tv Election Assistance Commissioners on Election Security CSPAN July 14, 2018 10:02am-11:58am EDT
>> next on c-span with the election season underway, the chair and the commissioner of the election assistance commission talked about ways to prevent election corruption. then the meetings that the president had with leaders at the nato summit. after that, president trump holding a news conference taking question about his upcoming visit with russian president vladimir putin. elections in the u.s. this summer, the chair and the commissioner of election assistance commission talked about election security. they talked about efforts be made to prevent cyber security threats, and attempts to corrupt the upcoming election.
>> good morning. the committee will come to order. i am grateful that two of our colleagues from the senate will start us off with some observations they have about this critically have an important issue. i am glad that my fellow missourian scott is here. i had a chance to learn more about his growing company, and in this area a few weeks ago and look for to his testimony as i do the testimony of all of the others. this is the second in a series of hearings on election security. as we know, during the 20 16th election cycle, state and local like theywere tested had not been tested before, and even after the election, were more aware of the threat somewhere out there, and it
needs to be in better information about those threats and more help as to how to deal with them. at the last hearing, the local officials told us they needed timely and actual information coming needed cyber security resources as well as technical assistance. today, we turn to the federal officials in charge of helping provide that kind of assistance, and looking at how they could better provide those resources as well as private sector election vendors. efforts to secure american elections are not new following the 2000 election, the 2002 help america vote act, established the united states election assistance commission to assist states in replacing voting systems and improving election administration. that bill also created a partnership between the election assistance commission and the national institute of standards
and technology to create guidance for voting systems and to certify those voting systems. in general of 2017, the department of homeland security designated after the election year had passed, election infrastructure as critical infrastructure. the first now in election series sense that designation was made. at our last hearing, we heard how this designation would effect information sharing between state, local, and federal governments. today, we want to look for to hearing more about the other aspects of that designation, which is a formalization of information sharing and collaboration between private entities and the federal government through the sector coordinating council. fy2018cently, the
spending bill, congress appropriated $280 million to the u.s. election assistance agency to help states enhance their election infrastructure. about 49 states and territories have already requested approximately $350 million of that money, and in many cases, they have already received the money they have asked for. some of our goals today is to find out more about the tools available that the federal government can provide state and local officials. find out about information sharing that is occurring and should occur between state, federal, local election officials. and learn more about what we might do to encourage cyber security best practices. we are pleased to have senators here. i will turn to a senator for opening remarks. >> thank you, mr. chairman for holiness important hearing.
i would like to thank senator wightman for being here, and senator langford for your work. you are both of the intelligence committee and know how incredibly important this topic is and how there is a lot of focus on what has happened and what did happen, and there should be -- but we have to keep her eyes moving forward on how we protect ourselves and that it does not happen again. i am pleased with the work senator langford and i have done on the election act, as he will describe. this legislation when improve government sharing between election officials on the federal government, provide better resources and expertise to states, make it easier to confirm election outcomes. andas significant about us -- it has significant bipartisan support and has spent the last 18 months working with federal officials -- state and federal
officials and have made significant changes and have listened to people, especially the secretary of state, around the country, to make their concerns. it is truly vital we work together, and this is one effort, but there are so many others going on, especially the way the intelligence committee has handled this -- the intelligence community has handled this. it is important this be bipartisan. we have a hearing we -- we had a hearing in front of judiciary, and it became clear that although the interference has been about the interference in 2016, it was also going on in the primary, specifically targeting senator rubio's campaign and others. it is important to remind ourselves that it wasn't just going on with one party versus another. they were doing things that affected the primary and doing things that were outside of the
outside election with groups and people, trying to turn people against each other basically, whether it was a pipeline in north dakota, or whether it was rallies in florida. the state of local election officials were administering elections on the frontlines. they were working hard to ensure our election systems are secure. i know my secretary of state, who was here recently, would tell you he and his colleagues across the country are all very focused on this. during the hearing last month, we heard from some of those officials about the challenges they faced in the need for additional resources in light of the continuing threat posed by russia and other potential adversaries. today, we will hear from federal officials and representatives from voting systems companies. vote of of americans machines hungry companies. one is here today.
i wish the other two companies could have joined us. andn the threats we face the billions of state dollars that go to these companies, oversight is vital to ensure they are providing secure and reliable voting machines and services. congress must do everything we can to defend our elections and confidence inan's our democratic process. i am glad we have a system with different systems in different jurisdictions because one hack won't ruin everything, but one hack in one state could jar people's confidence. they came close last time to hack into 21 states. close to the voter list in illinois, and we don't want this to happen again. thank you very much, mr. chairman. >> i look for to working with you on this. we both worked with sarah lankford and several wightman -- in several wightman. they have both had time to think
about these issues. wightman, if you would like to start, i would like for you to go first. >> thank you very much, mr. chairman. thank you for your thoughtfulness in making it possible for me to come today. i look for to working with you. fashion look forward to working with you -- i look forward to working with you. i will try to make a few key points, and perhaps, you can put my full statement into the record. according to the latest number, at least 44 million americans, and perhaps millions more, have no choice but to use insecure voting machines that make hackers and hostile foreign governments salivate. it is, in my view, inexcusable that our democracy depends on
such taxable motor technology -- voterle technology that is been able to evade oversight, and have been stonewalling the congress for years. the efforts by russia during the 2016 election highlight the vulnerability of our election infrastructure in the serious threats that are people face. as you and i talked with the forrman, i suggested a bill the reliability on elections, and it seems to me important given the prospects that foreign hackers can have access. my legislation focuses on two common sense measures that are backed by the overwhelming numbers of cyber security experts in our country. paper ballots and risk limiting
audits. i wrote this bill in spite of this campaign of ducking and bobby and weaving, really stonewalling from the major voting machine companies. over the past year, and i have touched on this as a member of the intelligence committee, i reached out to cyber security experts and others, and i wrote the big voting machine companies, asking them basic questions about their cyber security. these were not complicated questions. they were, have you been hacked? basic, cyber hygiene 101. the companies refused to answer how or even if they are protecting the systems and the votes from the american people. earlier this year, the new york times published a story the largest voting machine manufacturer was selling
devices that came preinstalled with modems for most monitoring software. the experts say that remote access to voting infrastructure is now a five alarm crisis when it comes to security. my view is, you can only make it worse if you were to leave unguarded ballot boxes in moscow and beijing. so, i cap writing to the company, following up at the same commonsense questions. they ignored those as well. mr.s clear to make him a chairman, these companies want to be gatekeepers of our democracy, but they seem completely uninterested in safeguarding it. my state exclusively uses machines that don't produce a paper trail. the only record is a digital record that could be hacked, which is impossible to audit reliably. that strikes me is a prescription for disaster. americans need paper ballots,
marked by hand, until the system is adopted, every election that elections yet another that foreign governments, hostile foreign governments, including russia, can hack. earlier this year, congress appropriated 380 million dollars to help states upgrade their election technology. the money is now in the hands of the election system on the way to the states. it ought to be used to bolster security. unfortunately, it is not clear at all how the election assistance commission is actually using the money to do this. state could gohe out and buy a whole lot more hackable technology from these stonewalling voting machine companies. let me wrap up by saying, before we conclude, the statements of the commissioner, who is number
two at the commission, mr. mccormick, also concerned -- ms. mccormick was also concerned. she said the intelligence committee that russia thought to influence, mr. chairman, you and i have heard again and again, that it is the view command center langford has heard this -- it is the overwhelming view of the intelligence committee that russia is to influence a 2016 election. i cannot for the life of me figure out why the number two official is dismissing the analysis of the government. -- the government's experts. no matter who you pull the lever toward the last time around, all of us here in the senate have to care about defending our elections from foreign hackers going forward. fisher chairman, i want to thank you for your courtesy and a time
you and i have spent talking about this and i look forward to working with you today. >> i look forward to you and i continuing to work on this. mr. chairman, thank you. tomr. trump and, i want apologize to my colleague for ducking out because i know he has something important to say. i thank my colleague here. >> think you, senator. -- thank you, senator. >> it is good to be back in this conversation again. there is a lot that still needs to be done. hard on theed very secure election side. this has been a work in progress that was rented out in pencil -- tot it was written in pencil be reedited over and over again as we have gone through this. we do need to deal with the
obvious threats that are coming at our nation dealing with elections. we should have learned a lesson in 2016 that this will take a long time to roll out real results and responses over the course of our nation. we do need to deal with these threats. secure election acts, trust bills focusing on states to encounter issues and threats that they face in the elections. let me reiterate this. i have zeroed out -- i have zero doubt that the russians tried to influence our election and to engage to bring instability to our democracy. but i have no question that our states are not only qualified to be able to handle the elections, but they are constitutionally responsible to handle our elections. the state need to be able to control elections. formve worked on how to and how do we head off this issue from coming at us again? next not so much about the
election because quite frankly, there is a lot of attention being paid to the next election. it is what is the election structure 20 years from now? when do we let our guard down will the focus not be there? we had to put processes in place to make sure that 20 years from now, we have not forgotten the lessons should have learned from 2016 and some basic things have come out of that conversation. one is increasing communication between the government and states. there was not near enough communication leading up to 2016. there were no security clearances in the states. when issues were discovered, there was no one to communicate that was quickly that have clearance. many elections across the nation do not have audible elections. they are done completely electronically and there was no way to audit it at the end of the election to determine if everything went correctly. it was a best guess that things went correctly, but there was no way to know. there are many states that risk
missing audits after the election is over. some states do not. when it is a federal election, it is difficult if there is a threat to anyone entity in one state that affects every other state as well. there was some basic things that can be done then we felt like could be done and could be done a lot of states to be able to control their own election structure, and have flexibility on the type of machines they want to have, and the type of election systems they want to have. it should be up to the states to run that. we have worked very hard never find the secure election act, adding a lot of feedback from secretaries of states and heads of election officials from the eac and dhs. bipartisanith a group, state secretaries in april, including the president, secretary ashcroft from missouri, and secretary simon for minnesota. we incorporated their advice and
we have had feedback from the chief election official in my state. as well as former election assistance commission or matt masterson. we have talked to secretary nielsen from dhs and received a tremendous amount of feedback as well. be able to see improvements, and we do believe the coordinating councils can share a lot of that information with other states and with the federal government. but there are simple things that can be in place that we feel like do not usurp the authority of the states to run their own elections. but do give us a secure elections system for the future. the issue is not so much 2020. we're all watching. what will the elections be like 20 years from now? will we still have a process in place of protect the elections when our guard is down? idea to be is a wise able to continue that ongoing cooperation and communication,
so when issues are discovered, they can be shared state to state quickly and to the federal government to be able to make sure we can protect our elections to make the message is possible. you for the, thank invitation again to join us conversation, if only for a brief moment. thank you for holding this hearing because this will be important that we get a bill across the floor and get it passed, and help secure elections for the future. >> thank you. we will call our first full panel of. we have two panels this morning. that will be chairman fix and commissioner mccormick along with dr. romaine from the national institute of standards and technology, and mr. masterson from the department of homeland security. somebody can -- as we are getting nameplates,
your full statement will be on the record. we do have another panel after you certainly want to have a chance to ask questions, so you can deal with your time however you will like to, but if you want to summarize anything in your statement, we will have your statement on the record, and we will are glad to have it. and we are glad to have you here today. we will start with chairman hicks from the election advisory committee, and then go to commissioner mccormick and then dr. romaine. and mr. masterson. >> good morning mr. chairman. i am pleased to testify before you today to discuss u.s. elections assistance commissions work to support election leaders in her efforts to conduct efficient elections. the commission takes pride in the resources and assistance we
provide to election officials and voters, as well as the vital role we play as a national clearinghouse of election administration information for partners in congress, federal agencies, state and local governments, private industry, advocacy organizations, academia, and others in the election industry. this is emphasized by witnesses at the last hearing. we focus solely on elections, serving as a central hub for others it's been only part of their time working on this important issue, including those who specialize in technology and cyber security. our partners range from the department of homeland security, federal bureau of investigations, u.s. postal service, rely on this eac to provide deep knowledge on how elections work and a carolina communications to those in the field who administer the vote. our partner agencies have counted on the eac to fulfill this role with regard to election security.
this topic is not new to the state and local election agencies who run elections in the tens of thousands of administrators. and members of election workers who support that work. it has long been a primary focus for the men and women on the front lines of elections. something they think about 365 days a year and during a presidential year, 366 days a year. the job description of an election official is everything from compliance the voter registration to mail management and human resources. this is why it is so vital that congress and federal agencies, especially eac provide election administrators with the resources and tools they need to succeed. establishment of election systems as part of the nation's critical infrastructure is one way the federal government sought to improve the mechanisms that uses to accomplish this goal. eac's work during the 2016
federal election set a fundamental effort for this. at that time, prior to critical infrastructure designation, we worked with the fbi to distribute security alerts and threat indicators the state territories to help protect election systems from specific cyber security threats. with ouret this goal federal partner agencies by meeting with the white house to discuss these threats of election systems, security protocols, and the election 8000ms in the jurisdictions nationwide. secretaryformer johnson's critical infrastructure announcement, we actively worked to provide state and local election authorities with a seat at the table during is a section -- at the table during this discussion. an organization was formed
faster than any other counsel today, and the eac takes great pride in this role, one that we play to make that happen. of how local, state, federal government can effectively work together towards a common goal of protecting our nation's infrastructure. i serve as -- i serve on this committee that has worked thatently to ensure critical infrastructure designation has a palatable, meaningful -- has a tangible and meaningful impact. solutions and that takes resources. we are pleased that the members of this committee recognizes this reality when supporting the congressional appropriations act of 2016. that legislation contains $380 million in the states and territories to improve federal elections. just three months after that bill was signed into law, the eac has is. requests -- the eac has
distributed requests from 51 of the 55 states designated to receive funds. that is a remarkable personage and demonstrates the eac's responsiveness and the state's urgency to make election systems more resilient. lesson two weeks after president trump sign the appropriations bill into law, the eac notified each eligible jurisdiction, and issued grants and award letters to every state and territory. just one week after that, your home state, mr. chairman, received a response. in the weeks that followed, the eac conducted a webcast, public forum, and explained the funds and worked with others to share this information. conducted webinars and had other resources on our website and educated nonna
governmental groups -- and educated non-governmental groups , including a focus on -- including a focus on those funds. our teams have helped folks navigate this hurdle. on behalf of of the states interpret, i want to thank you again for these vital resources, and i assure you there be put to good use. our vice chair, commissioner mccormick will detail some of the efforts. foruld like to thank you inviting me to testify today, and i look forward to answering your questions. >> commissioner mccormick? >> chairman blunt and ranking members, thank you for inviting the eac to testify today about the vital issue of election security. my name is christie mccormick, and i'm a former chair of the eac, currently serve as the vice chair, and i been working on elections for three decades, starting
-- continues to fulfill this mission, and election officials across the nation consistently affirm that our work does indeed help america vote. on the newly focus appropriated fund and our efforts to supplement these resources. states and territories are wasting no time for applying for the $380 million appropriated in march.
votersto serve american and to protect the integrity of elections is deserving of our praise and support. thanks to them, election systems from coast to coast produced accurate results in 2016 and were resilient in the face of reported security threats. curity threats. i have every confidence the newly appropriated funds are for holding officials to continue this work to strengthen the systems ahead of the next term election and the presidential election. while officials continue to work with state legislators, local beers from advocates and other stakeholders to find him how they will spend the funds i will provide a snapshot of the efforts that we already know are underway to make the system more accessible, efficient and secure. south dakota is using the 3 million received upgrade voting equipment including the ballot marking devices and tabulators. the equipment was purchased in 2005 and the state will make
crucial upgrades to its voter registration file. new york received over $19 million into the state plans to use this to implement a state and local cybersecurity risk assessment program immediate identified vulnerabilities, monitor ongoing security operations and respond to incidents should they occur. in west virginia's secretary office developed a plan after surveying the officials for cyber and physical security assessments the state will increase the system protections, bolster the capabilities and prepare for the corrective action if necessary. the territories many of which suffer catastrophic damage during the last year's hurricane season are especially grateful for their funds for example the head of this year's elections american samoa is using their portion they receive to restore the territories election office and replace equipment damaged during the tropical cyclone.
they are upgrading to voter registration systethe voterregim increasing accessibility of the poll, broadening the voter education effort into improving the workstations and databases. as a part of the clearinghouse function we are highlighting the states initiatives of other jurisdictions may refer to them as they might determine the best way to utilize the appropriated funds. right now the priority is to get the funds out the door as quickly and responsibly as possible. the academics, federal government officials and many others to discuss approaches to strengthen a election systems and better serve american vote
voters. they traveled to nearly a dozen states to prevent elections officials. these trainings are ongoing and we are working with dhs to put the training online to the fed platform. he regularly travel to the jurisdictions throughout the nation. how they may occu occur to you o improve the assistance and we conduct and hold forums to gather feedback. earlier this year we held a public forum to discuss the funding and to hear from election officials about the ways they are working to secure the systems and improve the process. most recently we held a forum in baltimore where hundreds of americans with disabilities were gathered for the national disability rights network annual conference.
so we focus on the administration of elections we appreciate the congress support of our efforts and the states and territories we serve a. i'm the director of the information technology laboratory at the institute of standards and technology. thank you for the opportunity to appear before you today to discuss the role in the election security. the systems calls on the expertise and management science in working with standards and development stakeholder communities and the development of testing infrastructures necessary to support the standards implementation. additionally our experience working in the multi-stick with the process is critica processee success of the voting program. for more than a decade, the program partnered with the assistance commission to develop
the science, tools and standards necessary to improve the accuracy, reliability, usability, accessibility and security of the equipment used in federal elections for both domestic and overseas voters as outlined in the help america vote act of 2002 into the military overseas voter empowerment act. hava reports to the federal advisory committee and support includes research and development to support the development of a set of voluntary voting system guidelines or guideline that have been considered for adoption. version 1.1 of the guideline would have an approved and we immediately began work on the next iteration of the guidelines version 2.0. they are used as a part of the state and national certification process by the state and local
officials were evaluating the systems for the potentially using their jurisdictions and by manufacturers who need to ensure the products fulfill the requirements to be certified. the guidelines address many aspects of the systems including determining the system readiness, ballot preservation, ballot counting, safeguards against system failure and tampering and auditing. we established a set of groups together together a wide variety of stakeholders in the development of the next iteration of the guideline 2.0. there are currently 963 members across the seven working groups three of which are aimed at the us and three groups focused on the cybersecurity, usability and accessibility and interoperability command one thacome and onethat will addresd to testing. they've grown hundred 62 members and engages in discussions regarding security of u.s. elections. as the infrastructure evolves,
so have its security concerns which today range from unauthorized attempts to the axis of the voter registration systems of multiple state to the errors or motion software attacks. the guidelines address these evolving concerns including support for advanced auditing methods and a two factor authentication security protections developed by industries over the past decade are built into the voting system. other security issues to be resolved include the need for the regular and timely software updates and security patches for network communication is another important issue and many jurisdictions rely on the public telecommunications networks for certain functions such as reporting results to state agencies and media outlets the s the night of an election. they briefed the significant expansion of the service and their security requires further study. in january, 2017, the department designated the infrastructure is
critical infrastructure in support of this effort providing the creation of an election profile framework to improve their cybersecurity foster we also conduct evaluations of independent laboratories and provided the eac a list of the laboratories proposed to be accredited. nist usability accessibility and functionality requirements to achieve the uniformity and testing among laboratories. nist is addressing security by strengthening the guidelines for the voting systems and by working with our government prefers to provide guidance to state and local election officials on how to secure their systems including voter registration an and reporting systems. thank you for the opportunity to
justify and i would be pleased to answer any questions that you may have. >> thank you. >> thank you chairma >> thank you chairman blunt, ranking member klobuchar and members of the committee for the opportunity to testify regarding the department of homeland depad security's ongoing efforts to assist state and local election officials, those wh who own and operate the election systems with improving the resilience of america's elections. later this week tha the leadersp will meet with officials and private sector partners as they gathered in philadelphia the birthplace of our democracy for the national summer conference ansummer conferenceand meetingse coordinating councils throughout my career i worked with state and local officials to defend the use of technology to better serve american voters. in the last three years i served as a commissioner at the assistance commission and now i served as a senior adviser at the dhs focused on the work the department is doing to support the thousands of officials across the country.
in this decade of work i can tell you the best part is working with a dedicated professionals that administer elections in the face of sophisticated threats these officials have responded by working with us, state and local resources, private sector academia and improve resilience. the risk are real, the midterms remain a potential target for the russian actors and while we have yet to see any evidence of a robust campaign aimed at targeting the infrastructure like in 2016, the committee continues to see russia using social media, falsified personas, sympathetic spokesman and other means to influence the opposite ends of controversial issues. we remain vigilant and we will continue to work with partners to strengthen the resilience of our election systems. as i travel the country working with state and local officials, it's clear they are taking the risk seriously. for example, the officials are
engaged with dhs and the university of west florida to conduct robust training across the state and in addition to the state of florida and supervisors became the first state to have every count county joined the information sharing center and we are currently working with florida counties to employ the network sensors across the entire state. this remarkable progress in a short amount of time. the mission is to ensure that the stakeholders have the necessary information and support to assess and mitigate risk. we've made significant progress during a state and local officials as well as private sector partners who support them are at the table working with us. we've created government governt private-sector councils to collaboratively work to share information and best practices. we created the infrastructure sharing and analysis center grow into almost a thousand members including all 50 states in just under five months. this is unprecedented growth compared with others. since february, 2018, we have
quadrupled our awareness into the election infrastructure through network monitors. we are sponsoring security clearances from the multiple election officials in each state which allow the officials to receive classified threat information. the increased availability and deployment of the technical services to the officials. the dhs offers a variety of services such as cybersecurity assessments, detection capabilities, information sharing and awareness and response and training. our services will continue to mature as the requirements identified by the stakeholders mature. we understand the only way to deliver the resilient election system is to work collaboratively with those officials on the front lines running the process. dhs has been leading an interagency effort to support state and local officials during the task force. this task force brings together an election assistance commission, nist, the fbi, intelligence committee and dod. the purpose is to ensure that
specifically, we strongly support passage of legislation at dhs, which would rename and reorganize the actual protection programs directory of -- -- directive. thank you, and i look forward to your questions. the senator and i plan to stay for both panels and through this one. i think i am also interested to hear what other people's questions are. two areas where members of this congress and members of the senate specifically think they are experts at elections and air travel. you are here for the elections part of that and we will start joe,the senator cap followed by senator cortez masto. >> you for being here with us today. i would just like to ask a clarifying question. in the past i was the appropriate or on the
subcommittee which provided the $380 million to the agency. looking the previous year 2017 that eac had a $9 million budget? >> yes that is our operating budget so that additional 380 million was just for appropriation. >> i will admit to being a skeptic is if you go from nine up at 380 million can they really handle this? in the testimony that i have heard the far rest my mind. >> also we have given out $3.4 billion over the life. >> so you are all -- you are well versed so because of the
diversity, in some ways it is a naïve thought with security without a singular system all across the nation. and the secretary of state mack warner at the forefront. and we have received $3.6 million in what secretary wants to do with those dollars. with the quickest update of 2004 equipment. and with the security.
and as compared to say 12 or 13 years ago. >> and to talk directly i am not a computer expert overall but with those voting system guidelines have not truly been updated since 2007. until the smart phone and the iphone and the tablet. and technologically far into the future in terms of security with phones and other aspects of computer technology. eac has updated our standards for that. and with that voting equipment that once those guidelines are approved, they will be more
stringent and more accessible for security overall. >> nothing to the actual technologies but again and with the t5 with the development of the new guidelines. with greater emphasis on system security. >> and with the topic that i am concerned on and the senator and i have worked on this with the broadband caucus. and this is the open question
but so what will 2020 look like? do you see some difficulties with a lower reach of broadband connection? how that could affect election security in your opinion. >> and why we run elections locally to deploy those systems in the locality with the official and with that connectivity in that way. so the resource challenges are real and the money that congress appropriated to help support with the largest jurisdictions and to help them
take the states and so then the eac is built into their parameters and with those particular needs might be whether or not since i have been in this position and every state is the same but every state is different so if that is the urban or were. that is one of the misconceptions that the elections are not run by the jurisdictions basically with
the testimony to be ada compliant from a to c. >> so let me throw up on that discussion. so unable to pass the guidelines? correct? how else has lack of a quorum impacted t5? >> we can do the work the t5 has put forth. we cannot vote on new policy. and if we don't have a quorum and is that able to move
quickly? you can go see the board and board of advisors. and if we do get another commissioner to establish a quorum it is up to that commissioner to decide if he or she is comfortable with the approach we are taking. and with that commissioner and voting for the new standards. >> it is my understanding that not every van loan -- vendor is certified? that is because of the voting system guidelines. >> how long does it take to certify a vendor? >> @125 that answer.
>> half of the vendors are certified? >> just for risk and vulnerability assessments so how many have received those assessments x. >> so as it stands now 18 states have requested and to have them in process to have those teams deploy out. >> please provide you with a list and those assessments. >> i will take your request back to the office generally we don't share who we work
with on any of the services so they will continue to engage but i will go back to pull information whatever we can. >> so let me jump back so that issue that just comes back but a lot of discussion about whether or not they should be used more broadly across the country. starting with the t5 commissioners what about those that are most effective and what is the difference they may make? >> so for instance estate like oregon and so with that audit it would be helpful for them. they don't have the paper audit trail there are ways to
audit those systems as well. but it just depends on what the states want to do to have their audits run. we have the pleasure to go out to colorado recently. and that they will be taking that into account with rhode island in mexico -- new mexico to see what audits can be done. and that is where the real problem lies. >> i want to stress we need to remember every state is a canvas but then they do cover a lot of that. but based on what kinds of systems but all states do some sort of auditing.
>> that the follow-up at least with to certify those elections that is part of that if you campus before you certify. >> first and want to thank you for calling this important hearing it is a critically important issue i'm not sure gets enough attention. so this is complicated stuff with a decentralized system and machines and all of that. is it safe to say the simplest
rule there should always be a paper backup? >> it depends on the state. >> i am not discipline -- suggesting regulation but but if you don't have a paper backup it is hard to determine if you have an accurate count. >> paper is interesting because everyone can't use paper if you have a disability then it is hard to do that paper piece. if we could do security with paper to make sure it is accessible then that is 100% right with the paper backup. >> serving on the intelligence
committee with cybersecurity issues and with those bug bounties. but with those levels of security i don't want to say they are overconfident but they have a level of confidence that may not be justified. trust but verify as reagan said what about that provision. but then to penetrate the systems. and then to have that come up reading from washington. for what they need to do. and then to great effect.
until somebody shows them they are not. that is what they are suggesting. >> from this perspective outside the purview of a missed function. and to have those experts of those guidelines and standards and and that is appropriate. >> as you are aware with a friday at three services to state and local officials. and those are in depth penetration of the systems so to use the services as they see fit.
>> and those not asking for it may be the ones that need it. >> i would also add that it isn't the only offerings. and with the national guard as well as private sector partners used in the same ways so my experience and with that penetration is of value in many states they are doing that in the jurisdiction. >> and going into 2018 that is four months away? >> i have confidence the process is resilient with election officials working with us with the resources and
localities to protect based on the research that they have that also what we talked about frequently. >> and talk about voting machines but in those lists are maintained at the state level so it wouldn't take much to disrupt the election with everybody named smith then people show up at the polls and could not vote. the registration list are those secure? >> the states have taken numerous steps to improve the security and it comes back not just from protection but the plans that are in place. so that ability to respond with federal law to have that
provisional ballot is an important piece of resilience everybody can receive a ballot regardless if they show up and are not on the list. >> are those provisions in every state? >> that is mandated. >> so now we ask the next panel to take another five minute opening statement more like three minutes. [laughter] we do have votes at noon and we can work through part of that. we do want to get to you and to ask this panel questions. >> the future men. so what are your agencies
doing for the post audit and every state? >> we worked with the government coordinating council with funding considerations with the use of the funds that congress appropriated including is the important one -- and the importance for the first election audits we continue to work with the government with those practices. >> we provided a lot of information how they could use the funds and that was included in the rates to use that money to provide guidance in that regard. >> same. >> same. >> are the states working well with the assistance commission with the department of homeland security with ample
communication and resources to make sure they are secure and what can be done to improve communications with the states ? >> we're looking looking a lot better than we dead one -- then we did. to work with dhs and fbi we are functioning a lot better at this point than we were during election season. >> chairman blanche recognizes we will not have another panel. >> senator clover char. >> one --dash there have been statements indicating foreign adversaries i'm sure you are aware that they say that you know securities in this country from president obama now president tom has said
this is a threat moving forward and as the intelligence director that has said that in fact they are good one -- getting bolder can you confirm that is real and what they are doing to secure elections is warranted? >> as i said in my opening comments the elections are a target, a real risk to the systems. whether or not there are specific threats to the infrastructure is irrelevant to the importance of the information that we share with local officials to build the resilience of overall cybersecurity and so the focus remains on helping states identify to mitigate those risks.
>> several officials at the last hearing complemented the efforts with the 380 million for elections security funding and according to your testimony that uac has received disbursements for 97% of the funds from 55 states 51 of those. can you describe these varying accounts briefly? >> so to be associated with legislation the chief election official to go back to their legislatures to figure out how to request that many. >> like my state? >> not the fault of our election. >> very good. >> doctor, according to the requirements and that act of 2002 with the current configuration there should be for technical aspects how many
members of these are cybersecurity experts? >> i have to get back to you on that i don't know off the top of my head. >> as you may know that senator langford and i understand the technical guidelines with the membership to provide additional cybersecurity expertise so with this expansion do you think the committee will be better equipped to provide best practices and recommendations to cybersecurity? >> it think additional expertise would be welcome in almost every facet of anything we do. >> and then continuing on with a secure elections to implement the audit to confirm election results, do you believe that performing that audit is a best practice to use to increase confidence in
federal elections? >> yes. >> do you all agree? >> thank you. >> i will ask a couple of questions as senator warner is thinking about how you want to close these questions out. there will be a time to submit written questions and there will be rich and questions so the commissioner hicks, the $380 million allocated to the states through you. how much is now out the door? >> 97% is been requested we usually get that out in less than a week. so i can get the exact number of the dollar amounts. >> no.
i know 154 million was in the first 30 days so you are almost totally out now. the states have no required standards to meet to qualify currently? >> there are requirements they have to meet under the law. >> like having the auditable ballot trail is not a requirement? >> correct. >> so in a non- paper environment there are ways to audit the returns? i'm trying to come up with one of those ways with a certainty to guarantee what happened on election day is what happened? how would you audit those non- paper systems? >> they are audited because there is no non- paper systems.
it is a physical paper ballot that people are testifying to each has a paper of record inc. in its system that is encrypted. so that is where the audit come comes. >> so they look at the paper record generated by the individual voting device? p make yes. the issue becomes if that is voter verified. >> i understand. commissioner hughes said the canvas is the audit but really that is where local officials report to state officials the final county return is? >> right. they check overall to see the paper trails from the machines to make sure they match the numbers. in a way those are audited before they are certified.
the election reporting is not official but they have the process to check those paper receipts and the voting numbers to make sure we can certify as official results. it isn't exactly an audit that one form of an audit. >> i think it isn't exactly an audit but i understand what you say. election night returns are always unofficial and always need to be verified but on the topic, the maryland primary just completed, some some of the registrations were not downloaded appropriately. i don't know how many provisional ballots were cast because of that do either of you know? >> and don't know the numbers that we can get that from maryland to mecca think we're
in the process of getting that but what i wonder about is concerned about what happens if the election day record is not what you want it to be which is exactly what happened. so my two questions would be how much does it slow down the election day voting process if you have to cast a provisional ballot? maybe maryland is an example where most of those cast in recent times and another question is my interest is how much that is slow down with the final results. but every state has a provisional ballot requirement if the voter shows up to make the case they should be allowed to vote for whatever reason is not that applies to all federal elections. >> that is the requirement. there have been a number of
cases where los angeles was a jurisdiction to have the names list left off of the voter registration list and they do add some time and that is one of the concerns of a possible attack as well because if there were we would rely on provisional ballots to ensure that they were registered and eligible to vote in the election. that could cause a delay but a lot of those voter registrars have that process down quite well and they do a lot of training with election officials on how to do that. >> senator warner? >> mr. chairman, thank you in the ranking member for the work you have done on this subject matter.
and those of us sharing that intelligence committee also have a broad perspective and we appreciate the panel being here. i want to have two questions so to think the leadership of the committee to getting that $300 million into the budget with election officials around the country. so first, it is hard for any large enterprise to evaluate the cybersecurity claims that firms make in terms of protections they are willing to put in place. does that he ac give guidance or best practices as individual states or localities evaluate the effectiveness of the cybersecurity protection
monitored offered in the marketplace? >> we'll give that specific advice but we have worked with dhs to say these are some of the things that are free like monitors and so forth. individual election officials have to be vigilant knowing there will be pop-ups looking for a quick buck but i believe the way that he ac is done now to provide resources to the states for things like it management for election officials has helped them. basically giving them other aspects that allows them to have more confidence. >> with the independent rating
entity? >> with cybersecurity i applied all of them but sorting through is a tough challenge and for election officials in the enterprise not with the specific expertise strongly is a real challenge but the second part of my question, but what we just saw from 2016 the tip of the ear of the ability for social media to manipulate information. one of the questions that i have is as you think about the election, or any state evaluating the social media platforms how they are communicating or mis- communicating to voters in
your state? or how do they acquire that expertise? >> this is nothing new in terms of information put out. it used to be the information was close to the vote but now it is a lot quicker through social media. >> now you can touch a whole universe with a keystroke. >> correct we have met with some of the technology groups information in social media groups to find out what they are doing to ensure this does not happen again or ways to prevent it. or give some assurances to be put in place but i do feel that those funds overall could be used toward that but i could check because it is very
broad what you can use that money for but i would think if you look to improve the process of the election overall the administration should be able to use that money but i want to make sure of that before i give a definitive answer. >> we are encouraging state and local election officials to monitor social media to make sure correct information is out there if they see something incorrect to contact the platform to make sure it is taken down or corrected. >> i might hope there might be some way social media companies have been slow but are getting better there has to be a level of ongoing communication and collaboration and see how we might work on that. thank you mr. chairman it is great to have attended the hearing with you and a distinguished ranking member. >> we are delighted in the fact we have another panel.
>> thank you mr. chairman and each of the witnesses for being here and your testimony. the state election systems were declared critical infrastructure. can you discuss the practical effects of the destination and what dhs has done differently since that designation? >> thank you for your question the focus to declare elections with critical infrastructure is threefold to ensure that state and local election officials have access to timely information such that they can make a risk to their systems. largely done through information sharing and analysis so routinely share information out to ensure election officials have the information they need to
protect their systems and second is to provide services to local officials on a voluntary basis. we provide on-site risk and vulnerability assessments and hygiene scans and assessments on resilience and readiness in order to support state and local officials should they need it. working at the federal level of intelligence committee that intelligence is shared as one of the lessons we have all learned from 2016 to ensure that the operators are empowered to receiving information to protect their systems so we have been cooperating to make sure that information is shared. >> in march congress allocated $380 million of spending to be put toward election security. how is that money spent and
what's type of oversight controls to be sure money is put to good use to make elections more secure? >> i will defer to my colleague colleagues. >> we have run that through the grants division that is used for cybersecurity efforts and upgrading voting systems especially those that are quite old we require the states to provide a narrative and a budget with the drawdown of the money and we will audit how that money is used in every state is audited on the use of the money if it was used appropriately. >> how significantly do you assess the threat of an election being hacked with the results at the ballot be altered electronically? >> i think it would be very
difficult with the election infrastructure with 8000 in and jurisdiction none of those are connected to each other each have to be packed individually that is the greatest security rehab it would be extremely difficult but that said, every system is full level and things can happen but officials are vigilant we do testing on every single machine before used in the election so we can see if they are recording the votes correctly there are numerous ways to check afterwards like the postelection audit. it would be very hard but i can't ever say impossible. >> there has been a lot of discussion that there are no indications there was any
actual hacking of election equipment or alternate outcomes? >> we don't know any that was changed in any way. what happened in 2016 was characterized and overstated we see thousands and thousands of these types of scans every single day with every single system. i would say we are concerned about security of the systems with the entire election but nothing happened in 2016 and the real untold story is election officials did their job and kept the system safe from any further hacking. >> what would you characterize as the most important security reform they should put in place to ensure the integrity of our process?
>> we need to make sure that we have confidence of the voter because if we erode that confidence they will not come out to cast their ballots. a to z basically voter registration to election night reporting those are all valid. >> thank you senator and a panel at some .1 of my follow-ups will be if you have these thousands of attempts to get into the systems all the time, what do we do or how do we help state and local officials to figure out which they need to take seriously or one group of state officials here last week and one said with 100,000 attempts i believe he said every day to get into their system they report 100,000 attempts to
review what do you do about that? so now we will move to the second panel thank you obviously a great interest to the country and the panel and we are grateful you are here. with the second panel and the panel and we are grateful you are here. with the second panel of a company that provides the ipad registration booklets and more than half of the states including the district of columbia. and we have a vice president of operations and brian is the ceo and founder of democracy live representing a sector coordinating council. we move from the government part of the hearing to the nongovernment part of the hearing. and we will see how this goes. we are glad to have you here.
we have your written testimony as part of the record. so mr. leyendecker either read or summarize what that testimony has told us before we get to ask you some questions will be fine i thank you senator and ranking member and members of the committee, thank you for the opportunity to be with you i am grateful for your willingness to engage and take into consideration the perspective. i'm here to talk about specifically my experience in the past as former election director is a unique perspective i can bring to the table. i want to talk about the different things that we do to ultimately secure our products which is the electronic poll roster that basically uses the ipad and ultimately helps with the security side and to
leverage the ios operating system. so to sum up very quickly come in order to continue innovating and providing strong security initiatives we help the federal government will consider a partner and we hope that today's hearing is just the beginning of a new conversation with the committee and the federal government will have with vendors and together with the ones in missouri and minnesota on the front lines with today's elections through the process we want to offer this committee and others in federal government to help shape public policy to ensure the process. thank you. >> thank you i will keep my comments short i know we are running short on time thank you chairman and ranking member thank you for having us here.
i'm the vice president of operations that we are voting system provider based in austin texas serving 27 million voters across united states and we are part of the solution on security of dhs and eac and other members of the sector coordinating council. i will clarify voting systems are not just commodities but solutions and we are partners with our customers and constantly working with customers we don't just tell them something and expect them to run on their own but we are sharing best practices and webinars giving papers to customers and helping them run care elections. i also want to go off the relatively -- rich in record for a minute and to address the comment specifically because an important voting system provider in the united
states we have been open we did answer the letter that editor widens sent to voting system providers and our core values at heart art of candor which i am using right now and integrity that we feel is very important and one of our basic tenets is we are election geeks love elections and we feel we are helping america vote. thank you. >> mr. chairman and members of the committee here as a seattle-based technology firm delivering electronic balloting to members of military and overseas voters and the 35 million disabled voters in the united states including the military and overseas voters and in your state and senator warner in
your state. wesley had the honor to be nominated as a founding member home insecurity elections sector executive committee. this represents a broad and diverse coalition of two dozen companies and nonprofits developing elections and voting selections since 200 trillion eligible voters and thousands of hard-working administrators across united states and in addition working collaboratively with the commission as well as state and local officers have a secure stable voting system to represent the greater elections provided absolutely support the increased focus of attention on those systems and as we know those attempts to probe those platforms during
the presidential campaign were clearly aimed at undermining america's democratic institutions while the consensus among the intelligence community remains clear no vote tallies were altered or no evidence that any private sector provider was compromised the existence of foreign threats means we need to continue to be diligent in protecting the critical voting infrastructure to instill confidence in the electoral systems. the sec members are prepared to meet the threat of the challenges however less than two dozen providers serving the needs represent over 200 million voters and expectations must be aligned with existing levels of government investment must correspond with the growing threat to the entire electoral system as the partners to what
is truly the engine of our democracy it is critical we are engaged at the start of any planning or testing or other initiatives relating to voting systems. as we consider how to better look at our infrastructure remember that the voting tabulation systems although the lion share of attention is only the endpoint of a long process of hundreds of voter points before they even cast a ballot's points also must be secured like voter registration, election night reporting, and mail balloting which is the fastest-growing method and what appears on the ballot and finally what can and should be strengthened to those tabulation systems if they are corrupted or manipulated in all the working resources is put into hardening the systems and those could be negated.
so in this era of misinformation more voters are turning to officials for accurate and objective information and with information systems manipulated and not the tabulation systems i would encourage congress to support officials to offer secure objective and accessible voter information that voters can trust. thank you. >> you provide the ipad book and how many states? >> currently that is the ipad -based solution in 25 states and 600 jurisdictions nationwide. >> and canada? >> just recently acquired our solution we actually just so you know and this is good
information, we went to the ministry of defense and they did an audit and the results were just released yesterday and there was zero vulnerabilities in our source code. >> can we get a copy of that. >> us to this get a copy of it. >> and i think the senator wants to know that you are now transitioning number of minnesota counties. >> we have been working with secretary simon using our products about two years now and i think in the primary elections coming up august 15 we will be and i will be there and a number of us but we have about 50 counties moving toward that solutions mac how many voters do you think were
included and the registration material you were managing in the last election cycle? >> 2016? >> just an estimate. >> several million. >> where i'm really going is the question of how many people tried to get into the systems and what do you do to determine the vulnerability of the systems your company works with? >> there is a number of things that from our knowledge nobody tried to tamper with our products but one of the nice things using the ipad is that the baked insecurity already offered. that is what i liked about this solution as a former director in st. louis looking at the different solutions available to me. but security is a big thing so i don't have to be a security expert. i am leveraged in the apple
ipad that has the bells and whistles. so we average from security experts we are not trying to be although we do have individuals that are experts on staff and that is a big part of it to leverage the right hardware and software obviously encrypt everything on the ipad to anything in transit is encrypted so that is a big part of what we try to due to ensure we are responsible and thoughtful throughout the process with regards to security. >> is there anybody in your organization to find weaknesses of any system you try to manage? >> absolutely after we get done testing applications like the one we just got finished with a few months ago, whether
interna internal, that is the first course and then ultimately through the penetration test and that is the big thing we have been doing from day number one. not just what we decided to do because the russians decided to try to meddle in our elections process. this is something we have done from day number one to make sure we were being responsible to our clients that have provided that information that we have actually started to do more tests throughout the year because. >> and people monitoring to get into the voter registration system that could be a legitimate effort to see if that is possible to get in?
>> we don't deal directly with voter registration we are just the paper poll book. >> so what is your penetration effort xp make the only concern there are jurisdictions that like to connect devices. where the information can move from one area to the other one polling location to make sure that individual is checked off. and it is local and up to the jurisdiction if they want to do that but that is the only way. all of that is encrypted. >> i know we have the vote so i will be quick. speaking with the secretary of state's office that was brought to my attention we talked about the risk limiting audit but i also understand
others require a voting system reduce the cast vote record which is basically the identifier for the valet and many new systems have this capability but they are using the older systems that don't produce that vote of that record. and the new funds are not in those states to purchase those newer voting systems is or anything your offenders are doing to support those upgrades of risk audit processes? >> yes. we do have a new voting system we started to develop in 2015 it is new from the ground up so it takes advantage of the security features in the first person we hired was the security officer and it does support risk limiting audit
some are listed as required or optional but we doing courage every state has some sort of audit so i would say imaging technologies and almost all of them will provide like a paper trail or the cast ballot records. >> you heard the previous discussion to certify those machines is purely voluntary but my understanding the reason why they don't go through that process it is cumbersome. >> i took a note if your question about that.
and they have different approaches to that. and we always go through the eac. with that stamp of approval from the federal government not all states require the eac certification at least the voting systems. then to go through that approved and that their vote count in they have faith in the franchise. >> is there a reason why so
should we make sure everybody goes through that process? sometimes it is expected and we don't always agree with the interpretation. >> i would just caution the voting machine themselves are only one element of the entire process. you can have the cast ballot record and the verified paper trail but the way that we are registering to vote or knowing how to vote with that corrupted sample ballot matter how secure it was of that information was manipulated at
protect the democracy in the voting systems and information. >> we heard officials are limited in their ability to assess the cybersecurity vulnerabilities because of vendor contracts. do they restrict officials from conducting third-party vulnerability assessments? >> we would work with them to do so. >> our contacts don' don't preva customer from doing that. we would like to let customers know i what they are doing that. we in fact embrace that and encourage that paperless systems given what we know. my experience as a director i don't see a reason not to.
i think it is responsible to have a paper attachments to it. i understand some of the concerns like the chair man brought up, but i think there is a in-place in the help america vote act but i don't see why there wouldn't be. would be. >> we support local choice in this local choices for the paperless system, then we do provide that and it's based on state certification guidelines. i want to make clear there are records on atomic voting systems that can be audited and there are copies of the record that can be compared against each other for audits. >> i would caution the congress
always think of paper as a panacea in part because the 35 million perhaps they cannot see the ballot. they have literacy issues and there are innovations taking place like that state of california developed a successful audio capability for even things like my home state of washington where it's 100% paper that's wonderful for most of us in the room today because we can see the ballot if you can't see it because you are blind or visually impaired, what can you do about that so you have to leave room for the innovation and accessibility. >> how do you communicate about concert debate co- security concerns? do they establish responsibility for that notification cyber security incidents were reported to the?
>> we work with the jurisdiction and we've done a penetration test and help them better understand what we've done and give talking points so they can provide to outside sources like the media and things like that. we have been doing this for some time. it's not just in response to the past but this is something we've been giving almos doing almost h our jurisdictions. >> we heard how 1.8 million in chicago and potentially sensitive information being exposed and the la times explained that the data were exposed by the vendor that had placed on an amazon service a backup file.
does your company store data in the cloud services? >> we do store data in the cloud that is protected. the incident in chicago was a mistake by that vendor. >> because of the portion of the cloud of a put upon? >> they just didn't apply a password and left it open for my knowledge and that is what i would consider a stupid mistake. >> we appreciate that. senator warner has returned. >> did you say that was very blunt? [laughter] this will be a good thing. senator warner.
very efficient committee. i wish all committees worked this efficiently. first, a generalized comment. i'm very concerned about is a lot about how we did in 2016 and i think we should be very cautious in terms of some of the claims that have been made that russia and/or others will be back to try to penetrate the systems. i believe in competition, but it worries me when you've got three
vendors that control over 90% of the market for the voting systems. i have to take exception from some of the comments because i can tell you after the elections did an extraordinary thorough review i pushed to make sure we would have paper audit trail because we had to statewide elections in 2017 and during that time, the 2,017th elections many of the systems were reluctant to turn over their machines and they were that close. you are one of our vendors, yet your company refused to work with the commonwealth of virginia making that equipment available. so the comment that you are transparent and willing to work with all the systems wasn't the
case in the commonwealth of virginia and on a going forward basis, i would like to get a commitment that he will work not only with virginia and other states going through such a review and we are also going to be willing to look at a second half of the problem. one of the things we know is when you sign the contract, you've got that ongoing maintenance contract that often times means even if they want to choose a different service or they are not able to do that so i was like a commitment from you that you are willing on a going forward basis in other states and number two, what you are doing that is moving towards interoperability and how we make sure in terms of third-party servicing contracts that are existing contracts don't
preclude that. my fear is by precluding the third-party servicing, you've got that system then that does not have the ability to bring in third-party research or other to look at the systems. >> super scummy guess i make that commitment to the commonwealth of virginia and we only had a few customers in you and all of them were looking at going to the new system so the point was they all were moving on. >> the commonwealth requested the machines and you did not. that is the record. second, do we keep the customers into a surface with us, we provide other vendors to provide service to the machines and we actually make our equipment self
serviceable so we don't need to go out and touch the apartment for example. we tried to make a much more open going forward. >> so they could be the ongoing servicer. >> yes, and we have customers that do that. interoperability that is the thing of the future. we are not currently working on that and that will depend on certification and nist and all that good stuff. in terms of the vendors sitting here today, we represent different components of the system that you have the tabulation system, we have the overseas in the military voter information tools come so i believe it is critical within the elections industry so not one vendor can own the entire electoral apparatus in one
jurisdiction. i think we do believe that they blossom by the innovation mantra. making sure the three of us can work seamlessly together. if the system works within electronic poll books or provides the data for information to the overseas military voters are blind and disabled voters that are all working together i think it helps to secure and harden the overall electoral system. >> i know he's got to go vote. let me just say i believe when we've got such concentration on the system is on the backend, 90% concentration and the possibilities that exist and still exist i think that we need to at least think of this level of concentration and the ability to have at least independent cyber security researchers have some access to give that good