tv Election Assistance Commissioners on Election Security CSPAN July 14, 2018 5:00am-6:59am EDT
[inaudible conversations] good morning the committee will come to order. welcome to our witnesses today and i'm particularly our colleagues from the senate will start us off with observations they have about this critically important issue. also my fellow legislator from missouri i could learn about his company and the area a few weeks ago and i look forward to his testimony as i do of all the others. this is the second in a series of hearings on election
security. during the 2016 election cycle, state and local officials were tested like they have not been tested before it even after the election were more aware of the threats that were out there and we need to have better information about those threats and more help how to deal with them. at the last hearing local officials told us they needed timely information and cybersecurity resources as well as technical assistance today return to federal officials who are in charge of helping to provide that assistance and looking at how they can better provide those resources as well as private-sector election vendors. efforts secure american elections are not new following the 2000 election
help america vote act hoped to establish the election assistance commission to replace voting systems and improving the administration. that bill also created a partnership between the election assistance commission in the national institute of standards and technology to create guidance for voting systems and to be certified by the systems january 2017 dhs designated the election infrastructure as critical. so now we are in the first election series since that designation was made and the last hearing we heard with this designation to affect information sharing between state and local federal governments to hear about the other aspects of that designation.
which is the formalization of information sharing and collaboration between private entities and the federal government through the sector coordinating council. more recently flight 2018 spending bill congress appropriated $380 million to the u.s. election agency to have them enhance that infrastructure in 49 states and territories have requested $350 million of that money and in many cases have already received the money they asked for. want to find out about the tools available that the federal government can provide officials with information sharing that is occurring and should occur between state and federal and local officials. and learn more what we might do to encourage cybersecurity
best practices. also to have senator wyden here and now we have opening remarks. >> thank you mr. chairman for holding this important hearing. thank you to general wyden to be here and senator lankford for your work. you are both on the intelligence committee and i know how incredibly important this topic is with a lot of focus on what has happened and what did happen but we have to keep her eyes forward to protect yourself so it doesn't happen again. i am particularly pleased with the work senator lankford and i have done and he will describe this legislation to improve government sharing between election officials in the federal government with resources and expertise making
it easier to confirm election outcomes with the backup paper ballots legislation has significant bipartisan support we have painstakingly spent the last 18 months working with state and federal officials and we have made significant changes with legislation and listen to people with the secretary of state around the country to meet their concerns. it is vital we work together this is one effort but there are so many others with the intelligence committee has handled this investigation and it is truly important that we are bipartisan we had a hearing in front of judiciary and it was very clear that while a lot of the focus on interference has been the general election 2016 it was also going on in the primary specifically targeted at the
rubio campaign and it is important to tell those stories it wasn't just one party versus another. they were doing things that affected things like the primary or outside of the actual election trying to turn people against each other whether the pipeline in north dakota or rallies in florida at the state locally -- election officials administering on the front lines are working hard to ensure the election systems are secure my secretary of state was here recently and would tell you that he and his colleagues across the country are very focused on this last month we heard from some of those officials and the need of additional resources in light of a continuing threat
from potential adversaries we will hear from federal officials currently over 90% of americans vote on machines from three companies i believe one of these companies is here today but i wish the other two also have joined us given the threat that we face oversight is vital that they are providing reliable machines to others we must do everything we can to defend elections to bolster america's confidence in our democratic process i'm glad we have a system with different state jurisdictions because then one hack will not ruin everything but one hack in one county or state will charge people's confidence they came close to hack into 21 states and got as close to the voter list in illinois we
don't want this to happen again thank you very much mr. chairman. >> i look forward to working with you on this even with senator wyden with me we care deeply about these issues and have a lot of time to think about them and senator wyden if you would like to start you can go for. >> first thank you for your thoughtfulness to make this possible to come today i look forward to working with you in senator klobuchar with these issues. mr. chairman you have a busy schedule i will try to make a few key points. my full statement can go into the record but according to the latest numbers at least 44 million americans and perhaps millions more have
insecure voting machines that make hackers and hostile foreign governments salivate. it is inexcusable that our democracy depends on such half of all voter technology made by a handful of companies to evade oversight and in fact have been stonewalling congress so those efforts by russia in the 2016 election with that serious threat people face and then to introduce a new cybersecurity bill and that accuracy of federal elections and it seems to be enormously important given the prospects that
hackers can get out those voting machines the legislation focuses on two commonsense measures backed by the overwhelming number of cybersecurity experts in our country. so in spite of this campaign of ducking and bobbing and weaving and stonewalling from the voter machine coverage as a member of the intelligence committee i have reached out to cybersecurity experts and election officials i wrote asking basic questions about cybersecurity. have you been hacked? what about cyberexperts? cyberhygiene 101.
companies refuse to answer if they protect those systems of the american people and earlier this year the new york times published a story that the largest voting machine manufacturer was selling devices preinstalled with modems and remote monitoring software. . . . . but they seem dead in safeguarding it. states use voting machines that
do not produce a paper trail and the only records are kept individual records that could be hacked and is impossible to audit reliably. that strikes me as a prescription for disaster. americans need paper ballots marked by hand until the system is adopted every election that goes by is yet another that goes by that a foreign government including russia can hack. the congress appropriated $380 million to help states upgrade their election technology. the money is now in the hands of the commission on the way to the states. it ought to be used to bolster security. unfortunately, it's not clear at all how the commission is using the money to do this and my concern as you and i have talked about is the state could go out
and buy a whole lot more technology from the stonewalling voting machine companies. let me just wrap up by saying before we conclude the statements of the commissioner whose number two at the commission also concern me greatly. she stated that she disagrees with the intelligence community that russia won't believe how to influence. you and i have heard again and again that it is a the overwhelming view of the community that russia sought the influence of the election so i can't figure out where the number two official is dismissing the analysis of the government, the administration intelligence experts. you can set aside the outcome no
matter who you pulled the lever for the last time around all of us here in the senate care about defending our elections from foreign hackers going forward. i want to thank you for the time that you and i have spent talking about this and i look forward to working with you in the days ahead. >> we are pleased you're here this morning as well. i want to apologize for my colleague for ducking out because i know he has something important to say and the finance committee is pending. i thank my colleague and ranking member. >> mr. chairman, thank you for inviting me back. it's good to be back in the conversation. there's a lot still needs to be done. senator klobuchar and i have worked very hard on the act has
been a work in progress returning pencils and it can be used to erase, the edit over and over again as we've gone through the multiple iterations. we do need to deal with the obvious threat. this will take a long time to be able to roll out responses over the course of the nation. to build a focus on the ability of states to counter issues and threats that they face let me reiterate this. i have zero doubt the russians tried to influence. they were trying to engage in any way they could to bring instability to the democracy that i have no question that states are not only qualified to be able to handle, but they are constitutionally able to handle.
the states need to be able to continue to control. with senator klobuchar and others we worked on together to find how we handle this issue from coming at us again and it's not so much about the next because there's a lot being paid to the next. it's what is the structure or 20 years from now when we let our guard down and will focus not be there to put some focus in place to make sure 20 years from now we've not forgotten the lessons we should have learned and some basic things have come out of the conversation. one is increasing the communication between the federal government and states. there wasn't enough between the federal government and the states leading up to the time period and there also wasn't security clearance for individuals in the states so when the issues were discovered there was no one to communicate that with that already had clearance. across the nation they do not have auditable there was no way
to audit at the end to determine did everything go correctly. it was a best guess of yes there was no way to really know and there are many states that do limit the then after it is overt some states do not. when it's a federal election is difficult if there is a threat to any one entity state that affects every other state as well so there are things that can be done and could be done to allow the states to control their structure and have flexibility on the type of machines. it should be completely up to the states to be able to run that. we worked very hard to find the secure elections act and had a tremendous amount of feedback as mentioned from secretaries of
state. we met with a bipartisan group of state secretaries in april including the national association of secretaries of state, the secretary from louisiana and simon from minnesota when we incorporated their advice we have feedback quite frankly from the chief election official in my state as well as former official masterson. we also talked with secretary nielsen from the dhs and received a tremendous amount of feedback as well. they can share a lot of that information with other states and with the federal government. but there are some simple things that can be in place that do not usurp the authority to be able to run their own elections but they do give a secure system for the future. it's not so much 2020. we are all paying attention what
will it be like 20 years from now will we still have a process when the guard is down we think it is a wise idea to continue the ongoing cooperation so when the issues are discovered it can be shared state to state. thank you again for the invitation to be able to be here it is my honor to join this conversation if only for a brief moment thank you for holding this hearing. from the national institutes of the standards of technology and
mr. masterson from the department of homeland security. we have another panel after you and want to have a chance to ask questions so you can deal with your time however you would like to, but if you want to summarize anything in your statement, we will have your statement in the record and we are glad to have it as we are glad to have you here today so we will start with the chairman of the advisory commission with you and then go to the commissioner mccormick and doctor romine and mr. masterson.
>> good morning chairman, ranking members of the committee. i am pleased to testify to discuss the assistance commission work to support the local leaders and efforts to conduct efficient accessible and secure elections. the commission takes pride in the resources and assistance to the officials and voters as well as the title role we play for the state and local governments, private industry command because the organizations and others in the industry. as emphasized by witnesses at the last hearing, they are focused solely on the elections serving for other federal agencies that spend only part of their time working on this important issue including those that specialize in technology and cybersecurity. our partners ranging from the department of homeland security, federal bureau of
investigations, u.s. postal service and the dod rely on the deep knowledge of how elections work in the clear line of communications to those in the field who administered the vote most recently the partner agencies can't hurt on them to fulfill this role with regard to election security. this topic isn't new to the state and local officials who run the tens of thousands of administrators staff and members who support the work it has long been a primary focus for the men and women on the frontlines something they think of 365 days a year and during the 366 days a year. the job description of the official as everything from compliance and voter registration to the mail management and human resources. this is why it is vital congress and federal agencies provide administrators with the resources and tools they need to
succeed. the establishment is a part of the critical infrastructure was one way the federal government sought to improve the mechanisms to accomplish this goal. in many ways it has worked on the 2016 federal election to such a fundamental effort for this. at the time we worked with dhs and the fbi to distribute security alerts and threat indicators to the states and territories to protect systems from specific cybersecurity threats. we also met this goal with our federal partners agencies by meeting with the white house to discuss these threats of systems security protocols and dramatics of the systems and the jurisdictions nationwide. following the former secretary johnson's critical infrastructure announcement, they work to provide state and local officials with a voice at
the table during this discussion and how they would function. the often stated that the coordinating council was formed faster than any other sector council to date and takes great pride in this role, one that we play to make that happen. it is proof of how local, state and federal governments can work together towards a common goal of protecting the nation's infrastructure. i serve on the executive committee which has worked diligently to ensure the designation has a tangible meaningful impact across the nation that we all know that there's many solutions to the security challenges and we are pleased to members of the committee and your colleagues recognize this reality when supporting the act of 2018.
that legislation contained $380 million for the states and territories to improve the federal elections just three months after the bill was signed into law a distributed request for more than 97% of the funds from 51 of the 55 states and territories designated in the remarkable percentage demonstrates responsiveness and state urgency in addressing the methods to make their systems more resilient. less than two weeks after president trump signed the bill into law, the eac notified each jurisdiction and issued grants and awards letters to every state and territory. just one week after that, your home state received its funds and in the weeks that followed
they conducted a webcast and explained funding and worked directly to share this information. they also conducted webinars and other resources on the website and educated the nongovernmental groups including those focused on accessibility and security including the focus on those phones. our team has also helped states navigate this hurdle. in the meantime i want to thank you for inviting them to testify today and i look forward to answering any and all of your questions. members of the committee thank you for inviting us to testify
today about the vital issue of election security. starting out as a local voter registration assistant. when congress helped pass the act to establish a bipartisan commission charged with developing guidance to meet the requirements adopting the voluntary system guidelines into certifying the system serving as a national clearinghouse of information as well as dispensing of auditing the funds i am pleased to report our team continues to fulfill this mission and that officials across the nation consistently affirmed our work does indeed help america vote. today i offer my remarks on the impact of the newly appropriated funds and efforts to supplement the resources.
as the chairman noted the states and territories are wasting no time in applying for the portion of the $380 million was appropriated in march. this is no surprise to the. it's deserving of our praise and support thanks to ben systems from coast-to-coast were resilient in the face of the security threats. i have every confidence the newly appropriated funds are for holding officials to continue this work to strengthen the systems ahead of the next term election and the presidential election. while officials continue to work with state legislators, local beers from advocates and other stakeholders to find him how they will spend the funds i will provide a snapshot of the efforts that we already know are underway to make the system more accessible, efficient and
secure. south dakota is using the 3 million received upgrade voting equipment including the ballot marking devices and tabulators. the equipment was purchased in 2005 and the state will make crucial upgrades to its voter registration file. new york received over $19 million into the state plans to use this to implement a state and local cybersecurity risk assessment program immediate identified vulnerabilities, monitor ongoing security operations and respond to incidents should they occur. in west virginia's secretary office developed a plan after surveying the officials for cyber and physical security assessments the state will increase the system protections, bolster the capabilities and prepare for the corrective action if necessary. the territories many of which suffer catastrophic damage during the last year's hurricane season are especially grateful
for their funds for example the head of this year's elections american samoa is using their portion they receive to restore the territories election office and replace equipment damaged during the tropical cyclone. they are upgrading the voter registration system, increasing accessibility of the poll, broadening the voter education effort into improving the workstations and databases. as a part of the clearinghouse function we are highlighting the states initiatives of other jurisdictions may refer to them as they might determine the best way to utilize the appropriated funds. right now the priority is to get the funds out the door as quickly and responsibly as possible. the academics, federal government officials and many
others to discuss approaches to strengthen a election systems and better serve american voters. they traveled to nearly a dozen states to prevent elections officials. these trainings are ongoing and we are working with dhs to put the training online to the fed platform. he regularly travel to the jurisdictions throughout the nation. how they may occur to you to improve the assistance and we conduct and hold forums to gather feedback. earlier this year we held a public forum to discuss the funding and to hear from election officials about the ways they are working to secure the systems and improve the process. most recently we held a forum in baltimore where hundreds of americans with disabilities were
gathered for the national disability rights network annual conference. so we focus on the administration of elections we appreciate the congress support of our efforts and the states and territories we serve a. i'm the director of the information technology laboratory at the institute of standards and technology. thank you for the opportunity to appear before you today to discuss the role in the election security. the systems calls on the expertise and management science in working with standards and development stakeholder communities and the development of testing infrastructures
necessary to support the standards implementation. additionally our experience working in the multi-stakeholder process is critical to the success of the voting program. for more than a decade, the program partnered with the assistance commission to develop the science, tools and standards necessary to improve the accuracy, reliability, usability, accessibility and security of the equipment used in federal elections for both domestic and overseas voters as outlined in the help america vote act of 2002 into the military overseas voter empowerment act. hava reports to the federal advisory committee and support includes research and development to support the development of a set of voluntary voting system guidelines or guideline that have been considered for adoption. version 1.1 of the guideline
would have an approved and we immediately began work on the next iteration of the guidelines version 2.0. they are used as a part of the state and national certification process by the state and local officials were evaluating the systems for the potentially using their jurisdictions and by manufacturers who need to ensure the products fulfill the requirements to be certified. the guidelines address many aspects of the systems including determining the system readiness, ballot preservation, ballot counting, safeguards against system failure and tampering and auditing. we established a set of groups to gather together a wide variety of stakeholders in the development of the next iteration of the guideline 2.0. there are currently 963 members across the seven working groups three of which are aimed at the us and three groups focused on the cybersecurity, usability and
accessibility and interoperability, and one that will address testing. they've grown hundred 62 members and engages in discussions regarding security of u.s. elections. as the infrastructure evolves, so have its security concerns which today range from unauthorized attempts to the axis of the voter registration systems of multiple state to the errors or motion software attacks. the guidelines address these evolving concerns including support for advanced auditing methods and a two factor authentication security protections developed by industries over the past decade are built into the voting system. other security issues to be resolved include the need for the regular and timely software updates and security patches for network communication is another important issue and many jurisdictions rely on the public telecommunications networks for certain functions such as reporting results to state agencies and media outlets
the night of an election. they briefed the significant expansion of the service and their security requires further study. in january, 2017, the department designated the infrastructure is critical infrastructure in support of this effort providing the creation of an election profile framework to improve their cybersecurity foster we also conduct evaluations of independent laboratories and provided the eac a list of the laboratories proposed to be accredited. nist usability accessibility and functionality requirements to achieve the uniformity and testing among laboratories. nist is addressing security by strengthening the guidelines for the voting systems and by
working with our government prefers to provide guidance to state and local election officials on how to secure their systems including voter registration and reporting systems. thank you for the opportunity to justify and i would be pleased to answer any questions that you may have. >> thank you. >> thank you chairman blunt, ranking member klobuchar and members of the committee for the opportunity to testify regarding the department of homeland security's ongoing efforts to assist state and local election officials, those who own and operate the election systems with improving the resilience of america's elections. later this week the leadership will meet with officials and private sector partners as they gathered in philadelphia the birthplace of our democracy for the national summer conference and meetings of the coordinating councils throughout my career i worked with state and local officials to defend the use of technology to better
serve american voters. in the last three years i served as a commissioner at the assistance commission and now i served as a senior adviser at the dhs focused on the work the department is doing to support the thousands of officials across the country. in this decade of work i can tell you the best part is working with a dedicated professionals that administer elections in the face of sophisticated threats these officials have responded by working with us, state and local resources, private sector academia and improve resilience. the risk are real, the midterms remain a potential target for the russian actors and while we have yet to see any evidence of a robust campaign aimed at targeting the infrastructure like in 2016, the committee continues to see russia using social media, falsified personas, sympathetic spokesman and other means to influence the opposite ends of controversial
issues. we remain vigilant and we will continue to work with partners to strengthen the resilience of our election systems. as i travel the country working with state and local officials, it's clear they are taking the risk seriously. for example, the officials are engaged with dhs and the university of west florida to conduct robust training across the state and in addition to the state of florida and supervisors became the first state to have every county joined the information sharing center and we are currently working with florida counties to employ the network sensors across the entire state. this remarkable progress in a short amount of time. the mission is to ensure that the stakeholders have the necessary information and support to assess and mitigate risk. we've made significant progress during a state and local officials as well as private sector partners who support them are at the table working with us. we've created government private-sector councils to collaboratively work to share information and best practices.
we created the infrastructure sharing and analysis center grow into almost a thousand members including all 50 states in just under five months. this is unprecedented growth compared with others. since february, 2018, we have quadrupled our awareness into the election infrastructure through network monitors. we are sponsoring security clearances from the multiple election officials in each state which allow the officials to receive classified threat information. the increased availability and deployment of the technical services to the officials. the dhs offers a variety of services such as cybersecurity assessments, detection capabilities, information sharing and awareness and response and training. our services will continue to mature as the requirements identified by the stakeholders mature. we understand the only way to deliver the resilient election system is to work collaboratively with those officials on the front lines running the process. dhs has been leading an
. >> i look forward to your questions. >> we plan to stay for both panels but also i'm interested to hear what other people's questions are. there are two areas of congress that they think they are experts at elections and air travel. [laughter] you are here for the elections part of that now i will start.
>> you for being here with us today. i would just like to ask a clarifying question. in the past i was the appropriator on the subcommittee which provided the $380 million to the agency. looking the previous year 2017 that eac had a $9 million budget? >> yes that is our operating budget so that additional 380 million was just for appropriation. >> i will admit to being a skeptic is if you go from nine up at 380 million can they really handle this? in the testimony that i have heard the far rest my mind.
>> also we have given out $3.4 billion over the life. >> so you are all -- you are well versed so because of the diversity, in some ways it is a naïve thought with security without a singular system all across the nation. and the secretary of state mack warner at the forefront. and we have received $3.6 million in what secretary wants to do with those dollars.
with the quickest update of 2004 equipment. and with the security. and as compared to say 12 or 13 years ago. >> and to talk directly i am not a computer expert overall but with those voting system guidelines have not truly been updated since 2007. until the smart phone and the iphone and the tablet. and technologically far into the future in terms of security with phones and other aspects of computer technology.
eac has updated our standards for that. and with that voting equipment that once those guidelines are approved, they will be more stringent and more accessible for security overall. >> nothing to the actual technologies but again and with the t5 with the development of the new guidelines. with greater emphasis on system security. >> and with the topic that i am concerned on and the
senator and i have worked on this with the broadband caucus. and this is the open question but so what will 2020 look like? do you see some difficulties with a lower reach of broadband connection? how that could affect election security in your opinion. >> and why we run elections locally to deploy those systems in the locality with the official and with that connectivity in that way.
so the resource challenges are real and the money that congress appropriated to help support with the largest jurisdictions and to help them take the states and so then the eac is built into their parameters and with those particular needs might be whether or not since i have been in this position and every state is the same but every state is different so if that is the urban or were.
that is one of the misconceptions that the elections are not run by the jurisdictions basically with the testimony to be ada compliant from a to c. >> so let me throw up on that discussion. so unable to pass the guidelines? correct? how else has lack of a quorum impacted t5? >> we can do the work the t5 has put forth. we cannot vote on new policy.
and if we don't have a quorum and is that able to move quickly? you can go see the board and board of advisors. and if we do get another commissioner to establish a quorum it is up to that commissioner to decide if he or she is comfortable with the approach we are taking. and with that commissioner and voting for the new standards. >> it is my understanding that not every vendor is certified? that is because of the voting system guidelines.
>> how long does it take to certify a vendor? >> @125 that answer. >> half of the vendors are certified? >> just for risk and vulnerability assessments so how many have received those assessments? >> so as it stands now 18 states have requested and to have them in process to have those teams deploy out. >> please provide you with a
list and those assessments. >> i will take your request back to the office generally we don't share who we work with on any of the services so they will continue to engage but i will go back to pull information whatever we can. >> so let me jump back so that issue that just comes back but a lot of discussion about whether or not they should be used more broadly across the country. starting with the t5 commissioners what about those that are most effective and what is the difference they may make? >> so for instance estate like
oregon and so with that audit it would be helpful for them. they don't have the paper audit trail there are ways to audit those systems as well. but it just depends on what the states want to do to have their audits run. we have the pleasure to go out to colorado recently. and that they will be taking that into account with rhode island in mexico -- new mexico to see what audits can be done. and that is where the real problem lies. >> i want to stress we need to remember every state is a canvas but then they do cover
a lot of that. but based on what kinds of systems but all states do some sort of auditing. >> that the follow-up at least with to certify those elections that is part of that if you campus before you certify. >> first and want to thank you for calling this important hearing it is a critically important issue i'm not sure gets enough attention.
so this is complicated stuff with a decentralized system and machines and all of that. is it safe to say the simplest rule there should always be a paper backup? >> it depends on the state. >> i am not suggesting regulation but if you don't have a paper backup it is hard to determine if you have an accurate count. >> paper is interesting because everyone can't use paper if you have a disability then it is hard to do that paper piece.
if we could do security with paper to make sure it is accessible then that is 100% right with the paper backup. >> serving on the intelligence committee with cybersecurity issues and with those bug bounties. but with those levels of security i don't want to say they are overconfident but they have a level of confidence that may not be justified. trust but verify as reagan said what about that provision. but then to penetrate the systems.
and then to have that come up reading from washington. for what they need to do. and then to great effect. until somebody shows them they are not. that is what they are suggesting. >> from this perspective outside the purview of a missed function. and to have those experts of those guidelines and standards and and that is appropriate. >> as you are aware with a friday at three services to state and local officials. and those are in depth
penetration of the systems so to use the services as they see fit. >> and those not asking for it may be the ones that need it. >> i would also add that it isn't the only offerings. and with the national guard as well as private sector partners used in the same ways so my experience and with that penetration is of value in many states they are doing that in the jurisdiction.
>> and going into 2018 that is four months away? >> i have confidence the process is resilient with election officials working with us with the resources and localities to protect based on the research that they have that also what we talked about frequently. >> and talk about voting machines but in those lists are maintained at the state level so it wouldn't take much to disrupt the election with everybody named smith then people show up at the polls and could not vote. the registration list are those secure? >> the states have taken numerous steps to improve the security and it comes back not just from protection but the
plans that are in place. so that ability to respond with federal law to have that provisional ballot is an important piece of resilience everybody can receive a ballot regardless if they show up and are not on the list. >> are those provisions in every state? >> that is mandated. >> so now we ask the next panel to take another five minute opening statement more like three minutes. [laughter] we do have votes at noon and we can work through part of that.
we do want to get to you and to ask this panel questions. >> the future men. so what are your agencies doing for the post audit and every state? >> we worked with the government coordinating council with funding considerations with the use of the funds that congress appropriated including is the important one -- and the importance for the first election audits we continue to work with the government with those practices. >> we provided a lot of information how they could use the funds and that was included in the rates to use that money to provide guidance in that regard.
>> same. >> same. >> are the states working well with the assistance commission with the department of homeland security with ample communication and resources to make sure they are secure and what can be done to improve communications with the states? >> we're looking a lot better than we did. to work with dhs and fbi we are functioning a lot better at this point than we were during election season. >> chairman blunt recognizes we will not have another panel. >> senator klobuchar. >> there have been statements indicating foreign adversaries i'm sure you are
aware that they say that you know securities in this country from president obama now president trump has said this is a threat moving forward and as the intelligence director that has said that in fact they are getting bolder can you confirm that is real and what they are doing to secure elections is warranted? >> as i said in my opening comments the elections are a target, a real risk to the systems. whether or not there are specific threats to the infrastructure is irrelevant to the importance of the information that we share with local officials to build the
resilience of overall cybersecurity and so the focus remains on helping states identify to mitigate those risks. >> several officials at the last hearing complimented the efforts with the 380 million for elections security funding and according to your testimony that eac has received disbursements for 97% of the funds from 55 states 51 of those. can you describe these varying accounts briefly? >> so to be associated with legislation the chief election official to go back to their legislatures to figure out how to request that many. >> like my state?
>> not the fault of our election. >> very good. >> doctor, according to the requirements and that act of 2002 with the current configuration there should be for technical aspects how many members of these are cybersecurity experts? >> i have to get back to you on that i don't know off the top of my head. >> as you may know that senator lankford and i understand the technical guidelines with the membership to provide additional cybersecurity expertise so with this expansion do you think the committee will be better equipped to provide best practices and recommendations to cybersecurity? >> i think additional expertise would be welcome in almost every facet of anything we do. >> and then continuing on with
a secure elections to implement the audit to confirm election results, do you believe that performing that audit is a best practice to use to increase confidence in federal elections? >> yes. >> do you all agree? >> thank you. >> i will ask a couple of questions as senator warner is thinking about how you want to close these questions out. there will be a time to submit written questions and there will be written questions so the commissioner hicks, the $380 million allocated to the states through you. how much is now out the door?
>> 97% has been requested we usually get that out in less than a week. so i can get the exact number of the dollar amounts. >> no. i know 154 million was in the first 30 days so you are almost totally out now. the states have no required standards to meet to qualify currently? >> there are requirements they have to meet under the law. >> like having the auditable ballot trail is not a requirement? >> correct. >> so in a non- paper environment there are ways to audit the returns? i'm trying to come up with one of those
ways with a certainty to guarantee what happened on election day is what happened? how would you audit those non- paper systems? >> they are audited because there is no non- paper systems. it is a physical paper ballot that people are testifying to each has a paper of record inc. in its system that is encrypted. so that is where the audit comes. >> so they look at the paper record generated by the individual voting device? >> yes. the issue becomes if that is voter verified. >> i understand. commissioner hughes said the canvas is the audit but really that is where local officials report to state officials the final county return is? >> right. they check overall to see the
paper trails from the machines to make sure they match the numbers. in a way those are audited before they are certified. the election reporting is not official but they have the process to check those paper receipts and the voting numbers to make sure we can certify as official results. it isn't exactly an audit that one form of an audit. >> i think it isn't exactly an audit but i understand what you say. election night returns are always unofficial and always need to be verified but on the topic, the maryland primary just completed, some some of the registrations were not downloaded appropriately.
i don't know how many provisional ballots were cast because of that do either of you know? >> i don't know the numbers but we can get that from maryland. >> i think we're in the process of getting that but what i wonder about is concerned about what happens if the election day record is not what you want it to be which is exactly what happened. so my two questions would be how much does it slow down the election day voting process if you have to cast a provisional ballot? maybe maryland is an example where most of those cast in recent times and another question is my interest is how much that is slow down with the final results. but every state has a provisional ballot requirement if the voter shows up to make the case they should be
allowed to vote for whatever reason is not that applies to all federal elections. >> that is the requirement. there have been a number of cases where los angeles was a jurisdiction to have the names list left off of the voter registration list and they do add some time and that is one of the concerns of a possible attack as well because if there were we would rely on provisional ballots to ensure that they were registered and eligible to vote in the election. that could cause a delay but a lot of those voter registrars have that process down quite well and they do a lot of training with election officials on how to do that. >> senator warner?
>> mr. chairman, thank you in the ranking member for the work you have done on this subject matter. and those of us sharing that intelligence committee also have a broad perspective and we appreciate the panel being here. i want to have two questions so to think the leadership of the committee to getting that $300 million into the budget with election officials around the country. so first, it is hard for any large enterprise to evaluate the cybersecurity claims that firms make in terms of
protections they are willing to put in place. does the eac give guidance or best practices as individual states or localities evaluate the effectiveness of the cybersecurity protection monitored offered in the marketplace? >> we'll give that specific advice but we have worked with dhs to say these are some of the things that are free like monitors and so forth. individual election officials have to be vigilant knowing there will be pop-ups looking for a quick buck but i believe the way that the eac is done now to provide resources to the states for things like it management for election officials has helped them.
basically giving them other aspects that allows them to have more confidence. >> with the independent rating entity? >> with cybersecurity i applied all of them but sorting through is a tough challenge and for election officials in the enterprise not with the specific expertise strongly is a real challenge but the second part of my question, but what we just saw from 2016 the tip of the ear of the ability for social media to manipulate information. one of the questions that i have is as you think about the
election, or any state evaluating the social media platforms how they are communicating or mis- communicating to voters in your state? or how do they acquire that expertise? >> this is nothing new in terms of information put out. it used to be the information was close to the vote but now it is a lot quicker through social media. >> now you can touch a whole universe with a keystroke. >> correct we have met with some of the technology groups information in social media groups to find out what they are doing to ensure this does not happen again or ways to prevent it. or give some assurances to be
put in place but i do feel that those funds overall could be used toward that but i could check because it is very broad what you can use that money for but i would think if you look to improve the process of the election overall the administration should be able to use that money but i want to make sure of that before i give a definitive answer. >> we are encouraging state and local election officials to monitor social media to make sure correct information is out there if they see something incorrect to contact the platform to make sure it is taken down or corrected. >> i might hope there might be some way social media companies have been slow but are getting better there has to be a level of ongoing communication and collaboration and see how we might work on that.
thank you mr. chairman it is great to have attended the hearing with you and a distinguished ranking member. >> we are delighted in the fact we have another panel. >> thank you mr. chairman and each of the witnesses for being here and your testimony. the state election systems were declared critical infrastructure. can you discuss the practical effects of the designation and what dhs has done differently since that designation? >> thank you for your question the focus to declare elections with critical infrastructure is threefold to ensure that state and local election officials have access to timely information such that they can make a risk to their
systems. largely done through information sharing and analysis so routinely share information out to ensure election officials have the information they need to protect their systems and second is to provide services to local officials on a voluntary basis. we provide on-site risk and vulnerability assessments and hygiene scans and assessments on resilience and readiness in order to support state and local officials should they need it. working at the federal level of intelligence committee that intelligence is shared as one of the lessons we have all learned from 2016 to ensure that the operators are empowered to receiving information to protect their systems so we have been cooperating to make sure that
information is shared. >> in march congress allocated $380 million of spending to be put toward election security. how is that money spent and what type of oversight controls to be sure money is put to good use to make elections more secure? >> i will defer to my colleagues. >> we have run that through the grants division that is used for cybersecurity efforts and upgrading voting systems especially those that are quite old we require the states to provide a narrative and a budget with the drawdown of the money and we will audit how that money is used in every state is audited on the use of the money if it was used appropriately.
>> how significantly do you assess the threat of an election being hacked with the results at the ballot be altered electronically? >> i think it would be very difficult with the election infrastructure with 8000 in and jurisdiction none of those are connected to each other each have to be hacked individually that is the greatest security we have it would be extremely difficult but that said, every system is full level and things can happen but officials are vigilant we do testing on every single machine before used in the election so we can see if they are recording the votes correctly there are numerous ways to check afterwards like the postelection audit.
it would be very hard but i can't ever say impossible. >> there has been a lot of discussion that there are no indications there was any actual hacking of election equipment or alternate outcomes? >> we don't know any that was changed in any way. what happened in 2016 was characterized and overstated we see thousands and thousands of these types of scans every single day with every single system. i would say we are concerned about security of the systems with the entire election but nothing happened in 2016 and the real untold story is election officials did their job and kept the system safe
from any further hacking. >> what would you characterize as the most important security reform they should put in place to ensure the integrity of our process? >> we need to make sure that we have confidence of the voter because if we erode that confidence they will not come out to cast their ballots. a to z basically voter registration to election night reporting those are all valid. >> thank you senator and a panel at some point one of my follow-ups will be if you have these thousands of attempts to get into the systems all the time, what do we do or how do we help state and local officials to figure out which they need to take seriously or one group of state officials
here last week and one said with 100,000 attempts i believe he said every day to get into their system they report 100,000 attempts to review what do you do about that? so now we will move to the second panel thank you obviously a great interest to the country and the panel and we are grateful you are here. with the second panel of a company that provides the ipad registration booklets and more than half of the states including the district of columbia. and we have a vice president of operations and brian is the ceo and founder of democracy live representing a sector
coordinating council. we move from the government part of the hearing to the nongovernment part of the hearing. and we will see how this goes. we are glad to have you here. we have your written testimony as part of the record. so mr. leyendecker either read or summarize what that testimony has told us before we get to ask you some questions will be fine i thank you senator and ranking member and members of the committee, thank you for the opportunity to be with you i am grateful for your willingness to engage and take into consideration the perspective. i'm here to talk about specifically my experience in the past as former election director is a unique perspective i can bring to the table.
i want to talk about the different things that we do to ultimately secure our products which is the electronic poll roster that basically uses the ipad and ultimately helps with the security side and to leverage the ios operating system. so to sum up very quickly come in order to continue innovating and providing strong security initiatives we help the federal government will consider a partner and we hope that today's hearing is just the beginning of a new conversation with the committee and the federal government will have with vendors and together with the ones in missouri and minnesota on the front lines with today's elections through the process we want to offer this committee and others in federal government to help shape public policy to ensure the process. thank you.
>> thank you i will keep my comments short i know we are running short on time thank you chairman and ranking member thank you for having us here. i'm the vice president of operations that we are voting system provider based in austin texas serving 27 million voters across united states and we are part of the solution on security of dhs and eac and other members of the sector coordinating council. i will clarify voting systems are not just commodities but solutions and we are partners with our customers and constantly working with customers we don't just tell them something and expect them to run on their own but we are sharing best practices and webinars giving papers to customers and helping them run care elections.
i also want to go off the written record for a minute and to address the comment specifically because an important voting system provider in the united states we have been open we did answer the letter that senator wyden sent to voting system providers and our core values at heart art of candor which i am using right now and integrity that we feel is very important and one of our basic tenets is we are election geeks love elections and we feel we are helping america vote. thank you. >> mr. chairman and members of the committee here as a seattle-based technology firm
delivering electronic balloting to members of military and overseas voters and the 35 million disabled voters in the united states including the military and overseas voters and in your state and senator warner in your state. wesley had the honor to be nominated as a founding member homeland security elections sector executive committee. this represents a broad and diverse coalition of two dozen companies and nonprofits developing elections and voting selections since 200 trillion eligible voters and thousands of hard-working administrators across united states and in addition working collaboratively with the commission as well as state and local officers have a secure stable voting system to
represent the greater elections provided absolutely support the increased focus of attention on those systems and as we know those attempts to probe those platforms during the presidential campaign were clearly aimed at undermining america's democratic institutions while the consensus among the intelligence community remains clear no vote tallies were altered or no evidence that any private sector provider was compromised the existence of foreign threats means we need to continue to be diligent in protecting the critical voting infrastructure to instill confidence in the electoral systems. the sec members are prepared to meet the threat of the challenges however less than two dozen providers serving the needs represent over 200 million voters and
expectations must be aligned with existing levels of government investment must correspond with the growing threat to the entire electoral system as the partners to what is truly the engine of our democracy it is critical we are engaged at the start of any planning or testing or other initiatives relating to voting systems. as we consider how to better look at our infrastructure remember that the voting tabulation systems although the lion share of attention is only the endpoint of a long process of hundreds of voter points before they even cast a ballot's points also must be secured like voter registration, election night reporting, and mail balloting which is the fastest-growing method and what appears on the ballot and finally what can
and should be strengthened to those tabulation systems if they are corrupted or manipulated in all the working resources is put into hardening the systems and those could be negated. so in this era of misinformation more voters are turning to officials for accurate and objective information and with information systems manipulated and not the tabulation systems i would encourage congress to support officials to offer secure objective and accessible voter information that voters can trust. thank you. >> you provide the ipad book and how many states? >> currently that is the ipad -based solution in 25 states
and 600 jurisdictions nationwide. >> and canada? >> just recently acquired our solution we actually just so you know and this is good information, we went to the ministry of defense and they did an audit and the results were just released yesterday and there was zero vulnerabilities in our source code. >> can we get a copy of that. >> us to this get a copy of it. >> and i think the senator wants to know that you are now transitioning number of minnesota counties. >> we have been working with secretary simon using our products about two years now and i think in the primary elections coming up august 15 we will be and i will be there
and a number of us but we have about 50 counties moving toward that solution. >> how many voters do you think were included and the registration material you were managing in the last election cycle? >> 2016? >> just an estimate. >> several million. >> where i'm really going is the question of how many people tried to get into the systems and what do you do to determine the vulnerability of the systems your company works with? >> there is a number of things that from our knowledge nobody tried to tamper with our products but one of the nice things using the ipad is that the baked-in security already offered. that is what i liked about
this solution as a former director in st. louis looking at the different solutions available to me. but security is a big thing so i don't have to be a security expert. i am leveraged in the apple ipad that has the bells and whistles. so we average from security experts we are not trying to be although we do have individuals that are experts on staff and that is a big part of it to leverage the right hardware and software obviously encrypt everything on the ipad to anything in transit is encrypted so that is a big part of what we try to do to ensure we are responsible and thoughtful throughout the process with regards to security.
>> is there anybody in your organization to find weaknesses of any system you try to manage? >> absolutely after we get done testing applications like the one we just got finished with a few months ago, whether internal, that is the first course and then ultimately through the penetration test and that is the big thing we have been doing from day number one. not just what we decided to do because the russians decided to try to meddle in our elections process. this is something we have done from day number one to make sure we were being responsible to our clients that have provided that information that we have actually started to do more tests throughout the year because.
>> and people monitoring to get into the voter registration system that could be a legitimate effort to see if that is possible to get in? >> we don't deal directly with voter registration we are just the paper poll book. >> so what is your penetration effort? >> the only concern there are jurisdictions that like to connect devices. where the information can move from one area to the other one polling location to make sure that individual is checked off. and it is local and up to the jurisdiction if they want to do that but that is the only way. all of that is encrypted.
>> i know we have the vote so i will be quick. speaking with the secretary of state's office that was brought to my attention we talked about the risk limiting audit but i also understand others require a voting system produce the cast vote record which is basically the identifier for the ballot and many new systems have this capability but they are using the older systems that don't produce that vote of that record. and the new funds are not in those states to purchase those newer voting systems is or anything your offenders are doing to support those upgrades of risk audit processes? >> yes. we do have a new voting system we started to develop in 2015
it is new from the ground up so it takes advantage of the security features in the first person we hired was the security officer and it does support risk limiting audit some are listed as required or optional but we do encourage every state has some sort of audit so i would say imaging technologies and almost all of them will provide like a paper trail or the cast ballot records. >> you heard the previous discussion to certify those machines is purely voluntary but my understanding the
reason why they don't go through that process it is cumbersome. >> i took a note if your question about that. and they have different approaches to that. and we always go through the eac. with that stamp of approval from the federal government not all states require the eac certification at least the voting systems. then to go through that approved and that their vote
count in they have faith in the franchise. >> is there a reason why so should we make sure everybody goes through that process? sometimes it is expected and we don't always agree with the interpretation. >> i would just caution the voting machine themselves are only one element of the entire process. you can have the cast ballot record and the verified paper trail but the way that we are registering to vote or knowing how to vote with that
diligent about defending against that. >> we take that very seriously and part of our job is to protect the democracy in the voting systems and information. >> we heard officials are limited in their ability to assess the cybersecurity vulnerabilities because of vendor contracts. do they restrict officials from conducting third-party vulnerability assessments? >> we would work with them to do so. >> our contracts don't prevent a customer from doing that. we would like to let customers know i what they are doing that. we in fact embrace that and encourage that paperless systems given what we know.
my experience as a director i don't see a reason not to. i think it is responsible to have a paper attachments to it. i understand some of the concerns like the chairman brought up, but i think there is a in-place in the help america vote act but i don't see why there wouldn't be. would be. >> we support local choice in this local choices for the paperless system, then we do provide that and it's based on state certification guidelines. i want to make clear there are records on atomic voting systems
that can be audited and there are copies of the record that can be compared against each other for audits. >> i would caution the congress always think of paper as a panacea in part because the 35 million perhaps they cannot see the ballot. they have literacy issues and there are innovations taking place like that state of california developed a successful audio capability for even things like my home state of washington where it's 100% paper that's wonderful for most of us in the room today because we can see the ballot if you can't see it because you are blind or visually impaired, what can you do about that so you have to leave room for the innovation and accessibility.
>> how do you communicate about concert debate co- security concerns? do they establish responsibility for that notification cyber security incidents were reported to the? >> we work with the jurisdiction and we've done a penetration test and help them better understand what we've done and give talking points so they can provide to outside sources like the media and things like that. we have been doing this for some time. it's not just in response to the past but this is something we've been giving almos doing almost h our jurisdictions. >> we heard how 1.8 million in chicago and potentially sensitive information being
exposed and the la times explained that the data were exposed by the vendor that had placed on an amazon service a backup file. does your company store data in the cloud services? >> we do store data in the cloud that is protected. the incident in chicago was a mistake by that vendor. >> because of the portion of the cloud of a put upon? >> they just didn't apply a password and left it open for my knowledge and that is what i would consider a stupid mistake. >> we appreciate that. senator warner has returned.
>> did you say that was very blunt? [laughter] this will be a good thing. senator warner. very efficient committee. i wish all committees worked this efficiently. first, a generalized comment. i'm very concerned about is a lot about how we did in 2016 and i think we should be very cautious in terms of some of the claims that have been made that russia and/or others will be back to try to penetrate the
systems. i believe in competition, but it worries me when you've got three vendors that control over 90% of the market for the voting systems. i have to take exception from some of the comments because i can tell you after the elections did an extraordinarily thorough review i pushed to make sure we would have paper audit trail because we had two statewide elections in 2017 and during that time, the 2017 elections many of the systems were reluctant to turn over their machines and they were that
close. you are one of our vendors, yet your company refused to work with the commonwealth of virginia making that equipment available. so the comment that you are transparent and willing to work with all the systems wasn't the case in the commonwealth of virginia and on a going forward basis, i would like to get a commitment that he will work not only with virginia and other states going through such a review and we are also going to be willing to look at a second half of the problem. one of the things we know is when you sign the contract, you've got that ongoing maintenance contract that often times means even if they want to choose a different service or they are not able to do that so i would like a commitment from you that you are willing on a going forward basis in other states and number two, what you are
doing that is moving towards interoperability and how we make sure in terms of third-party servicing contracts that are existing contracts don't preclude that. my fear is by precluding the third-party servicing, you've got that system then that does not have the ability to bring in third-party research or other to look at the systems. >> super scummy guess i make that commitment to the commonwealth of virginia and we only had a few customers in you and all of them were looking at going to the new system so the point was they all were moving on. >> the commonwealth requested the machines and you did not. that is the record. second, do we keep the customers
into a surface with us, we provide other vendors to provide service to the machines and we actually make our equipment self serviceable so we don't need to go out and touch the equipment for example. we tried to make a much more open going forward. >> so they could be the ongoing servicer. >> yes, and we have customers that do that. interoperability that is the thing of the future. we are not currently working on that and that will depend on certification and nist and all that good stuff. in terms of the vendors sitting here today, we represent different components of the system that you have the tabulation system, we have the overseas in the military voter
information tools come so i believe it is critical within the elections industry so not one vendor can own the entire electoral apparatus in one jurisdiction. i think we do believe that they blossom by the innovation mantra. making sure the three of us can work seamlessly together. if the system works within electronic poll books or provides the data for information to the overseas military voters are blind and disabled voters that are all working together i think it helps to secure and harden the overall electoral system. >> i know he's got to go vote. let me just say i believe when we've got such concentration on the system is on the backend, 90% concentration and the
possibilities that exist and still exist i think that we need to at least think of this level of concentration and the ability to have at least independent cyber security researchers have some access to give that good housekeeping seal of approval at some point on some of the systems. i'm afraid it's not the vulnerability. the rest will be open for one week and i would ask you to respond quickly if you get the questions in writing and the committee is adjourned.