Skip to main content

tv   Senate Intel Panel Told 21 States Were Targeted By Russia in 2016 Election  CSPAN  June 22, 2017 1:26pm-4:35pm EDT

1:26 pm
sunday at 4:00 p.m. eastern on real america, the 1979 united nations film "the palestinian people do have rights." >> violence breeds hatred, retaliation brings further retaliation, an eye for an eye is often paid at high interest rates in our day in age. and at 6:30, president reagan's speech writer peter robinson and former u.s. ambassador to germany richard byrd recall reagan's 1987 to berlin and the brandenberg gate speech. >> i knew it was a great applause line and i knew this was authentic ronald reagan but history as, president obama says, has an arc and we would never celebrate that famous speech if the events of 1989 had not transpire it had way they did. >> from our complete american history tv schedule, go to
1:27 pm
c-sp c-sp c-spspan.or next, a look at hacking attempts by russia which may have targeted as many as 21 u.s. states. we heard yesterday from the person in charge of cyber security for the homeland security department janet manfra and other intelligence officials. from capitol hill this is a little over three hours.
1:28 pm
>> hearing is in order. today the committee convenes the sixth open hearing of 2017 to further examine russia's interference in the election. this is an opportunity for the committee and the american people to drill down on this vitally important topic. in 2016 a hostile foreign power reached down into the state and local levels to touch voter data. it employed sophisticated cyber tools and capabilities and helped moscow to potentially build detailed knowledge of how our elections work. there was another example of russian efforts to interfere into a democracy with the goal of undermining our system. in 2016 we were woefully unprepared to defend and respond and i'm hopeful that we will not
1:29 pm
be caught flat fooded again. our witnesses will tell us about 2016, what we should expect in 2018 and 2020. i'm deeply concerned that if we do not work in lockstep with the states to secure our elections, we could be here if two or four years talking about a much worse crisis. the first panel will include expert witnesses from dhs and fbi to discuss russian intervention in 2016 elections and u.s. government efforts to mitigate the threat. the second panel will include witnesses from illinois state board of elections, the national association of state elections directors, the national associations of secretary of state, and an expert on election security to get us there on the ground on how federal resources
1:30 pm
might be brought to bear on this very important issue. for our first panel, i'd like to welcome our witnesses today. dr. samuel laos, acting director of cyber division within the office of intelligence and analysis at the department of homeland security. jennifer manfra, acting deputy undersecretary, national protection and programs dick tort, also at dhs. and jeanette, i think i told you next time you came i do not want "acting" in front of your name so now i've publicly said that to everybody in front of dhs. hopefully next time that will be removed. and bill the assistant director for counterintelligence division at the federal bureau of investigation. bill, i want to thank you for the help that you have personally provided to the investigative staff of this
1:31 pm
committee as we've worked through so far over five and a half months into our investigations of the 2016 elections. as you're well aware, the committee is in the midst of the investigation. the extent to which russian government under the direction of president putin conducted intelligence activities also known as russian active measures targeted the u.s. elections. the intelligence community assesses it while russian influence obtain and maintained access to elements of multiple u.s. state and local election boards. those systems were not involved in vote tally. during the first panel, i would like to address the depth and breadth of russian government cyber activities during 2016 election cycle with the u.s. government to defend against these intrusions. we must keep the foundation of our democracy free and fair elections in 2018 and beyond.
1:32 pm
i thank all three of our first witnesses, i turn to the vice chairman. >> thank you, mr. chairman, and welcome to the witnesses and thank you for the work you've done with us. we all know that in january the entire intelligence community reached the unanimous conclusion thata took extraordinary steps to interfere in our 2016 presidential elections. russia's interference i believe was a watershed moment in our political history. this is one of the most significant events i think any of us on this dais will be asked to address in our time as senators. and woman a robust and comprehensive response we will protect our democratic processes from even more dramatic incursions in the future. much of what the russians did at this point i think at least in this room was well known. spreading fake news, flooding social media, hacking personal
1:33 pm
e-mails and leaking them for maximum political benefit. without firing a shot at a minimal cost russia sewed chaos in our political system and undermined faith in our democratic process and as we've heard from earlier witnesses is the intelligence community's conclusion that they also secured and maintained access to elements of multiple u.s. state and local electoral boards. as the chairman said, there's no reason to doubt the validity of the vote totals in the 2016 election. however, dhs and the fbi have confirmed -- and i'll come back to this repeatedly -- only two intrusions into the voter registration databases in both arizona and illinois. even though no data was modified
1:34 pm
or threadeleted in those two st. at the same time, we've seen published reports that literally dozens -- i've seen one report that said 39 states were potentially attacked. it's good news the attempts in 2016 did not change the results of that election but the bad news is this won't be their last attempt and i'm deeply concerned about the danger posed by future interference in our elections and attempts on russia to undermine confidence in our elections. we saw recently russian attempts to interfere in the elections in france and i thank the chairman that we'll be having hearings on this. we can be sure russian hackers and trolls will continue to refine their tactics in the future, et specially if there's no penalty for these malicious
1:35 pm
attacks. that's again one reason i think the senate voted so overwhelmingly last week and i thank my colleagues for that 97-2 vote to strengthen our sanctions on russia. i hope that action sends a strong message to mr. putin that there will be a heavy price to pay for attacks against the fundamental core of our democratic system. make no mistake, it's likely we'll see more attacks not just in america but against our partners. i heard coming in on the radio that the russians are already actively engaged in the german election cycle which takes place this fall. some might say well, why the urgency. i can assure you, we have elections in 2018 but my home state of virginia we have statewide elections this year so this needs a sense of urgency. the american electoral process, the actual counting and reporting primarily is a local
1:36 pm
and state responsibility and in many states, including my own, we have a very decentralized approach which can be both the strength and the weakness. in virginia, for instance, the centralization helps deter large-scale hacking or manipulation because our system is to diffuse. but virginia localities use more than a dozen different types of voting machines. none of which are connected to the internet while in use but we have a number of machine read machines so that the tabulations actually could be broken into on an individual machine basis. all this makes large cyber attacks on our electoral system because of the diffusion more difficult. but it also makes maintaining consistent coordinated cyber defenses more challenging as well. i strongly believe the threat
1:37 pm
requires us to harden our cyber defenses and to thoroughly educate the american public about the danger. yesterday i wrote to the secretary of homeland security. i urged dhs to work closely with state and local election officials to disclose publicly, emphasize publicly which states were targeted, not to embarrass any state. but how to put the american public on notice when we've only heard two states but we've heard there are reports there are dozen. that makes no sense. i know it's the position of dhs is since the states were victims it is their responsibility but i cannot believe that this was an attack on physical infrastructure in a variety of state there is wouldn't be a more coordinated response. we are not making our country safer if we don't make sure all americans realize the breadth and extent of what the russians did in 2016 and, frankly, if we
1:38 pm
don't get our act together what they will do in an even more dramatic form in 2018 and 2020 and candidly the idea of this bureaucratic it's not my responsibility, not my job i don't believe is an acceptable decision. i hope that we hear a plan on how we can get more information into the bloodstream, how we can make sure that we have better best practices so that all states are doing what's needed. i'm not urging or suggesting in any way the federal government intervenes in what is a local and state responsibility but to not put all americans on notice. to have the number of states that were hacked into or attempted to be hacked in to kept secret is crazy in my mind so my hope is that we will get some answers. i do want to thank the fact that in january dhs did designate the
1:39 pm
nation's electoral infrastructure as krit sal infrastructure. that's important. if we call it critical infrastructure but don't tell the public how many states were packed or how many could be attacked the the next cycle i don't think we get to where we need to be. so we're going to see more of this. this is the new normal. appreciate the chairman for holding this hearing and i'll look forward very much to getting my questions answered. thank you. >> thank you, vice chairman. with that, doctor, i understand you're going to go first, the floor is yours. >> chairman burr, ranking member warner, distinguished members of the committee, thank you for the invitation to be here. i represent the cyber analysis division of the department of homeland securities office of intelligence and analysis. our submission to produce cyber focus intelligence information and analysis, represent our partners like in-kick to the intelligence community, coordinate and share intelligence with our customers at the lowest classification
1:40 pm
possibility. we are a team of dedicated analysts who take threats to the critical infrastructure of the united states seriously. i'd like to begin by clarifying the threat we observe nod the infrastructure in the 2016 election. prior to the election we had no indication that criminals were planning cyber operations against the u.s. election infrastructure that would change the outcome of the coming u.s. election however throughout spring and early summer 2016 we and others in the ic began to find indications that the russian government was responsible for widely reported compromises ableak s and leaks s from u.s. political figures and institutions. as awareness of these activities grew, dhs began in august, 2016, to receive reports of cyber-enabled scanning and probing of election-related infrastructure in some states. from that point on, ina began working together, analyze and share additional information about the threat.
1:41 pm
ina participated in red team events looking at all possible scenarios, collaborated and co-authored production with other community members and the national intelligence council provided direct support to the cyber center, the national cyber security and communications integration center and worked hand in hand with state and local information. by late september, we determined internet-connected networks in 21 states were potentially targeted by russian government cyber actors it's important to note that none of the systems were involved in vote tallying. our understanding of that tallying augmented by further classified reporting is that still consistent with the scale and scope. this activity is best characterized as hackers attempting to use commonly available cyber tools to exploit known system vulnerabilities. this vast majority of the activity we observed was indicative of simple scanning for vulnerabilities analogous to somebody walking down the street and looking to see if you are home. a small number of systems were
1:42 pm
unsuccessfully explode d as though somebody rattled the doorknob. finally a small number of net t networks were exploited. they made it through the door. based on that activity, we made a series of suspects. we started out with we had no indication prior to the election that adversaries were planning operations against the infrastructure that would change the outcome of the 2016 election. we also saw diversity of systems, non-internet connected vote magazines, pre-election testing and processes for media, campaign and election officials to check, audit and validate the results. all of these made it likely that cyber manipulations of the u.s. election system would be detected. we also finally assess the types of systems russian actors targeted or compromised were not
1:43 pm
involved in vote tallying. what we continue to evaluate is any new information, dhs has not altered these prior assessments having characterized the threat as we observed it, i'll stop to allow my colleague jeanette manfra to talk about how they're working with election systems to enhance security and resiliency. i look forward to answering your questions. >> thank you, ms. manfra? >> thank you, sir, chairman burr, vice chairman warner, thank you for today's opportunity to represent the men and women that serve in the department of homeland security. today i'm here to discuss the department's mission to reduce and eliminate threats to the nation's critical, physical and cyber infrastructure, specifically as it relates to our elections. our nation's cyber infrastructure is under constant attack. in 2016 we saw cyber operations directed against u.s. election infrastructure and political entities. as awareness of these activities grew, dhs and its partners provided actionable information
1:44 pm
and capabilities to help election officials identify and mitigate vulnerabilities on their networks. actionable information led to detections of potentially malicious activity affecting internet-connected election-related networks, potentially targeted by russian cyber actors in multiple states. when we became aware of detected activity, we worked with the affected entity to understand if a successful intrusion had, in fact, occurred. many of these detections represented potentially malicious vulnerability scanning activity, not successful intrusions. this activity and partnership with these potential victims and targets enhanced our situational awareness of the threat and further informed our engagement with state and local election officials across the country. given the vital role that elections have in a free and democratic society, on january 26 of this year, the former secretary of homeland security established election infrastructure as a critical infrastructure subsector. as such, dhs is leading federal
1:45 pm
efforts to partner with state and local election officials as well as private sector vendors to formalize the prioritization of voluntary security-related assistance and to ensure that we have the communications channels and protocols as senator warner discussed to ensure that election officials receive information in a timely manner and that we understand how to jointly respond to incidents election infrastructure now receives cyber security and infrastructure protection assistance similar to what is provided to other critical infrastructure such as financial institutions and electric utilities. our election system is run by the state and local governments in thousands of jurisdictions across the country. importantly state and local officials have already been working individually and collectively to reduce risks and ensure the integrity of their elections. as threat actors become increasingly sophisticated, dhs stands in partnership to support their efforts. safeguarding and securing
1:46 pm
cyberspace spais a core mission. dhs assists state and local customers as part of our daily operations. such assistance is completely voluntary and does not sbam regulation or federal oversight. our role is limited to support. in this role we offer three types of assistance -- assessments, information and incident response. for the most part, dhs has offered two kinds of assistance to state and local officials. first, the cyber hygiene service for internet-facing systems provides a recurring report identifying vulnerabilities and mitigation recommendations. second, our cyber security experts can go on site to conduct risk and vulnerability assessments and provide recommendations to the owners of those systems for how best to reduce the risk to their network. dhs continues to share actionable information on cyber threats and incidents through multiple means. we've published best practices for securing databases and
1:47 pm
addressing potential threats to election systems. we share cyber threat indicators and other analysis network defenders can use to secure their systems. we partner with the multistate information sharing and analysis center to provide threat and vulnerability information to state and local officials. this organization is partially grant funded by dhs and has representatives that sit on our floor and can interact with our analysts and operators on a 24/7 basis. they can receive information through our field-based personnel station throughout the country and in partnership with the fbi. finally we provide incidence response assistance at request to help state and local officials identify and remediate any possible cyber incidents. in the case of an attempted compromise affecting election infrastructure, we will share that technical information with other states to assist their ability to defend their own systems from similar malicious activity. moving forward, we must recognize the nature of risk facing our election infrastructure will continue to evolve with the establishment of
1:48 pm
an election infrastructure subsector, dhs is working with the stakeholders to establish these appropriate coordinating councils and our mechanisms to engage with them. these will formalize our mechanism for collaboration and ensures long-term sustainability of this partnership. we will lead the federal efforts to support election officials with security and resilience efforts. before closing, i want to reiterate that we do have confidence in the overall integrity of our electoral system because our voting infrastructure is fundamentally resilient. it's diverse, subject to local control and has many checks and balances built in. as the risk environment evolves, the department will support state and local partners by providing assistance. thank you very much for the opportunity to testify and i look forward to any questions. >> thank you very much. >> good morning. chairman burr, vice chairman warner and mens of the committee, thank you for the opportunity to appear before you today.
1:49 pm
my statement for the record has been submitted and so rather than restating it, i'd like to step back and provide you a description of the broader threat as i see it. my understanding begins by asking one question -- what does russia want? during the cold war, the soviet union was one of the world's two great powers, however in the early 1990s it collapsed and lost power, stature and much territory. in the 2005 speech, vladimir putin referred to this as a major catastrophe. the soviet union's collapse left the u.s. as the sole superpower. since then, russia has substantially rebuilt but it hasn't been able to fully regain its former status or its former territory. the u.s. is too strong and has
1:50 pm
too many alliances for russia to want a military conflict with us. therefore hoping to regain its prior stature, russia has decided to try to weaken us us our allies. one of the ways russia has sought to do this is by influence rather than brute force. some people refer to russia's activity in this regard as information warfare because it is information that russia uses as a weapon. in regards to our most recent presidential election, russia used information to try to undermine the legitimacy of our election process. russia sought to do this in a simple manner. they collected information via computer intrusions and via their intelligence officers. and they selectively disseminated e-mails they hoped would disparage certain political figures and shed unflattering light on political
1:51 pm
processes. they also pushed fake news and propaganda. and they used online amplifiers to spread the information to as many people as possible. one of their primary goals was to sew discord and undermine a key democratic principle. free and fair elections. in summary i greatly appreciate the opportunity to be here today to discuss russia's election influence efforts. to restore power and prestige by eroding democratic values. russia will continue to pose a threat. i look forward to your questions. thank you.
1:52 pm
we will proceed for recognition up to five minutes and the chairman will tell you when you have used all your time if you proceed that far. chair would recognize itself for five minutes. yes or no to all three of you. most important question, do you have any evidence that the votes themselves were changed in any way in the 2016 presidential election? >> no, sir, there was no detected change in the vote. >> miss. >> no, sir. >> mr. epset. >> no, sir. >> they're getting more sophisticated by the day. the diversity of our election system is a strength, but the intrusions into state systems also show that moscow's willing to put considerable resources towards an unclear result.
1:53 pm
in 2016 we saw voter data stolen. how could moscow potentially use that data? they could use the data in a variety of ways. unfortunately in this setting i can't go into all of them. i think first of all i think they took the data to understand what it consisted of. what's there so they can in effect better understand and plan accordingly. when i say plan accordingly, plan accordingly in regards to possibly impacting future elections and/or targeting of particular individuals. but also by knowing what's there and studying it they can determine is it something they can manipulate or not possibly going forward. then there's a couple other things that wouldn't be appropriate in this setting as well. >> to any of you you've heard
1:54 pm
the vice chairman talk about the frustration of publicly talking about how many states. can you tell the american people why you can't disclose which states and the numbers? i'll turn to miss manford first. >> thank you for the question, sir. through the long history that the department has in working with private sector and state and local on critical infrastructure and cyber security issues, we believe it is important to protect the confidentiality that we have and the trust that we have with that community so when an entity is a victim of a cyber incident, we believe very strongly in protecting the information around that victim. that being said, what we can do is take the technical information that we learn from the engagement with that victim and anonmiez it so it's not
1:55 pm
identified as to what that entity or individual is, but we can take all the technical information and turn that around and share that broadly with whether it's an effected sector or broadly across the entire country and we have multiple mechanisms for sharing that. we believe this has been a very important key to our success in developing trusted relationships across all of the 16 critical infrastructure sectors. >> are we prepared today to say publicly how many states were targeted? >> as of right now we have evidence of 21 states -- or election-related systems in 21 states that were targeted. >> but in no case were actual vote tallies altered in any way, shape or form? >> that is correct. >> how did the french respond to the russian involvement in the french elections a month ago?
1:56 pm
is that something we followed? >> sir, from the bureau's standpoint it's something we followed from afar. we did have engagement with french officials, but just not at liberty to go into what those consistented consisted of. >> okay. we've talked about last year. russia's intent, their target. let's talk about next year. let's talk about the 17 elections in virginia, let's talk about the 18 elections, congressional and gubernatorial elections. what are we doing to prepare ourselves for this november and next november? miss manfra. >> yes, sir, as you noted we're taking this threat very seriously. and part of that is identifying
1:57 pm
this community is critical infrastructure sub sector that's allowed us to prioritize and formalize the engagement with them similar to the 2016 elections, we are identifying additional resources, prioritizing our engagement with them through information sharing products, identifying in partnership again with the state and local community those communication protocols, how do we ensure that we can declassify information quickly should we need to and get it to the individuals that need it. we're also have committed to working with state and local officials on incident response playbooks. so how do they understand where to engage with us, where do we engage with them and are we able to bring the entire resources of the federal government to bear in helping the state and local officials secure their elections systems. >> great. vice chairman. >> thank you for the answer at 21. 21 states is almost half the country. we've seen reports that were even higher.
1:58 pm
i concur with the chairman. the vote totals were not changed, but can you explain to me how we're made safer by keeping the identity of 19 of those states secret from the public? since arizona and illinois have acknowledged they were attacked. >> sir, i'd bring it back to the earlier points you made about the future elections. one of the key pieces for us within ina is our ability to work with our partners because of how our collection mechanism works it's built on a high level of trust -- >> if this was water systems or power systems, would it be -- would the public be safer by not knowing that their water system or power system in their respective state was attacked? >> sir, can -- for other sectors we apply the same principles. when we do have a victim of an
1:59 pm
incident in the electric sector or water sector, we do keep the name of that entity confidential. some of these sectors do have breach reporting requirements that requires the victim -- >> are all 21 of the states that were attacks, are they aware they were attacked? >> all of the system owners within those states are aware of the targeting. yes, sir. >> so at the state level could have had registrars there may have been attempt to penetrate at the local level and registrars in respective state would not even know their state had been subject of russian activities? >> we're currently working with state election officials to ensure communication between the local and the state -- >> but at this moment in time there may be a number of state, local election officials that don't know their state were targeted in 2016, is that right? >> the owners of the systems that were targeted do know that they were targeted. >> the owners may know, but because we have a decentralized
2:00 pm
system, many local -- i understand i understand the notion, but i do not believe our country is made safer by holding this information back from the american public. i have no interest in trying to embarrass any state, but -- we've seen this for too long in cyber. we've seen it in the financial industry and others where people simply try to sweep this under the rug and assume to go along the way. when we're talking about, i go back to initial comments, we had no idea, we had no ability to predict this beforehand. we had 21 states that were attacked. we've got two that have come forward. while no election results were changed we do know there were a number of states, perhaps you'll answer this, how many states did the russians actually exfiltrate data such as voter registration lists?
2:01 pm
>> prefer not to go into those details in this forum, sir. i can tell you we are tracking 21 states that were targeted. >> the states who had their data exfiltrated by the russians, are they aware of that? >> yes, sir. >> and is there any coordinated response on how we're going to prevent this going forward? >> yes, sir. >> how do we make sure if states are not willing to acknowledge that they had vulnerabilities, if they were subject to attack -- again, we're in a brave new world here. and i understand your position. i'm not trying to -- i'm very frustrated, but i'm not -- i get this notion, but i think we need a re-examination of this policy. you know, the designation by former secretary johnson as critical infrastructure, what does that change in terms of how our operations are going forward? by that designation in january, i appreciated it, but what does that really mean in practical terms in terms of assistance or information sharing? >> what it means for -- it means three things, sir. the first is a statement that we
2:02 pm
do recognize that these systems are critical to the functioning of american life. and so that is an important statement. the second is that it formalizes and the -- and sustains the department's priority saization engagement with this community. the last it provides particular protections for sharing of information from particular with vendors within the election community that allows us to have conversations to discuss vulnerabilities with potential systems we would not have to disclose. >> i talked with secretary kelly last week and i hope you'll take this at least the message back to him, i would like us to get more information. what i've heard today is that there were 21 states, i appreciate that information. but within those 21 states i have no guarantee that local election officials are aware that their state system may have
2:03 pm
been attacked. number one. number two, we don't know how many states actually had exfiltration. final question is, have you seen any stoppage of the russian activities after the election, or are they continue to ping and try to feel out our various election systems? >> on the first two questions, sir, i will be happy to get back to you, i spoke with the secretary this morning and look forward, and third question i'll defer to the fbi. >> vice chairman, i just can't comment on our pending investigations related to the cyber -- >> you can't say whether -- so should the public take away a sense of confidence that the russians have completely stopped as of november of 2016 trying to interfere or tap into our electoral systems? is that what you're saying? >> that's not what i'm saying, sir. i believe the russians will absolutely continue to try to conduct, influence operations in the u.s., which will include cyber intrusions.
2:04 pm
>> thank you, mr. chairman. >> thank you, vice chairman. to dhs and to the bureau a quick question. and if you can't answer it, please go back and get us an answer. would your agency be opposed to the chair and vice chair sending a letter to the 19 states that have not been publicly disclosed a classified letter asking them if they would consider publicly disclosing that they were a target in the last election? >> sir, i'd be happy to take that question back to my organization. i would just add that the role your committee is playing in regards to highlighting the russians' aims and activities, i think, is critically important for this country. the bureau is just trying to balance what i'll call it the messaging end of that with doing
2:05 pm
things that hopefully don't impact what we can learn through our investigations. i know it's a fine balance, but the bottom line is you play a key role in raising awareness of that. and i thank you. >> fair concern and if both of you would just go back and then get back with us we'll proceed from there. senator ray. >> thank you very much. so that the american people can have solid confidence in what you've done and thank you for what you've done. could you give the american people an idea if you feel numbers are classified and that sort of thing, you don't have to go into it, but the number of people that were involved on dhs and fbi in this investigation, can you give us a general idea whichever one of you want to take that question. miss manfra. >> from a dhs perspective we did mass quite a few resources both from our intelligence and analysis and our operations
2:06 pm
analysis. to put a number on it is somewhat challenging. >> would you say it was substantial? >> it was a substantial level of effort, yes, sir. >> confident you got where you wanted to go when you set out to make this investigation? >> yes, sir. one of our key priorities was developing relationships with that community and getting information out whether it was to specific victims or broader indicators we could share. we accomplished that. we have multiple sessions. we sent over 800 indicators to the community. so we do believe we accomplished that. we don't want to let that down at all. we want to continue that level of effort. and we intend to continue. >> and i'm focusing on not what you did after you got the information but how you got the information. you're confident you got what you needed to appropriately advise everyone as to what was going on? >> yes, sir. yes, we did. >> mr. preseit, to you. >> the fbi considered this a
2:07 pm
very grave threat, and so we dedicated substantial resources to this effort as well. >> okay. thank you. to both of you, both agencies, again, everyone in this committee knows the specificity and identity of the russian agencies involved. are you comfortable in identifying them here today, or do you still feel that's classified? >> yeah, other than what was mentioned in the unclassified version of the intelligence community assessment, i'd rather not go into any of those details. >> were there any of those agencies identified? any of the russian intelligence agencies identified in that? >> it's my understanding that giu was identified. >> homeland security, same answer? >> yes, sir. >> okay. thank you much. let me ask this question and i come at this from a little different perspective and i think the american people have the right to know this.
2:08 pm
from all the work that either of your agencies did, all the people involved, all the digging you did through what the russians had done and their attempts, did you find any evidence, direct or circumstantial, to any degree down to scintilla of evidence that any u.s. person colluded with, assisted or communicated with the russians in their efforts? >> sir, i just can't comment on that today. that falls under the special council's purview. have to defer to him. >> are you aware of any such evidence? >> and i'm sorry, sir, i just can't comment on that. >> miss manfra? >> i'm sorry, sir, i cannot also comment on that. >> thank you. thank you, mr. chairman. >> senator feinstein.
2:09 pm
>> thanks very much, mr. chairman. candidly i'm very disappointed by the testimony. i mean, we have learned a great deal and the public has learned a great deal of what we've learned. you've said and i think quite pointedly that russia has decided to weaken us through covert influence rather than brute force. and i think that's a correct assessment. and i thank you for having the courage to make it. here's a question, to the best of the fbi's knowledge, have they conducted covert influence in prior election campaigns in the united states? if so, when, what and how? >> yes, absolutely they've conducted influence operations in the past.
2:10 pm
what made this one different many regards was of course the degree and then with what you can do through electronic systems today. when they did it in the past, it was doing things like trying to put in biased or half-true stories, getting stories like that into the press or pamphlets that people would read, so on and so forth. the internet is just allowed russia to do so much more today than they've ever been able to do in the past. >> so you're saying prior campaigns were essentially developed to influence one campaign above another? to denigrate a candidate if she was elected and to support another candidate subtly? >> i'm saying that russia for years has conducted influence operations targeting our elections, yes.
2:11 pm
>> equal to this one? >> not equal to this one, no, ma'am. >> okay. here we go. what made this one different? >> again, i think the scale and the aggressiveness of the effort in my opinion made this one different. again, it's because of the electronic infrastructure, the internet, what have you today that it allowed russia to do things that in the past they weren't able to do. >> would you say that this effort was tailored to achieve certain goals? >> absolutely. >> and what would those goals have been? >> i think the primary goal in my mind was to sew discord. and to try to delegitimize our fair election process. i think another of their goals which the entire united states intelligence community stands behind was to denigrate secretary clinton and to try to
2:12 pm
help then current president trump. >> have they done this in prior elections in which they've been involved? >> have they -- >> denigrated a specific candidate and/or tried to help another candidate? >> yes, ma'am, they have. >> and which elections were those? >> oh, i'm sorry, i know -- i'm sorry, i can't think of an example off the top of my head, but all the way through the cold war up to our most recent election, in my opinion, they have tried to influence all of our elections since then. this is a common practice. >> have they ever targeted what is admitted here today to be 21 states? >> if they have, i am not aware of that. that scale is different than what i'm aware of what they've tried to do in the past. so, again, the scale and aggressiveness here separates this from their previous
2:13 pm
activities. >> has the fbi looked at how those states were targeted? >> absolutely, ma'am. >> and what is your finding? >> we have a number of investigations open in regards to that. in this setting -- actually, i guess because they're all still pending investigations, i'd rather not go into those details. the other thing i'd ask you to keep in mind is that we continue to learn things. so there was some activity, we were looking at prior to the election, it's not like when the election was finished our investigations stopped. so as we learn more, we share more. >> do you know if it's the intent of the fbi to make this information public at some point? >> i think this gets back to an issue the vice chairman raised. i guess i want to be clear on my position on it. i think it is critically important to raise awareness
2:14 pm
about russia's aims to undermine our democracy and then their trade craft in how they do it. my organization though part of understanding that trade craft is conducting our investigations where we learn more and more about trade craft. so we try to balance what do we need to provide to partners so they can best protect themselves versus not interrupting our investigations if the information were to be made public. >> thank you very much, my time is up. thank you. >> thank you, senator feinstein. the vice chairman and i have already decided we're going to invite the bureau in for classified briefing to update all members on the open investigations and any that we see that might warrant on their minds an opening of a new investigation. in addition, let me remind members that one of the mandates
2:15 pm
of our investigation is that we will at the end of this work with the bureau and other appropriate agencies to make a public report in as great public detail as we can our findings on russia's involvement in our election. so it is the intent of the chair at least to make sure that as much as we can declassify, it's done in the public gets a true understanding when we put out a final report. senator rubio. >> thank you, mr. chairman. and i think that's critically important. i think the most important thing we're going to do in this report is tell the american people how this happened so we're prepared for the next time. it begins, i think, by outlining what their goals were, what they tried to do in this regard and we know what they've tried to do because they've done it in other countries around the world for an extensive period of time. the first is undermine the credibility of the electoral process to be able to say it's not a real democracy, it's filled with all kinds of problems. the second is to undermine the credibility of our leaders, including the person who may win. they want that person to go into
2:16 pm
office hobbled by scandal and all sorts of questions about them. and the third ideally in their minds, i imagine, is to be able to control the outcome in some specific instance. if they think they could either through public messaging or even in the worst case scenario by being able to manipulate the vote, which i know now has been repeatedly testified did not happen here. by the way, these are not mutually exclusive. you can do all three, you can only take one, they all work in conjunction. i think you could argue that they've achieved quite a bit if you think about the amount of time that we have been consumed in this country on this important topic and that political fissures it's developed. the way i point to it and if anyone disagrees i want you to tell me, but we have something in american politics, it's legitimate, both sides do it, it's called opposition research. find out about your opponent, hopefully it's embarrassing or disqualifying information if you're the opposition research person, you package it, link it to me, they report it, you run ads on it. now, imagine being able to do that with the power of a nation
2:17 pm
state, illegally acquiring things like e-mails and being able to weaponize that by leaking it to somebody who will post that and create all sorts of noise. i think that's certainly one of the capabilities. the other is just straight out misinformation. right? the ability to find a site that looks like a real news place, have them run a story that isn't true, have your trolls begin to click on that story, it rises on facebook as a trending topic, people start to read it. by the time they figure out it isn't true, a lot of people think it is. i remember seeing one in early fall that president obama had outlawed the pledge of allegiance and i had people texting me about it. i knew that wasn't true, but my point is we had people texting about it asking if it was. just tells you -- i don't know if that was part of that effort, just somebody with too much time on their hands. and then the third of course is the access to our voting systems. and obviously people talk about affecting the tallies, but just think about this. even the news that a hacker from a foreign government could have potentially gotten into the
2:18 pm
computer system is enough to create the speck tor of a losing candidate arguing the election was rigged, the election was rigged. and because most americans, including myself, don't fully understand all of technology that surrounds voting systems per se, you give that election as rigged kind of narrative to a troll and a fake news site and that stuff starts to spread and before you know it you have the specter of a political leader in america being sworn in under the cloud of whether or not their election was stolen because vote tallies were actually changed. so i don't know why they were probing these different systems, because obviously a lot of information they were looking at was publicly available. you can buy voter rolls. campaigns do it all the time. but i would speculate that one of the reasons potentially is because they wanted these stories to be out there, that someone had pinged into these systems creating the specter of being able to argue at some point that the election was invalid because hackers had touched election systems in key states. and that is why i really truly believe, mr. chairman, it is so
2:19 pm
important to the extent possible that part of it, the systems part as much of it be available to the public as possible. because the only way to combat misinformation is with truth and with facts and explain to people, and i know some of it is proprietary, i know some of it we're trying to protect methods and so forth, but it is really critical that people have confidence when they go vote that vote is going to count and someone's not going to come in electronically a electronically and change it. i really hope we err on the side of disclosure about our system so people have full confidence that when they go vote -- because i can tell you i was on the ballot in november. and i remember people asking me repeatedly is my vote going to count. i was almost afraid people wouldn't vote because they thought their vote wouldn't count. so i just hope as we move forward, i know that's not your decisions to make in terms of declassifications and the like, but it is really, really, really important that americans understand how our voting systems work, what happened, what didn't and that we be able to communicate that in realtime
2:20 pm
in the midst of an election so that in 2018 these reports start to emerge about our voting systems being pinged again people aren't we can put out enough information in early october or november so people don't have doubts. i think it's critical for our future. >> senator wyden. >> thank you, mr. chairman. let me say to the three of you and i say it respectfully that on the big issue, which is which states were affected by russian hacking in 2016 the american people don't seem to be getting more information than what they already had before they showed up. we want to be sensitive to security concerns, but that question has to be answered sooner rather than later. i want to send that message in the strongest possible way. we obviously need to know about
2:21 pm
vulnerables so that we can find solutions. and we need better cyber security to protect elections from being hacked in the first place. and that means solutions like oregon's vote by mail system that has a strong paper trail, air gapped computers and enough time to fix the problems if they pop up. so now to my question. you all mentioned the january intelligence assessment saying that the types of systems we observe russian actors targeting or compromising are not involved in vote tallying. your prepared system -- your prepared testimony today makes another point that i think is important. you say it is likely that cyber manipulation of u.s. election
2:22 pm
systems intended to change the outcome of a national election would be detected. so that is different than we have heard thus far. so i have two questions for you, miss manfra, and you, dr. lisles. what level of confidence does the department have in its assessment that 2016 vote tallying was not targeted or compromised. and second, does that assessment apply to state and local election? >> thank you, sir, for the question. so the level and effort and scale required to change the outcome of a national election would make it nearly impossible to avoid detection. this assessment's based on the diversity of systems, the need for physical access to compromise voting machines themselves, the security of pre-election testing employed by the state and local officials,
2:23 pm
there's a level a number of standards and security protocols that are put in place. there's addition the vast majority of localities engage in logic and accuracy testing which worked ensure voting machines operate and tabulate before, during and after the election there's been an immense amount of media attention applied to this, which also brings an idea of people actually watching and making sure that the election results represent what they see. and plus there's just this statistical ano, ma'malies thatd be detected. so we have high confidence in our system. >> what about state and local election sns do you have the same level of confidence? >> so from the standpoint of a nation state actor operating against state and local election system we would have the same for an internet connected system we would have the same level of confidence. >> okay. miss manfra. >> yes, sir. and i think this also gets to senator rubio's point about the
2:24 pm
difficulty in the general public understanding the variety of systems that are used in our election process. and so we broke our level of engagement and concern down a couple of different areas. the voter registration systems which are often can be usually connected to the internet, we also are looking at the voting machines themselves which by best practice and by the voluntary voting standards and guidelines that the department of commerce works with the election assistance commission on is by best practice those are not connected to the internet. >> so can homeland security assure the public that the department would be able to detect an attempted attack on vote tallying? >> what i would suggest, sir, is that the ability as has been demonstrated by security researchers to assess remotely a
2:25 pm
voting machine to manipulate that vote and then to be able to scale that across multiple different voting machines made by different vendors would be virtually impossible to occur in undetected way within our current election systems. >> has the department conducted any kind of post election for instance on the voting machines that were used in 2016? >> we are currently engaged with many vendors of those systems to look into conducting some joint forensics with them. the vendor community is very interested in engaging with us -- >> there's been no analysis yet? >> we have not -- our department has not conducted forensics on specific voting machines. >> do you believe it's important to do that in terms of being able to reassure americans that there was no attack on vote tallying?
2:26 pm
>> sir, i would say that we do currently have voluntary standards in place that vendors are enabled and in approximately 35 states they actually require some level of certification of those voting machines that they are complying with those standards. we absolutely would be interested in working with vendors to conduct that level of analysis. >> let me ask one last question. obviously the integrity of elections depends on a lot of people, state and local, election officers, equipment vendors, third party contractors. are you all at homeland security and the fbi confident that the federal government has now identified all of the potential government and private sector targets? >> yes, sir, i'm confident that we've identified the potential targets. >> okay. thank you. mr. chairman.
2:27 pm
>> senator collins. >> mr. preiset, let me say it's great pleasure to see you here again. i remember back in 2003 you were detailed to the homeland security committee when i was the chairman and how helpful you were in our drafting the intelligence reform and terrorism prevention act. so thank you for your continued public service. you testified this morning and answered the question of what does russia want. and you said that the russians want to undermine the legitimacy of our elections and sow the seeds of doubt among the american public. despite the exposure and the publicity given to the russians' efforts in this regard, do you have any doubt at all that the russians will continue their activities in subsequent
2:28 pm
elections? >> i have no doubt. i just don't know, you know, the scale and aggressiveness whether they'll repeat that, if it will be less or if it will be more. but i have no doubt they will continue. >> is there any evidence that the russians haven't planted malware or back doors or other computer techniques to allow them easier access next time to our election systems? >> i'm sorry, senator, i just can't comment on that because of our pending investigations. >> secretary manfra, the secretaries of state who are responsible for the election systems have a pretty blistering attack on the department of homeland security in the testimony that will be given later this morning. and i want to read you part of
2:29 pm
it and have you respond. they say yet nearly six months after the designation -- and they mean the designation of election systems as critical infrastructure and in spite of comments by dhs that they're rushing to establish election protections, no secretary of state is currently authorized to receive classified threat information that would help them to protect their election systems. why not? >> thank you, ma'am, for that question. i would note that this community, the secretaries of state and for those states where they have a state election director is not one that the department has historically engaged with. and what we have done in the process of building the trust and learning about how they do their work and how we can assist, we have identified the
2:30 pm
need to provide clearances to that community. and so we have committed to them to work through that process between our department and the fbi. >> let me ask you about your own agency, which is the agency that focuses on critical infrastructure including our election systems. now, nppd is not an official element of the intelligence community that would have routine access to especially sensitive classified information, so how do you know with any certainty whether you and others in the agency are read into all the relevant classified information that may exist regarding foreign threats to our critical information including our election systems.
2:31 pm
>> i would say despite -- is network defense and operations in partnership with the critical infrastructure and the federal government. we feel very confident that with the partnership with our own intelligence analysis division that serves as an advocate for us within the intelligence community as well as our direct relationships with many of those individuals in organizations sump as the fbi, nsa and others that we receive information quickly. and when we ask to declassify that, they are responsive and we work through our partners at the intelligence analysis office to ensure that happens quickly. so it there room for improvement? absolutely, of course. but we have the full commitment of the intelligence community to support us and get us the information we need and our stakeholders need. >> and finally, how many states have implemented all the best practices recommended in the document developed by dhs
2:32 pm
regarding the protection of election systems? >> ma'am, i'd have to get back to you on a specific number of states. i don't have that with me. >> do you think most states have -- >> informal engagement many of them noted that they had already adopted some of these. and to the extent that they weren't, they were incorporating them. >> i would ask for a response for the record. >> yes, ma'am. >> that's a really important point. >> senator heinrich. >> mr. preistep, i want to thank you for your testimony this morning. i think you hit the nail on the head when you said we need to step back and ask the fundamental question, what do the russians want. and by outlining that they want to undermine legitimacy in our system, that they want to sow discord, they want to undermine our free and fair elections, we really have a better lens with
2:33 pm
which to understand the specifics of what happened in 2016. in your view, were the russians successful in reaching their goals in the 2016 elections? >> i don't know for certain whether the russians would consider themselves successful. in many ways they might argue that because of the time and energy we're spending on this topic, maybe it's distracting us from other things. but on the other hand exactly what this committee is doing as far as raising awareness of their activities, their aims for their american people in my opinion they've done the american public a service in that regard. so i guess i don't know but
2:34 pm
could argue either way. >> yeah, i think the jury's certainly out for the future, but when you look at the amount of discord that was sown and the impact on 2016 i hope that the outcome of what we're doing here is to make sure in 2018 and 2020 and 2022 that by no metric will they have been successful. mr. priestap, you stated very quickly that one of their primary goals was to delegitimize our democracy. are you familiar with the term unwitting agent? >> yes, i am. >> can you kind of summarize what that is for us? >> in an intelligence context it would be where an intelligence service is trying to advance certain names and they reach out to a variety of people, some of which they might try to convince to do certain things and the
2:35 pm
people, person or persons they contact might actually carry those out but for different reasons than the intelligence service had actually wanted them to carry it out. in other words they do it unwittingly. >> by effectively reinforcing the russian narrative and publicly saying that our system is rigged, did then-candidate trump, now-president trump become what intelligence officials call an unwitting agent? i don't blame you for not answering that question. we've got about 1:46 left. can you talk about the relationship between the election penetration that we saw and the coincident russian use of what senator rubio very aptly described of trolls, of bots, of
2:36 pm
social media, all designed to manipulate the american media cycle and how those two things fit together. >> i'm sorry to clarify, fit together the intrusions with the -- >> what's the relationship between what they were doing in our elections from a technical point of view and what they were seeking to do in our media cycle by using trolls and bots and manipulation of the media cycle. >> sure. i mean, i guess the best way i can describe it is this was a my opinion a well-planned, well-coordinated multi-faceted attack on our election process and democracy. and, while that might sound complicated, but it was actually really straightforward. they want to collect intelligence from a variety of sources in human and cyber means. they want to evaluate that
2:37 pm
intelligence. they might selectively disseminate some of it, might use more for more strategic discussions. but at the end of the day it's about collecting intelligence that would give them some type of advantage over the united states and/or attempt to influence things and then coordinated -- well coordinated, well-funded, diverse ways to disseminate things to hopefully influence american opinion. >> this was a very sophisticated highly resourced effort. >> absolutely. >> thank you. >> thank the chairman. let's start about -- let's start with the comment that dhs made in its written comment which says accesses systems russian targeters accessed or compromised were not involved in vote tallying. is that because the vote
2:38 pm
tallying systems are a whole lot harder to get into than the voter registration systems? >> i can't make a statement as to why different systems were targeted. what we can assess is that those vote tallying systems whether it was the machines, a kiosk that a voter uses at the polling station, or the systems that are used to tally votes were very difficult to access and particularly to access them remotely and then given the level of observation for vote tallying at every level of the process that adds into, you know, that we would have identified issues there. and there were no identified issues. so those two -- >> okay. i would think that if you could get into the vote tallying system and you did want to impact the outcome of an
2:39 pm
election, obviously the vote tallying system is the place to do that. and i would also suggest that all of your efforts are -- a lot of your efforts should be to continue to do whatever dhs thinks they need to advise. i don't think we should centralize this system, to give advice to state and local elected officials to be sure that that vote tallying system is protected at a level above other systems. you know, the voter registration system is public information. it is generally accessible in lots of ways. it's not nearly as protected for that reason. you have lots of input from lots of sources into that system. and i think, miss manfra, you made the point that you said in the best practice would be to not have the vote tallying system connected in any unnecessary way to the internet. is that right?
2:40 pm
>> both the kiosks themselves and vote tallying systems to not connect them to the internet and to also have ideally paper auditing trail as well. >> well, i certainly agree with that. the paper trail is significant. and i think more prevalent as people are looking at new systems. but also i think any kind of third party monitoring, the first two parties would be the voter and the counting system, just creates another way into the system. so my advice would be that dhs doesn't want to be in a situation where somehow you're connected to all the voting systems in the country. mr. louz, i think you said the diversity of our voting system is a great strength of the system. do you want to comment on that any more? >> yes, sir.
2:41 pm
when we were setting as part of red teaming activities we look at the diversity of the voting system a great strength. the fact they were not connected in any kind of centralized way, so we evaluated that when looking at risk assessment with the cia and office of cyber intelligence analysis, we looked at that as one of the great strengths. and our experts at the i.c. worked with also said the same thing. >> well, i would hope you continue to think about that as one of the great strengths as you look at this critical infrastructure because every avenue for federal monitoring is just one more avenue for somebody else to figure out how to get into that system. and, again, the voter registration system dramatically different in what it does. all public information accessible printed out, given to people to use though you are careful of what information you
2:42 pm
give. but almost all election officials that have this system now have some way to share that with the public as a system. there is no reason to share the security of the vote counting system with the public or to have it available or accessible. and i would hope that the dhs or nobody else decides that you're going to save this system by having more avenues and more avenues into the system. >> absolutely not, sir, we're fully supportive of the voluntary standards process. and we are engaging with that process with our experts. and we continue again with the voluntary partnership with the state and locals. and we intend to continue that. >> thank you. thank you, mr. chairman. >> senator cain. >> thank you, mr. chairman. starting with a couple questions, mr. priestap, you indicated this was a very real threat of russia to probe and
2:43 pm
intercept our election system. any doubt that it was the russians? >> no, sir. >> any doubt that they'll be back? >> no, sir. >> to our dhs witnesses, have the 21 states that you've mentioned that we know where had this happened been notified officially? >> sir, the owners of the systems within those 21 states have been notified. >> how about the election officials in those states? >> we are working to ensure that election officials as well understand. i'll have to get back to you on whether all 21 states -- >> have you had a conference of all state election officials, secretaries of state here in washington on this issue? >> i have had at least two teleconferences and in-person conferences we will be engaging with them in july, i believe. >> well, i would urge you to put some urgency on this. we got another election coming in 18 months and if we're talking about systems and registration rolls, time is
2:44 pm
going by. so i believe this is as we've already heard characterized a very grave threat. it's going to be back and shame on us if we're not prepared. >> yes, sir. we have bi-weekly or every other week we hold a tmpb conference with all relevant election officials, the national associations that represent those individuals have nominated bipartisan individuals to engage with us on a regular basis. this is of the utmost urgency for the department in this government to ensure that we have better protections going forward, but the community, the election community is similarly committed and has been so for years. >> just to be clear, nobody's talking about a federal takeover of local election systems. >> absolutely. >> or federal rules. what we're talking about is technical assistance and information and perhaps some funding at some point. >> sir, this is similar to our engagement with all critical infrastructure sectors, whether it's the electrical sector, nuclear sector, financial sector. it's completely voluntary and it is about this department providing information both to
2:45 pm
potential victims but to all network defenders to ensure that they have access to what we have access to and can better defend themselves. >> thank you. i'll take issue with something that you said, we have a national election and it's too large, too diverse to really crack. we don't have a national election. what we have are 50 state elections. and each election in the states can depend upon a certain number of counties. there are probably 500 people within the sound of my voice who could tell you which ten counties in the united states will determine the next presidential election. and so you really a sophisticated actor could hack a presidential election simply by focusing on particular counties. senator rubio i'm sure remembers dade county in the year 2000 and the significance that had to determining who the next president of the united states was. i don't think it works to just say, oh, it's a big system and the very diversity will protect us because it really is county by county, city by city, state by state.
2:46 pm
and a sophisticated actor, which the russians are, could easily determine where to direct their attack. so i don't want to rely on the diversity. second, a separate point is, what do we recommend? and we've talked about paper backups. the dutch just had an election where they just decided to make it all paper and count the ballots by hand. for this very reason. so what would you tell my elections clerk in brunswick, maine, miss manfra would be the top three things he or she would protect themselves in this situation? >> sir, i would say to first as previous senators mentioned prioritize the security of your voting machines and the vote tallying systems, ensure that they are not connected to the internet even if that is enabled on those particular devices. second, ensure that you have an auditing process in place where you can identify anomalies
2:47 pm
throughout the process. educate polling workers to look for suspicious activity, for example. >> but does auditing mean a paper trail, a paper backup? >> yes, sir. i would recommend a paper backup. >> and one of the worrisome things again on the issue of the national, we talk about how diverse it is, but aren't we seeing a consolidation in terms of the vendor who is are producing these machines? >> yes, sir, it is my understanding that we are seeing some consolidation in the vendor community. again, many of them are committed and have engaged on the voluntary voting standards and guidelines which partly include security. we will be updating those security guidelines in 2018. and, yes, while there's some concern about consolidation, we do look forward to engaging with them. and as of now they're very engaged community. >> i think this aspect of this question that this committee is looking at is one of the most important and frankly one of the most daunting because we've
2:48 pm
pretty well determined that they weren't successful in changing tallies and changing votes, but they weren't doing what they did in at least 21 states for fun. and they are going to be back and they're going to be back with knowledge and information that they didn't have before. so i commend you for your attention to this and certainly hope that this is treated with the absolute utmost urgency. thank you, mr. chairman. >> senator lankford. >> thanks, mr. chairman. thanks all of you for being here as well today. to senator king, just as a heads up, there are some states that are like that. for 25 years the oklahoma election system has had a paper ballot and an optical scan. and it's been a very good backup for us. we quickly count because of the optical scan, but we're able to go back and verify because of paper. this is such a big deal and such an ongoing conversation that i'm actually in two simultaneous hearings today i'm running back and forth with. in the department of homeland security what we're dealing with with state elections and with state systems is also happening
2:49 pm
in the hearing i'm also at including my own oklahoma cio that's there testifying today on this same issue. how are we protecting state systems, state elections and what's happening. i brought this with me today. y'all probably this group's very, very familiar with this e-mail. this is the famous e-mail that billy rhinehart got from the dnc while he happened to be on vacation. he was out in hawaii enjoying some quality time away from his work at the dnc and he gets an e-mail from google it appears that says someone has used your password, someone just tried to sign into your google account, sent it to him and told him someone tried to do it from the ukraine and recommended that he go in and change his password immediately. which as the "new york times" reported he groggily at 4:00 a.m. when he saw that e-mail was frustrated by it, went in, clicked on the link, changed his password and went back to bed. but what he actually did was just gave the russian government
2:50 pm
access to the dnc. and then it took off from there. multiple other staff members of the dnc got an e-mail that looked just like this. now, for everyone who has a google account will note, that really looks like a google account warning. it looked like the real thing when you hovered over the change pass wod it showed a google account connection where it was going to, but it wasn't. it was going to the russians. about 91%, my understanding is, about 1% of the hacks that come into different systems, start with a spearphish attack that looks just like this. first for you, mr. perstaff, how does russia identify a potential target? because this is not just a random email that came to him this was targeted directly at him to his address, it looked very real. because they knew who he was, and where he works.
2:51 pm
so how are the russians that savvy to be able to track that person? and how does this work in the future for an elections system for a state? >> so i can't go into great detail in this forum, but i would say what intelligence services do, not just russia there is they're looking for vulnerabilities. and that would begin in the cyber sense, with computer vulnerabilities. as far as targeting specific individuals, i don't know all of the facts surrounding that email and all the emails that were sent. but my guess is they didn't just send it to one person. sent an email like that to a whole variety of just hoping that one would click on it. >> right, but how are they getting that information? they go into their website and gathering all the emails for it? trying to figure out are they tracking individuals to get more einformation so they can get something that looks like something they would click on?
2:52 pm
>> you've hit on it, but a whole variety of ways. they might get it through reviewing open-source material. either online or otherwise. but they also collect a lot of information through their, through human means, as well. >> so miss manfred, let me did you, what someone at any information clicks on an email like this, what information do they get? >> it depends on the system itself. i imagine that's a frustrating response. but given the and i think this is important for the public to understand, is as the threat evolves, they're going to continue as we educate the public, don't click on certain things, make sure you know the sender before you click on it. as our defense gets better, the offense is going to look for other means. so we look you know in this case, ideally we want people to look and see what is it that they're actually clicking on before they click it.
2:53 pm
some organizations choose to say when an individual clicks on that link, they choose to not allow that to go to that destination. because they know it's suspicion. or they have some mechanisms in place to put that into a container and look at it. other organizations don't take those steps. and it really depends on your risk management and the technical controls you put in place. >> who has primary responsibility for federal election integrity? which agency is the prime mover in that? obviously states oversee their own. which federal entity is working with the state to say they're the prime person or the prime agency to do it? >> for election cybersecurity, our department in coordination with the fbi and others is leading the partnership with state and locals. >> great, thank you. >> senator manchin? >> i thank you all for your appearance here today and your testimony. being a former secretary of
2:54 pm
state, of my great state of west virginia and also being a former governor, my most concern was voter fraud. every time that we would have a report of fraud, we would see the election participation increase the next election cycle, thinking their vote didn't count. is there any reason at all that any person that has the knowledge that you all have or anyone that you on our committee here, from the intelligence community, would give you any doubt that russia was involved and russia was very much involved with the intent of doing harm to our election process, as far as the confidence level that voters would have? do you have any concerns whatsoever, any doubts that russians were behind this and involved at a higher level than ever? all three of you. >> no, no doubt from the fbi's end as far as the, as far as russia's involvement.
2:55 pm
>> you all have been interactive with the intelligence community, right? >> yes, sir. >> similar story, i have no doubt. >> no doubt, sir. >> so nobody, there's not an american right now should have a reasonable doubt whatsoever that russians were involved. were all 50 states notified on russia's intention activities during the election cycle? had you all put an alert out, if i had been secretary of state, would you have notified me to be on the lookout? >> sir, i can discuss our products that we put out. and i'll defer to the fbi on what they put out. we did put out products, not public products, but we did put out products primarily leveraging our multistate information sharing analysis center, which has connections to all 50 states. cio's and we engaged with the election assistance commission and other national associations that represent those
2:56 pm
individuals, to insure that we were able to reach fwan this was a community that we had not historically engaged with. so we relied on those that we did put out multiple products. >> you're not sure of the national association and secretary of states dispersed that information and put everybody on high alert. >> i believe that they did, sir. we also held conference calls where all 50 secretaries of state or election director if the secretary of state didn't have that responsibility, in august and september and again in october, both high-level engagement and network defense products. >> if i could ask this question to whoever maybe mr. prestep. what was russia's intention and do you think they were successful in what they desired to do, even though they didn't alter as you all have said, you can see no alterations of the election results. do you believe that it had an effect in this election and the
2:57 pm
outcome of this 2016 election? >> as far as russia's intention in the broader vein to undermine democracy, one of the ways they sought to do this here was to undermine the legitimacy of our free and fair election. >> do you believe they were successful in the outcome? >> the fbi doesn't look at that as far as did russia achieve its aims in that regards. >> let me ask this question, are there counter actions the u.s. could take to subvert or punish the russians in what they have done and their intention to continue? and what's your opinion of the sanctions that we have placed on russia? >> so sure. as you know, the fbi doesn't do policy, here today to provide you an overview of the threat picture as i understand and see
2:58 pm
it. but obviously the u.s. government did take action, post election. in regards to making a number of russian officials. >> have you seen them decide any of their activities since we have taken actions? >> they have less people to carry out their activities. that's certainly had a impact on the number of people. >> have we shared this with our european allies who are going through election processes? and have they seen the same intervention, in their election process, that we have seen from the russians in ours? >> i can't speak for dhs, but the fbi is sharing this information with our allies, absolutely. >> how about dhs. >> we are sharing information with our allies. >> are they seeing an over-aggressive high activity from the russians that we haven't seen at this level before. such as we did during the 2016 election. >> there is media reporting that
2:59 pm
suggests that, we don't have direct government-to-government relationships with dhs perspective. there is definitely media reporting that they're seeing increased activity. >> mr. prestep, thank you for your appearance today. enter inn response to mr. hinrich's question about whether donald trump had become an unwitting agent for russia in their efforts to sow discord and discontent with our election. you said you declined to answer which is understandable. since her election defeat, hillary clinton has blamed her loss on the russians, vladimir putin, the fbi, jim comey, fake news, wikileaks, facebook and content farms in macedonia. in her blaming her loss on these actors, has hillary clinton become an unwitting agent of russians' goals in the united states?
3:00 pm
>> i'm sorry, sir, but i would rather not comment, it's just something -- >> i understand -- >> any thoughts. >> let's turn to other matters then. which would you advise states and localities in the conduct of their elections, or more broadly in their government services, not to use or not to do business with kes bersky lapse or companies that use cakaspersky products in their systems? >> i can't comment on that in this setting. >> ms. manfred, would you advise them not to use kaspersky products? >> i can also not comment on that in this forum, sir. >> i don't have to ask dr. lyle you're reaching for your microphone. >> i can't comment, either. >> senator risch says he'll answer but i'll let him speak
3:01 pm
for himself at a later time. mr. prestep, we talked about russia's intent and activities in our election. i think it's important that the american people realize it goes farther than the elections and the 2016 campaign as well. isn't it true that russian actors have been probing u.s. critical infrastructure for years? >> yes, sir, i can't go into specifics, but they probe a lot of things of critical importance to this country. >> and is the head of counterintelligence, you right in your statement that quote russia's 2016 presidential election influencing effort was the boldest to date in the united states which implies there have been previous efforts. you also say that the fbi should strengthen the intelligence community assessment because of our history investigating russia's intelligence operations within the united states. both of which suggest this keeps you busy in your portfolio of counterintelligence, right? >> that's correct. >> and this is, this russian
3:02 pm
intelligence threat is not just a cyber threat. it's a threat from traditional human intelligence or what a layman might call spies, is that right? >> yes, sir. >> do so-called diplomats who work out of the russian embassy in washington, d.c. have a requirement to notify our state department in advance if they plan to travel more than 25 miles and give that notification 48 hours in advance? >> they do. >> and that state department is supposed to notify the fbi in advance of those travel arrangements, correct? >> is it true that the russian nationals often fail to give that notification at all or they give it at 4:55 on a friday afternoon before a weekend trip? >> i would prefer not to go into those details here. i'll leave it at that. >> does it complicate you and your agents' efforts to conduct your counterintelligence mission
3:03 pm
to have russian nationals wandering around the country, more than 25 miles outside their duty assignment? >> sure, if that were to happen that would complicate our efforts. >> the secretary of defense recently indicated at an armed services committee hearing that russia is in violation of something called the open skies treaty. a treaty we have with russia and other nations that allows us to overfly their territory and take pictures and they do the same here. do we see so-called russian diplomats traveling to places that are in conjunction with open skies flights that russia is conducting in this country? >> i can't comment on that here. >> so last summer an american diplomat in moscow was brutally assaulted on the doorstep of our embassy in moscow. did we take any steps to retaliate against russia for that assault in moscow?
3:04 pm
>> did we declare persona nongrata any of their so-called diplomats in the united states? >> if i recall correctly, we didn't immediately do anything in that regard. >> this committee passed unanimously in committee last year something that just passed as part of the omnibus committee bill in april a provision to require one the state department to notify the fbi of any requests for russian diplomats to travel more than 25 miles outside their embassy. and to report violations to you. it further requires the state department to report those violations regularly to this committee. what's the status of that provision now that it's been in law for about two months. is the state department cooperating more fully with you? >> i guess i would rather not comment on that here. we're still working through the implementation of that. >> well i certainly hope they start. thank you. >> senator harris? >> ms. manfred, you mentioned that you notified the owners. i'm not clear on who the owners are, are they the vendors?
3:05 pm
>> what i meant to clarify is in some case it may not be the secretary of state or the state election director who owns that particular system. so in some cases it could be a locality or a vendor. >> so is there a policy of who should be notified when you suspect that there's a threat? >> we are working through that policy with the secretaries of state, that's one of the commitments that we made to them. and election directors in order to insure that they have appropriate information while preserving the confidentiality of the victim publicly. >> can you tell us in which states you notified the vendor instead of notifying the secretary of state? >> we keep the vendor information confidential as well. >> are there states that you notified where you did not notify the person who was elected by the people of that state to oversee elections? >> i don't believe that's the case, but i'll get back to you.
3:06 pm
>> how specific was the warning that you sent? what exactly is it that you notified the states or the vendors of. >> depending on the scenario and the information that we had, and more generally, what we do is when we get classified information we look to declassify as much as possible -- >> let's talk -- >> for this particular, this particular one, what we took was technical information that we had, that we believe was suspicious and that was emanating from russia and was targeting their system. we asked them to look at their system, we asked and this was part of the broader dissemination as well, we asked all states to look at their system to identify whether they had an intrusion or whether they blocked it. in most cases, they blocked it. >> do you have a copy with you of the notification that you sent to the various vendors or states? >> i do not, ma'am, but we can get one. >> will you provide the
3:07 pm
committee of the copy of the notification you sent to states? >> many of them were done in person. what i can share with you is the technical information that we published in december. i can show you what we provided to the states and localities. >> and did you notify each of them the same way? or did you tailor the notification to each state? >> we tailor the notification. it's a process for all victim or potential victim notification, us and the fbi. so sometimes it may be an fbi field agent that goes out there. sometimes it may be a department official that goes out there. >> in your follow-up to the committee please provide us who notified each state and who in that state was notified, the vendor or the state elections official and what specifically they were notified of. >> yes. >> i have in 2007, california worked with leading security
3:08 pm
researchers, the secretary of state at the time was deborah bowen and they instituted some of the best practices we believe for election security. my understanding is that it is considered a gold standard. my question is does dhs have the technical capability and authority to coordinate a study like that for all the states? >> we do have the technical capability and authority to conduct those sorts of studies, ma'am, yes. >> have you pursued that as a viable option to help the states do everything they can to secure their systems? >> that is one of the areas that we're considering, yes, ma'am. >> have you taken a look at that study that was commissioned in california in 2007? >> i have not personally, but i will read it, ma'am. >> i'm concerned that the federal government does not have all the information it needs in the situations where there's been a breach. is there any requirement that a state notify the federal
3:09 pm
government when they suspect there's been a breach? >> no, ma'am. and in terms of the american public and voters in each of these states, can you tell me is there any requirement that the state notify its residents when the state suspects there may be a breach? >> i cannot comment, i know that multiple states have different sunshine laws, et cetera, that apply to data breaches within the state so i couldn't make a general statement about what their requirements are at the state level. >> do any of you have any thoughts about whether there should be such requirements both in terms of states reporting to the federal government and also states reporting to their own residents and citizens about any breaches of their election systems? required data breach reporting is a complicated area. we prefer and we've had a fair amount of success with voluntary reporting and partnerships. but we'd be happy to work with
3:10 pm
your staff and further understanding how that might apply here. >> any other thoughts as we think about how we can improve notification and sharing of information? >> no. >> okay, thank you. >> i'll move to senator reed. let me just say that a number of members have questioned the agencies, especially those that are here and sharing with congress of the investigation. i'll just say that the chair and the vice chair were briefed at the earliest possible time, and continue to be briefed throughout the process and then it was opened up to all the members of the committee. i'm not sure that i had ever shared that with everybody. i just wanted to make sure that everybody was aware of that. senator reid. >> thank you very much, ladies and gentlemen, aside with mr. prestep. are you aware of any direction or guidance from president trump
3:11 pm
to conduct this investigation about russian intrusion in our elections? >> sir, i can't comment on that, it could be potentially related to things under the special counsel's purview. >> ms. manfred in terms of security, are you aware of any direction by the president to conduct these types of operations? or your investigations? >> sir, to clarify the question, direction from the president to -- >> president. united states as directed that we, that the department of homeland security and other federal agencies conduct the activities that you're conducting, essentially investigation into russian hacking and the election. >> i can't comment on the president's direction specifically, but the secretary is committed to, understanding what happened and insuring that we are better protected in the future. so our activities are fully supported. >> he has not communicated that this is at the direction of the
3:12 pm
president of the united states? >> no. sir. >> dr. giles? >> sir this comes directly down from the i krric's that have be working on it for a while but nothing from the president. >> i thought senator king raised some interesting issues in terms of most national elections, there's much you would like to think about, particularly from rhode island are not decided in certain states, but decided in certain cities and counties which raised an interesting question. you were very assertive that you would be able to diagnose an intrusion that was altering loader votes, literally. when could you do that, within weeks of the election, on election day, after election day? >> sir, from an ic perspective, the way we would do that is by looking at the threats themselves targeting different entities. the other element is as the reporting was coming in, if there were any statistical anomalies. and i would point out we're
3:13 pm
talking about internet-connected systems here and not all of the key counties that you represent would be those internet-connected systems. >> but effectively, i think what you've said is you would have to wait for confirmation until the results started coming in on election day. which raises the issue of even if you detected an election day, what do we do? the votes have already been cast. is anyone planning on what's the, what's the reaction we take? how do we notify people? what steps we take? >> i'd have to defer to other -- >> yes, sir. i did want to clarify when we say that activity would be difficult to detect it would be difficult to go on undetected. that we're discussing both at the polling station or the jurisdiction that it would be hard for somebody to do that without anybody. not necessarily that the department would have that immediate insight.
3:14 pm
and to answer your questions, yes, that is absolutely something that is a part of our planning and what we would look forward to partnering with the state and local officials on understanding. so we're about 18 months away from election. we have to be able to develop not a technical infrastructure, but an organizational infrastructure that could react, maybe on very short notice to the discovery that actual votes had been tampered with. is that accurate? >> absolutely. it is both technical and organizational. >> do you think there's enough emphasis in terms of the resources and support to do that the collaboration? you've got 50 states and among those states, many of the voting jurisdictions are not at the state level, the city or township. are we taking a serious issue? >> absolutely. it's one of our highest priorities and i would note we're not just looking ahead to 2018 as election officials
3:15 pm
remind me routinely that elections are conducted on a regular basis. >> let me ask mr. prestep if i've pronounced it correctly. you testified today and your colleagues that information was taken by the russians what type of information was taken and what could it be used for? >> yes, i don't want to get into the details of what victim information was taken. and we've got a variety of pending investigations. but again it could be used for a variety of purposes. it could have been taken to understand what's in those systems. it could have been taken to use to try to target, learn more about individuals so they could be targeted. it could have been taken in a way to publicize just to send a message that for an adversary has the ability to take things and to sow doubt in our voters'
3:16 pm
minds. >> let me ask you this question, judgment. given the activities that the russians have deployed, significant resources, constant effort over as you, the intelligence community probably a decade, do you think they have a better grasp of the vulnerabilities of the american voting system than you have? >> i hope not. i think it's, i think it's an excellent question and i can, well first of all, i hope not and i don't think so, but if they did, i don't think they do any more. >> thank you very much. >> thank you senator reed, before we move to the second panel. one last question, mr. prestep, for you. is there any evidence that the attempt to penetrate the dnc was for the purposes of launching this election year intrusion
3:17 pm
process that they went on or was this at the time, one of multiple fishing expeditions that existed by russian actors in the united states? >> in my opinion, it was one of many efforts you call it a fishing expedition. but to determine what is out there. what intelligence can they collect so they don't go after one place, they go after lots of places and then -- >> tens, hundreds? >> hundreds. at least hundreds. >> okay. >> i want to wrap up the first panel with just a slight recap. i think you have thoroughly covered that there's no question that russia carried out attacks on state election systems. no vote tallies were, were affected or affected the outcome of the elections.
3:18 pm
russia continues to engage in exploitation of the u.s. elections process. and elections are now consider ed a critical infrastructure which is extremely important and does bring some interesting potential new guidelines that might apply to other areas of critical infrastructure that we have not thought of because of the autonomy of each individual state and the control within their state of their election systems. so i'm sure this will be further discussed as the appropriate committees talk about federal jurisdictions. where that extends to and clearly i think it's, this committee's responsibility as we wrap up our investigation to hand off to that committee somewhat of a road map from what we've learned are areas we need to address and we will work very closely with dhs and with the bureau as we do that.
3:19 pm
with that, i will dismiss the first panel and call up the second panel.
3:20 pm
>>. i call the second panel to order. ask those visitors to please take their seats. as we move into our second panel this morning, our hearing is shifting from a federal government focus, to a state level focus. during the second panel we'll again, we'll gain insight into the experiences of the states in 2016, as well as hear about efforts to maintain election security moving forward. for our second panel i'd like to welcome our witnesses, the honorable connie lawson,
3:21 pm
president-elect of the national association of secretaries of state and the secretary of state of indiana. michael haas, the midwest regional representative to the national association of state election directors. and the administrator of the wisconsin election commission. steve sandvass, executive director of the illinois state board of elections. and dr. j. alex halderman, professor of computer science and engineering, university of michigan. thank you all for being here. collectively, you bring a wealth of knowledge and a depth of understanding of our state election systems, potential vulnerabilities of our voting processes and procedures and the mitigation measures we need to take at the state level to protect the foundation of american democracy in january of of this year, then secretary of state, secretary of homeland security jeh johnson designated the post election as a critical
3:22 pm
opponent of u.s. infrastructure. the dhs stated that the designated the election infrastructure as a priority within the national infrastructure protection plan. it enabled the department to prioritize our cybersecurity assistance to state and local election officials, for those who requested it. and made it publicly known that the election infrastructure enjoys all the benefits and protections of critical infrastructure that the u.s. government has to offer. some of your colleagues objected to this designation. seeing it as federal government interference. today i'd like to hear your views on this specifically. but more broadly how the states and the federal government can best work together. i'm a proud defender of state's rights, but this could easily be a moment of divided we fall. we must set aside our suspicions and see this for what it is. an opportunity to unite against a common threat. together we can bring considerable resources to bear, and keep the election system
3:23 pm
safe. again i'd like to thank our witnesses for being here and at that time i would turn to the vice chairman for any comments he might make. vice chairman doesn't have any, i will assume, mr. haas, is that by some process you have been elected to go first. unless there is an agreement, where are we going to start? >> i think we were going to defer to secretary lawson to start. if that's okay with the chair. >> madam secretary, you are recognized. >> good morning chairman burr and vice chairman warner and distinguished members of the committee. i want to thank you for the chance to appear before you today. it's an honor to represent the nation's secretaries of state. 40 of whom serve as chief state election officials. i am connie lawson, indiana secretary of state, and i'm also president-elect of the bipartisan national association of secretaries of state. i'm here to discuss our capacity to secure state and locally run elections from very significant and persistent nation-state
3:24 pm
cyberthreats. with statewide elections in new jersey and virginia this year and many more contests to follow in '18, i want to assure you and all americans that election officials across the united states are taking cybersecurity very seriously. first and foremost. this hearing offer as chance to separate facts from fiction regarding the 16 presidential election. we have seen no evidence that vote casting or counting was subject to manipulation in any state or locality. nor do we have any reason to question the results. just a quick summary of what we know about documented foreign targets of state and local election systems. in the 2016 election cycle as confirmed by the department of homeland security no major cybersecurity issues were reported op election day november 8th. last summer our intelligence agencies found up to 20 state networks had been probed by
3:25 pm
entities essentially rattling the doorknobs to check for unlocked doors. foreign-based hackers were able to gain access to voter registration systems in arizona and illinois. prompting the fbi to warn state election offices to increase their election security measures for the november election. and more recent days we've learned from a top-secret nsa report that the identity of a company providing voter registration support services in several states was compromised. of course it's gravely concerning that election officials have only recently learned about the threats outlined in the leaked nsa report. especially given the fact that the former dhs secretary jeh johnson repeatedly told my colleagues and i that no specific or credible threats existed in the fall of '16. it's unclear why our intelligence agencies would with hold timely and specific threat information from election officials. i have every confidence that
3:26 pm
other panelists will address voting equipment risks and conceptual attack skep yoes for you today. but i want to emphasize some systemic safeguards that we have against cyber attackers. our system is complex and decentralized with a grat deal of agility and low levels of connectivity. even within states much diversity can exist from one locality to the next. this autonomy serves a as a check on the capabilities of nefarious actors. i also want to mention the recent designation of election systems as critical infrastructure. real issues exist with a designation. including a lack of clear parameters around the order, which currently provides dhs and other federal agencies with a large amount of unchecked executive authority over our elections process. at no time between august of '16 and january of '17 did nas and its members ever are a thorough discussion with dhs on what the
3:27 pm
designation means. threat-sharing has been touted as a key justification for the designation. yet nearly six months later, no secretary of state is currently authorized to receive classified threat information from our intelligence agencies. from information gaps to knowledge gaps that aren't being addressed, the this process threatens to erode public confidence in the election process. it's also unable to determine their own election procedures, such to designation reduces diversity and autonomy in our voting process. the potential for adverse effects from perceived or real cyberattacks will likely be much greater and not the other way around. looking ahead, the national association, the nas election security task force was created to insure that state election officials are working together
3:28 pm
to combat threats and foster effective partnerships with the federal government and other public-private stakeholders, the trend line is positive but more can be done. most notably many states and localities are looking to replace or update their voting equipment. if i have one major request for you today, other than rescinding the critical infrastructure designation for election, it is to help election officials get access to classified information sharing. we need this information to defend state elections from foreign interference and respond to threats. thank you and i look forward to answering your questions. >> who would like -- mr. haas? >> thank you, good morning. chairman burr, vice chairman warner and committee members, on behalf of the national association of state election directors, thank you for this opportunity to share what states learned from the 2016 elections and some steps that we are
3:29 pm
taking to further secure our election systems. i serve as wisconsin's chief election official and i'm a member of na s's executive board. we do not have a state-elected official who oversees elections in wisconsin. many of our state election directors across the country are housed in the secretary of state's office, but some are not. 2016 presidential election reinforced several basic lessons. although sometimes in a new context. for instance, all of us understand the importance of constant and effective communication to insure that all actors have the tools they need. the new twist in 2016 of course involved communicating about the security of election systems with the department of homeland security as well as the state staff who provide cybersecurity protection to our voter registration databases. as we have heard this morning, some states have expressed concerns about the timeliness
3:30 pm
and the details of communications from homeland security regarding potential threats, security threats to state election systems. the recent reports about attempted attacks on state voter registration systems which occurred last fall, caught many states by surprise. we look forward to working with the dhs and other federal officials to develop protocols, and expectations for communicating similar information going forward. state election officials believe that it's important that we be in the loop regarding contacts that dhs has with local election officials regarding security threats, such as a spearphishing attempts that were recently publicized. states should be aware of this information to protect their systems, so we can provide additional training and guidance to local election officials. i appreciate the concern that was expressed this morning that this is a two-way street and we
3:31 pm
at the state level also need to think carefully how to most effectively communicate with our local election officials if and when there is an incident that we are aware of at the state level. >> as part of the dhs designation of election systems as critical infrastructure, bodies such as coordinating councils can help to facilitate, decisions regarding the proper balance between notifying state and local officials, and protecting confidential or sensitive information. nas believes that those coordinating bodies should consist of a broad representation of stakeholders and we have expressed strong interest to dhs in participating on those bodies. i would also note that the executive board of nas-ed supports the request of the u.s. elections commission that it serve as the co-sector specific agency as a logical federal
3:32 pm
agency to partner with dhs to provide subject matter expertise and assistance in communicating with local election officials as the a.c. has that communication structure already in place. and the 2016 elections reinforce the need to constantly enhancing the security of voter registration databases as we have heard this morning. while hacking into a voter registration system, as has no effect on tabulating election results, intrukss could result in unauthorized parties getting access to data, regarding voters, candidates and polling places. i would note that while much of the information public upon request, there may be some confidential data held in those databases such as a voter's date of birth, the driver's license number, the last four digits of the social security number.
3:33 pm
different states have different laws about what pieces of that data is confidential. the 2016 elections demonstrated that state and local election officials can implement steps to improve the voter data and many of these steps are not complicated. in addition, to the cyber hygiene scams and risk assessments, states are implementing greater use of multifactor authentication for users of our systems. updating firewalls, the use of white lists to block unauthorized users and completely block access from any foreign ip address. the final lesson of 2016 i would like to address relates to voting equipment. to be clear as it has been said many it thims morning there is no evidence that shoeting machines have been altered in the u.s. elections. i appreciate the committee ts
3:34 pm
emphasis on that. i think for the public that cannot be stated strongly enough. we as election administrators must exercise vigilance to assure that such theoretical attacks do not become a reality. we must also continue to educate the public about safeguards in the system. those safeguards include the decentralized structure of elections that we've heard about this morning and the diversity of voting equipment. in most cases voting equipment is not connected to the internet. and therefore cannot be attacked through cyberspace, it's important to keep in mind that three out of four ballots cast in american elections are on paper ballots. most ballots on touch screen equipment have a paper trail and that election officials can use for audits and recounts there are also several redundancies in the testing and certification of
3:35 pm
voting equipment. it's important to realize that voting equipment is not only used on election day, its functionality is tested several times during the process in short the 2016 elections taught us that the potential for disresulting the elections process is by technology, is a serious and increasing concern. we have state election directors believe that continued cooperation and more effective communication, along with continued vigilance and innovation will insure the integrity of our voting process, and election results, we look forward to working with our federal partners as we plan for elections going forward. thank you for the opportunity to share these thoughts, and i'd be happy to answer any questions. >> mr. sandvass? >> good morning. thank you chairman burr, vice chairman warner and distinguished members of the committee. as director of the state board
3:36 pm
of elections, i would like to briefly describe what our agency does, we are an independent bipartisan agency created by the 1970 illinois constitution, charged with general supervision over the election and registration laws in the state of illinois. as all of you seem to be aware, almost a year ago today, on june 23rd, the illinois state boards of elections was the victim of a malicious cyberattack of unknown origin against the illinois's voter registration system database. because of the initial low-volume nature of the attack, the state board of elections staff did not become aware of it at first. almost three weeks later on july 12th, the state board of elections i.t. staff was made aware of performance issues with the ivrs database server. the processor's usage had spiked to 100% with no explanation. analysis of the service logs,
3:37 pm
showed that the heavy load was due to the application queries of our paperless online voter application website. additionally the server log showed the database queries were malicious in nature. it was a form of cyberattack known as sql, structured query language injection. sql injections are unauthorized malicious database queries entered into a data field we determined that these sqls originated from several foreign-based ip addresses, programmers introduced code changes to eliminate this particular vulnerability in our website. the following day on july 13th, the sbeit made the decision to take the website and the database offline to investigate the severity of the attack. sbe staff map taned the ability to log and view all site
3:38 pm
attempts, malicious ip's from the addresses continued. firewall monitoring indicated that the attackers were hitting sbe ip addresses five times per second, 24 hours a day. these attacks continued until august 12 when they abruptly ceased. sbe staff began working to evaluate the extent of the breach and introducing security enhancements to the web servers and database. a week later on july 19th, we notified the illinois general assembly of the security breach. in addition, we notified the attorney general's office. on july 21st, the state board of elections, time staff completed security enhancements and began to bring the ivrs system back online. on july 28th, both the illinois
3:39 pm
registration system and the paperless online voting application became fully functional again. since the attack occurred, the dhs scans the state board of elections for systems for vulnerabilities on a weekly basis. the illinois department of innovation and technology, an entity that coordinate the i.t. systems of many illinois state agencies, continuously monitors activities on the illinois central network. the network that provide the firewall protections. this department of innovation and technology also called do it, provider spr security awareness training for all state employees. >> we continue to monitor web service and firewall logs on a daily basis. and a virus security software is
3:40 pm
downloaded on a daily basis. the state board of elections by the federal bureau of investigation. we have fully cooperated with the fbi in their ongoing investigation. the fbi advised that we work with the department of homeland securities, united states computer readiness team. to insure that there is no ongoing malicious activity to any of the sbe sxs. the department of homeland security occurring in sbe computer systems. to comply with the personal information protection act, 76,000 registered voters were contacted as potential victims of the data breach. the sbe provided information to these individuals, on steps to take if they felt they were the victims of identity theft. additionally the sbe developed an online pool to inform affected individuals of the
3:41 pm
specific information that was included in their voter record that may have been compromised. as far as looking for future concerns. one of the concerns facing our state and many others i believe is aging voting equipment. the help america vote act, establish requirements for voting equipment. while never funding was made available to replace the old punch card equipment, additional funding has not been further appropriated. if additional fund something not available, we would like to receive permission to use the state's existing funds. the ivrs database is a federal mandate through the help america vote act. cyberattacks targeting end users are also of particular concern. security training funded and provided by a federal entity such as the eac, or dhs would also be beneficial in our view.
3:42 pm
any guide answer is to protect voting systems from cyberinstrugss are always welcome. thank you for the time and i'm happy to answer any questions. >> dr. halderman? >> chairman burr, vice chairman warner and members of the kmity, thank you for inviting me po speak with you today about the security of u.s. elections. i'm a professor of computer science and have spent the last ten years studying the electronic voting systems that our nation relies on. my conclusion from that work is our highly computerized election infrastructure is vulnerable to sabotage and even to cyberattacks that could change votes. these realities risk making our election results more difficult for the american people to trust. i know america's voting machines are vulnerable. because my colleagues and i have hacked them repeatedly.
3:43 pm
as part of a decade of research studying the technology that operates elections how to make it stronger. we've created a tax that can spread from machine to machine, like a computer vice and silently affect the outcomes. we've studied touchscreens and optical scanning systems, we found cases for hackers to sabotage machines and steal votes, these capabilities are certainly within reach for america's enemies. as you know states choose their own voting technology and while some states are doing well with security, others are alarmingly vulnerable. this puts the entire nation at risk. in close elections, an attacker can probe the most important swing states or swing counties, find areas with the weakest protection and strike there in a close election year, changing a few votes in key localities could be enough to tip national results. the key lesson from 2016 is that
3:44 pm
these threats are real. we've heard that russian efforts to target voter registration systems struck 21 states and we've seen reports detailing efforts to spread an attack from an election technology vendor to local election offices. attacking vendors and municipalities could have put russia in an position to sabotage causing long lines or disruptions, we could have engineered this chaos to have a partisan effect by striking places that lean heavily towards one candidate. some say the fact that voting machines rent directly connected to the internet makes them secure. but unfortunately this is not true. voting machines are not as distant from the internet as they may seem. before every election they need to be programmed with races and candidates. that programming is created on a desk top computer. then transferred to voting
3:45 pm
machines. if russia infiltrated these election management computers it could have spread a vote stealing attack to vast numbers of machines. i don't know how far russia got, or whether they managed to interfere with equipment on election day. but there's no doubt that russia has the technical ability to commit widespread attacks against our voting system. ing james comey, when he warned here two weeks ago we know they're coming after america. and they'll be back. we must start preparing now. fortunately there's a broad consensus among cybersecurity experts about measures that would make america's election infrastructure much harder to attack. i've cosigned a letter that i've entered into the record from over 100 leading computer scientists security experts and election officials, that recommends three essential
3:46 pm
steps. we need to upgrade technology that 36 states already use. paper provides a physical record of the vote. that simply hacked. president trump made this point well on fox news the morning after, the morning of the election. he said something really nice about the old paper ballot system. you don't worry about hacking. second, we need to use the paper to make sure that the computer results are right. this is a common-sense quality control and it should be routine. using what's known as a risk limiting audit. officials can check a small random sample of the ballots to quickly and affordably provide high assurance that the election outcome was correct. only two states, colorado and new mexico, currently conduct audits that are robust enough to reliably detect hacking attacks.
3:47 pm
we need to conduct comprehensive threat assessments and applying cybersecurity best practices to the design of voting equipment and the management of elections. these are affordable fixes. replacing insecure paperless voting systems wide would cost $130 million to $140 million. risk-limiting audits for federal elections would cost less than $20 million a year. these amounts are vanishingly small compared to the national security improvement they buy. state and local election officials have an extremely difficult job. even without having to worry about cyberattacks by hostile governments, but the federal government can make prudent investments an uphold voters confidence, we all want election results that we can trust if congress works closely with the states, we can upgrade our election infrastructure in time for 2018 and 2020. but if we fail to act i think
3:48 pm
it's only a matter of time. until a major election is disrupted or stolen in a cyberattack. thank you for the opportunity to testify today. and for your leadership on this critical matter, i look forward to answering any questions. >> dr. halderman, thank you. the chair would recognize himself for five minutes, members will be recognized by seniority. secretary lawson, how many states is a secretary of state in charge of the elections process? do you know? >> yes, sir, it's 40. >> would you be specific? what do the secretary of states do? what is it they do not like about elections being designated critical infrastructure? >> the most important issue, sir, is that there have been no clear parameters set. and even after the three calls that we had with secretary jeh johnson before the designation was made, we consistently asked
3:49 pm
for what would be different if the designation was made. and how we would communicate. would it be any difference -- >> nothing has negatively happened, except you don't have the guidance to know what to do? >> nothing has negatively happened to this date. but also nothing positive has happened. >> got it. >> mr. sandvos. illinois is one of the few states that have publicly been identified, i guess that's -- in part because you took the initiative to do it. you gave a good chronology, 23 june, first signed 12 july, state i.t. staff, took action, 12 august. the attack stopped. at what point was the state of illinois contacted by any federal entity about their system having been attacked.
3:50 pm
or was it the state of illinois that contacted the federal government? >> we were contacted by the fbi, i don't have the exact date. but it was after after we had rd the matter to the attorney general's office. my guess would be probably a week after. >> after the a.g. was notified by us of this breach. >> and the a.g. was notified approximately when? >> on july 19th. >> july 19th, okay. at what point did the state of illinois know that it was the russians? >> actually to this day we don't know with certainty that it was the russians. we've never been told by any official entity, and the only one that we're aware of that was investigating was the fbi, and they have not told us definitively that it was the russians. our i.t. staff was able to identify i think it was seven
3:51 pm
i.p. addresses from foreign location, i believe it was the netherlands. that doesn't mean the attack originated in the netherlands. we have no idea where it originated from. >> did your i.t. staff have some initial assessments on their own? >> no, because i think anything of that nature would have been speculative and we didn't want to do that. i think we wanted to leave that to the professional investigators. >> you gave an update on what you're currently doing to enhance the security, dhs weekly security checks. in your estimation, has the federal government responded appropriately today? >> i believe they have, yes. i've heard nothing from our i.t. division and they'd be the persons that would know. i've heard nothing from them that dhs's work in that matter
3:52 pm
has been less than satisfactory. >> let me ask all of you, except you, mr. sandvoss, do you believe the threat of cyber threats to the election cycle be made public? should we identify those assassinates. >> i think we're certainly sensitive to the balance that homeland security and others need to make. i think so far as we've gone, we want to know as the victims or potential victims and then i think as part of the coordinating council and the designation of critical infrastructure, there has to be a conversation amongst the -- >> is there a right of the public in your state to know? >> yes, i believe there is. if there was a hack into our system, i think we would certainly want to consult our
3:53 pm
statutes and so forth. but we would -- we believe in transparency. we would want to let the public know. >> dr. halderman. >> i think the public needs details about these attacks and the vulnerability of the system in order to make informed decisions about how we can make the system better and provide the resources that election officials need. so yes. >> secretary lawson? >> i lay awake at night wondering about confidence in our public election systems. i think we need to be very careful and balance the information because the worst thing that we can do is make people think that their vote doesn't count or it can be san se -- cancelled out. so telling the public that these systems are out there, it doesn't undermine confidence, it makes them know we are doing everything we can to stop the attacks, i would be in favor in
3:54 pm
it. >> i teak fake for granted that of you have evidence that vote tallies were altered in the 2016 elections? >> correct. >> when you and your colleagues hacked the system, did you get caught? >> we hacked the systems as part of our -- >> i get that. did you get caught? did they see the intrusion into your system? >> the one instance was invited to hack a real voting system was in washington, d.c. in 2010. in that instance it took less than 48 hours for us to change all the votes and we were not caught. >> vice chairman. >> i'd like to thank all the witnesses for their testimony. i find a little stunning mr. sandvoss, your answer. i think if you saw the preceding panel, you had the dhs and the
3:55 pm
fbi unambiguously say that it was the russians who hacked into these 21 systems and find a little strange that they've not relaid thi relay -- relayed that information to you. we found that even though we know those 21 states attempted to be hacked into or doors rattled or whatever analogy you want to use, in many cases the state election officials, whether the state directors or the secretaries of state, may not even have been notified. i find that stunning. and clearly lots of local election officials where the activities really take place haven't been notified. so i've got a series of
3:56 pm
questions and i'd ask fairly brief responses. dr. halderman, can you just again restate, as senator king mentioned in the earlier testimony, you don't need to disrupt a whole system. you could disrupt a single jurisdiction in a state and if you could in effect wipe that ledger clean, could you invalidate potentially not just that local election but then the results of the state, the congressional level, the state and ultimately the nation, is that not correct? >> yes, that's correct. >> so i believe it's important in our centralized system, we are on as strong as our weakest link. is that correct? >> that's correct. >> do you believe all 21 states that were hacked that the state elections officials are aware? >> i can't answer that question, sir. i will tell you that indiana has not been notified.
3:57 pm
i don't know if we're even on the list. >> i don't know for sure except dhs did indicate in a teleconference that all the states that were attacked have been notified. >> we were told earlier that's not the case. we were told the vendors may have been notified. do you know if wisconsin was attacked? >> we have not been told there was not an attack in wisconsin. >> are you comfortable, either one of you, with not having that knowledge? >> we are hyper sensitive about our security. i would say when the fbi sent the notice in september for states to look for certain i.p. addresses to see if their systems had been penetrated or attempted to be penetrated, we absolutely searched -- in fact, we looked at 15,500,000 log-ins that had happened in our system since the first of january that
3:58 pm
year so we believe that our system has not been hacked. >> i would also state that both our office and the chief was in officer of the state and his office would likely be able to detect that the system was hacked. >> we've got the two leading state election officials not knowing whether their states were one of the 21 that at least the russians probed. let me finish, please. >> the notion that state officials wouldn't know that local election officials clearly haven't been notified, i appreciate the chairman's offer. the chairman and i are going to write a letter to all the states, if you view yourself as victims, i think there is a public obligation to disclose. again not to relitigate 2016 but to make sure we're prepared for 2017 where i have state elections in my state this years and 2018. and it's -- to do otherwise
3:59 pm
because there are some, there are some still in the political process that believe this whole russian incursion into our elections is a witch hunt and fake news. i could easily understand some local elected official saying this is not a problem, this is not a bother. i don't need to tighten up my security procedures at all and that would do a huge, huge disservice to secretary lawson that you say you want to try to prevent and provide to our voters. i hope when you receive the letter from our -- and we'll write this on a confidential basis, that you would urge your colleagues to come forward. again, not to embarrass any state, but i find it totally unacceptable, one, that the public doesn't know that local election officials don't know that you as the leaders of the state election officials don't even know whether your states were part of the 21 that has been testified by the dhs that
4:00 pm
at least they were if not looked at, door jiggled or actually as the case in illinois were information from where voter registration efforts were -- my hope is you'll work with us on a cooperative basis. we want to make sure dhs and others are better at sharing the information and you get the classified briefings that you deserve. >> july 12 was the date you first learned you had issues, right? >> that's correct. >> and that was as a result of a high volume spike, correct? >> that is correct. >> and when you looked you saw it started joon 23rd. >> gentlemen. >> and those were low-volume
4:01 pm
spikes on june 23rd? >> yes. >> so had they not turned up the volume, would you not have discovered it? >> i would say it would not have been des covered, certainly right away. if the volume was low up in, even an analysis of our server logs might not catch something like that because it wouldn't stand out. i think the answer to your question is yes. >> so you said the 19th you notified the attorney general; is that correct? >> yes, correct. >> that was the illinois attorney general, not the u.s. attorney general, correct? >> yes. state law requires we notify the attorney general in these instance. >> so the next thing was that you were contacted by the fbi; is that correct? >> yes. >> so the question i've got and i'm just trying to get an understanding of the facts, are you assuming that the illinois a.g. contacted the fbi or do you
4:02 pm
know that or not know that? >> i don't know that for sure but i would suspect that they did because how else would the fbi know. >> that's where i was getting it. that was not the result of a federal analysis that turned up what had actually happened. is that a fair statement? >> i believe so, yes. >> you then did some things to try to mitigate what had happened. have you shared this with other states as to what you had done in order to develop a best practices if you would? >> we didn't have any formal notification to all 50 states, no.
4:03 pm
>> i believe that once the fbi became aware of this, i believe that they contacted the different states. i don't believe our attorney general's office did, though i don't know for service. we didn't have any formal communication with all 50 states regarding this. >> and do you believe you have developed a best practices action after this attack that you've described for us? >> i believe so, yes. >> do you think it would be appropriate for you to get that out through the secretary of state's organization or other organization so that other states could have that? >> certainly. absolutely. >> mr. halderman, your hacking that you've described for us, would your ability -- if you were sitting in russia right now and wanted to do the same thing that you had done, would that ability be dependent upon the
4:04 pm
machines or whatever system is used being connected to the internet? >> that ability would depend on whether pieces of election i.t. equipment, i.t. offices where the election programming is prepared are connected to the internet. the machines themselves don't have to be directly connected to the internet for a remote attacker to target them. >> so would you recommend that the voting system be disconnected from the internet; that is, be a stand-alone system that can't be accessed from the outside? >> it's a best practice certainly to isolate vote tabulate equipment to be disconnected from the internet
4:05 pm
but other pieces of election infrastructure that are critical, such as electronic phone books or online registration systems do sometimes need to be connected to systems that have internet access. >> but that wouldn't necessarily require that it be connected to the internet for the actual voting process;; is that right? >> that's right. >> and then the extrication of that information off of the voting machine, would that be fair? >> i think that's fair to say. >> thank you. mr. chairman, i think all of this really needs to be drilled down a little built furthit fur because it seems to me with this experience, there's probably pretty good information where you could put a fire wall in place to stop this or at least minimize this. >> thank you. what are the dangers of manipulation of voter
4:06 pm
registration databases, particularly if it isn't apparent until election day when people show up at the polls to vote? >> i'm concerned that manipulating voter registration databases could be used to try to sabotage the election process on election day. if voters are removed from the voter registration database and they show up on election day that's going to cause problems, if voters are added to the voter registration database, that could be used to conduct further attacks. >> let me ask, and this can be directed at any of you, i'm trying to get my arms around this role of contractors and subcontractors and vendors who are involved in elections. any idea, even a ballpark number of how many of these people there are? >> ten?
4:07 pm
70? 200? >> voters that host the voter registration system? >> yeah. >> i'm sorry, senator, i don't have a number. >> sir, i don't have an exact number either, but i will tell you in indiana, for example, we have six different voting system types. counties make that decision on their own but they're all certified by our program. >> that was my next question. so somebody is doing certification over these contractors and subcontractors and equipment vendors and the like? does that include voting machines, by the way? >> it does. most states will have a mechanism to certify the voting machines that they're using, electronic poll books they're using, the tabulation machines they're using, making sure they comply with federal and state
4:08 pm
law and have the audit process -- >> do you all have a high degree of confidence that the certification prossies acesses leaving this other world of subcontractors and the like vulnerable? >> i have several concerns about those certification processes, including that some states do not railroad -- require certification case to the federal standards, and the standards are long overdue for an update and have significant gaps when it comes to security and that the certification process doesn't necessarily cover all of the actors that are involved in that process, including the date-to-day operations of companies that do preelection programming. >> one last question. we oregonians and a number of my
4:09 pm
colleagues are supportive of an effort to take vote by mail national. and we've had it -- i was in effect the country's first senator elected by vote by mail in 1996, we've got a paper trail. we've got air gap computers, we've got plenty of time to correct voter registration problems if there are any. aren't those the key elements of trying to get on top of this? because it seems to me particularly the paper trail, if you want to seasonnd a message the people who are putting at risk the integrity of our electoral institutions, having a paper trail is just fund -- fundamental to having the paper trail we need. one or two of you at the end are
4:10 pm
nodding affirmatively and i'll quit while i'm ahead if that's the case. would either of you like to take that on? >> vote by mail has significant cyber security benefits. it's very difficult to hack a vote by mail sm from an office in moscow. there are -- whether vote by mail is appropriate in every state and every context is in our system, of course, a maher for the states but it offers positive security benefits. >> thank you. >> on that last answer to that last question, how do you count vote-by-mail sfwhaulballots? >> they would be generally be counted by optical scanners. >> generally they are as -- >> if they are subsequently audited, you can get high
4:11 pm
security from that process. >> that's a different question. the question is you prefer paper ballots and an audit trail and i do, too, but let's not assume that the vote by mail ballots are counted any differently -- they're counted probably at a more central location, but that doesn't mean that all the manipulation you talked about that we need to protect against wouldn't happen in a vote by mail election. you've got a way to go back and you've got a paper trail to count. >> that's correct. there are three things you need, paper, auditing and otherwise good security practices. >> while i've got you there, on auditing, how would you audit a non-paper system. fi if it's a touch screen system, you mentioned san francisco already required a paper audit. how would you do a non-paper
4:12 pm
audit? >> senator, i think it would be difficult or impossible to audit non-paper systems with the technology that we use in the united states to a high level of assurance. >> so even -- if you don't have something to audit, it's pretty hard to audit a system that didn't leave a trail. >> basically impossible. >> so mr. sandvoss, in illinois do you certify counting systems? >> and do you certify counting systems? >> yes, sir. >> somebody is -- >> we rely on the eac certification and our commission does a testing protocol and then approves the equipment to be used in the state of wisconsin. >> and then back in illinois, do you then monitor that counting system while it's doing the actual counting?
4:13 pm
>> no, the actual counting done on election day or rk night rather is done locally at the county clerk's office or one of our commissioner's offices. we. they have a fairly rigorous test of the roting equipment but then in actual practice, woo do conduct preelection tests of the voting equipment before each election but it's a limited number of jurisdictions. >> and do you do that in a way that allows you to go to your central office or do you go to the local jurisdictions or just monit monitor. >> we actually visited the jurisdiction. >> secretary lawson, similar? >> similar, however, the states
4:14 pm
do not go -- the states are required to do a public test. it's public. they're required to do testing in. >> i guess the i want to make is that not opening that door to the counting system, if you don't have a door, nobody else can get threw there's monitoring, there's local testing. don't suggest at all that dr. halderman as comments aren't important or something we should guard against, i was an election official for 20 years, including the chief election official for eight of those and as we were transitioning to these systems, something i was always concerned about is what could possibly be done that could be done and undetected. one of the reasons i always liked the audit trail. obviously, dr. alderman, you do,
4:15 pm
too. you do have something to go back if have a reason to go back and really determine what happened on election day. let talk for just a moment about the much more open registration system. secretary law what are they logging in there, the statewide registration system? >> the 92 clerks in indiana are and the log-ins reflected the work they did that year. >> caller: 15 -- >> 15 million,do you have counties where they can also put those registrations direct ory.
4:16 pm
we do have a record that is compared to the b and b questions and the they find that information in their hopper the next day -- or their computer system -- and the next day they will have the ability to determine whether the application is correct. >> do all of your three jurisdictions here have some kind of provisional voting if you get to the voting place on election day and your address is wrong or your name is wrong or it doesn't appear at all, do you have a way somebody can cast a ballot before they leave? >> yes, sir. >> and illinois? >> yes weeks do. >> we have provisional ballots but they're very limited. and we also have election day registration so people can register at the polls. >> so the failure to have your name properly on the -- i
4:17 pm
understand, chairman, and i also notice the time on others. but just the registration system is much more open than the tallying system. that doesn't mean the tallying the idea that ing ting is. >> senator cane. >> thank you, mr. chairman. >> dr. halderman, you're pretty good at hacking voting machines by your testimony. did russians of the resources -- >> you've testified here today that you were able to hack into a voting machine in 48 hours,
4:18 pm
change the results and nobody knew you had done it. and if you could do it, i think the point is the russians could do it if they chose. and we've been talking a lot about registration lists. my understanding is that quite often a voter registration list at some point in the process is linked up with the computer that has the voter registration list is linked up with configuring the voting machines and perhaps even tallying votes. is that true? can any of you -- >> no, sir. >> there's no connection between the registration list and the voting machines? >> no. >> no in tt in illinois. that's correct. >> dr. halderman? >> i believe that depends on the specific equipment involved. there may be some designs of voting systems where the sign-in and the vote counting system are linked. >> but of course, as you
4:19 pm
testified i think, if the voting registration list is tampered with on some day, it would be chaos if names disappeared and people arrived at the polls and their names weren't on the list. isn't that correct, ms. lawson? >> if a person showed up at the polls to vote and their name want on the list as they were expected they would be given a provisional ballot, i think the biggest danger is that the lines at the polls were increase significantly if there was a large up in of folks might have to do that in each precinct. >> right that, is what i was referring to. on august 1 of 016, press reports indicated there was an fbi notification to all of their field offices about the danger of cyber intrusions into voting systems. supposedly those were did you
4:20 pm
folks get something from the fbi that gave people information around i.p. warnings and what should be done? >> yes, we did. >> his lawson, did you see that? >> we did as well. >> so there is some interconnection. one of the things that i'm sort of hearing and i'm frankly appreciative and happy that you all did see that notice. but there. >> if something happens in illinois, some system where by you can alert your ol eegs across i and the pb rrn, they c
4:21 pm
can dr. halder man? >> yes, i would support further information sharing. >> and finally we talked about what we do about this. paper trails has come up. is that the present pal defense? dr. halderman, what if -- i ask. >> what would be the three things most important or my secretary of state in maine to protect themselves against a threat we know is coming? >> the most important things are to make sure we have votes recorded on paper, paper ballots, which just cannot be changed in a cyber attack, that we look at enough of that paper in a post election, risk limiting audit and to make sure
4:22 pm
we are generally. >> one final question. is it possible that pb i tiber attack for a vendor to tamper with those machines before ne if from. and our system in practice is not quite as decentralized as it may appear. attacks spreading by vendors could be a way to reach voting equipment over a very large year. a and. >> thank you, mr. chairman. i want to thank you for holding this hearing. this is such important information for the public and for our democracy.
4:23 pm
i bleach. >> thank you, sir. >> senator harris. >> so there's a saying i'm sure many of have -- in terms of our election, there's prevention, detection and also resilience, if we discover that we've been manipulated, let's have the ability to stand back up as quickly as possible. so i have a few questions in that regard. flul, have each of you, you received for the states received the notification from the fbi. ; is that correct? >> yes, ma'am. >> yes, yes. >> and were any of you also notified by dhs?
4:24 pm
. >> we've had communications with dhs. i don't know how they were initiated. i do know there were some conference calls with them and it may have been the fbi. >> and i'm speaking before the 2016 election. >> yes. >> secretary lawson? >> we did have conversations wi with. >> i did have contact but it was through our association, it was not a drk i believe was but our communications with dhs were more about general steps that could be taken to follow up o
4:25 pm
ourthat might be helpful so we can figure out how notifications might be more helpful to you in the nut. hopefully they're not net you about fwrfrmt, requiring states to report to the federal government if there's been a breach or a hack. can yfrp he's that kitty mr frn if the fbi or the department of hochlland skurpt ways to count are those attacks or to make sure that the reconnaissance is done after auch indiana did not
4:26 pm
take the opportunity -- that would be the con. >> can you, professor halderman tell me -- before this last election cycle, there had been a lot of talk through the various states, i'm sure you were part of the talk about the efficacy of online voting, it would be speed and accuracy and now we see there could be great vulnerabilities by doing that. can you talk with me a little just in terms of policy? is the day of discussing the need for online voting, has that day passed because of the vulnerabilities that are associated with that? >> i think that online voting unfortunately would be painting a bulls eye on our election system. today's technology just does not
4:27 pm
provide the level of security assurance for an online election that you would need in order for voters to have high confidence. and i say that having myself done that was about to be used in real elections, having found vulnerabilities in online voting systems used in other countries, the technology just isn't ready for use. >> isn't that the irony that the professor of computer engineering and i who always believed that we need to do more to adopt be i think we're talking about some election vendors have required states to sign agreements that prevent or
4:28 pm
inhibit independent security testing, are you familiar with that? >> that certainly had been something that inhibited attempts by researchers like me to study election systems in the past. >> and do you believe that that's a practice that is continuing? >> i do not -- i don't know theans to that question. >> have any of you had that experience with any of your vendors? >> in illinois, no, i have not and i don't believe illinois would allow such an agreement. >> i don't believe that would happen in indiana either, about because in order have voting it has to be certified, which -- >> which requires testing. >> yes. >> thank you. >> i want to thank all of you for your testimony today. secretary lawson, to you, i
4:29 pm
really encourage you as the next representative of secretary of state to remain engaged with the federal government, particularly the department of homeland security. and i this with any transfer of administration there is a handoff and a ramp up. and i've been extremely impressed with our witness from dhs who not only was here today, but she has taken the bull buy t -- by the horns on this issue and i think you'll see those guidelines very quickly and i hope that there will be some interaction between secretaries because since in 40 states, you control the voting process. and you can find the system of federal guidance and collaboration that works comfortably with every secretary of state in your organization. i think it is absolutely critical that we have not only a
4:30 pm
collaboration but a communication between the federal government and the states as it relates to our voting systems. if not, i fear that there would be an attempt to in some way, shape or form nationalize that. that is not the answer. and i'll continue to point mr. sandvoss to illinois. it is a great example of a state that apparently focused on the i.t. infrastructure and staff and didn't wait for the federal government to knock on the door and say, hey, you got a problem. you identified your problem, you began to remediate it. at some point the federal government came in as a partner and you think where we see our greatest strength is to work with states and to chase people like you, dr. halderman who like to break into -- no, i'm just kidding with you. listen, i think what you did is important, and i think the
4:31 pm
questions that you raised about the fact that you really can target to make the impact of what you're trying to do very, very effective. and that's clearly what campaigns do every day. so we shouldn't be surprised if the russians actually looked at that or anybody else who wants to intrude into our voting system and our democracy in this country. i've got to admit that the variation of voting methods, in indiana where i don't know how many counties you've got, i've got a hundred county in north carolina, it may be that i find out every county in north carolina has the power to determine what voting machines and software they have. this can get extremely complicated. short of trying to standardize everything, which i don't think
4:32 pm
is the answer how do we create the mechanism for the federal governments collaborate and understand up front what we bring to the table and how woo bring it so that we're all looking at the same thing, the integrity of every vote going to exactly who it was intended to do. so we're going to have debates on lker will be -- at the end of the day if we haven't gotten collaboration and communication, i can assure you we'll be here with another congress with another committee asking the same questions because we won't have fixed it. i think what dr. halderman has said to us is there are some ways where we can approach this whereas our certainty of intrusion and the accuracy of
4:33 pm
the vote totals can be certified. i thank all the four of you for being here today in our second panel. this hearing is now adjourned.
4:34 pm
this morning in a series of tweets, president trump said that former homeland security adviser jeh johnson is the latest top intelligence official to state there was no grand scheme between trump and russia. he was referring to the former secretary's yesteay


info Stream Only

Uploaded by TV Archive on