tv   U.S. Election Assistance Commission Meeting on Security  CSPAN  August 17, 2019 11:02pm-12:37am EDT

11:02 pm
it as a win-win. >> would you say the united states is winning the trade war? >> i think the fact that china needs to consider accepting intellectual property rights, changing the fundamental business model, they are saying no right now but in the end it is clearly on the table for something they will have to concede. still in the middle of the back-and-forth in the negotiation -- there's no clear winner one way or another but the possibility of getting a good trade agreement is still there. announcer: "newsmakers" with david mcintosh, tomorrow at 10:00 a.m. and 6:00 p.m. eastern on c-span. announcer: u.s. election assistance commission recently held a meeting with state election directors. government representatives and international technology companies talked about election security and voting security certification. this portion of the meeting is
11:03 pm
an hour and a half. >> i call this public forum to order. if you would all stand with me for the pledge of allegiance. allegiance to the flag of the united states of america and to the republic for which it stands, one nation, under god, indivisible, with liberty and justice for all. if you could silence your cell phones and electronics i would appreciate it. i'm going to take the roll.
11:04 pm
good afternoon, thank you for joining us at the u.s. election assistance commission, to examine the security challenge election administration faced ahead of the 2020 presidential election. this little conversation will provide us with a better understanding of ways the commission can help, address a variety of security issues, including those that stem from aging voting technology. when congress passed the help america vote act it established the eac as the only federal entity solely focused on supporting election officials and the voters they serve. part of our charge is to be the nation's clearinghouse of information on election administration. it is this responsibility that brings us here today and guides our election security efforts. we pride ourselves in convening the right people at the right time to address significant issues and this event is yet another example of that work.
11:05 pm
while there are plenty of news headlines that can serve as the backdrop for this conversation we are not here to address any one specific media report, we are gathered for a comprehensive look and hear from three people, including secretaries of state, a state election director, our federal partners, testing and certification professionals, and representatives from the election industry. today's forum and input from these witnesses could not be more timely or important. election security is front of mind for everyone, especially those on the frontlines of administering the vote. the recently released 2018 election administration voting nationwidealed that fees election officials reported to,422 pieces of equipment cast and tabulated votes in the 2018 midterm elections.
11:06 pm
election officials are responsible for each and every piece of that equipment. we know they rely on federal partners and election vendors to provide the resources and support they need to make election systems more secure and resilient. we all have a responsibility to provide that assistance. it is my wish we leave today's forum with a better understanding of how to keep things safe, the ongoing innovative approaches they can use to ward off security threats, and how all of us in this room can help the elections that garner public confidence in the end result. i ask my fellow commissioners to make the opening statement. >> thank you, chairwoman mccormick. i'm pleased we are holding this forum on such an important topic. in the six months since the commissioner and i were sworn in, they have been highly focused on our role with voting technology. our first action with a restored
11:07 pm
quorum was to start a 90 day public comment period on the voting system guidelines. public meetings on this new draft version of the principles and guidelines during which we heard that it is a significant step forward to modernized voting technology. we also discussed how the voluntary nature results in a system where the full value was only realized if the guidelines and the testing and certification program are utilized across the country. we should strive to create a testing and certification system that is responsive to the needs of the election officials and provides access and security to the american voter that they deserve. speaking of the testing and certification program, we recently added jessica bowers and paula meyer, who have brought decades of experience with election equipment and
11:08 pm
certification to the team. we are lucky to have such talented individuals working here. i'm confident our agency and the testing and certification see arrived at the challenge before us today and worked with election officials, voting system manufacturers, test laboratories, and federal partners from the national institute of standards and technology and the security agency to quickly develop processes and procedures to incentivize the efficient deployment of patches or updates to voting systems in the field. doing so is crucial to the security of our election systems but they do not exist in a vacuum. earlier i mentioned our work on the vvsg -- we are also working on drafting the new technical requirements crucial to developing the next generation of voting equipment. these efforts to complement the
11:09 pm
important conversations happening every day in the field on issues like assessing and mitigating risks or adopting a coordinated vulnerability so that potential issues can be reported and fixed before they can be exploited. this forum will be an important step in identifying areas where we as an agency can do more to improve election technology -- would it be nice if we could solve everything? i suspect this will be more of a start than a finish but we must get the job done. we must strive to maintain and improve testing and certification programs that provide real value to the elections community without adding unnecessary burdens or cost. if there are avenues where we can do more programmatically or administratively, we must consider such suggestions. if legislative fixes are necessary we should identify those numbers without delay.
11:10 pm
i look forward to today's conversation i would like to thank all the witnesses for engaging with us on this important issue. and before i turn it over i would like to thank the staff for all the work pulling this event together, thank you. >> thank you. commissioner, do you have an opening statement? >> good afternoon. i'd like to thank our witnesses for participating, as well as those of us who are tuned in online. today's forum is a chance to provide needed clarity about where election security efforts to ahead of the election and how the eac can lead to make the election systems and infrastructure strong and secure. state and local election officials are on the front lines for democracy. i have full confidence that we will zealously prepare and train for the 2020 election and in the end will get the job done for
11:11 pm
the american people as they did in 2016 and 2018. because of the unique role congress gave us and the fact that we work closely with federal officials, the eac must take a leadership role. the question is whether we are adequately planning in establishing lines of communications with the necessary information to prevent and recover that many attempted ransomware attacks or other disruption from a man-made disaster or first strike on our democratic ideals. the $380 million appropriate if i is going a long way for preparation and planning on the fundamentals but as dwight eisenhower said in preparing for battle i have always found that plans are useless but planning is indispensable. as we look ahead at the panels i'm eager to hear from experts on a number of topics, including the dynamic topics faced by election administrators and
11:12 pm
policies to implement and address election security and the federal partnership put in place. i'm looking forward to hearing more about how we are working to address end-of-life software used in election systems, your opinions about the values in establishing a vulnerability disclosure program and your input about how the testing and certification program can provide more meaningful security testing. as a former state election official i am familiar with the challenges faced by the men and women who run elections across the nation -- i know they often face difficult decisions that stem from limited resources and unlimited needs, including the growing activity associated with securing election. my goal is to conclude this meeting with a better understanding of election official needs and concerns as well as some suggestions for how industry leaders and others can
11:13 pm
best support local efforts to secure elections. strengthen the nation's election system is on the line, protecting that faith will take all of us working together and today we have the opportunity to demonstrate our commitment to our voters. thank you for participating and i look forward to a robust conversation on these issues. >> thank you, commissioner. do you have an opening statement? >> i do. welcome our witnesses to the eac security election forum. i thank all of you in attendance, watching online and those in the overflow room on this very interesting topic. with the next year's presidential election less than 15 months away i am pleased to be joined by my fellow commissioners for this essential and timely discussion. as i travel across the nation to visit election offices, give
11:14 pm
presentations, or attend conferences, election security is often the centerpiece of those conversations. after the election it was clear that our nation needed to look under the hood of election systems and through that process we identified a number of areas where we need to do better and a lot of progress has been made. including the improvement of communications between state and local election leaders and federal partners to support their work. today's forum will likely provide even more evidence of the progress we made but it is also a chance for us to collectively identify opportunities to further advancement and cooperation, including the market for election equipment and better attract supply chains. the challenges faced by election officials today are often due to aging voting equipment or lack of resources. i suspect we will hear some of that reflected in today's testimony. the reality that the eac strives
11:15 pm
to reflect the day-to-day work, including the forum and our ongoing efforts. i'm proud of the work we did last year after congress appropriated $380 million of much-needed financial support to the states and territories. the eac quickly and responsibly got these vital resources out the door. today we continue to provide oversight and guidance of all these funds. our most recent conversation with those who received these funds is projected at 85% of the money it is likely to spend by the 2020 general election, with 90% going to replacing aging voting equipment or improving security and resiliency. we know that more resources are always welcome, and my fellow commissioners and i have passed that along with our interactions to members of congress. today's forum is a perfect opportunity to examine these entities, lawmakers, federal agencies, election manufacturers, and others can
11:16 pm
work together or continue to work together to improve security and strengthen voter confidence. it is also a chance for us to remember that our efforts must not undermine access to the polls. as work to make elections more secure continues we must also safeguard the statutory right that every eligible american can cast their vote independently and privately regardless of ability. i look forward to the forum and look forward to being a part of the work that makes this accurate. thank you. >> thank you. i would like to invite our executive director to make remarks on behalf of the staff. >> by way of introducing the agenda, we will have three panels representing three flights of testimony that was
11:17 pm
arranged as first secretaries of state, then the eac testing and certification director, and other stakeholders related to certification and software changes, including federal partners, dhs, and microsoft. the third panel represents many registered voting equipment manufacturers as well as test labs. has beenale participating in another meeting this morning and will be arriving after that panel begins. if for some reason he has difficulty getting in time we will move him to the third panel. one final comment about today. microsoft windows 7 was the topic that started this discussion and we are pleased that microsoft is here today but today's topic is much broader and we will talk about risk but i wanted to acknowledge risk at a different level. almost all of you have discussed
11:18 pm
security with election officials, congress, and other stakeholders and bike causing to discuss these and to engage in public dialogue where the clear end result is not yet known as a and and i hope all will see appreciate the role we are taking in this regard. the election equipment vendors and microsoft have taken a risk to come here and talk openly about the security issues the industry shares. i know you appreciate the willingness to come in today and speak candidly at these issues. beyond those who are speaking today, we are receiving other statements for the record, from the center for democracy and technology and dominion voting. these statements are available and will be posted on our website. this represents one of the broadest public meetings ever held, certainly the largest ever
11:19 pm
with 13 individuals appearing today and with that background i hand things back to the chairwoman for introductions of the first panel. >> thank you. is secretaryel denise who will be joining us shortly so we will start with sec. hardwood. he is and 44th secretary of state, a resident of baton rouge. he was elected december 8, 2018. he brings a wealth of knowledge to the office, having served as interim secretary of state from may until his election and first assistant secretary of state prior to that. as treasurerserves of the national association of secretaries of state and on the subsector government coordinating council. his goals include securing new voting equipment for the state, protecting sensitive voting data, and continuing the
11:20 pm
high-tech protections for the election and commercial division. welcome. >> thank you, commissioners. it is a pleasure to be here, it's a pleasure to represent the great state of louisiana, but most importantly it is so important to be here to discuss the important issues. >> microsoft announced they would no longer sell windows 7 computers and on september 6 microsoft announced the end of support for windows 7 would be january 14 of 2020. i informed the8, governor of our state that the windows 7 operating system's conflict with the legacy voting machines for early voting and election day. i also provided information for
11:21 pm
the resources that would be necessary to move louisiana forward. in the summer and fall of this 250 we are switching out windows 7 pcs and voters offices. clerks have already received windows 10 virtual laptops, uploads to the state election registration network. so how did this affect the state of louisiana? endeavor,een a costly replacing all windows 7 with windows 10 virtual laptops over the past two years has cost well over $250,000. thank you. the state's leasing voting machines with its current vendor until the request for proposals process is completed
11:22 pm
and awarded due to the windows 7 end-of-life issue. the leased machines require the use of windows 10. the endeavor has cost us leasing of these machines in excess of $2 million. we have been diligent in keeping the virus definition files updated for our systems, all laptops are scanned regardless of whether or not they connected to the internet prior to each election. we have sent strict directives to all registrars and warehouse employees and secretary of state election divisions, stressing that they are never to insert memory sticks into these laptops or charge their phones or any other device. we also discussed this agreed deal with our training and person, duringin
11:23 pm
the process of our voting equipment and how critical it is to follow these directives. in addition they are instructed to never insert a memory stick they are allck and scanned for viruses upon return to our office as a preventative measure. means any homework environments that are used by our local election officers, all of this has led us to additional security measures. i would like to say that additionally, the cost of the windows 10 desktops has been $670 per machine, and that does not include the cost to train,re, test, deploy, or maintain. all windows 7 equipment is air gapped, meaning none of the devices ever touch the internet connected. scanned forted or
11:24 pm
viruses before every use. we will only be used with password protected memory devices. so how do software upgrades affect our office? upgrades can be mandated at inopportune times. it leaves the short on time to get everyone completed and tested. installing an upgrade and not properly testing the upgrade would be detrimental to our system. methodical and thorough and establishing an infrastructure is critical. testing the various environments like staging and production with one week between each, with production scheduled around the cycle can be and usually is very time-consuming and not a corner we can afford to cut.
11:25 pm
-- if an important patch comes out three to four weeks before an election, it causes us to wait to implement because we can't interfere in the election process that is already in motion. can require extensive troubleshooting to identify and resolve upgrading the software. qualifying, due to a situation -- a cyber incident in our state not affecting our election system but certainly of concern because it affected local governing bodies -- we had to install new pcs. once turned on because we weren't able to have the time iame normally have as referred to earlier, which began implementing new updates as soon as they were turned on.
11:26 pm
this sucked the entire ability of bandwidth for the local institute that had to use them and thus affected the court office which then caused us issues of qualifying. microsoft sends patch updates every second tuesday of the month, and we provide development and testing, updating and testing, and we provide staging mimicking the pre-deployment, and then we deploy. we perform extensive in-house testing on all components used in the field. upgrades can sometimes cause issues that only occur due to their system being slightly all parties -- to
11:27 pm
ensure the uniformity in the updates. nonuniformity makes fixing issues more difficult. how remediation could be addressed -- certainly the eac is making it quicker and cheaper for vendors to certify upgrades, certifying components versus , publishing vote capture devices or vote tabulation is helpful. using common data format is important. vendors are using the same , so they are able to live up to the tabulation using automated tests, by running a standard series of result outputs. assuming a common input, the election results are able to make sure that the components output is what is expected. encouraging asymmetric encryption on data transfers is more important and integrity and
11:28 pm
authenticity, data transfers could be between our errant system and election management system. integrity confidentiality and authenticity of the most important components and asymmetric encryption offers us that. now implementing for future equipment purchases requires devices to apply. we are requiring implementation of future equipment for devices to firm updates less than three months after manufacture. we will also be requiring any commercial off-the-shelf equipment to remain within the mainstream support window of the manufacturer and be upgraded and eac certified for release of the updates by manufacturers. when accommodating older technology in general, we require additional layers.
11:29 pm
requiring additional layers of production that are costly and time-consuming and can lead to taking stronger measures when reacting to threats -- reacting to threats is cutting off local access out of an abundance of caution. implementing these additional layers can break things. what i mean by breaking things is that after we deploy new windows 10, all bandwidth, which i referred to earlier, was consumed during qualifying with windows updates that we had to block temporarily. vendors will state that you can force the updates, but it will break eac certification. this leaves our offices vulnerable to anything that happens. eac certification, in our opinion, is of the utmost importance. so how are
11:30 pm
i am closing out -- this little red light keeps blinking at me. reaching out to users and reaching out on the vulnerabilities we have today is key. stressing to them that while additional security measures may be cumbersome, they are absolutely necessary. the sooner this is understood and accepted, the easier it will be transitioning to these new means of ensuring elections and are in election system. additional security will become second nature and become accepted as common business practice. for the most part state and local election officials are vigilant in securing our elections. it is important to note we were doing election security before 2016. unless you have been an election official and actually have put on an election, there is a huge gap by federal officials elected
11:31 pm
or appointed regarding the reality of our processes and procedures versus magnitude of speculation going on in washington dc. election security is not a partisan issue. what is partisan is using election security to create fear for partisan policies which have nothing to do with election security. you, secretary. i would like to welcome the secretary from connecticut. she was elected to her third term as connecticut's secretary of state november 6, 2018. as connecticut's chief elections official, she focused on modernizing connecticut's elections and improving access to public record. since taking office, she supported and expanded democratic participation, ensuring every citizen's
11:32 pm
rights are protected. she secured a voter participation through online registration. she improved connecticut's accountability and integrity of a series of rapid responses to election day problems. thewas elected the neck -- secretary of state and serves as the board of advisers to the u.s. assistance commission. prior to her election as a secretary of state, she served as state representative for 17 years. thank you, and welcome. >> apologies for my delay. my flight was delayed. they never told us. as you just heard, i did have the privilege of being a president during the 2016 election. sometimes i think i drew the short straw. it was quite an experience. i was very involved in the
11:33 pm
reactions to what happened during the 2016 election and thereafter in terms of setting up lots of different communication structures to deal with the cybersecurity risks we became aware were aimed at election systems and our country. i think all of my colleagues would agree we have come a long way since then in terms of setting up lots of communication systems so that we can have a better response if we uncover some of these problems during elections. we have a much better understanding of these threats. many of us have -- should paint you a picture of connecticut, because
11:34 pm
it is quite different than what my colleague was describing in louisiana. connecticut has the distinction of being the only state that has no counties. we have an election situation where we have 169 very small towns. and very independent minded. the administrators of the elections. my office act as an advisory body. we have the voter registry. we had one of the earliest voter registries. we have used the same vendor for 20 years, which has now been acquired by other companies in the interim. most of what we have done has been through that vendor. the voter registration system has had many upgrades, but it is
11:35 pm
housed and managed by our state i.t. department. i.t. staff of my own. said, many of us have been doing security on voter registry, one of the biggest databases we keep. we did avail ourselves of anything dhs had to offer. i was told by our i.t. staff things were redundant. essentially we were one of the 21 states told they had seen probes in our system. none of them got in. i will not be as technical in my presentation, because i am giving you an overview of what i
11:36 pm
have done rather than getting into the nitty-gritty. the most important thing that happened last year was the release of $380 million. i would like to tell you about what we have done with it. we have taken a conservative view of technology in connecticut. although we had one of the original voter registries and we have an election management system, as do many states, we have not adopted e poll books. we have an organization called the uconn voting center. we may be unique in the country in having the services of a computer sciences based -- it is part of the computer science division. they test equipment. they evaluate equipment. they evaluate systems. they are completely nonpartisan, objective. they are not vendors.
11:37 pm
they are not selling anything. that has been a big help to us. they every election test all of the computer chips in our tabulators. we have been using the same tabulators since they were purchased many years ago. they have served us very well. we have paper ballots. we have a fairly strong audit process after the election, although i would like to see us do more. right now people's trust is the most important thing we are dealing with. i think the stronger an audit process we can have, the better off we will all be. it is the next thing i would like to do in connecticut is strengthen our audit. we audit 5% of all of the precincts, three offices in each precinct after the election. we used to do 10%, but it is a
11:38 pm
machine audit. it has proven to be 99.9% accurate. in other words, it is working. the cards are tested before and after by the uconn voting center. they check they are working properly, and they mail them back. we do nothing online. that is why when we got dollars from the state to purchase electronic pollbooks, because at the time it seemed like a good idea. it is much more efficient, it is much more accurate. there is no doubt about that, but when they evaluated three different versions of electronic pollbooks, they did not think they were secure. the reasons they offered at the time surprised me, because a lot
11:39 pm
of states are using them. they said their questions about recovery, what happens if we crash, but the more important question they had, it is true, we will order people to not connect them to the internet, but they are capable to be connected. we are still looking at it. we are taking a very conservative approach. with our election management system, you can -- it has the capability of uploading results from the tabulators if you put them on a memory stick. we do require them to type in the results from the tabulators. we do not feel comfortable with
11:40 pm
having that information uploaded even from a memory stick. like i say, conservative approach. that has its share of problems, too. if you can imagine, 169 small towns . many of our election officials come in twice a week. there are towns that have no computers in the townhall -- deliberately. i have had many a fight with several mayors about this issue. some are as small as many as 800 voters. we have cities also. that is the challenge we face. we have taken our $5 million and spent a good deal on something called a virtual desktop, which, as i understand it, does two things. it solves the problem of
11:41 pm
microsoft 7. we don't know what operating systems they are using in their towns. we gave them microsoft 7 at the time we installed the equipment with the original system. apparently if you use this desktop, which allows us to log in to every desktop on the system and to help see what is going on. a great deal of time on the phone with people who can't log in. this will allow us to override their systems. it will use a microsoft 10 operating system. it will, as i understand it, make it not necessary for us to go with buying all new operating systems for each town.
11:42 pm
we had to spend some of our money on used tabulators. the tabulators we have now are coming to the end of their useful life. they were purchased two decades ago. that is ancient history in terms of computers. almost $1 million of the money we have used to purchase tabulators. we have no funds for buying an entirely new system. there is no way. i am having a committee looking at what we are calling the future of voting, because we don't know where it is going. that is the case with any computerized system. biggest ask of this organization is to hustle up with organization standards. we will have to replace our current system within the next
11:43 pm
few years. we have been very satisfied with the usage of these systems. we have paper ballots. people mark them themselves. there is a great deal of trust in the connecticut election process, because we use the best practices. i can see there is a need for us to have a lot of information from a source that understands this. would be by request. $5 million has been invaluable in maintaining what we have and do better. plan that goes on for several years. connecticut is also unique. we don't have clerks managing elections. the 169 towns, we have two registrars of voters.
11:44 pm
you have a town clerk who does absentee ballots. it is a decentralized system, but lots of training is involved. it is basic, really. that covers it. thank you for having this hearing. i feel like we are in a pretty good place at the moment. like to open for questions from the commissioners. the jurisdiction schema in your state, are you comfortable control visibility and
11:45 pm
you have over state security as it pertains to voting equipment and software? >> when it comes to the voter registry, yes. i.t. housed in our department. it. called do we want go -- won't go there. they do a good job. made upgrades, but in the next few years we will look at another upgrade. it is difficult to manage. i have made proposals to have a little more centralization, bring back a county level of government. to no avail. i think we will be where we are. remarkably well for some purposes.
11:46 pm
i can't imagine trying to hack my election tabulators. i'm comfortable at the moment. i can see two, three years from now, maybe not. you mentioned a cyber incident in louisiana that caused you great concern. you are changing from windows 7 to windows 10. do you have the tools necessary? ned you are only prepared when something happens. you don't know what to expect until you are in the situation. i was pleased with how my staff reacted. it is because of louisiana being a top down system.
11:47 pm
with some having windows 7 and few having windows 10, we knew there were vulnerabilities there. because of everything we have a strictg, we kept inventory of which parishes had windows seven units, and how many. those were the ones we immediately banned from the system permanently from the moment the incident was brought to our attention. the incident affected some local governing bodies, but never touched the election system. knowing some interacted with parish government authorities, we felt the need to shut down the system. we decided to take money that had been allocated from itself generated revenues within our agency and not just -- not just
11:48 pm
purchaseor the -- not centers for the court clerk's office and switch to windows 10, given that was a greater need in our system moving forward. we were able to move fast. we quarantined the system immediately. when we knew which parishes had been hit, we kept those parishes quarantined and un-quarantined the others until we could bring them back up. the parish was hit, we took them off-line. i am pleased and thankful for my staff reacting quickly.
11:49 pm
it takes that type of incident to realize how quickly things can happen within your state. i immediately contacted the president of -- and asked for contact with her secretaries because we, informed them it could be more than one state attack. the importance is information is key for election officials. if we don't get information, we can't protect our system. the timeliness of the information is absolute. our systems are secure, we have to get that through a local partner or state partner or federal partner. sometimes we just don't get it. one question for both of you.
11:50 pm
how do you field updates? about updates to microsoft. when you are running several elections a year, how do you run that into your schedule? the elections start, primaries, the general election, how do you fit updates into that schedule? sec. ardoin: the best we can. the monthly tuesday updates, when they come in -- the problem once we start the clock for election preparations, there is no stopping that clock, because the timelines are so detailed.
11:51 pm
we have a deadline to meet. we can't avoid those deadlines. if a patch comes through, we may have to delay the implementation of that patch. it affected us having to adjust with regard to this incident. it affected our ability to do qualifying online because of the patches that were being automatically updated. we had to stop that process in the registrar's office because the clerk was not able to do their job. is concerning to us. we need to make sure our voices are being heard with our vendors, whether it be microsoft or voting equipment vendors.
11:52 pm
we are a little unique. early voting.any we don't do anything uocava in the period of 45 days which is what it is in our state. we don't really know what our local towns are running. we really have very little control over their local systems. this virtual desktop hopefully will override that problem. we will not be able to do a pilot until this year in our municipal election. we will be able to do a pilot this year but it hopefully will be in place for 2020. up until now, we patch our own system and that's the basic voter registry. everything else is at the local level. >> thank you. chair, do you have questions? >> thank you.
11:53 pm
thank you all for being here and we appreciate your testimony. secretary ardoin, you were talking a lot about the process and it is extensive. it is not just taking out your phone and hitting update. one of the things that that really sends home to me is the cost associated with this. people and labor in addition to equipment. one of the questions we get asked a lot by congress is about the $380 million that secretary merrill mentioned. do you all see -- would it be useful if there was -- obviously federalism, if there were a consistent, modest federal funding stream that was specifically toward security upgrades,
11:54 pm
maintaining equipment, maybe implementing programs like illinois' cybernavigator program where you have state-based election technology and i.t. experts that assists parishes and counties and towns with fewer resources? is that something that would be helpful and needed? >> of course, resources are always helpful and necessary. i will say that what we have been doing in louisiana is that we set aside our $5.8 million in uocava funds strictly for the new voting technology to purchase new equipment. what we have been doing is absorbing in our regular budgets, all the cybersecurity needs we have, which is growing exponentially each and every year. what we would hope for is if the federal government does make additional resources necessary and there be no strings
11:55 pm
attached, that each state is different. just the two of us sitting here, we've explained how different our states are. the cultures are different and the voters have different expectations. we all have the same expectation which is a secure environment for our elections and that every vote is accurately counted. and everybody gets to participate who wishes to participate. i will say this -- the federal government providing additional resources would be helpful, but the federal government also needs to communicate to the states that they have an absolute responsibility. i'm no different than my colleague here. we are constantly asking for additional resources to fend off cybersecurity issues, to update equipment, and to do what is necessary to secure our elections and offer our people the right to vote. in addition to that, we are taking on, in louisiana, we have a strong responsibility.
11:56 pm
we have all the i.t. operations for elections in my agency and we do that for the locals as well. we provide equipment to the locals. that takes a lot of money. all partners, parish or local, state and federal need to cooperate and work together on this funding issue for resources for securing our elections. let's face it, we are all in one large ship, and that is the ship of america. if we are not working together to secure our elections and fund them appropriately, then what are we here for? thank you. >> secretary merrill? >> i would concur with that, just recognizing the states have very different capacities for funding their elections. for quite a while, connecticut funded most of what we do through bond funds, which is
11:57 pm
perfectly appropriate because it is equipment and infrastructure for the state. not every state can do that and right now, connecticut is not too willing to do that at the moment. we are in a budget crisis that's been going on for four or five years. i think there is certainly a role and that would be very helpful in my state because the reason we have not gone forward with providing more local equipment, upgrading their operating systems and so forth, is because we don't have money for that and traditionally, it's been funded by the towns and the state. i agree with my colleague that the states have a responsibility here, too, but like i say, they have different capacities for doing things and i think it is imperative that this country and this state and the local governments and all of us, as you say, work together to do this. this is one of the fundamental
11:58 pm
operations of government. you're not going to privatize elections. it's time we put some dollars behind what's happening. this is a really recent development. it was only in 2016 that we realized there were all these cyber threats. we have reacted i think pretty well in the short term. in my state, it's much more efficient to control security for these big databases from a central level. i respect that. it makes a lot of sense as long as i have someone in my office who can work with that person. i think we should take the same attitude overall, that we work on it together and we are able to articulate what our particular needs are around these questions and that you provide some sort of framework for that, for the funding, but i do think some funding needs to come from the federal level. >> thank you. i want to be sensitive to our time, so i will hold off any other questions until after my
11:59 pm
colleagues go. >> thank you. do you have questions? >> just a few -- would you agree -- what i hear from both of you i think is that the priority in your states is that you need to upgrade your voting systems and your voter registration systems and these are fundamentals of the electoral process. that is where most of the money will really help your states, is that true? >> true statement. >> our job is to set new voting system standards on security and visibility, get them out to the manufacturers designing to those standards. i think that's all i have. >> my state is about to embark on an rfp process and we will do this -- we will be dealing with standards that were set in 2015. much of the blame is to the federal government for not having had a functioning eac with a full commission.
12:00 am
i'm very thankful we now have a full commission and you all are working very hard, but we are now behind the times because of that, and 2016 snuck up on us quickly and we reacted as quickly as we could with the resources we had. i'm going to have to go a little further as i stated earlier and what the requirements that we will have to work under that is not necessarily even issued by you all. that's very concerning to me, not to mention all of the various legislation rolling around congress that could require this or that or the other. >> i have one follow-up question -- as congress looks at different funding potential, one of the things we hear -- and am fairly comfortable in my observations and having worked at the state level that the executive branch, the governor or i.t. at the state level have a lot of the
12:01 am
protections the secretary talked about. i'm more concerned about the small towns who may not have those resources or oversight. is it possible the money can be used in a way to help those localities upgrade their local i.t. systems to be more resilient in warding off these attacks? >> i would say that's exactly what i'm doing with the money, the 5 million dollars. by instituting the virtual desktop, we have essentially given them more capacity. maybe that's a direction that others could follow. we have not tested it out yet so i don't know how it will work. rather than purchasing 169 towns worth of new equipment, it might be better to work with what they have as long as the virtual desktop takes care of the security part. the training is all local capacity building. you are right, that's my biggest
12:02 am
fear is vulnerability at the local level. that's exactly what we are working on. >> that was exactly my fear. it almost came to fruition and out of the grace of god it did not. we are taking those steps because we were able to retain our election i.t. in our system and not be forced into a consolidated system along with the rest of the state agencies. then we were able to control our own destiny and work with the local election officials to secure our environment and continue to secure our environment and train them on our environment. being able to see it from a larger picture, 30,000 feet, if you will, that was the right thing to do for our state. we continue to be able to predict vulnerability and work with vendors outside to look for
12:03 am
newer ways to secure our system. it gives us the ability to quickly react versus having to go to the state and ask for permission. i'm not saying it's not working for others, but it is an important component for us. >> do you have a question? >> i will have a couple of comments and i hope i can put a couple of questions in there as well. secretary merrill, i want to say that i was saddened to hear that peggy reeves retired. i have not worked with ted yet, but i hope he can fill her shoes. she was a very important woman and i think she's done a great job for your state. one of the things that i wanted to ask is a little bit about the overall training. secretaries of state and other election officials, you have more than one job. your job is not just to run
12:04 am
elections. it might the other aspects as well. are there other aspects -- tax collection or other aspects, that you have to have updates and how are those updates incorporated? >> yes, absolutely, i am among other things, the business registrar. i have the other large database of the state, which is the business registry. we are constantly updating it. it helps that we have the same vendor for both systems. we have historically many years. you don't have that one day -- i compare an election to giving a wedding. you have the one day where everything has to go right. unlike the business registry, where there are constant deadlines for this and that. we don't have the same issues in that sense. >> i am also responsible for the commercial registry in the state of louisiana. it's the same thing and we do use the same vendor as well.
12:05 am
i think we actually have the same vendor. it is a constant concern, because that system also is being constantly scanned and probed. business identity theft is a growing phenomenon, so we protect businesses as much of but as secretary merrill said, that's an ongoing process. election day is critical. we have early voting with seven days in the state of louisiana and that's critical as well. voters have to check in using our system on a daily basis. there is concern. we don't have electronic poll books. given the situation where we are, i will never ask for electronic poll books. you just have to now be looking for things that you didn't necessarily have to look for before.
12:06 am
as we say, cybersecurity is not an endgame, there is no finish line in cybersecurity. >> that reminds me about you plans andns for your former heavyweight champion mike tyson saying that everyone has a plan until they get punched in the mouth. i figured we have our plans ready for 2020, but i think there will be a lot of swings at us and i don't think we will get hit hard, but there will be a lot of attempts for folks to hit us. i think states are doing a good job of planning for that. i would put the plug in that the eac has i.t. training for election officials. i'm participating in a couple of those, and our director of testing and his team have been going out to states. if there is an opportunity to take advantage of our training
12:07 am
for folks, definitely do that. i have been to both of your states, and i think folks have done a great job with the election process. the last thing i would ask is a little more that other than money, what can the federal government do for you? no strings attached, but -- [laughter] >> we don't say that. >> it's more what sort of things we can help you with moving forward in 2020 and 2022. >> can you convince microsoft not to charge us for the three years of support after january? [laughter] that would be a good start for us, because it is pretty expensive. i think our quote was $300 per unit moving forward for three years. that can get quite costly. if we are unable to replace all of the windows 7 units. whatever your parish just bought
12:08 am
for you, put it aside. it's not worth the threat. they don't have the money because they just bought the systems. the new equipment, but they didn't buy the windows 10. >> hustle up with those certification standards. that's really the short answer. just thinking out loud, the maintenance cost of all these systems is a very large ongoing cost. maybe that is where the state should be, because that is not something we can expect money every year from the federal government. infrastructure cost might be where we could use the most help. that's the kind of thing where you pay it once and maybe the state should pick up the ongoing costs together with the towns. it's different in different states. that would be my short answer for certification standards. people are out buying things
12:09 am
right now and they need help. >> thank you. >> i want to extend my sincere thanks to both of you for being here and we appreciate your comments and we will take all of that in as we continue forward looking at these issues, thank you very much. >> thank you for having us. let's call up panel 2, please.
12:10 am
>> i want to thank you all for being here for this forum. this is important information for us to learn from you. what we can about these issues that are critical at this time. i let the secretaries go a little bit on time, but i wanted to let you know that the clock is set for five minutes and it flashes yellow at one minute and the red light comes on when your time is up. i want to introduce the panel. to my right here is our director of testing and certification at the u.s. elections commission, jerome lovato. in this role, jerome assists jurisdictions with developing
12:11 am
practices and procedures and conducting and implement a nd audits and published a white paper to provide the foundation for election officials. prior to joining the eac, he worked as a voting system specialist in colorado for 10 years where he served as a voting system certification lead and risk implementing audit project manager. next to jerome is jarred dearing of the kentucky state board of elections. he has worked in campaigns and elections administration for over 10 years. he has worked in the public and state level, including the city of louisville and the office of california governor jerry brown. his private sector work includes several tech startups located in the bay area in boston. he's a graduate of the university of california, berkeley where he studied public policy and engineering. the director of strategic
12:12 am
projects for microsoft's defending democracy program. she tackles the growing state of nation-state attacks against democratic institutions globally. this includes increasing campaign elections in addressing the issue of disinformation has an impact these organizations' processes. previous to this role, she focused on engagement with political organizations and their use of data and analytics and other emerging technologies. prior to joining microsoft in 2014, she was vice president for political accounts at cmdi, where she worked closely with senate and campaign officers and has over 15 years experience in political technology and has been recognized as a rising star and has received the american association of political consultants under 40 award. next to jenny we have matthew sholz, the chief of the security computer division in the
12:13 am
information technology laboratory at the national institute of standards and technology. his responsibilities include cryptographic standards used by the u.s. government and internationally cyber research and development and cybersecurity standards and guidelines for federal agency security programs. he also leads nist participation with national and international standards and associated performance testing programs. he is also a u.s. army veteran and currently has over 20 years of federal service. finally, we have our friend jeffrey hale, the director of the election security initiative at dhs' cybersecurity agency. a focus on election security in response to the cybersecurity incidents of 2016. he has been instrumental to the eac's ongoing collaboration with dhs. thanks to all of you for being
12:14 am
here. let's start with jerome. >> sorry about that, i don't know how to operate a microphone. good afternoon. thank you for hosting today's forum and for taking the lead on addressing the complexity of testing, certifying and then applying software security updates to voting systems. i also want to acknowledge and thank the panelists for participating in this discussion. personally, i greatly appreciate and value your input and look forward to hearing your thoughts. i have been heavily involved in voting system testing certification for over 12 years now. i have literally installed voting system software in thousands of voting devices in my career. i would like to highlight that once the eac certifies a voting system, that system is certified to requirements in that moment in time.
12:15 am
our testing certification program manual provides guidance on changes to voting systems that i can talk about in more detail if time allows, but recognizing we have limited time today, i would like to hear more from our panelists and i'm glad to answer any questions you all have. i just want to lay the groundwork, because we have limited time. as some of you know, i can talk about this stuff for a long time. i will refrain and allow others to have the opportunity to express their thoughts. >> thank you. mr. dearing. >> thank you. thank you commissioners for having me today to participate in this important conversation. i am the southern region representative for the national association of state election directors. i'm also the executive director for the kentucky state board of elections.
12:16 am
prior to my current position, i have worked in the private and public sector, specifically public policy and engineering, including software development. i'm glad we're having this conversation, but also wish it could have taken place sooner. microsoft announced it was ending support for windows 7 several years ago and in 2014, it ended support for windows xp. this is not our first time experiencing this as a community. since the passage of help america vote act of 2002, election administration has grown increasingly reliant on technology. it was mandated among other things, every state was to replace punchcard lever voting machines and created the quality voting system guidelines in the voting system testing programs. the move away from lever and punchcard machines was designed to move the act of voting to a more modern technology. yet the move to any technology requires ongoing maintenance. technology is not static and is
12:17 am
in a constant state of iteration. operating systems and software all require ongoing updates to maintain both functionality and security. as of august 2, the msisac has sent out 81 advisories in 2018 tone, ranging from mozilla firefox and microsoft. anyone who has tried to use a laptop or cell phone knows that keeping technology current and patched is critical to maintaining its lifespan. the well-documented funding issues in election administration means state and local elections officials need equipment to last as long as possible. when we invest in new technology, we do so knowing we may not have the funding to do so over the next 10 or 15 years. machines are dedicated technology kept under tight physical security. election officials at the state and local level work hard to keep machines patched. as with most things in elections, our ability to do so
12:18 am
varies by state. in kentucky, while we certified voting systems at the state level after they have been certified by the eac, their operation and maintenance takes place at the county level, which means the commonwealth relies on county officials to update and patch voting systems after patches and modifications are approved by the state. our county offices and officials, like many around the country, are severely under resourced. other states handle patching and updates differently, but a common thread is that most of us cannot compel our local election jurisdictions to update their equipment. we can strongly encourage it, but we cannot require it. in many places, the local jurisdictions must make arrangements with the voting system services providers directly to have voting machines patched, which can come with a fairly heavy price tag. every dollar counts. unfortunately, that means that patches are not made when they should be often times. there are challenges with
12:19 am
a national certification program. different states have different needs, laws, and structures, but consistent nationwide is our certification process represents a moment in time. the vendor submits a system for certification and uses an operating system which is a time capsule of when the system was developed. we all know that is not how technology works. more importantly, that is not how bad actors work either. we need to balance the need for certification with the eminence need of election officials on the ground. last month, i participated in a conversation about coordinated vulnerability disclosure on capitol hill with representatives from congress, the cybersecurity and infrastructure security agency and vendors in community and technology. there are a lot of smart engineers and hackers out there who want to use their skills for good to make our elections more
12:20 am
secure. we need to work as a field to develop a process by which ethical hackers can effectively communicate vulnerabilities they find to the relevant parties. but elections officials and vendors also need to respond and deploy fixes before the vulnerabilities are exposed. it is not enough to find and report bugs. there must also be a way for systems administrators to quickly digest and remediate these issues after notification. beyond the hacker community, some vendors have already worked with cisa to have a critical evaluation of the voting systems conducted at the idaho national laboratories. to take advantage of the cybersecurity expertise that our federal government can offer. the assessment conducted is more in depth than the security testing performed by the voting system test labs. the eac currently does not have a procedure in place to incorporate these results into the voting system certification
12:21 am
process. this means that the vstl must conduct security testing which makes it time-consuming and expensive for voting system manufacturers trying to make the systems more secure. must develop a process to quickly certify modifications made by the voting system vendors to address potential vulnerabilities found in the assessments. needs to be the stamp of approval that tells us our technologies are secure, not the obstacle to more secure system. our current system of certification disincentivizes upgrades and patches leading to issues with common end-of-life cycle processes as we see with windows 7. as a community, we must come together to adapt quickly in light of an ever-changing threat surface and create a certification program that can accommodate the constantly iterating security environment we are in.
12:22 am
there are a lot of intelligent individuals working on this, including the eac. we need to continue to work together to develop a more efficient process at the federal level to drive these modifications, patches, and upgrades. thank you again for the opportunity to speak to you today and i look forward to your questions. >> thank you. welcome. >> thank you so much for the opportunity. i am the director of strategic projects for microsoft's democracy program. microsoft's decision to engage more directly on election security comes from the company's belief that building and maintaining systems to bring voter confidence cannot be accomplished by one organization alone. it takes participation from all of us, the federal government, state and local, election system vendors, technology sector, academia and civil society and voters themselves to come together and drive solutions. that is why last year, microsoft formed the defending democracy
12:23 am
program which works with a variety of governmental and non-governmental stakeholders globally to tackle issues around campaign and election security. which brings us to the topic of conversation today. election security and certification reform. we've given a lot of consideration to the role that microsoft can play and be an impactful partner to the election community. one thing i want to notice as many of you are familiar with dr. josh benelow, an advocate for the end to end verifiable elections. the idea that advanced cryptography could come alongside the current voting process and enable a voter to learn that their vote was correctly counted was appealing to us as a team. that is why we announced the creation of electionguard, an open source software development kit that will allow vendors to allow this functionality into their system. we have norton along the elections to identify how technology might interact with certain systems and explain
12:24 am
possible pilot opportunities. one intersection of microsoft technology and elections is the issue of windows 7 end-of-life. by way of quick background, the company announced several years ago that in january, 2020, the windows team would end support for windows 7 operating system. we are committed to helping our customers remain secure. we understand that some customers will need more time, which is why we will offer extended security updates to customers still running windows 7 on their systems. details are still being worked out regarding the cost and progress and we will have more information to share the coming weeks about exactly how these updates will be made available to this community and what will cost. i can assure you that microsoft will do whatever it takes to ensure that these customers have access and security updates that are straightforward and affordable. we are committed to protecting our elections and are dedicated to doing our part. i also want to highlight a related issue that's been
12:25 am
brought up this afternoon. protecting our election systems against known vulnerabilities is extremely important, which is why we should be focusing on how to remove unintentional disincentives that have been created by requiring recertification after patching or updating the system. in our perception, there's a lack of clarity about if and how the security software update can be applied to a system without triggering a comprehensive recertification process. we should stop giving election administrators the choice of using election systems with known vulnerabilities or applying security patches, and in so doing, taking their systems out of certification. i look forward to discussing this and other issues this and welcome your questions. >> thank you. >> thank you for having me. i am from the u.s. national institute of standards and technology, where i lead
12:26 am
computer technology within the technology labs. one of my mission and what we provide is a set of tools, references, and information to assist organizations, state and local, our federal government partners, and u.s. industry in securing their technologies and infrastructures. in these toolsets we provide, we have a series of both documentary guidance to assist an organization in establishing a patch management program. this will allow an organization to make medical decisions about setting up a program and making the critical business decisions about prioritization, timing, and application of patches and updates to important systems that they used in order to achieve their business objectives. we also provide guidance not on patch management, but on configuration management. implementing and maintaining
12:27 am
security configurations for both end points as well as backend machines used to support these business executives. not just documentary guidance, but we also provide tools to allow for the automated implementation of security configuration, as well as to allow for toolsets to identify items, endpoints, operating systems that are in spec and secure. if not, to allow for other toolsets to remediate and enforce security configurations. this also provides references for organizations to identify if they are vulnerable. one of our references we provide is the u.s. national vulnerability database. it categorizes and incorporates every known publicly declared information technology vulnerability and publishes it in a machine-readable format. we also provide severity metrics for these vulnerabilities for organizations to use. this then provides an essential
12:28 am
metric for them to decide how to prioritize patches and whether or not a patch is critical to them and the information technology they use. i would like to echo some things that were said by my prior speakers. this runs several conforming and testing programs specific to cybersecurity products. it is incredibly important for any certification program to clearly communicate where the certification balances lie, between upgrade and patch versus maintaining a certification to a version number. often, we give organizations a business risk rather than an information technology or cybersecurity risk decision in maintaining a certification versus patching a vulnerability. clear, concise, communication on the intent of the program, especially in the dynamic
12:29 am
environment in which information technology exists is critical so that folks can make good decisions based on those balanced decisions and maintain the security of their products. thank you for having me here and i look forward to answering any questions you may have. >> thank you. welcome. >> good afternoon chair, vice chair, commissioners. i want to thank you for the opportunity to speak on election security and want to thank you for considering me for a role in the technical guidelines development community. i serve as the director of the election security initiative within the cybersecurity agency. my team's mission is to ensure that elections stakeholders have the necessary information to manage risk to their system. within our charge, we oversee the sector specific agency, coordinate field engagement, provide technical assistance, support election officials, vendors, partisan organizations and the electorate toward the objective of advancing election
12:30 am
security and countering foreign interference. our support comes at no cost to our partners and is entirely voluntary. what we have seen out in the field is the need to continue to do the fundamentals. fundamentals like understanding the different impacts of integrity and confidentiality. attacks on system like ensuring that systems are able to detect and recover from exploits, which is why we provide a series of the series -- services, including education training and cyber exercises, promoting email security practices, protecting the organization's online presence, securing information, and developing incident response plans. we have been thrilled by the engagement of the election community. with all 50 states, many jurisdictions and vendors participating in some capacity. this is timely. discussing the end-of-life of windows 7 is consistent with our vulnerability services.
12:31 am
two of the most common vulnerabilities we have our systems and processes. election officials are asked to administer a complex array of systems in a strange environment. improving software patching can reduce one of the risks, but it cannot solve a technology deficit. the most recent grant fund is one way for states to address the risk and you should be commended for rapidly distributing that funding. because i have touched on the vulnerabilities in the field, it is worth noting that although large number of -- is not to take away from the importance of securing voting systems. to that end, we've invested in open ending testing for phone -- for voting systems. again, encouraged by the vendor community's involvement.
12:32 am
these evaluations are aimed at enumerating vulnerabilities and hardware and software in election management systems and other components. as the system matures, we believe there can be a complement relationship between our vulnerability assistance and compliance. as you move forward, we see an opportunity to work with you on refining the process. perhaps more than ever, the eyes of the election -- of the security community is on elections. for election officials to benefit from security expertise as other critical sectors have, i believe they will look to the eac. because of the leadership role, serving as an honest broker, we are in a position to provide additional value to the election community, through improving vulnerability disclosure, and management.
12:33 am
any coordinated vulnerability program is only as effective as the testing process enables. we work with these challenges across several sectors. we identify and discover vulnerabilities, and management program where researchers turn to us for assistance. with this wealth of material, we look to you for how we can integrate our information with your policies and processes in a way that allows adaptability to vulnerabilities and risks, including updates and patching in a timely fashion. we value our partnership with you and we look forward to additional opportunities to bring our corresponding expertise together. now and in the years to come in support of election officials. thank you.