I hear a lot of yeses. And one of my great concerns is, so I’m an analyst I don’t think anything is a hundred percent certain which means I believe there will be some statistical error in any system. I think if you get it to that one tenth of one percent or something incredibly low, that then we’re doing well and you’re not gonna have a crisis in legitimacy. At the same time I want that to be random error. I don’t want that to be error that disproportionately affects people in a specific district, because they are in a low income area and their county can't buy the best machines. [audience members clap] I don’t want it to disadvantage in a visual audit process, I don’t want it to disadvantage visually impaired or people with other disabilities. So while I’m willing to stomach a little bit of statistical error I want it to be purely random and not harming any specific group in my electorate. To me that’s a really important criteria. >>Do you know anything about uh, India’s voting system? >>Do I know anything about India’s voting system? I know India is the largest democracy and I know India has the world's largest biometric database, which so the government is using for things. But I get the sense you have a specific question or comment so please say it really loud and if you don’t yell loud enough I’ll repeat it. >>So uh >>Turn, turn around and yell. Come here. Come here. Come here. Get up here, expert. [audience laughs] Tell us all about it. >>Now, now I’ve gotta try to throw out my youtube knowledge. Uh so in India they have it setup where there has to be a voting poll I think it’s like 2 miles within every person and uh there’s actually a Buddhist temple that is out in the middle of nowhere where there’s only one guy there and they have to go there every year and set up a booth just for him. >>Love it >>So… >>[from crowd] How much does that cost? >>How much- how much does it cost? But how much does freedom cost? Like how much, right? [crowd cheers] >>Alright so let’s stay on India w- for one second because I actually do do a lot of work on cyber issues with India just not specifically their voting system in fact I’ll be co chairing their international cyber conference with an Indian think tank in October. And to just put things in perspective about how you can manipulate populations. One of the problems they have in a very ethnically linguistic and religiously diverse society are some internism, competitions and unfortunately violence among different political and religious groups. A few years back there was actually fake SMS message- substance in SMS messages and social media that went viral about attacks on a certain religious and ethnic group in the northeast. Who a lot of those family members were working in the west and the south and sending money home to their families. This is very common in developing countries. Those threats of violence caused a mass migration of millions of Indian citizens to head back to the northeast to protect their families. You think about the impact of modern technologies of real and fake news and platforms, someone sitting in their basement could cause millions of people to migrate thinking their families were at risk of death. I’m not picking on India there, this is an example that actually happened there, I think this could happen in a lot of places and these are some of the issues that Modi’s government and others in India are thinking about a lot and countries like Bangladesh and Pakistan and other neighboring countries are also worries about. So I welcome the comment about how India is dealing with some of that, and you know let’s think about Estonia let’s think about India, let’s even think about our British friends when we think about elections and how the different systems play out. Um shifting gears a little. We talked about how you get on the lists and how you get to the voting booth, let’s go further back. Let’s pretend we’re in campaign season. Who decides what becomes news? >>[unclear audience responses] >>Who? I heard me. [chuckles] who else? >>[unclear audience response] >>Tom Brokaw. Ok. [audience laughs] You’re dating yourself. [more laughter] >>[unclear audience response] >>Large corporations. >>[unclear audience response] >>The government! [laughs] >> [audience laughter] [unclear audience response] >>Is “the government” the same people you congratulated for risking their lives to protect you 20 minutes ago? [chuckles] [audience laughs/groans] Uh lots of sources. Ok. We live in a multi uh various society where a lot of different entities can weigh in and do it but think about the process. Is it a blog post on reddit that ends up getting picked up and is it someone's tweet that goes viral? How- >>[unclear audience response] >>Robots on social media. We’re gonna get to that. No we really will. Uh. Next question. And now my now my phraseology to the questions starts to get cheeky, so as I say ‘em, try to figure out the real substance I’m getting at. Which runner is in the lead? Why would that matter to me for democracy? And of course runner is a euphemism. Which candidate is actually leading. There are actually people who vote based on what they see happening in the polls. Either because they wanna be on the winning team or because- you laugh at that, there are people who actually in many democracies who actually want to feel like they’re with and supporting the group that’s gonna be in power. But more importantly you have a lot of cases especially in a country where I’m not forced to vote if I want to play baseball, I may wait to look at the polls to decide if it’s worth those 3 hours of my time. If my candidate is so far behind in a district where I live, maybe I think it’s useless to vote. So think about hacking polls if that can have an indirect effect. So name some polling organizations for me, nongovernmental, of course. >>[unclear audience response] >>Yell at each other, I’m not gonna repeat ‘em all, but you’ve all heard of some of these, right? And what’s their IT security like? Do they have any insight or threats? Or people with political agendas working in those companies? What IT hardware and software do they rely on? Remember I’m the annoying intel guy, if I can’t get into your federal reserve bank, if I’m an Iranian person who is mad at the US, maybe I will DDoS all your commercial and investment banks instead ‘cause it’ll create economic harm. If I’m in China and I’m tryin’ to steal intellectual property and I can’t get into the pharmaceutical company or the defense contractor, or the Australian mining company, maybe I know that their auditors, their legal representatives and their financial consultants have that same information. Tons of law firms in the US and the UK have been cyber attacked to get their clients information. >>Panama papers! >>Panama papers. Thank you. So do you think people would be willing to try to hack polls if they thought it could have an effect? So just like I don’t know if my vote is recorded properly, how much faith should I put in the fact that candidate A is 5 points ahead. I think that would be great to pretend that you had no reason to go vote in order to deter you voting in a very close race. >>[unclear audience response] >>Isn’t this because of the spoiler effect because we use a first past the post voting system? We could spend all of your conference discussing the merits of first past the post constituencies, parliamentary systems and all the other variants that various countries use or that we’ve used in the past. I just want to acknowledge the importance of the question you asked and refer everyone to political science textbooks because how you do your elections, primaries to general and all kinds of things matter. If you want a really simple example compare the US system to the French system where they have multiple rounds of voting for president. OK. So it’s a good point but I’m not going to go into it in full detail ‘cause I probably wouldn’t be able to fully answer that properly anyway. Next cheeky question. We asked which runner is leading on the field, is the field made of natural grass or astro turf? [audience laughs] That goes to our botnet question. OK. What is a grassroots movement today and how the hell do I know if it’s real people or how many of them there are? >>You don’t! >>You don’t! [audience chuckles] And what’s our problem there? Hopefully some of you are like “Well, that may not be bad if it’s a little bit, but at what level does it become unacceptable?” And we’re gonna come back to that question in a second. So we I think we all need to accept that what you see… >>Ten. >> Ok ten minutes left. What we see may or may not be real individual activity. >>Does it matter the scale? >>Does it matter the scale? >>Local grassroots level elections for example like for city council versus senator? >>My answer would be: how big is the data pool and what’s the statistical level of error, right? What is the amount of error or risk you’re willing to accept. Uh I’m gonna jump a little bit ahead here ‘cause I think it’s relevant to this discussion so. On the astroturfing question, for me it actually quickly degenerates into a competition between 2 core values. Freedom of speech and equality. And we see this tension when we talk about campaign finance. We have put limits on what specific individuals and entities are allowed to donate or do as far as spending money. We want people to be able to have a disproportionate influence based on spending money in campaigns, but only up to a point. This speaks to your question ma’m. So when it comes to sharing information right, cause what’s the money used for? The money is used for TV ads. But what if I can get the same publicity by doing social media. Should I as one person be able to have the influence of 5 million on social media, when I’m d- not allowed to have the right to do that in an economic sense in donating? I don’t have the answer for this but I think we need to start thinking about it in those contexts. We want equality, one person one vote, we accept inequality in the campaign process but only up to a limit. And who should decide what that limit is? Should it be uniform over the United States of America or your respective countries? Or should it be county by county, polling station by polling station, or state by state? Do we want to invite foreign guests to our party? >>NO! >>[laughs] >>F**k no! >>We live we want to live in an open information space, we don’t want foreign governments bankrolling specific campaigns. UK invited Obama to weigh in on Brexit. Should we be inviting President Xi to weigh in on the interim election? Or President Putin? >>[unclear audience response] >>Hu- hold on. The gentleman who was yelling one more time, there’s no difference between public influence and… >>No there’s a big difference. A public speech by Obama is totally different than a foreign power having thousands of Twitter bots. >>I agree with you. For me that’s the distinction I gave in the beginning between the covert and the overt. Be- in my next question which I sh- remind me to give you something later as a plant, because that’s the perfect segue. Are we inviting foreign guests to our party? And is it a masquerade ball? [audience laughs] Right? And then, is it just the foreigners who come wearing masks, or is it all kinds of interest groups? I mean one of the saddest examples that I remember for a while was in some of the unfortunate human rights turmoils in the middle east I think this was in Syria there was a large uh online following for a very sad story regarding a persecuted and oppressed Syrian lesbian. Turned out it was a 50 year old man in Iowa, I believe. Is that the kind of world we want to be living in? I don’t know. But do I wanna let someone else be the sensor who decides what free speech is and is not allowed online? This get’s us to the classic game theory question of who guards the guardians? Ok and that'll bring me into the next few questions I have. Which innocent victims deserve protection? Last time I checked the DNC is a private organization. Does it deserve taxpayer money protection to secure its networks? Yes or no? >>[audience answers mostly “no”] >>I was not expecting that uniform answer. I know that we regulate party activities your state legislators regulate the primary process to determine those private organizations’ preferred candidate. So we do regulate it somewhat and we do spend some taxpayer money there. I did here a little yes over there so it wasn’t unanimous but so I ask the question: which victims are entitled to state funded support and protecting their systems, but that comes with a very close second question: which entities are required to accept that help? Including if it means from the opposing political party that’s currently in office. What do you think about that? >>Ask the Clinton body count. [audience whoops, laughs, and groans] >>[laughs] Ask the Clinton body count. So clearly we have recent reference points. As a strategic forecaster I’m always looking forward. I don’t think we’re gonna be able to fix our system before the midterms and maybe not even by 2020 but I sure hope we can get our act together a little better by 2024 and I hope we can start setting some good examples. And again I’m very nonpartisan, um by law I was not allowed to even participate in a lot of political activities beyond just merely voting while I was in the intelligence community. And part of that ensured the value and the um analytic authority of our team’s work when we went to brief congress or the white house on things. So I respect that there are partisan motivations behind some of this but for me I use them as examples, because what happens to one group today or this year can happen to the other group or even a 3rd, 4th, and 5th party if we ever get a viable system with more than 2 parties. >>[inaudible comment from audience member] >>Not so much the New York FBI? >>Right >>Tell me a little more >>Partisan. Conspiring with Rudy Giuliani. >>Ah! We have a comment that the New York FBI is conspiratorial with Giuliani. Just repeating it in case you didn’t hear it. Ok. [audience chuckles] Ok last 2 questions. The problem with the elections and hacking democracy and undue influence from foreign entities. Is there actually anything new about this? >>[mixed audience response] >>Citizens United is mentioned. So if I’m sitting in the p- If I’m sitting in parliament in 1775 in London how do you think I characterize the pamphlets that Sam Adams and Thomas Paine are cranking out? Do you think that’s terrorist activity inciting violence against the legitimate government authorities? >>Yes. Yes. >>How ‘bout if I write a bunch of political papers, sign them in another name that suggests that I have much more support than I really do. Federalist Papers, Publius. Madison, Hamilton. The issues we’re dealing with are not new. The question becomes: why does this matter and why is it so offensive today? Ok the scope and sophistication. And we heard that a little earlier a variant of that from a lady over here, and I agree with you. It’s the question between qualitative and quantitative change. If you heard former NSA and CIA director Michael Hayden or former director of national intelligence Jim Clapper say that the Office of Personnel Management hack that stole a bunch of government employee data was a legitimate intelligence target but that they still want to prevent it, because it was so devastating. How ‘bout the release of accurate documents, stolen documents, but accurate. Is it really wrong to share truth? So if we allow espionage and we believe that free information society and truth is desirable, those are 2 rights, how do 2 rights make a wrong? And I think it goes to that scale and scope. It goes to the nearly costless ness level with which an entity even 1 or 2 people somewhere else in the world can have a hugely disproportionate impact. Without running the risk of actually running off the printing press and hand delivering the pieces, without entering the physical jurisdiction of those locations. >>Isn’t this why we need intelligent voters? >>Isn’t this why we need intelligent voters? [sporadic applause] I believe in voter education I unfortunately am also terribly aware that education is not perfectly consistent across our society and I don’t want to exclude anyone who the constitution includes. So I don’t wanna put education standards or informational standards on what constitutes an informed voter. >>[unclear response from audience member] >>All humans are subject to influence. Should I take that personally? [audience laughs] No, point well taken so we live in a world of humans with behavioral patterns that can be influenced. I’m well aware I’ve posed a bunch of questions to you that I don’t have good answers for myself, but I respect that you’ve taken your time to join us and I hope I’ve at least been a little bit provocative and walked you through the various levels where someone like me who both tries to protect our continuity of government and continuity of our constitutional system thinks about these things because like yourselves, you think about breaking systems, not necessarily building them. And I think the more dialogue we have betweeen well minded offense with the defense who’s either building or protecting these things, I think that’s the path forward. So I think we’re out of time. So with that I’m gonna say thank you very much for sharing your time thank you very much for your comments [audience applause] and please keep this dialogue going. [audience applauds and cheers]